So, I am trying to set up a test domain as my company tries to decide if we wish to deploy this product. I’m currently on the Univention Core License, if that has any relevance to support.
I’m currently using a test client with Linux Mint, using the univention-join-domain script available through the PPA.
Whenever the script gets to the point of using “ldapwhoami” to discover the administrator’s DN, the script fails with
GSSAPI Error: No credentials were supplied
After some experimenting, I have determined this error is happening specifically on the Univention server, especially after getting the same error when logged in as the Administrator account locally on the machine.
As near as I can guess, the Kerberos ticketing isn’t working properly on 5.0-7 errata998, though I’m still new to all this.
Is this a bug, or have I missed something painfully obvious during setup?
I am using the univention-dev ppa (ppa:univention-dev/ppa)
As for how I joined, I am using the univention-domain-join GUI command.
I would like to point out that it seems to be a server-side issue, because I am getting the same GSSAPI error when I try ldapwhoami while on the Univention server itself as Administrator.
On the Univention server side, I am using the ISO downloaded directly from the Univention website (https://www.univention.com/downloads/download-ucs/#1621251595720-76bcb7ea-6088). I set up a new AD Domain following the built-in installer.
FWIW, I did notice a few other issues not related to this issue, such as GRUB not being configured properly in an EFI environment, so I’m not sure if I’ve inadvertently downloaded a bad image. The checksum came back correct.
Hello,
I’m encountering the same issue when trying to join Ubuntu/GNOME 24.04 into a UCS domain with 5.0.x.
In my testing environment with freshly installed UCS and Ubuntu the join worked with the domain-join-cli without any problem. But in production environment (only Ubuntu fresh, UCS in use for years) I get the following Message/log:
2025-09-04 22:09:30,448 userinfo CRITICAL An error occurred: get admin DN failed with: Warning: Permanently added '<DC-IP>' (ED25519) to the list of known hosts.
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
. Please check /var/log/univention/domain-join-cli.log for more information.
2025-09-04 22:09:30,448 debugging CRITICAL get admin DN failed with: Warning: Permanently added '<DC-IP>' (ED25519) to the list of known hosts.
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
Traceback (most recent call last):
File "/usr/sbin/univention-domain-join-cli", line 165, in <module>
distribution_joiner.join_domain()
File "/usr/lib/python3/dist-packages/univention_domain_join/distributions/ubuntu.py", line 86, in join_domain
admin_dn = LdapConfigurator().get_admin_dn(self.dc_ip, self.admin_username, self.admin_pw, self.ldap_base)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/univention_domain_join/join_steps/ldap_configurator.py", line 118, in get_admin_dn
raise LdapConfigutationException('get admin DN failed with: {}'.format(stderr.decode()))
univention_domain_join.join_steps.ldap_configurator.LdapConfigutationException: get admin DN failed with: Warning: Permanently added '<DC-IP>' (ED25519) to the list of known hosts.
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
I tried the join after getting a Kerberos ticket manually but without success.
Then I assumed this problem to be related to DNS because the Ubuntu-Client in the production environment always sets the DHCP-Server as an additional DNS-server, even after deleting it from /etc/netplan/… In my testing environment this behaviour did not occur. I could solve it by creating /etc/NetworkManager/dispatcher.d/99-custom-dns with this entry:
[global-dns-domain-*]
servers=127.0.0.53
Now, after rebooting Ubuntu the DNS-setting seems okay, only UCS is set as nameserver.
But the domain-join still fails and after the join-trial I see the second DNS-entry again. [global-dns-domain-*] has been deleted during the ‘join’.
I don’t know yet whether the join-prob and the dns-prob are related and don’t have an idea how to solve it.
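For triaging /var/log/univention/domain-join-cli.log across several join attempts, the following is an added example (not part of either post and not Univention's code) that pulls the LDAP and SASL result out of each CRITICAL record and flags the SSH host-key notice as noise. The record layout is assumed from the excerpt quoted above, and the sample log is constructed from it.

```python
import re

# Constructed sample, modelled on the log excerpt quoted in the post above.
SAMPLE_LOG = """\
2025-09-04 22:09:30,448 userinfo CRITICAL An error occurred: get admin DN failed with: Warning: Permanently added '<DC-IP>' (ED25519) to the list of known hosts.
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
. Please check /var/log/univention/domain-join-cli.log for more information.
2025-09-04 22:09:31,002 debugging INFO constructed line with no failure
"""

# Assumed layout: "<timestamp> <logger> <LEVEL> <message>", continuation lines unprefixed.
RECORD_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\S+) (\w+) (.*)$")
LDAP_RESULT = re.compile(r"^(ldap_\w+): (.*) \((\d+)\)$")
SASL_INFO = re.compile(r"^additional info: SASL\((-?\d+)\): (.*)$")
SSH_NOISE = re.compile(r"Warning: Permanently added '.*?' \(\w+\) to the list of known hosts\.")


def split_records(text):
    """Group continuation lines under the timestamped line that starts each record."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"time": m[1], "logger": m[2], "level": m[3], "lines": [m[4]]})
        elif records:
            records[-1]["lines"].append(line)
    return records


def bind_failures(text):
    """Return one dict per CRITICAL record that contains an LDAP bind error."""
    found = []
    for rec in split_records(text):
        if rec["level"] != "CRITICAL":
            continue
        hit = {"time": rec["time"], "ssh_noise": False}
        for line in rec["lines"]:
            if SSH_NOISE.search(line):
                hit["ssh_noise"] = True  # host-key notice on stderr, not the failure itself
            if (m := LDAP_RESULT.match(line)):
                hit.update(call=m[1], ldap_code=int(m[3]))
            elif (m := SASL_INFO.match(line)):
                hit.update(sasl_code=int(m[1]), gssapi="GSSAPI Error" in m[2], detail=m[2])
        if "ldap_code" in hit:
            found.append(hit)
    return found
```

Calling `bind_failures(open("/var/log/univention/domain-join-cli.log").read())` on a client gives one entry per failed bind, which makes it easy to compare attempts made before and after a DNS or ticket change.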