Univention-join LDAP errors - LDAP Error: Type or value exists: krb5Key: value #2 provided more than once

Hi there!

I’m having issues (again and again) adding machines to UCS domain or installing dockerized apps.
First it happened “only” with some docker apps (namely Openproject) but I encountered the same issue recently when adding a new machine to the domain.

The system cannot be joined and the error shown is

The system join process could not be completed:

Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- 
failed to modify DC Slave Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net 
[LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]

More details can be found in the log file /var/log/univention/join.log.
Please retry after resolving any conflicting issues.

here is a more detailed log from a openproject app container:

`Thu Jun 18 11:28:40 CEST 2020: starting /usr/sbin/univention-join -dcaccount Administrator -dcpwd /var/univention/tmp/tmpjiXcyQ -skipIpMac -containerAdMemberMode -disableVersionCheck -verbose
+ '[' -n 2 ']'
+ old_listener_debug_level=2
+ ucr set listener/debug/level=4
Setting listener/debug/level
+ listener_debug_level=4
+ display_header
+ echo 'univention-join: joins a computer to an ucs domain'
+ echo 'copyright (c) 2001-2019 Univention GmbH, Germany'
+ echo ''
+ '[' memberserver = domaincontroller_master ']'
+ '[' -z Administrator ']'
+ '[' '!' -f /tmp/tmp.aqIb5Zk8Sh/dcpwd ']'
+ chmod 600 /tmp/tmp.aqIb5Zk8Sh/dcpwd
+ '[' -n '' ']'
+ '[' memberserver = fatclient ']'
+ '[' -z memberserver ']'
+ '[' -z '' ']'
+ echo -n 'Search DC Master: '
++ host -t SRV _domaincontroller_master._tcp.sih.net
++ sed -ne '$s/.* \([^ ]\+\)\.$/\1/p'
+ DCNAME=ucs-master.sih.net
+ '[' -n ucs-master.sih.net ']'
+ echo -e '\033[60Gdone'
+ DCNAME=ucs-master.sih.net
+ '[' -z ucs-master.sih.net ']'
+ echo -n 'Check DC Master: '
++ nslookup ucs-master.sih.net
+ nslookup_out='Server:		10.0.50.102
Address:	10.0.50.102#53

Non-authoritative answer:
Name:	ucs-master.sih.net
Address: 10.0.50.102'
+ '[' 0 -ne 0 ']'
++ ping -q -c 3 ucs-master.sih.net
+ ping_out='PING ucs-master.sih.net (10.0.50.102) 56(84) bytes of data.

--- ucs-master.sih.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.345/0.486/0.598/0.106 ms'
+ '[' 0 -ne 0 ']'
++ univention-ssh -timeout 3 /tmp/tmp.aqIb5Zk8Sh/dcpwd Administrator@ucs-master.sih.net ls
+ ssh_out=windows-profiles
+ '[' 0 -ne 0 ']'
++ univention-ssh /tmp/tmp.aqIb5Zk8Sh/dcpwd Administrator@ucs-master.sih.net /usr/sbin/ucr search --brief '^version/'
+ versions='version/erratalevel: 624
version/patchlevel: 4
version/releasename: Blumenthal
version/version: 4.4'
+ OLDIFS=' 	
'
+ IFS='
'
+ for i in $versions
+ key=version/erratalevel
+ value=624
+ case "$key" in
+ for i in $versions
+ key=version/patchlevel
+ value=4
+ case "$key" in
+ master_patchlevel=4
+ for i in $versions
+ key=version/releasename
+ value=Blumenthal
+ case "$key" in
+ master_releasename=Blumenthal
+ for i in $versions
+ key=version/version
+ value=4.4
+ case "$key" in
+ master_version=4.4
+ IFS=' 	
'
+ echo 'running version check'
running version check
+ mystatus=no
+ '[' -n 4.4 -a -n 4 ']'
+ vmaster=4.44
+ vmyself=4.33
++ echo 4.44 4.33
++ awk '{if ($1 >= $2) print "yes"; else print "no"}'
+ mystatus=yes
+ '[' no = yes ']'
+ echo 'OK: UCS version on ucs-master.sih.net is higher or equal (4.44) to the local version (4.33).'
OK: UCS version on ucs-master.sih.net is higher or equal (4.44) to the local version (4.33).
+ echo -e '\033[60Gdone'
+ '[' false = false ']'
+ '[' memberserver = domaincontroller_backup -o memberserver = domaincontroller_slave ']'
+ '[' false = false -a -x /etc/init.d/univention-s4-connector ']'
+ '[' false = false -a -x /etc/init.d/slapd ']'
+ '[' false = false -a -x /etc/init.d/samba ']'
+ '[' -z '' ']'
+ echo -n 'Search ldap/base'
++ univention-ssh /tmp/tmp.aqIb5Zk8Sh/dcpwd Administrator@ucs-master.sih.net /usr/sbin/ucr search --brief '^ldap/base$'
++ sed -ne 's|^ldap/base: ||p'
+ ldap_base=dc=sih,dc=net
+ '[' -n dc=sih,dc=net ']'
+ false
+ univention-config-registry set ldap/base=dc=sih,dc=net
+ echo -e '\033[60Gdone'
+ '[' false = false -a -x /etc/init.d/slapd ']'
+ echo -n 'Search LDAP binddn '
++ univention-ssh /tmp/tmp.aqIb5Zk8Sh/dcpwd Administrator@ucs-master.sih.net /usr/sbin/udm users/user list --filter uid=Administrator --logfile /dev/null
+++ tee -a /var/log/univention/join.log
++ sed -ne 's|^DN: ||p'
+ binddn=uid=Administrator,cn=users,dc=sih,dc=net
+ '[' -z uid=Administrator,cn=users,dc=sih,dc=net ']'
+ '[' -z uid=Administrator,cn=users,dc=sih,dc=net ']'
+ '[' -z uid=Administrator,cn=users,dc=sih,dc=net ']'
+ '[' -z uid=Administrator,cn=users,dc=sih,dc=net ']'
+ echo -e '\033[60Gdone'
+ false
+ '[' -x /usr/bin/rdate ']'
+ args=()
+ '[' -n '' ']'
+ '[' 4 -lt 3 ']'
+ args+=(-binddn "$binddn")
+ true
+ echo 'Not registering IP and MAC, as requested with -skipIpMac'
Not registering IP and MAC, as requested with -skipIpMac
+ test -x /usr/sbin/nscd
+ nscd -i hosts
+ echo -n 'Join Computer Account: '
+ args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname")
+ grep -v '^KerberosPasswd="'
+ tee /tmp/tmp.aqIb5Zk8Sh/scrubbed
+ tee /tmp/tmp.aqIb5Zk8Sh/secret
++ bashquote -binddn uid=Administrator,cn=users,dc=sih,dc=net -role memberserver -hostname openp-07412003 -domainname sih.net
++ declare -a escaped
++ declare -r 'quote=\'\'''
++ local arg
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ echo -n ''\''-binddn'\''' ''\''uid=Administrator,cn=users,dc=sih,dc=net'\''' ''\''-role'\''' ''\''memberserver'\''' ''\''-hostname'\''' ''\''openp-07412003'\''' ''\''-domainname'\''' ''\''sih.net'\'''
+ univention-ssh --no-split /tmp/tmp.aqIb5Zk8Sh/dcpwd Administrator@ucs-master.sih.net 'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' ''\''-binddn'\'' '\''uid=Administrator,cn=users,dc=sih,dc=net'\'' '\''-role'\'' '\''memberserver'\'' '\''-hostname'\'' '\''openp-07412003'\'' '\''-domainname'\'' '\''sih.net'\'''
univention-server-join: joins a server to an univention domain
copyright (c) 2001-2020 Univention GmbH, Germany

E: failed to modify Member Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net [LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]
++ sed -ne 's/^E:\s*//p' /tmp/tmp.aqIb5Zk8Sh/scrubbed
+ res_message='failed to modify Member Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net [LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]'
+ '[' -z 'failed to modify Member Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net [LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]' ']'
+ failed_message 'failed to modify Member Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net [LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]'
+ echo ''
+ echo ''
+ tee -a /var/log/univention/join.log
+ echo '**************************************************************************'
+ echo '* Join failed!                                                           *'
+ echo '* Contact your system administrator                                      *'
+ echo '**************************************************************************'
+ echo '* Message:  Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- failed to modify Member Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net [LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]'
+ echo '**************************************************************************'

``
Exactly the same LDAP error is thrown when adding a new USC system to the domain.

Where could i look for more details? As I do not know what exactly is being executed to modify/update the LDAP data (not shown in log, how to enable more debuging?)

Regards,
M.Culibrk

Some more info…

after deleting the LDAP object (computer object created by the join script) and re-doing the univention-join manually i get another bizarre error - “invalid password”…

univention-server-join: joins a server to an univention domain
copyright (c) 2001-2020 Univention GmbH, Germany

ldap_dn="cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net"
++ sed -ne 's/^E:\s*//p' /tmp/tmp.7pOdXPMjEi/scrubbed
+ res_message=
+ '[' -z '' ']'
+ echo -e '\033[60Gdone'
+ '[' -s /tmp/tmp.7pOdXPMjEi/secret ']'
++ grep -e '^ldap_dn=' -e '^KerberosPasswd=' /tmp/tmp.7pOdXPMjEi/secret
+ eval 'ldap_dn="cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net"
KerberosPasswd="lOdHxqZADlkJ7vDIZScX" '
++ ldap_dn=cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net
++ KerberosPasswd=lOdHxqZADlkJ7vDIZScX
+ '[' -n cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net ']'
+ rdn=cn=openp-07412003
+ hostname=openp-07412003
+ '[' -n openp-07412003 ']'
+ '[' -n lOdHxqZADlkJ7vDIZScX ']'
+ '[' -e /etc/machine.secret ']'
+ cat /etc/machine.secret
+ echo -n lOdHxqZADlkJ7vDIZScX
+ fromdos /etc/machine.secret
+ chmod 600 /etc/machine.secret
+ '[' -e /etc/machine.secret.SAVE ']'
+ chmod 600 /etc/machine.secret.SAVE
+ hostname openp-07412003
hostname: you must be root to change the host name
+ univention-config-registry set hostname=openp-07412003 ldap/hostdn=cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net
Setting hostname
Setting ldap/hostdn
File: /etc/pam.d/smtp
File: /etc/welcome.msg
Multifile: /etc/postfix/ldap.virtualwithcanonical
File: /etc/pam_ldap.conf
File: /etc/issue
Multifile: /etc/postfix/ldap.virtual_mailbox
Multifile: /etc/hosts
Multifile: /etc/postfix/ldap.groups
File: /etc/dhcp/dhclient.conf
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
File: /etc/libnss-ldap.conf
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.sharedfolderlocal
File: /etc/mailname
File: /etc/cron.d/univention-directory-policy
Multifile: /etc/postfix/main.cf
Multifile: /etc/postfix/ldap.sharedfolderremote
File: /etc/hostname
Multifile: /etc/postfix/ldap.external_aliases
+ '[' -e /usr/lib/univention-install/.index.txt ']'
+ mkdir -p /var/univention-join/
+ rm -rf /var/univention-join/status
+ rm /usr/lib/univention-install/.index.txt
+ touch /var/univention-join/status
+ '[' '!' -e /usr/lib/univention-install/.index.txt ']'
+ mkdir -p /var/univention-join/
+ touch /var/univention-join/status
+ ln -sf /var/univention-join/status /usr/lib/univention-install/.index.txt
+ '[' -e /etc/univention/ssl ']'
++ date +%y%m%d%H%M
+ mv /etc/univention/ssl /etc/univention/ssl_2006181159
+ install -m 755 -d /etc/univention/ssl
+ for service in univention-directory-notifier univention-directory-listener
+ '[' -e /etc/runit/univention/univention-directory-notifier ']'
+ for service in univention-directory-notifier univention-directory-listener
+ '[' -e /etc/runit/univention/univention-directory-listener ']'
+ rm -Rf '/var/lib/univention-directory-listener/*'
+ '[' memberserver = domaincontroller_backup ']'
+ '[' memberserver = domaincontroller_slave ']'
+ '[' memberserver = memberserver ']'
+ setup_ssl force
+ local ca dst=/etc/univention/ssl/ucsCA
+ '[' force = force ']'
+ rm -rf /etc/univention/ssl/ucsCA
+ install -m 0755 -d /etc/univention/ssl/ucsCA
+ for ca in ucsCA udsCA
+ '[' -e /etc/univention/ssl/ucsCA/CAcert.pem ']'
+ univention-scp /tmp/tmp.7pOdXPMjEi/dcpwd -q Administrator@ucs-master.sih.net:/etc/univention/ssl/ucsCA/CAcert.pem /etc/univention/ssl/ucsCA/CAcert.pem
+ for ca in ucsCA udsCA
+ '[' -e /etc/univention/ssl/ucsCA/CAcert.pem ']'
+ break
+ chmod 755 /etc/univention/ssl
+ chmod 755 /etc/univention/ssl/ucsCA
+ chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem
+ ln -snf /etc/univention/ssl/ucsCA/CAcert.pem /usr/local/share/ca-certificates/ucsCA.crt
+ update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
152 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
+ check_ldap_tls_connection
+ echo -n 'Check TLS connection: '
++ ucr shell ldap/master/port
+ eval ldap_master_port=7389
++ ldap_master_port=7389
+ univention-ldapsearch -p 7389 -s base -h ucs-master.sih.net -D uid=Administrator,cn=users,dc=sih,dc=net --bindpwdfile /tmp/tmp.7pOdXPMjEi/dcpwd dn
ldap_bind: Invalid credentials (49)
	additional info: The authentication has failed.
+ '[' 49 '!=' 0 ']'
+ failed_message 'Establishing a TLS connection with ucs-master.sih.net failed. Maybe you didn'\''t specify a FQDN.'
+ echo ''
+ echo ''
+ echo '**************************************************************************'
+ echo '* Join failed!                                                           *'
+ tee -a /var/log/univention/join.log
+ echo '* Contact your system administrator                                      *'
+ echo '**************************************************************************'
+ echo '* Message:  Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- Establishing a TLS connection with ucs-master.sih.net failed. Maybe you didn'\''t specify a FQDN.'
+ echo '**************************************************************************'

but, if I execute the same univention-ldapsearch and enter the same! password manually all seems OK - ldapsearch gives the response

As the tmp file gets erased I cannot check/confirm which password was used but it’s strange anyway.

BR