Hi there!
I’m having issues (again and again) adding machines to a UCS domain or installing dockerized apps.
At first it happened “only” with some Docker apps (namely OpenProject), but I recently encountered the same issue when adding a new machine to the domain.
The system cannot be joined and the error shown is:

```
The system join process could not be completed:
Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them --
failed to modify DC Slave Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net
[LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]
More details can be found in the log file /var/log/univention/join.log.
Please retry after resolving any conflicting issues.
```
Here is a more detailed log from an OpenProject app container:
```
Thu Jun 18 11:28:40 CEST 2020: starting /usr/sbin/univention-join -dcaccount Administrator -dcpwd /var/univention/tmp/tmpjiXcyQ -skipIpMac -containerAdMemberMode -disableVersionCheck -verbose
+ '[' -n 2 ']'
+ old_listener_debug_level=2
+ ucr set listener/debug/level=4
Setting listener/debug/level
+ listener_debug_level=4
+ display_header
+ echo 'univention-join: joins a computer to an ucs domain'
+ echo 'copyright (c) 2001-2019 Univention GmbH, Germany'
+ echo ''
+ '[' memberserver = domaincontroller_master ']'
+ '[' -z Administrator ']'
+ '[' '!' -f /tmp/tmp.aqIb5Zk8Sh/dcpwd ']'
+ chmod 600 /tmp/tmp.aqIb5Zk8Sh/dcpwd
+ '[' -n '' ']'
+ '[' memberserver = fatclient ']'
+ '[' -z memberserver ']'
+ '[' -z '' ']'
+ echo -n 'Search DC Master: '
++ host -t SRV _domaincontroller_master._tcp.sih.net
++ sed -ne '$s/.* \([^ ]\+\)\.$/\1/p'
+ DCNAME=ucs-master.sih.net
+ '[' -n ucs-master.sih.net ']'
+ echo -e '\033[60Gdone'
+ DCNAME=ucs-master.sih.net
+ '[' -z ucs-master.sih.net ']'
+ echo -n 'Check DC Master: '
++ nslookup ucs-master.sih.net
+ nslookup_out='Server: 10.0.50.102
Address: 10.0.50.102#53
Non-authoritative answer:
Name: ucs-master.sih.net
Address: 10.0.50.102'
+ '[' 0 -ne 0 ']'
++ ping -q -c 3 ucs-master.sih.net
+ ping_out='PING ucs-master.sih.net (10.0.50.102) 56(84) bytes of data.
--- ucs-master.sih.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.345/0.486/0.598/0.106 ms'
+ '[' 0 -ne 0 ']'
++ univention-ssh -timeout 3 /tmp/tmp.aqIb5Zk8Sh/dcpwd Administrator@ucs-master.sih.net ls
+ ssh_out=windows-profiles
+ '[' 0 -ne 0 ']'
++ univention-ssh /tmp/tmp.aqIb5Zk8Sh/dcpwd Administrator@ucs-master.sih.net /usr/sbin/ucr search --brief '^version/'
+ versions='version/erratalevel: 624
version/patchlevel: 4
version/releasename: Blumenthal
version/version: 4.4'
+ OLDIFS='
'
+ IFS='
'
+ for i in $versions
+ key=version/erratalevel
+ value=624
+ case "$key" in
+ for i in $versions
+ key=version/patchlevel
+ value=4
+ case "$key" in
+ master_patchlevel=4
+ for i in $versions
+ key=version/releasename
+ value=Blumenthal
+ case "$key" in
+ master_releasename=Blumenthal
+ for i in $versions
+ key=version/version
+ value=4.4
+ case "$key" in
+ master_version=4.4
+ IFS='
'
+ echo 'running version check'
running version check
+ mystatus=no
+ '[' -n 4.4 -a -n 4 ']'
+ vmaster=4.44
+ vmyself=4.33
++ echo 4.44 4.33
++ awk '{if ($1 >= $2) print "yes"; else print "no"}'
+ mystatus=yes
+ '[' no = yes ']'
+ echo 'OK: UCS version on ucs-master.sih.net is higher or equal (4.44) to the local version (4.33).'
OK: UCS version on ucs-master.sih.net is higher or equal (4.44) to the local version (4.33).
+ echo -e '\033[60Gdone'
+ '[' false = false ']'
+ '[' memberserver = domaincontroller_backup -o memberserver = domaincontroller_slave ']'
+ '[' false = false -a -x /etc/init.d/univention-s4-connector ']'
+ '[' false = false -a -x /etc/init.d/slapd ']'
+ '[' false = false -a -x /etc/init.d/samba ']'
+ '[' -z '' ']'
+ echo -n 'Search ldap/base'
++ univention-ssh /tmp/tmp.aqIb5Zk8Sh/dcpwd Administrator@ucs-master.sih.net /usr/sbin/ucr search --brief '^ldap/base$'
++ sed -ne 's|^ldap/base: ||p'
+ ldap_base=dc=sih,dc=net
+ '[' -n dc=sih,dc=net ']'
+ false
+ univention-config-registry set ldap/base=dc=sih,dc=net
+ echo -e '\033[60Gdone'
+ '[' false = false -a -x /etc/init.d/slapd ']'
+ echo -n 'Search LDAP binddn '
++ univention-ssh /tmp/tmp.aqIb5Zk8Sh/dcpwd Administrator@ucs-master.sih.net /usr/sbin/udm users/user list --filter uid=Administrator --logfile /dev/null
+++ tee -a /var/log/univention/join.log
++ sed -ne 's|^DN: ||p'
+ binddn=uid=Administrator,cn=users,dc=sih,dc=net
+ '[' -z uid=Administrator,cn=users,dc=sih,dc=net ']'
+ '[' -z uid=Administrator,cn=users,dc=sih,dc=net ']'
+ '[' -z uid=Administrator,cn=users,dc=sih,dc=net ']'
+ '[' -z uid=Administrator,cn=users,dc=sih,dc=net ']'
+ echo -e '\033[60Gdone'
+ false
+ '[' -x /usr/bin/rdate ']'
+ args=()
+ '[' -n '' ']'
+ '[' 4 -lt 3 ']'
+ args+=(-binddn "$binddn")
+ true
+ echo 'Not registering IP and MAC, as requested with -skipIpMac'
Not registering IP and MAC, as requested with -skipIpMac
+ test -x /usr/sbin/nscd
+ nscd -i hosts
+ echo -n 'Join Computer Account: '
+ args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname")
+ grep -v '^KerberosPasswd="'
+ tee /tmp/tmp.aqIb5Zk8Sh/scrubbed
+ tee /tmp/tmp.aqIb5Zk8Sh/secret
++ bashquote -binddn uid=Administrator,cn=users,dc=sih,dc=net -role memberserver -hostname openp-07412003 -domainname sih.net
++ declare -a escaped
++ declare -r 'quote=\'\'''
++ local arg
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ for arg in "$@"
++ escaped+=("'${arg//\'/'$quote'}'")
++ echo -n ''\''-binddn'\''' ''\''uid=Administrator,cn=users,dc=sih,dc=net'\''' ''\''-role'\''' ''\''memberserver'\''' ''\''-hostname'\''' ''\''openp-07412003'\''' ''\''-domainname'\''' ''\''sih.net'\'''
+ univention-ssh --no-split /tmp/tmp.aqIb5Zk8Sh/dcpwd Administrator@ucs-master.sih.net 'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' ''\''-binddn'\'' '\''uid=Administrator,cn=users,dc=sih,dc=net'\'' '\''-role'\'' '\''memberserver'\'' '\''-hostname'\'' '\''openp-07412003'\'' '\''-domainname'\'' '\''sih.net'\'''
univention-server-join: joins a server to an univention domain
copyright (c) 2001-2020 Univention GmbH, Germany
E: failed to modify Member Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net [LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]
++ sed -ne 's/^E:\s*//p' /tmp/tmp.aqIb5Zk8Sh/scrubbed
+ res_message='failed to modify Member Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net [LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]'
+ '[' -z 'failed to modify Member Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net [LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]' ']'
+ failed_message 'failed to modify Member Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net [LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]'
+ echo ''
+ echo ''
+ tee -a /var/log/univention/join.log
+ echo '**************************************************************************'
+ echo '* Join failed! *'
+ echo '* Contact your system administrator *'
+ echo '**************************************************************************'
+ echo '* Message: Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- failed to modify Member Server cn=openp-07412003,cn=memberserver,cn=computers,dc=sih,dc=net [LDAP Error: Type or value exists: krb5Key: value #2 provided more than once]'
+ echo '**************************************************************************'
```
Exactly the same LDAP error is thrown when adding a new UCS system to the domain.
Where could I look for more details? I do not know what exactly is being executed to modify/update the LDAP data (it is not shown in the log; how do I enable more debugging?).
Regards,
M.Culibrk