Univention UCS 4.2 - Failed 'Active Directory Takeover' process - Troubleshooting

ad-connection
dns
samba
linux
ucs-4-2
samba-ad

#1

Attention moderators: could any of you show the images and links I reference below in my post? I was able to put a maximum of 2 images/links because I’m a new user. After that you can remove this text. Thanks.

I successfully installed Univention UCS 4.2.

On this UCS 4.2 server I have installed the following applications / plugins:

  • Active Directory Connection
  • Active Directory Takeover
  • Active Directory-compatible Domain Controller
  • DHCP server
  • Print server (CUPS)

I have the following Linux distribution:

root@ucs:~# cat /etc/*-release
DISTRIB_ID=Univention
DISTRIB_RELEASE="4.2-2 errata159"
DISTRIB_CODENAME=Lesum

DISTRIB_DESCRIPTION="Univention Corporate Server 4.2-2 errata159 (Lesum)"
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

and the following Samba version:

root@ucs:~# samba -V
Version 4.6.1-Debian

This UCS 4.2 server is running on IP: 10.16.100.115.

On another IP, 10.16.100.20, I have Microsoft Windows Server 2008 R2 (64-bit), let’s call it Win 2008, which acts as Active Directory Domain Controller.

The UCS 4.2 server is working properly as DNS server. In addition to that, if on any Windows PC on the local network I point to it as DNS server, as in the following image:

[image]

I can add that Windows PC to the domain by using the following credentials:

Domain: mydomain.intranet
User name: Administrator
Password: <thepassword>

Then, my next step was trying to migrate the Active Directory I had on Win 2008 to UCS 4.2. For that I used the application: Active Directory Takeover via the web interface:

[image]

When I click Next I get:

[image] i.stack.imgur.com/kIW6O.png

When I click Next I get:

[image] i.stack.imgur.com/iZSX6.png

Then, I check the file referenced in the image above:

/var/log/univention/ad-takeover.log

and I find the following content:

2017-09-12 16:35:25,671 INFO: Time difference is less than 180 seconds, skipping reset of local time
2017-09-12 16:35:25,688 Starting phase I of the takeover process.
2017-09-12 16:35:25,688 Calling: univention-config-registry set hosts/static/10.16.100.20=DLDC.MYDOMAIN.intranet DLDC
2017-09-12 16:35:25,791 Create hosts/static/10.16.100.20
2017-09-12 16:35:25,791 Multifile: /etc/hosts
2017-09-12 16:35:25,798 Calling: /etc/init.d/univention-s4-connector stop
2017-09-12 16:35:25,818 Stopping univention-s4-connector (via systemctl): univention-s4-connector.service.
2017-09-12 16:35:25,818 Calling: /etc/init.d/samba-ad-dc stop
2017-09-12 16:35:25,993 Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:25,994 Calling: univention-config-registry set nameserver1/local=10.16.100.115 nameserver1=10.16.100.20 directory/manager/web/modules/users/user/properties/username/syntax=string directory/manager/web/modules/groups/group/properties/name/syntax=string dns/backend=ldap
2017-09-12 16:35:26,082 Create nameserver1/local
2017-09-12 16:35:26,082 Setting nameserver1
2017-09-12 16:35:26,082 Setting directory/manager/web/modules/users/user/properties/username/syntax
2017-09-12 16:35:26,082 Setting directory/manager/web/modules/groups/group/properties/name/syntax
2017-09-12 16:35:26,082 Setting dns/backend
2017-09-12 16:35:26,082 File: /etc/resolv.conf
2017-09-12 16:35:26,090 Calling: /etc/init.d/nscd stop
2017-09-12 16:35:26,113 Stopping nscd (via systemctl): nscd.service.
2017-09-12 16:35:26,114 Calling: /etc/init.d/bind9 restart
2017-09-12 16:35:31,603 Restarting bind9 (via systemctl): bind9.service.
2017-09-12 16:35:31,603 Starting Samba domain join.
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_spnego' registered
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_krb5' registered
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_krb5_sasl' registered
2017-09-12 16:35:31,885 GENSEC backend 'spnego' registered
2017-09-12 16:35:31,885 GENSEC backend 'schannel' registered
2017-09-12 16:35:31,885 GENSEC backend 'naclrpc_as_system' registered
2017-09-12 16:35:31,885 GENSEC backend 'sasl-EXTERNAL' registered
2017-09-12 16:35:31,885 GENSEC backend 'ntlmssp' registered
2017-09-12 16:35:31,885 GENSEC backend 'ntlmssp_resume_ccache' registered
2017-09-12 16:35:31,886 GENSEC backend 'http_basic' registered
2017-09-12 16:35:31,886 GENSEC backend 'http_ntlm' registered
2017-09-12 16:35:31,886 GENSEC backend 'krb5' registered
2017-09-12 16:35:31,886 GENSEC backend 'fake_gssapi_krb5' registered
2017-09-12 16:35:31,908 resolve_lmhosts: Attempting lmhosts lookup for name DLDC.MYDOMAIN.intranet<0x20>
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/DLDC.MYDOMAIN.intranet@MYDOMAIN.INTRANET : kinit for myuser@MYDOMAIN.INTRANET failed (Cannot contact any KDC for requested realm)
2017-09-12 16:35:31,915 SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DLDC.MYDOMAIN.intranet failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
2017-09-12 16:35:31,915 Got challenge flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62898235
2017-09-12 16:35:31,915 NTLMSSP: Set final flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,915 NTLMSSP Sign/Seal - Initialising with flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,916 NTLMSSP Sign/Seal - Initialising with flags:
2017-09-12 16:35:31,916 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,926 workgroup is MYDOMAIN
2017-09-12 16:35:31,926 realm is MYDOMAIN.intranet
2017-09-12 16:35:31,940 tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
2017-09-12 16:35:31,940 Could not open tdb: No such file or directory
2017-09-12 16:35:31,944 ldb_wrap open of secrets.ldb
2017-09-12 16:35:31,944 Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=MYDOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4576 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2017-09-12 16:35:31,994 ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -  <00002071: UpdErr: DSID-03050328, problem 6005 (ENTRY_EXISTS), data 0
2017-09-12 16:35:31,994 > <>
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
2017-09-12 16:35:31,995     return self.run(*args, **kwargs)
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 668, in run
2017-09-12 16:35:31,995     keep_existing=keep_existing)
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1276, in join_DC
2017-09-12 16:35:31,996     ctx.do_join()
2017-09-12 16:35:31,996   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1182, in do_join
2017-09-12 16:35:31,996     ctx.join_add_objects()
2017-09-12 16:35:31,996   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 613, in join_add_objects
2017-09-12 16:35:31,996     ctx.samdb.add(rec)
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Join failed - cleaning up
2017-09-12 16:35:31,996 removing samaccount: CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Deleted CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:32,017 Calling: univention-config-registry unset hosts/static/10.16.100.20
2017-09-12 16:35:32,126 Unsetting hosts/static/10.16.100.20
2017-09-12 16:35:32,126 Multifile: /etc/hosts
2017-09-12 16:35:32,131 Calling: /etc/init.d/samba-ad-dc start
2017-09-12 16:35:32,452 Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:32,452 Calling: /etc/init.d/univention-s4-connector start
2017-09-12 16:35:37,699 Starting univention-s4-connector (via systemctl): univention-s4-connector.service.
2017-09-12 16:35:37,699 Calling: univention-config-registry set nameserver1=10.16.100.115
2017-09-12 16:35:37,895 Setting nameserver1
2017-09-12 16:35:37,895 File: /etc/resolv.conf
2017-09-12 16:35:37,902 Calling: univention-config-registry unset nameserver1/local
2017-09-12 16:35:38,029 Unsetting nameserver1/local
2017-09-12 16:35:38,029 File: /etc/resolv.conf
2017-09-12 16:35:38,034 Calling: univention-config-registry set dns/backend=samba4
2017-09-12 16:35:38,098 Setting dns/backend
2017-09-12 16:35:38,102 Calling: /etc/init.d/bind9 restart
2017-09-12 16:35:48,642 Restarting bind9 (via systemctl): bind9.service.
2017-09-12 16:35:48,642 Calling: /etc/init.d/nscd restart
2017-09-12 16:35:48,736 Restarting nscd (via systemctl): nscd.service.
2017-09-12 16:35:48,736 The domain join failed. See /var/log/univention/ad-takeover.log for details.

where there are some lines that catch my attention:

2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/DLDC.MYDOMAIN.intranet@MYDOMAIN.INTRANET : kinit for myuser@MYDOMAIN.INTRANET failed (Cannot contact any KDC for requested realm)

Then, checking the samba configuration file: /etc/samba/smb.conf I see the following fragment:

[global]
	debug level		= 1
	logging			= file
	log file		= /var/log/samba/log.%m
	log level		= 3
	max log size	= 0

	netbios name	= controller
	server role	= active directory domain controller
	server string	= Univention Corporate Server
	server services	= -dns -smb +s3fs -nbt
	server role check:inhibit = yes
	# use nmbd; to disable set samba4/service/nmb to s4
	nmbd_proxy_logon:cldap_server=127.0.0.1
	workgroup	= LAGOON
	realm		= LAGOON.LOCAL

	tls enabled	= yes
	tls keyfile	= /etc/univention/ssl/controller.lagoon.local/private.key
	tls certfile	= /etc/univention/ssl/controller.lagoon.local/cert.pem
	tls cafile	= /etc/univention/ssl/ucsCA/CAcert.pem
	tls verify peer	= ca_and_name
	ldap server require strong auth	= allow_sasl_over_tls
	dsdb:schema update allowed = no
	max open files = 32808
	ntlm auth	= yes
	machine password timeout	= 0
	acl allow execute always = True

	# ignore interfaces in samba/register/exclude/interfaces
	bind interfaces only = yes
	interfaces = lo eth0
	kccsrv:samba_kcc = False

where there is another line that catches my attention:

nmbd_proxy_logon:cldap_server=127.0.0.1

Notice the same 127.0.0.1 as on the error log.

Other details:

  • on Win 2008 server I was using the domain: MYDOMAIN.intranet
  • on UCS 4.2 server I was using the domain: mydomain.intranet

After the failed takeover process I checked the list of users on UCS 4.2 server and there was no imported users from the Win 2008 server (same users as before).

Just as a memo: for some reason, after doing the above, when trying to use the previous server (Win 2008) as local domain and then trying to log in, I got the following error:

The security database on the server does not have a computer account for this workstation trust relationship.

[image] i.stack.imgur.com/EzbCG.png

But I solved this by following the steps on the following link:

[link] virtualcurtis.wordpress.com/2011/03/02/fix-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship/

[Checks]

root@controller:~# ls -la /var/lib/samba/private/secrets.tdb
-rw------- 1 root root 430080 Sep 11 16:08 /var/lib/samba/private/secrets.tdb

Any idea on how to make the takeover process go through?
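As an added example for this thread (not part of the post and not Univention tooling), the script below triages an ad-takeover.log like the one quoted above: it parses each line into timestamp and message, records the domain facts the Samba join printed ("workgroup is", "realm is", the Kerberos principal realm, the DC object it tried to add) and tags the error signatures that appear in the post's log (KDC connection refused, missing secrets.tdb, LDAP_ENTRY_ALREADY_EXISTS). SAMPLE_LOG is a subset of the lines quoted in the post with their timestamps preserved; nothing beyond those lines is assumed.

```python
"""Triage a failed UCS 'Active Directory Takeover' log.

Added example for this thread; not part of the post and not Univention
tooling. SAMPLE_LOG is a subset of the lines quoted in the post.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
2017-09-12 16:35:25,818 Calling: /etc/init.d/samba-ad-dc stop
2017-09-12 16:35:31,603 Starting Samba domain join.
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/DLDC.MYDOMAIN.intranet@MYDOMAIN.INTRANET : kinit for myuser@MYDOMAIN.INTRANET failed (Cannot contact any KDC for requested realm)
2017-09-12 16:35:31,915 SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DLDC.MYDOMAIN.intranet failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
2017-09-12 16:35:31,926 workgroup is MYDOMAIN
2017-09-12 16:35:31,926 realm is MYDOMAIN.intranet
2017-09-12 16:35:31,940 tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
2017-09-12 16:35:31,994 ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -  <00002071: UpdErr: DSID-03050328, problem 6005 (ENTRY_EXISTS), data 0
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Join failed - cleaning up
2017-09-12 16:35:48,736 The domain join failed. See /var/log/univention/ad-takeover.log for details.
"""

# "<timestamp> [LEVEL: ]<message>"; the level prefix is optional (e.g. "INFO:").
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?:(?:INFO|WARNING|ERROR|DEBUG): )?(.*)$")

# Error signatures seen in the post's log; the capture group (if any) is the detail.
SIGNATURES = OrderedDict([
    ("kdc_refused",      re.compile(r"NT_STATUS_CONNECTION_REFUSED from (\S+)")),
    ("no_kdc",           re.compile(r"Cannot contact any KDC for requested realm")),
    ("no_logon_servers", re.compile(r"NT_STATUS_NO_LOGON_SERVERS")),
    ("no_secrets",       re.compile(r"could not open file (\S+secrets\.tdb)")),
    ("entry_exists",     re.compile(r"LDAP_ENTRY_ALREADY_EXISTS")),
])

# Domain facts the join reports about the AD side, and the DC object it adds.
FACT_RE = OrderedDict([
    ("workgroup",       re.compile(r"^workgroup is (\S+)$")),
    ("realm",           re.compile(r"^realm is (\S+)$")),
    ("kinit_principal", re.compile(r"kinit for (\S+@\S+) failed")),
    ("dc_dn",           re.compile(r"^Adding (CN=[^,]+,OU=Domain Controllers,\S+)$")),
])


def parse(lines):
    """Return [(timestamp, message)] for every line that carries a timestamp."""
    out = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(lines):
    entries = parse(lines)
    facts, hits = OrderedDict(), OrderedDict()
    samba_stop_ts = None
    for ts, msg in entries:
        if msg.startswith("Calling: /etc/init.d/samba-ad-dc stop"):
            samba_stop_ts = ts
        for key, rx in FACT_RE.items():
            m = rx.search(msg)
            if m and key not in facts:
                facts[key] = m.group(1)
        for key, rx in SIGNATURES.items():
            m = rx.search(msg)
            if m:
                hits.setdefault(key, []).append((ts, m.group(1) if m.groups() else msg))
                # The takeover stops the local samba-ad-dc before the join; note
                # whether that stop precedes the first refused Kerberos request.
                if key == "kdc_refused" and "samba_ad_dc_stopped_before_kdc_error" not in facts:
                    facts["samba_ad_dc_stopped_before_kdc_error"] = samba_stop_ts is not None
    if "kinit_principal" in facts:  # realm as Kerberos saw it (after the '@')
        facts["kerberos_realm"] = facts["kinit_principal"].split("@", 1)[1]
    if "dc_dn" in facts:            # short name of the DC object the join tried to add
        facts["dc_name"] = facts["dc_dn"].split(",", 1)[0][len("CN="):]
    return {"facts": facts, "hits": hits,
            "join_failed": any(m.startswith("Join failed") for _, m in entries)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for k, v in result["facts"].items():
        print(f"fact  {k:40} {v}")
    for k, v in result["hits"].items():
        print(f"error {k:40} x{len(v)} first at {v[0][0]}: {v[0][1]}")
    print("join failed:", result["join_failed"])
```

Run it against the real file with `triage(open("/var/log/univention/ad-takeover.log"))`. The value of the "facts" block is that it puts the AD-side realm as printed by the join ("MYDOMAIN.intranet") next to the realm Kerberos actually used for the principal ("MYDOMAIN.INTRANET") and the DC name that collided, which is exactly the set of strings the takeover prerequisites say must agree on both sides.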


#2

I see you’ve also created this post about the AD takeover process, and it seems you’ve gotten further with the process than shown in this post. Is this one obsolete now?


#3

Hi Moritz, yes, this post is obsolete.

I could move forward to the following point:

but I got stuck there. Then, I could not continue setting up the local domain on my lab.

Maybe someday somebody helps me to go forward on that other post.

Just in case it helps somebody, my problem on this post was the case sensitivity of: MYDOMAIN.intranet. I had to respect it in every place. I think I didn’t take care of requirement [2] below, recommended in the user guide:

  1. The UCS domain controller (master domain controller) needs to be installed with a unique hostname, not used in the AD domain.
  2. The UCS domain controller needs to be installed with the same DNS domain name, NetBIOS (pre Windows 2000) domain name and Kerberos realm as the AD domain. It is also recommended to configure the same LDAP base DN.
  3. The UCS domain controller needs to be installed with a unique IPv4 address in the same IP subnet as the Active Directory domain controller that is used for the takeover.

Anyway, I had no luck and got stuck on the other post and nobody helped me, so I could not use this amazing tool: UCS 4.2. I think Univention team have created a wonderful tool, though. I hope I can use it someday.

Regards.
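The three prerequisites quoted above can be checked before starting the takeover. The script below is an added example for this thread, not Univention's own code: it compares the values the UCS side is installed with (the usual UCR keys hostname, domainname, windows/domain, kerberos/realm, ldap/base) against the values the AD side reports, and applies the comparison rule each value actually has. Kerberos realm names are case-sensitive, so the realm is compared byte-for-byte; DNS names are case-insensitive on the wire, but the guide asks for the same name and the post reports that a case-only difference was what broke the takeover, so any difference there is treated as a failure; NetBIOS names and AD account names are case-insensitive, so the NetBIOS domain and the hostname-uniqueness check compare upper-cased; the IPv4 check uses the standard library's ipaddress module. The values in EXAMPLE_UCS and EXAMPLE_AD are taken from the post; the AD computer list, the UCS Kerberos realm, the UCS LDAP base and the /24 prefix are assumptions.

```python
"""Preflight check for the three AD takeover prerequisites.

Added example for this thread, not Univention's own code. Example values
come from the post; the AD computer list, the UCS Kerberos realm, the UCS
LDAP base and the /24 prefix are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, check, message)


@dataclass
class Side:
    hostname: str          # short host name (ucr get hostname)
    domainname: str        # DNS domain (ucr get domainname)
    netbios_domain: str    # pre-Windows-2000 name (ucr get windows/domain)
    realm: str             # Kerberos realm (ucr get kerberos/realm)
    ipv4: str              # AD side: address/prefix, e.g. 10.16.100.20/24 (no prefix = /32)
    ldap_base: str = ""    # ucr get ldap/base; optional
    computers: List[str] = field(default_factory=list)  # AD side: existing computer names


def check(ucs: Side, ad: Side) -> List[Finding]:
    out: List[Finding] = []

    # 1. unique hostname: AD account names match case-insensitively
    if ucs.hostname.upper() in {c.upper() for c in ad.computers}:
        out.append(("FAIL", "hostname",
                    f"'{ucs.hostname}' already exists as a computer account in AD"))

    # 2. same DNS domain, NetBIOS domain and Kerberos realm
    if ucs.domainname != ad.domainname:
        how = "case-only " if ucs.domainname.lower() == ad.domainname.lower() else ""
        out.append(("FAIL", "domainname",
                    f"{how}mismatch: UCS '{ucs.domainname}' vs AD '{ad.domainname}'"))
    if ucs.netbios_domain.upper() != ad.netbios_domain.upper():
        out.append(("FAIL", "netbios_domain",
                    f"UCS '{ucs.netbios_domain}' vs AD '{ad.netbios_domain}'"))
    if ucs.realm != ad.realm:  # byte-for-byte: Kerberos realms are case-sensitive
        out.append(("FAIL", "realm",
                    f"Kerberos realms are case-sensitive: UCS '{ucs.realm}' vs AD '{ad.realm}'"))
    if ucs.ldap_base and ad.ldap_base and ucs.ldap_base.lower() != ad.ldap_base.lower():
        out.append(("WARN", "ldap_base",
                    f"UCS '{ucs.ldap_base}' vs AD '{ad.ldap_base}' (recommended to match)"))

    # 3. unique IPv4 address inside the AD DC's subnet
    ad_if = ipaddress.ip_interface(ad.ipv4)
    ucs_ip = ipaddress.ip_address(ucs.ipv4.split("/")[0])
    if ucs_ip == ad_if.ip:
        out.append(("FAIL", "ipv4", f"{ucs_ip} is the AD DC's own address"))
    elif ucs_ip not in ad_if.network:
        out.append(("FAIL", "ipv4", f"{ucs_ip} is outside {ad_if.network}"))
    return out


# Values from the post; see the module docstring for what is assumed.
EXAMPLE_UCS = Side(hostname="controller", domainname="mydomain.intranet",
                   netbios_domain="MYDOMAIN", realm="MYDOMAIN.INTRANET",
                   ipv4="10.16.100.115", ldap_base="dc=mydomain,dc=intranet")
EXAMPLE_AD = Side(hostname="DLDC", domainname="MYDOMAIN.intranet",
                  netbios_domain="MYDOMAIN", realm="MYDOMAIN.INTRANET",
                  ipv4="10.16.100.20/24", ldap_base="DC=MYDOMAIN,DC=intranet",
                  computers=["DLDC"])

if __name__ == "__main__":
    findings = check(EXAMPLE_UCS, EXAMPLE_AD) or [("OK", "all", "prerequisites satisfied")]
    for sev, what, msg in findings:
        print(f"{sev:4} {what:15} {msg}")
```

With the post's values the only finding is the case-only mismatch of the DNS domain, which is the cause the post identifies; re-running with domainname set to "MYDOMAIN.intranet" on the UCS side produces no findings. The AD-side values would come from the AD DC itself (the join log's "workgroup is" / "realm is" lines, or `samba-tool domain info <dc>`), while the UCS-side values are read from UCR.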


#4

Dang, I was working on that other post before I read your reply here. Yeah, that’s what I figured from your output, too. It’d be good if you replied on that other post as well so that others can see that you managed to find the source of the problem.


#5

Yes, my bad. Next time I will reply to myself when I figure out an answer for my own question. I just highlighted the solution to make it easier for others to read.

By the way, do you have any idea on how can I troubleshoot my other problem?

You are the first person I can interact with on this forum after about one month here.

Kind Regards!


#6

By the way, do you have any idea on how can I troubleshoot my other problem?

I’ve posted a reply to that post half an hour ago. Let’s continue the discussion there.

You are the first person I can interact with on this forum after about one month here.

Your problems are rather unusual and involved, unfortunately. Therefore it’s not really surprising that no one else has replied yet.


#7

Good Moritz. Just checked your answer above as a solution for this.