Univention Bugzilla – Bug 42859
S4 member server join failed
Last modified: 2016-11-08 13:26:39 CET
It happened in my test setup and in Jenkins. The join failed:

**************************************************************************
* Join failed! *
* Contact your system administrator *
**************************************************************************
__JOINERR__:FAILED: 30univention-appcenter.inst
* Message: FAILED: 30univention-appcenter.inst
**************************************************************************

From the join.log:
----------------------------------------------------------------------
Configure 30univention-appcenter.inst Sat Nov 5 19:08:22 EDT 2016
2016-11-05 19:08:22.865376519-04:00 (in joinscript_init)
Object exists: cn=apps,cn=univention,dc=autotest097,dc=local
Object exists: cn=ldapschema,cn=univention,dc=autotest097,dc=local
INFO: No change of core data of object univention-app.
Object exists: cn=ldapacl,cn=univention,dc=autotest097,dc=local
INFO: No change of core data of object 66univention-appcenter_app.
Object exists: cn=udm_module,cn=univention,dc=autotest097,dc=local
INFO: No change of core data of object appcenter/app.
No modification: cn=univention-app,cn=ldapschema,cn=univention,dc=autotest097,dc=local
No modification: cn=66univention-appcenter_app,cn=ldapacl,cn=univention,dc=autotest097,dc=local
No modification: cn=appcenter/app,cn=udm_module,cn=univention,dc=autotest097,dc=local
Waiting for activation of the extension object univention-app:.......................................................ERROR: Master did not mark the
----------------------------------------------------------------------

From the listener.log:
----------------------------------------------------------------------
05.11.16 19:08:04.023 LISTENER ( PROCESS ) : updating 'cn=Computers,cn=groups,dc=autotest097,dc=local' command m
05.11.16 19:08:13.951 LISTENER ( PROCESS ) : updating 'cn=member097.autotest097.local,cn=shares,dc=autotest097,dc=local' command a
05.11.16 19:08:14.037 LISTENER ( PROCESS ) : updating 'cn=default containers,cn=univention,dc=autotest097,dc=local' command m
05.11.16 19:08:22.453 LISTENER ( PROCESS ) : updating 'cn=Samba 3,cn=services,cn=univention,dc=autotest097,dc=local' command a
Traceback (most recent call last):
  File "/usr/lib/univention-pam/ldap-group-to-file.py", line 109, in <module>
    lo = univention.uldap.getMachineConnection( ldap_master=False )
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 89, in getMachineConnection
    return access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 150, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 189, in __open
    self.lo.simple_bind_s(self.binddn, self.__encode_pwd(self.bindpw))
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 879, in simple_bind_s
    res = self._apply_method_s(SimpleLDAPObject.simple_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 215, in simple_bind_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
05.11.16 19:12:05.308 LISTENER ( WARN ) : received signal 15
05.11.16 19:12:11.365 DEBUG_INIT
05.11.16 19:12:11.419 LDAP ( ERROR ) : ldap_simple_bind: Operations error
05.11.16 19:12:11.419 LISTENER ( WARN ) : can not connect to LDAP server master097.autotest097.local:7389
05.11.16 19:12:11.419 LISTENER ( WARN ) : can not connect any server, retrying in 30 seconds
05.11.16 19:12:41.420 LISTENER ( WARN ) : chosen server: master097.autotest097.local:7389
05.11.16 19:12:41.420 LDAP ( ERROR ) : start_tls: Can't contact LDAP server
05.11.16 19:12:41.420 LISTENER ( WARN ) : can not connect to LDAP server master097.autotest097.local:7389
05.11.16 19:12:41.420 LISTENER ( WARN ) : can not connect any server, retrying in 30 seconds
05.11.16 19:13:11.421 LISTENER ( WARN ) : chosen server: master097.autotest097.local:7389
----------------------------------------------------------------------

So, my guess is that the password of the member server has been changed in the Samba join script. It happens in about 50% of the installations.
r74129: autotest-097-member-s4.cfg: Activate more debug (Bug #42859)
On my test system, it looks like a move:
-------------------------------------------------------------------------------
05.11.2016 13:58:47,129 LDAP (PROCESS): sync from ucs: [windowscomputer] [ add] cn=member435,cn=memberserver,cn=computers,DC=deadlock43,DC=intranet
05.11.2016 13:58:47,188 LDAP (PROCESS): sync from ucs: [windowscomputer] [ modify] cn=member435,cn=memberserver,cn=computers,DC=deadlock43,DC=intranet
05.11.2016 13:58:47,197 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=computers,cn=groups,DC=deadlock43,DC=intranet
05.11.2016 13:58:47,218 LDAP (PROCESS): sync from ucs: [ dns] [ add] DC=member435,dc=deadlock43.intranet,cn=microsoftdns,dc=domaindnszones,DC=deadlock43,DC=intranet
05.11.2016 13:58:47,243 LDAP (PROCESS): sync from ucs: [ dns] [ modify] dc=@,dc=deadlock43.intranet,cn=microsoftdns,dc=domaindnszones,DC=deadlock43,DC=intranet
05.11.2016 13:58:47,254 LDAP (WARNING): s4_zone_msdcs_sync: SOA serial OpenLDAP zone deadlock43.intranet is higher than corresponding value of DC=@,DC=_msdcs.deadlock43.intranet,CN=MicrosoftDNS,DC=ForestDnsZones,DC=deadlock43,DC=intranet
05.11.2016 13:58:47,258 LDAP (PROCESS): sync from ucs: [ dns] [ add] DC=5.43,dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,DC=deadlock43,DC=intranet
05.11.2016 13:58:47,287 LDAP (PROCESS): sync from ucs: [ dns] [ modify] dc=@,dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,DC=deadlock43,DC=intranet
05.11.2016 13:58:48,331 LDAP (PROCESS): sync to ucs: [windowscomputer] [ modify] cn=member435,cn=memberserver,cn=computers,dc=deadlock43,dc=intranet
05.11.2016 13:58:48,426 LDAP (PROCESS): sync to ucs: [ dns] [ modify] relativedomainname=member435,zonename=deadlock43.intranet,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 13:58:48,439 LDAP (PROCESS): sync to ucs: [ dns] [ modify] relativedomainname=5.43,zonename=201.10.in-addr.arpa,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 13:58:48,448 LDAP (PROCESS): sync to ucs: [ dns] [ modify] zonename=deadlock43.intranet,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 13:58:48,466 LDAP (PROCESS): sync to ucs: [ dns] [ modify] zonename=201.10.in-addr.arpa,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 13:58:50,225 MAIN (------ ): DEBUG_INIT
05.11.2016 13:58:54,556 LDAP (PROCESS): sync from ucs: [windowscomputer] [ modify] cn=member435,cn=memberserver,cn=computers,DC=deadlock43,DC=intranet
05.11.2016 13:59:00,610 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=dc slave hosts,cn=groups,DC=deadlock43,DC=intranet
05.11.2016 13:59:00,641 LDAP (PROCESS): sync from ucs: [ dns] [ add] DC=slave433,dc=deadlock43.intranet,cn=microsoftdns,dc=domaindnszones,DC=deadlock43,DC=intranet
05.11.2016 13:59:00,666 LDAP (PROCESS): sync from ucs: [ dns] [ modify] dc=@,dc=deadlock43.intranet,cn=microsoftdns,dc=domaindnszones,DC=deadlock43,DC=intranet
05.11.2016 13:59:00,687 LDAP (PROCESS): sync from ucs: [ dns] [ add] DC=3.43,dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,DC=deadlock43,DC=intranet
05.11.2016 13:59:00,714 LDAP (PROCESS): sync from ucs: [ dns] [ modify] dc=@,dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,DC=deadlock43,DC=intranet
05.11.2016 13:59:01,778 LDAP (PROCESS): sync to ucs: [ dns] [ modify] relativedomainname=slave433,zonename=deadlock43.intranet,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 13:59:01,788 LDAP (PROCESS): sync to ucs: [ dns] [ modify] relativedomainname=3.43,zonename=201.10.in-addr.arpa,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 13:59:01,801 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=dc slave hosts,cn=groups,dc=deadlock43,dc=intranet
05.11.2016 13:59:01,840 LDAP (PROCESS): sync to ucs: [ dns] [ modify] zonename=deadlock43.intranet,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 13:59:01,862 LDAP (PROCESS): sync to ucs: [ dns] [ add] relativeDomainName=@._msdcs,zonename=deadlock43.intranet,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 13:59:01,878 LDAP (PROCESS): sync to ucs: [ dns] [ modify] zonename=201.10.in-addr.arpa,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 13:59:53,292 LDAP (PROCESS): sync from ucs: [windowscomputer] [ modify] cn=member435,cn=memberserver,cn=computers,DC=deadlock43,DC=intranet
05.11.2016 13:59:54,358 LDAP (PROCESS): sync to ucs: [windowscomputer] [ modify] cn=member435,cn=memberserver,cn=computers,dc=deadlock43,dc=intranet
05.11.2016 14:00:16,217 LDAP (PROCESS): sync from ucs: [windowscomputer] [ modify] cn=member435,cn=memberserver,cn=computers,DC=deadlock43,DC=intranet
05.11.2016 14:00:16,234 LDAP (PROCESS): sync from ucs: [ dns] [ modify] dc=@,dc=deadlock43.intranet,cn=microsoftdns,dc=domaindnszones,DC=deadlock43,DC=intranet
05.11.2016 14:00:16,254 LDAP (PROCESS): sync from ucs: [ dns] [ modify] dc=@,dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,DC=deadlock43,DC=intranet
05.11.2016 14:00:17,319 LDAP (PROCESS): sync to ucs: [windowscomputer] [ modify] cn=member435,cn=memberserver,cn=computers,dc=deadlock43,dc=intranet
05.11.2016 14:00:17,354 LDAP (PROCESS): sync to ucs: [ dns] [ modify] zonename=deadlock43.intranet,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 14:00:17,381 LDAP (PROCESS): sync to ucs: [ dns] [ add] relativeDomainName=@._msdcs,zonename=deadlock43.intranet,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 14:00:17,406 LDAP (PROCESS): sync to ucs: [ dns] [ modify] zonename=201.10.in-addr.arpa,cn=dns,dc=deadlock43,dc=intranet
05.11.2016 14:00:18,453 LDAP (PROCESS): sync to ucs: [windowscomputer] [ move] cn=MEMBER435,cn=computers,dc=deadlock43,dc=intranet
05.11.2016 14:00:24,565 LDAP (PROCESS): sync from ucs: [windowscomputer] [ modify] cn=member435,cn=computers,DC=deadlock43,DC=intranet
05.11.2016 14:00:24,577 LDAP (PROCESS): sync from ucs: [windowscomputer] [ modify] cn=member435,cn=computers,DC=deadlock43,DC=intranet
05.11.2016 14:00:24,582 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=computers,cn=groups,DC=deadlock43,DC=intranet
-------------------------------------------------------------------------------

Maybe it is related to the uppercase name in S4?
More a Samba or a S4 Connector issue.
Created attachment 8191
connector-s4.log

connector-s4.log while joining a new member server (member436).
Created attachment 8192
connector-s4.log

It looks like the GUID is no longer changed while joining a client to Samba. It looks like a change in Samba 4.4 or Samba 4.5.

Before the Samba Join:
---------------------------------------------------------------------------
# record 1
dn: CN=member437,CN=memberserver,CN=Computers,DC=deadlock43,DC=intranet
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: member437
instanceType: 4
whenCreated: 20161106001433.0Z
whenChanged: 20161106001433.0Z
uSNCreated: 4175
name: member437
objectGUID: c403d534-2855-4509-9098-42f9f82eaea2
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 515
objectSid: S-1-5-21-148074546-3894801993-3450292389-1122
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: member437$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=deadlock43,DC=intran
 et
isCriticalSystemObject: FALSE
userPrincipalName: host/member437.deadlock43.intranet@DEADLOCK43.INTRANET
pwdLastSet: 131228648700000000
lockoutTime: 0
uSNChanged: 4176
distinguishedName: CN=member437,CN=memberserver,CN=Computers,DC=deadlock43,DC=
 intranet

# Referral
ref: ldap://deadlock43.intranet/CN=Configuration,DC=deadlock43,DC=intranet

# Referral
ref: ldap://deadlock43.intranet/DC=DomainDnsZones,DC=deadlock43,DC=intranet

# Referral
ref: ldap://deadlock43.intranet/DC=ForestDnsZones,DC=deadlock43,DC=intranet

# returned 4 records
# 1 entries
# 3 referrals
---------------------------------------------------------------------------

After the Samba join:
---------------------------------------------------------------------------
# record 1
dn: CN=MEMBER437,CN=Computers,DC=deadlock43,DC=intranet
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20161106001433.0Z
uSNCreated: 4175
objectGUID: c403d534-2855-4509-9098-42f9f82eaea2
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 515
objectSid: S-1-5-21-148074546-3894801993-3450292389-1122
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: member437$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=deadlock43,DC=intran
 et
isCriticalSystemObject: FALSE
userPrincipalName: host/member437.deadlock43.intranet@DEADLOCK43.INTRANET
lockoutTime: 0
operatingSystemVersion: 4.1-4
operatingSystem: Univention Corporate Server
pwdLastSet: 131228649220000000
CN: MEMBER437
whenChanged: 20161106001520.0Z
uSNChanged: 4184
name: MEMBER437
userAccountControl: 69632
dNSHostName: member437.deadlock43.intranet
servicePrincipalName: HOST/MEMBER437
servicePrincipalName: HOST/member437.deadlock43.intranet
lastLogonTimestamp: 131228649204327320
msDS-SupportedEncryptionTypes: 31
distinguishedName: CN=MEMBER437,CN=Computers,DC=deadlock43,DC=intranet

# Referral
ref: ldap://deadlock43.intranet/CN=Configuration,DC=deadlock43,DC=intranet

# Referral
ref: ldap://deadlock43.intranet/DC=DomainDnsZones,DC=deadlock43,DC=intranet

# Referral
ref: ldap://deadlock43.intranet/DC=ForestDnsZones,DC=deadlock43,DC=intranet

# returned 4 records
# 1 entries
# 3 referrals
---------------------------------------------------------------------------
With UCS 4.1 (Samba 4.3) the existing object is modified:

Before the Samba Join:
---------------------------------------------------------------------------
# record 1
dn: CN=member416,CN=memberserver,CN=Computers,DC=deadlock41,DC=intranet
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: member416
instanceType: 4
whenCreated: 20151120193954.0Z
whenChanged: 20151120193954.0Z
uSNCreated: 4081
name: member416
objectGUID: 762b9886-7e03-450c-ae05-3dcaaffe0854
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 515
objectSid: S-1-5-21-3869528978-413072183-2970949430-1117
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: member416$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=deadlock41,DC=intran
 et
isCriticalSystemObject: FALSE
userPrincipalName: host/member416.deadlock41.intranet@DEADLOCK41.INTRANET
pwdLastSet: 130925219880000000
lockoutTime: 0
uSNChanged: 4082
distinguishedName: CN=member416,CN=memberserver,CN=Computers,DC=deadlock41,DC=
 intranet

# Referral
ref: ldap://deadlock41.intranet/CN=Configuration,DC=deadlock41,DC=intranet

# Referral
ref: ldap://deadlock41.intranet/DC=DomainDnsZones,DC=deadlock41,DC=intranet

# Referral
ref: ldap://deadlock41.intranet/DC=ForestDnsZones,DC=deadlock41,DC=intranet

# returned 4 records
# 1 entries
# 3 referrals
---------------------------------------------------------------------------

After the Samba join:
---------------------------------------------------------------------------
# record 1
dn: CN=member416,CN=memberserver,CN=Computers,DC=deadlock41,DC=intranet
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: member416
instanceType: 4
whenCreated: 20151120193954.0Z
uSNCreated: 4081
name: member416
objectGUID: 762b9886-7e03-450c-ae05-3dcaaffe0854
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 515
objectSid: S-1-5-21-3869528978-413072183-2970949430-1117
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: member416$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=deadlock41,DC=intran
 et
isCriticalSystemObject: FALSE
userPrincipalName: host/member416.deadlock41.intranet@DEADLOCK41.INTRANET
lockoutTime: 0
operatingSystemVersion: 4.1-3
operatingSystem: Univention Corporate Server
userAccountControl: 69632
dNSHostName: member416.deadlock41.intranet
servicePrincipalName: HOST/MEMBER416
servicePrincipalName: HOST/member416.deadlock41.intranet
msDS-SupportedEncryptionTypes: 31
lastLogonTimestamp: 130925220709888350
lastLogon: 130925221185606740
pwdLastSet: 130925220640000000
whenChanged: 20151120194159.0Z
uSNChanged: 4095
distinguishedName: CN=member416,CN=memberserver,CN=Computers,DC=deadlock41,DC=
 intranet

# Referral
ref: ldap://deadlock41.intranet/CN=Configuration,DC=deadlock41,DC=intranet

# Referral
ref: ldap://deadlock41.intranet/DC=DomainDnsZones,DC=deadlock41,DC=intranet

# Referral
ref: ldap://deadlock41.intranet/DC=ForestDnsZones,DC=deadlock41,DC=intranet

# returned 4 records
# 1 entries
# 3 referrals
---------------------------------------------------------------------------

If I join a UCS 4.1-3 member server into a UCS 4.1-4 Samba 4 domain, it works. So, I guess it is a Samba client / net ads join change.
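Added example, not part of the bug thread or of Univention's or Samba's code: a small Python helper that compares a before/after pair of ldbsearch records like the ones in this report, restoring folded LDIF lines and reporting whether the same object (by objectGUID) was moved, renamed in case only, or had its password reset. The function names `parse_record` and `compare` are hypothetical, and the sample records are abridged from the member437 dumps in this report.

```python
# Constructed sample input, abridged from the member437 records in this report.
BEFORE = """\
# record 1
dn: CN=member437,CN=memberserver,CN=Computers,DC=deadlock43,DC=intranet
cn: member437
name: member437
objectGUID: c403d534-2855-4509-9098-42f9f82eaea2
userAccountControl: 4096
pwdLastSet: 131228648700000000
distinguishedName: CN=member437,CN=memberserver,CN=Computers,DC=deadlock43,DC=
 intranet
"""
AFTER = """\
# record 1
dn: CN=MEMBER437,CN=Computers,DC=deadlock43,DC=intranet
objectGUID: c403d534-2855-4509-9098-42f9f82eaea2
pwdLastSet: 131228649220000000
CN: MEMBER437
name: MEMBER437
userAccountControl: 69632
distinguishedName: CN=MEMBER437,CN=Computers,DC=deadlock43,DC=intranet
"""

def parse_record(text):
    """Parse one ldbsearch record into {lowercased attribute: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF folding: continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):  # skip comments and blank lines
            lines.append(raw)
    record = {}
    for line in lines:
        attr, _, value = line.partition(": ")
        record.setdefault(attr.lower(), []).append(value)
    return record

def compare(before, after):
    """Summarise what happened to a machine account between two dumps."""
    b, a = parse_record(before), parse_record(after)
    skip = {"dn", "distinguishedname"}
    changed = sorted(k for k in (set(b) | set(a)) - skip if b.get(k) != a.get(k))
    return {
        "same_object": b["objectguid"] == a["objectguid"],
        "dn_moved": b["dn"][0].lower() != a["dn"][0].lower(),
        "cn_case_changed": b["cn"][0] != a["cn"][0]
                           and b["cn"][0].lower() == a["cn"][0].lower(),
        "password_reset": b["pwdlastset"] != a["pwdlastset"],
        "changed_attrs": changed,
    }

if __name__ == "__main__":
    for key, value in compare(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

On the abridged member437 records this reports an unchanged objectGUID together with a DN move out of the memberserver container, a case-only CN change and a new pwdLastSet.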
https://bugzilla.samba.org/show_bug.cgi?id=11755 might be the reason for the change.
(In reply to Stefan Gohmann from comment #7)
> https://bugzilla.samba.org/show_bug.cgi?id=11755 might be the reason for the
> change.

I've reverted e2b8b2cf5a96921f615055e31d6516d13c76832b and it seems to work now. Samba is currently building with this patch.

UCS 4.1-4: r16855 + r16857
UCS 4.2-0: r16856 + r16858
My tests were successful.
Ok, works. Patch is applied successfully during build and merged to UCS 4.2-0:
* patches/samba/4.1-0-0-ucs/2:4.5.1-1-ucs4.1-4/99_bug42859.quilt
* patches/samba/4.2-0-0-ucs/2:4.5.1-1/99_bug42859.quilt

Bug is referenced in changelog.
UCS 4.1-4 has been released:
https://docs.software-univention.de/release-notes-4.1-4-en.html
https://docs.software-univention.de/release-notes-4.1-4-de.html

If this error occurs again, please use "Clone This Bug".