Univention Bugzilla – Bug 31926
computer not removed completely: re-join hangs during ssl certificate download
Last modified: 2018-04-13 13:30:40 CEST
I removed a DC slave and asked to remove referenced objects as well, but some data still remains in LDAP:

# univention-ldapsearch -xLLL '(|(nSRecord=slave.update.dev.)(krb5PrincipalName=ldap/slave.update.dev@UPDATE.DEV)(uid=ldap/slave.update.dev))'
dn: zoneName=update.dev,cn=dns,dc=update,dc=dev
objectClass: dNSZone
nSRecord: slave.update.dev.
...
dn: zoneName=17.200.10.in-addr.arpa,cn=dns,dc=update,dc=dev
objectClass: dNSZone
nSRecord: slave.update.dev.
...
dn: krb5PrincipalName=ldap/slave.update.dev@UPDATE.DEV,cn=kerberos,dc=update,d
 c=dev
uid: ldap/slave.update.dev
krb5PrincipalName: ldap/slave.update.dev@UPDATE.DEV
objectClass: krb5Principal
objectClass: krb5KDCEntry
...

Even worse is that the NSCD cache still remembers the UID:

# getent passwd slave\$
slave$:x:2006:5006:slave:/dev/null:/bin/sh
# nscd -i passwd
# getent passwd slave\$

This leads to an error when the system is re-joined: A new SSL certificate is created, but the owner-ID does not match the login-UID of the scp process, which tries to download the certificates: /var/log/univention/join.log contains "permission denied" errors. The join process hangs in that loop for a long time, sometimes forever.
*** This bug has been marked as a duplicate of bug 32192 ***
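Added example (not part of the original report or of Univention's code): a small shell check that builds the search filter shown in the report for a given host and lists the DNs that still reference it, unfolding wrapped LDIF lines such as the "d / c=dev" split above. The function names and the embedded sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Build the filter from the report for a host FQDN and Kerberos realm.
build_filter() {
    fqdn=$1 realm=$2
    printf '(|(nSRecord=%s.)(krb5PrincipalName=ldap/%s@%s)(uid=ldap/%s))\n' \
        "$fqdn" "$fqdn" "$realm" "$fqdn"
}

# Read LDIF on stdin and print the DN of every entry returned.
# LDIF folds long lines: a line starting with one space continues the
# previous line, so the lines are joined before the "dn: " prefix is matched.
leftover_dns() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") emit(buf); buf = $0 }
        END   { if (buf != "") emit(buf) }
        function emit(line) { if (line ~ /^dn: /) print substr(line, 5) }
    '
}

# Constructed sample: the search output from the report, elided lines left out.
sample_ldif() {
    printf '%s\n' \
        'dn: zoneName=update.dev,cn=dns,dc=update,dc=dev' \
        'objectClass: dNSZone' \
        'nSRecord: slave.update.dev.' \
        '' \
        'dn: zoneName=17.200.10.in-addr.arpa,cn=dns,dc=update,dc=dev' \
        'objectClass: dNSZone' \
        'nSRecord: slave.update.dev.' \
        '' \
        'dn: krb5PrincipalName=ldap/slave.update.dev@UPDATE.DEV,cn=kerberos,dc=update,d' \
        ' c=dev' \
        'uid: ldap/slave.update.dev'
}

# Offline demonstration on the sample. On a live system the pipeline would be:
#   univention-ldapsearch -xLLL "$(build_filter slave.update.dev UPDATE.DEV)" | leftover_dns
build_filter slave.update.dev UPDATE.DEV
sample_ldif | leftover_dns
```

Any DN printed after the computer object has been deleted is a leftover reference; an empty result means the filter found none.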