Univention Bugzilla – Bug 35563
s4 connector transforms dc slave into windows domaincontroller during 96univention-samba4.inst on slave after ad takeover from ad member mode
Last modified: 2017-07-11 22:17:56 CEST
UCS master and slave, w2k12

* configured AD member mode on master - OK
* rejoin slave - OK
* adtakeover on master - OK
* rejoin slave - OK
* installation of univention-samba4 on slave - OK
* univention-run-join-scripts on slave - FAIL / slave no longer usable

@slave
-> univention-ldapsearch
ldap_bind: Invalid credentials (49)

During the 96univention-samba4.inst on the slave, the s4 connector on the master deletes/creates the UDM slave objects:

sync to ucs:   [windowscomputer] [   modify] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync to ucs:   [windowscomputer] [   modify] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync to ucs:   [             dc] [   modify] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync to ucs:   [windowscomputer] [   delete] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync to ucs:   [             dc] [      add] cn=SLAVE,cn=dc,cn=computers,dc=w2k12,dc=test
sync from ucs: [             dc] [      add] cn=slave,ou=domain controllers,dc=w2k12,dc=test
sync from ucs: [             dc] [   modify] cn=slave,ou=domain controllers,dc=w2k12,dc=test
sync from ucs: [             dc] [   modify] cn=slave,ou=domain controllers,dc=w2k12,dc=test
sync to ucs:   [             dc] [   modify] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync to ucs:   [             dc] [   modify] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync from ucs: [             dc] [   modify] cn=slave,ou=domain controllers,dc=w2k12,dc=test

After this, the slave is no longer usable:
-> univention-ldapsearch
ldap_bind: Invalid credentials (49)

and my slave is now a windows_domaincontroller??

-> univention-s4search cn=slave
# record 1
dn: CN=SLAVE,OU=Domain Controllers,DC=w2k12,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: SLAVE
instanceType: 4
whenCreated: 20140804173044.0Z
displayName: SLAVE$
uSNCreated: 3975
name: SLAVE
objectGUID: bd22f576-7abb-4dbe-a68c-2903e03f7a16
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 516
objectSid: S-1-5-21-4081652553-1298243908-2397940796-1610
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: SLAVE$
sAMAccountType: 805306369
dNSHostName: SLAVE.w2k12.test
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=w2k12,DC=test
isCriticalSystemObject: TRUE
msDS-SupportedEncryptionTypes: 31
serverReferenceBL: CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=w2k12,DC=test
servicePrincipalName: HOST/SLAVE
servicePrincipalName: HOST/SLAVE.w2k12.test
servicePrincipalName: GC/SLAVE.w2k12.test/w2k12.test
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/0c2e25a6-80c9-4a74-a3d2-4f88b10b134d/w2k12.test
pwdLastSet: 130516470450000000
userAccountControl: 532480
rIDSetReferences: CN=RID Set,CN=SLAVE,OU=Domain Controllers,DC=w2k12,DC=test
userPrincipalName: host/SLAVE.w2k12.test@W2K12.TEST
whenChanged: 20140804174041.0Z
uSNChanged: 4038
distinguishedName: CN=SLAVE,OU=Domain Controllers,DC=w2k12,DC=test

-> univention-ldapsearch cn=slave
dn: cn=SLAVE,cn=dc,cn=computers,dc=w2k12,dc=test
univentionServerRole: windows_domaincontroller
displayName: SLAVE
cn: SLAVE
krb5PrincipalName: host/SLAVE.w2k12.test@W2K12.TEST
objectClass: top
objectClass: person
objectClass: univentionHost
objectClass: univentionWindows
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: univentionObject
loginShell: /bin/false
univentionObjectType: computers/windows_domaincontroller
uidNumber: 2013
krb5KDCFlags: 126
sambaAcctFlags: [S ]
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
sn: SLAVE
homeDirectory: /dev/null
sambaSID: S-1-4-2013
krb5MaxLife: 86400
uid: SLAVE$
gidNumber: 5006
sambaPrimaryGroupSID: S-1-5-21-4081652553-1298243908-2397940796-1607
sambaNTPassword: D05B4EB5DAFBC710C8C9069FEF80FE1E
krb5Key:: MB2hGzAZoAMCARehEgQQ0FtOtdr7xxDIyQaf74D+Hg==
krb5Key:: MFihKzApoAMCARKhIgQgQ6gT1x6nd8D3RHWxzMEro01xp3MhJJOS7UmZ3JoKa4eiKTAnoAMCAQOhIAQeVzJLMTIuVEVTVGhvc3RzbGF2ZS53MmsxMi50ZXN0
krb5Key:: MEihGzAZoAMCARGhEgQQIWRPBOWhxqt/S2VKq8xh5qIpMCegAwIBA6EgBB5XMksxMi5URVNUaG9zdHNsYXZlLncyazEyLnRlc3Q=
krb5Key:: MEChEzARoAMCAQOhCgQIinAsirr+XmeiKTAnoAMCAQOhIAQeVzJLMTIuVEVTVGhvc3RzbGF2ZS53MmsxMi50ZXN0
krb5Key:: MEChEzARoAMCAQGhCgQIinAsirr+XmeiKTAnoAMCAQOhIAQeVzJLMTIuVEVTVGhvc3RzbGF2ZS53MmsxMi50ZXN0
sambaPwdLastSet: 1407173445

Even a complete re-join does not work:

-> univention-join
univention-join: joins a computer to an ucs domain
copyright (c) 2001-2014 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password:

Search DC Master:                                          done
Check DC Master:                                           done
Stop LDAP Server:                                          done
Stop Samba 4 Server:                                       done
Search ldap/base                                           done
Start LDAP Server:                                         done
Search LDAP binddn                                         done
Sync time:                                                 done
Join Computer Account:
**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message:  failed to create DC Slave (1) [E: Object exists: (uid) : slave$]
**************************************************************************

I have to delete the new "windows domaincontroller" UCS slave in order to successfully rejoin my slave.
Created attachment 6047: connector-s4.log
See also Bug 35559
A "net ads leave -U Administrator%Univention.99" before the univention-join on the slave (after AD takeover) seems to help, but the object is deleted in Samba 4 and UCS.

univention-join
univention-install univention-samba4
univention-run-join-scripts

works now.
*** Bug 35559 has been marked as a duplicate of this bug. ***
* delete_in_ucs: added a special handling for windows computers. If the computer is a normal member in AD and a DC in OpenLDAP, the computer will be removed and re-added when Samba 4 is installed on the DC slave. Without this special check the object would be removed by the connector (Bug #35563)

UCS 3.2-3: r53367
UCS 4.0-0: r53368
YAML: r53369 + r53371
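As an added illustration of the check described in the fix above (example code written for this page, not the connector's own delete_in_ucs): it takes the OpenLDAP entry of the computer that the Samba 4 side wants deleted and skips the deletion when that entry is a UCS domain controller, producing log lines in the style quoted on this page. The attribute names are those visible on this page; the set of UCS DC role values and the sample entries are assumptions.

```python
# Added example modelling the "skip delete for a UCS DC" check from the fix.
# Not the s4-connector's own code; UCS_DC_ROLES is an assumed set of role values.

UCS_DC_ROLES = {"domaincontroller_master", "domaincontroller_backup",
                "domaincontroller_slave"}


def is_ucs_domaincontroller(ucs_entry):
    """True if the OpenLDAP entry (attribute -> list of values) is a UCS DC.

    The broken state on this page shows the slave with
    univentionServerRole: windows_domaincontroller; a healthy UCS DC carries
    one of the roles in UCS_DC_ROLES instead.
    """
    roles = set(ucs_entry.get("univentionServerRole", []))
    return bool(roles & UCS_DC_ROLES)


def delete_in_ucs(dn, ucs_entry, log):
    """Decide whether a 'windowscomputer delete' coming from Samba 4 is applied.

    Returns True when the object is deleted, False when the deletion is skipped.
    Appends log lines shaped like the connector output quoted on this page.
    """
    log.append("sync to ucs: [windowscomputer] [   delete] %s" % dn)
    if is_ucs_domaincontroller(ucs_entry):
        log.append("The windows computer %s is a Domain Controller in OpenLDAP. "
                   "The deletion will be skipped." % dn)
        return False
    # plain member servers and workstations are removed as before
    return True


# Constructed sample entries (not taken from a real directory)
SLAVE_ENTRY = {"univentionServerRole": ["domaincontroller_slave"],
               "univentionObjectType": ["computers/domaincontroller_slave"]}
MEMBER_ENTRY = {"univentionObjectType": ["computers/windows"]}


def demo():
    """Run both cases; returns (slave_deleted, member_deleted, log_lines)."""
    log = []
    slave_deleted = delete_in_ucs(
        "cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test", SLAVE_ENTRY, log)
    member_deleted = delete_in_ucs("cn=member,dc=w2k12,dc=test", MEMBER_ENTRY, log)
    return slave_deleted, member_deleted, log


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```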
OK - if a "windowscomputer" is a DC in UCS, the s4-connector no longer deletes the object:

sync to ucs:   [             dc] [   modify] cn=slave,cn=dc,cn=computers,dc=w2k8r2en,dc=test
sync to ucs:   [windowscomputer] [   delete] cn=slave,cn=dc,cn=computers,dc=w2k8r2en,dc=test
The windows computer cn=slave,cn=dc,cn=computers,dc=w2k8r2en,dc=test is a Domain Controller in OpenLDAP. The deletion will be skipped.
sync to ucs:   [             dc] [   modify] cn=slave,cn=dc,cn=computers,dc=w2k8r2en,dc=test

OK - other computer objects are still deleted:

sync to ucs:   [windowscomputer] [   delete] cn=ubuntu,dc=w2k8r2en,dc=test
sync from ucs: [windowscomputer] [   delete] cn=ubuntu,dc=w2k8r2en,dc=test
sync to ucs:   [windowscomputer] [   delete] cn=windows,dc=w2k8r2en,dc=test
sync from ucs: [windowscomputer] [   delete] cn=windows,dc=w2k8r2en,dc=test
sync to ucs:   [windowscomputer] [   delete] cn=macos,dc=w2k8r2en,dc=test
sync from ucs: [windowscomputer] [   delete] cn=macos,dc=w2k8r2en,dc=test
sync to ucs:   [windowscomputer] [   delete] cn=member,dc=w2k8r2en,dc=test
sync from ucs: [windowscomputer] [   delete] cn=member,dc=w2k8r2en,dc=test

OK - YAML
OK - UCS 4.0
http://errata.univention.de/ucs/3.2/199.html