Univention Bugzilla – Bug 36734
Unable to join a DC backup into AD domain
Last modified: 2014-11-26 06:54:45 CET
I'm unable to join a DC backup into the AD domain:

root@ucs-3151:~# ucr search --brief role
samba/role: memberserver
server/role: domaincontroller_backup
system/setup/boot/select/role: true
root@ucs-3151:~#

From the join.log:

Configure 26univention-samba.inst Mon Nov 17 02:42:08 EST 2014
Create samba/role
Multifile: /etc/samba/smb.conf
INFO: ad/member is true, will join as memberserver into an AD domain
Create samba/domain/security
Multifile: /etc/samba/smb.conf
Create samba4/ntacl/backend
File: /etc/samba/base.conf
Restarting univention-directory-listener daemon.
ok: run: univention-directory-listener: (pid 8546) 0s, normally down
done.
Setting samba/share/home
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
Setting samba/autostart
Multifile: /etc/samba/smb.conf
Not updating samba/autostart
Stopping the Winbind daemon: winbind.
Create samba/user
Create samba/user/pwdfile
Multifile: /etc/samba/smb.conf
Setting stored password for "cn=ucs-3151,cn=dc,cn=computers,dc=ad92,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd.
Object modified: cn=ucs-3151,cn=dc,cn=computers,dc=ad92,dc=local
Invalid configuration. Exiting....
Host is not configured as a member server.
Failed to join domain: This operation is only allowed for the PDC of the domain.
ERROR: Failed to join to AD DC via net ads join. Please check your Samba DCs and your DNS and WINS configuration.
Mon Nov 17 02:42:26 EST 2014: finish /usr/share/univention-join/univention-join
If I try to join the system later, I get the following log output:

RUNNING 26univention-samba.inst
Setting samba/role
Multifile: /etc/samba/smb.conf
INFO: ad/member is true, will join as memberserver into an AD domain
Setting samba/domain/security
Multifile: /etc/samba/smb.conf
Setting samba/share/home
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
Setting samba/autostart
Multifile: /etc/samba/smb.conf
Not updating samba/autostart
Stopping the Winbind daemon: winbind.
Setting samba/user
Not updating samba/user/pwdfile
Multifile: /etc/samba/smb.conf
Setting stored password for "cn=ucs-3151,cn=dc,cn=computers,dc=ad92,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd.
Object modified: cn=ucs-3151,cn=dc,cn=computers,dc=ad92,dc=local
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Miscellaneous failure (see text) : Matching credential (ldap/win-d5rhq351m1j.ad92.local@AD92.LOCAL) not found
Failed to join domain: failed to connect to AD: Miscellaneous failure (see text) : Matching credential (ldap/win-d5rhq351m1j.ad92.local@AD92.LOCAL) not found
ERROR: Failed to join to AD DC via net ads join. Please check your Samba DCs and your DNS and WINS configuration.
EXITCODE=1
Ok, the problem in Comment 1 was that the KDC time offset is 32399 seconds. I saw this by running net ads join manually with -d10. After running "rdate -n" against the AD server the join succeeded.

About the initial error: seems like "net ads" came to the conclusion that the local system was not configured as a member server. No clue yet why it should get this idea, the smb.conf should have been configured properly at that point.
The net ads join command didn't use the smb.conf. With r55900, export SMB_CONF_PATH=/etc/samba/smb.conf is set.

Changelog: r55901
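A pre-join check that covers both causes established in the comments above (net ads not reading the intended smb.conf, and a KDC clock skew far beyond Kerberos' tolerance). This is an added example, not part of the bug's fix or of univention-join; it assumes the caller obtains the DC's current epoch time separately (for instance from the output of rdate -p), that the member role is declared with the standard "security = ads" (or "domain") line, and that the Kerberos default clock tolerance of 300 seconds applies.

```shell
# Kerberos rejects authentication when clocks differ by more than 300 s (default);
# the 32399 s offset seen in this bug is far beyond that.
MAX_SKEW=300

# skew_seconds LOCAL_EPOCH REMOTE_EPOCH: print the absolute difference in seconds.
skew_seconds() {
  skew=$(( $1 - $2 ))
  [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
  echo "$skew"
}

# clock_ok REMOTE_EPOCH [LOCAL_EPOCH]: succeed if the skew is within tolerance.
# LOCAL_EPOCH defaults to the current local time.
clock_ok() {
  local_epoch=${2:-$(date +%s)}
  [ "$(skew_seconds "$local_epoch" "$1")" -le "$MAX_SKEW" ]
}

# smbconf_member_ok FILE: succeed if the smb.conf that net will actually read
# declares a domain-member role. Without "security = ads|domain" net ads join
# aborts with "Host is not configured as a member server."
smbconf_member_ok() {
  [ -r "$1" ] || return 1
  grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*(ads|domain)[[:space:]]*$' "$1"
}

# make_sample_conf SECURITY_VALUE: write a constructed minimal smb.conf and print its path.
make_sample_conf() {
  f=$(mktemp)
  printf '[global]\n  workgroup = AD92\n  realm = AD92.LOCAL\n  security = %s\n' "$1" > "$f"
  echo "$f"
}

# preflight SMBCONF REMOTE_EPOCH [LOCAL_EPOCH]: run both checks, report every
# failure, and return non-zero if any check failed.
preflight() {
  rc=0
  if ! smbconf_member_ok "$1"; then
    echo "$1: no 'security = ads' line, net ads join would not see a member server"; rc=1
  fi
  if ! clock_ok "$2" "$3"; then
    echo "clock skew $(skew_seconds "${3:-$(date +%s)}" "$2") s exceeds $MAX_SKEW s; sync time first (e.g. rdate -n <DC>)"; rc=1
  fi
  # Pass the config path explicitly, as the fixed joinscript does via SMB_CONF_PATH.
  [ "$rc" -eq 0 ] && echo "ok: SMB_CONF_PATH=$1 net ads join -U Administrator"
  return $rc
}
```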
OK - Installed UCS 4.0 master, slave, backup. Join into AD worked fine for all of them. OK - Changelog
UCS 4.0-0 has been released: http://docs.univention.de/release-notes-4.0-0-en.html http://docs.univention.de/release-notes-4.0-0-de.html If this error occurs again, please use "Clone This Bug".