Univention Bugzilla – Bug 38983
adconnector/take_over_domain: handle LdbError
Last modified: 2017-06-07 15:22:34 CEST
We almost finished the AD takeover process, but at the end UCS told me to click Next with the message "The group policies have been transferred successfully. In order to complete the takeover process, all previous Active Directory Domain Controllers need to be switched off now. Click "Next" as soon as all Domain Controllers are shutdown completely". After clicking Next, we got the error below:

Execution of command 'take_over_domain' has failed:
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/adtakeover/__init__.py", line 60, in _background
    result = func(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/adtakeover/__init__.py", line 119, in take_over_domain
    takeover.take_over_domain(self.progress)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/adtakeover/takeover.py", line 354, in take_over_domain
    takeover_final.create_DNS_SPN()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/adtakeover/takeover.py", line 1759, in create_DNS_SPN
    "msDS-KeyVersionNumber": dnsKeyVersion})
LdbError: (68, 'Entry samAccountName=dns-fmp-ucs-298,CN=Principals already exists')

Now we cannot continue or roll back the system.
Ticket#2015071821000208 with log files attached, please help us.
Created attachment 7036 [details] takeover.patch As far as I understand the logs the UCS DC had been configured as AD member before running AD takeover. The traceback occurs because the DNS service account already exists in secrets.ldb. The patch should avoid that traceback in the future.
Hi Arvid,

You are right about the event of being an AD member before the takeover. Honestly, I had checked 3 options in the setup: (as DC backup) - AD connection - AD Takeover - DHCP Server, and it will be DC master, but after the setup, it does not appear as a DC. I checked carefully, it only appeared in the Computer OU (which holds computer client objects), and did not appear in the Domain Controller OU. After that, I discovered that AD Takeover had not been installed as I chose. Then I installed AD Takeover from the AppCenter and started the AD Takeover process as you know.

Thank you again for your help, Arvid.

Regards,
I reopened this bug because we want to improve the product with the attached patch. Please leave this bug open. Details regarding customer setups are better discussed on a non-public channel.
Reported again: Ticket #2015072921000411
Reported again, 4.1-2 errata176 (Vahr)

Execution of command 'take_over_domain' has failed:
Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 60, in _background
    result = func(self, request)
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 119, in take_over_domain
    takeover.take_over_domain(self.progress)
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 355, in take_over_domain
    takeover_final.create_DNS_SPN()
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 1793, in create_DNS_SPN
    self.samdb.modify(delta)
LdbError: (32, 'No such Base DN: CN=dns-ucsserver1,CN=Users,DC=XXX,DC=LOCAL')
again at: Ticket#2016093021000402
Version: 4.1-3 errata239 (Vahr)

Execution of command 'take_over_domain' has failed:
Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 60, in _background
    result = func(self, request)
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 119, in take_over_domain
    takeover.take_over_domain(self.progress)
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 355, in take_over_domain
    takeover_final.create_DNS_SPN()
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 1793, in create_DNS_SPN
    self.samdb.modify(delta)
LdbError: (32, 'No such Base DN: CN=dns-*,CN=Users,DC=*,DC=LOCAL')
*** Bug 34650 has been marked as a duplicate of this bug. ***
Created attachment 8088 [details] Adjusted takeover.patch for errata4.0-2 and later Thanks to collateral whitespace cleanup during Bug 38729 the initial patch trivially fails for all releases >= errata4.0-2.
Package rebuilt in errata4.2-0 with patch. Advisory: univention-management-console-module-adtakeover.yaml
Created Bug #44583 for the "LdbError: (32, 'No such Base DN: CN=dns-ucsserver1,CN=Users,DC=XXX,DC=LOCAL')" error. This is something else.
Ok, as discussed, I've tried to add a workaround by using a subtree search instead of a base search. Advisory updated.
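The two failure modes in this thread, the DNS principal already existing in secrets.ldb (LdbError 68) and a modify aimed at a guessed CN=dns-<host>,CN=Users,... DN that does not exist (LdbError 32, the case the subtree-search workaround addresses), as an added example; it is not the attached takeover.patch nor the adtakeover module's own code. MiniLdb is a constructed in-memory stand-in for samba's ldb module so the example runs offline (only the two error-code values match ldb's constants), and the function names, hostnames and DNs are assumptions.

```python
# Added example (Python 3), not the adtakeover module's or the attached patch's code.
# It models the two LdbError cases from this bug and shows handling that neither
# crashes on them nor masks other failures:
#   68 ERR_ENTRY_ALREADY_EXISTS - re-adding the DNS principal to secrets.ldb
#   32 ERR_NO_SUCH_OBJECT       - modify at a guessed DN CN=dns-<host>,CN=Users,...
# MiniLdb is a constructed stand-in for samba's ldb module; only the two
# error-code values below are taken from ldb.

ERR_NO_SUCH_OBJECT = 32          # same value as ldb.ERR_NO_SUCH_OBJECT
ERR_ENTRY_ALREADY_EXISTS = 68    # same value as ldb.ERR_ENTRY_ALREADY_EXISTS


class LdbError(Exception):
    """Shaped like ldb.LdbError: args are (code, message)."""

    def __init__(self, code, msg):
        super().__init__(code, msg)
        self.code = code
        self.msg = msg


class MiniLdb:
    """Constructed stand-in: dict-backed add/modify/subtree search.

    DNs compare case-insensitively, as LDAP does. search() takes
    (base, attribute, value) instead of an LDAP filter string, which is a
    simplification of ldb's real search() signature.
    """

    def __init__(self):
        self._entries = {}   # dn.lower() -> (original dn, attribute dict)

    def add(self, msg):
        dn = msg["dn"]
        if dn.lower() in self._entries:
            raise LdbError(ERR_ENTRY_ALREADY_EXISTS, "Entry %s already exists" % dn)
        self._entries[dn.lower()] = (dn, {k: v for k, v in msg.items() if k != "dn"})

    def modify(self, msg):
        dn = msg["dn"]
        if dn.lower() not in self._entries:
            raise LdbError(ERR_NO_SUCH_OBJECT, "No such Base DN: %s" % dn)
        self._entries[dn.lower()][1].update({k: v for k, v in msg.items() if k != "dn"})

    def search(self, base, attr, value):
        """Subtree search: every entry at or below base whose attr equals value."""
        suffix = base.lower()
        return [dict(dn=dn, **attrs) for key, (dn, attrs) in self._entries.items()
                if key.endswith(suffix) and attrs.get(attr) == value]

    def get(self, dn, attr):
        return self._entries[dn.lower()][1].get(attr)


def ensure_dns_principal(secrets, sam_account, key_version):
    """Create the DNS principal in secrets.ldb, or refresh it if it already exists.

    Returns "created" or "updated". Only ERR_ENTRY_ALREADY_EXISTS is tolerated;
    any other LdbError propagates so a real failure is not hidden behind a
    "successful" takeover.
    """
    record = {"dn": "samAccountName=%s,CN=Principals" % sam_account,
              "samAccountName": sam_account,
              "msDS-KeyVersionNumber": key_version}
    try:
        secrets.add(record)
        return "created"
    except LdbError as exc:
        if exc.code != ERR_ENTRY_ALREADY_EXISTS:
            raise
    secrets.modify(record)   # entry exists from an earlier run: store the current key version
    return "updated"


def guessed_spn_update(samdb, base_dn, hostname, spn):
    """Fragile form: assume the account sits at CN=dns-<host>,CN=Users,<base>.

    Returns None on success or the LdbError code (32 when the guess is wrong).
    """
    dn = "CN=dns-%s,CN=Users,%s" % (hostname, base_dn)
    try:
        samdb.modify({"dn": dn, "servicePrincipalName": spn})
    except LdbError as exc:
        return exc.code
    return None


def searched_spn_update(samdb, base_dn, hostname, spn):
    """Robust form: locate the account by samAccountName with a subtree search.

    Returns the DN that was modified, or None if no such account exists.
    Raises on ambiguity instead of silently picking one of several matches.
    """
    hits = samdb.search(base_dn, "samAccountName", "dns-%s" % hostname)
    if not hits:
        return None
    if len(hits) > 1:
        raise ValueError("ambiguous dns-%s account: %d matches" % (hostname, len(hits)))
    dn = hits[0]["dn"]
    samdb.modify({"dn": dn, "servicePrincipalName": spn})
    return dn


if __name__ == "__main__":
    secrets = MiniLdb()                                  # constructed sample data
    print(ensure_dns_principal(secrets, "dns-host1", 2))  # created
    print(ensure_dns_principal(secrets, "dns-host1", 3))  # updated
    sam = MiniLdb()
    sam.add({"dn": "CN=dns-host1,OU=Service,DC=example,DC=local",
             "samAccountName": "dns-host1"})
    print(guessed_spn_update(sam, "DC=example,DC=local", "host1", "DNS/host1.example.local"))   # 32
    print(searched_spn_update(sam, "DC=example,DC=local", "host1", "DNS/host1.example.local"))
```

The account in the sample lives under OU=Service rather than CN=Users, which is exactly the situation in which the base-DN guess yields error 32 while the subtree search still finds it. The re-raise in ensure_dns_principal matches the point made later in this thread that a fix which swallows unrelated errors only hides the original problem.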
*** Bug 44583 has been marked as a duplicate of this bug. ***
Felix had the brilliant idea to get rid of the whole special create_DNS_SPN code and run the univention-samba4-dns joinscript instead. Advisory updated.
Unfortunately, we allow the takeover on master, backup and slave -> https://docs.software-univention.de/manual-4.2.html#windows:adtakeover

"The UCS domain controller (master domain controller, backup domain controller or slave domain controller) needs to be installed with a unique hostname, not used in the AD domain."

If the UCS server is not a master, univention-run-join-scripts asks for the password and the takeover process hangs forever. What now?
But that already happens before this change for the other two joinscripts? So that would be a separate issue, or am I missing something?

Re Comment 17: yeah, we discussed that option, but that script masks the return code by exit 0. Then the user doesn't get feedback about a possible failure. That's the whole point we discussed for a different bug: if an incomplete "fix" for a bug masks the original problem, then it's not good.
The password of the user (is the module forced to be executed by an Administrator?) is available in self.username/self.password - if not logged in via SAML. If logged in via SAML there is a decorator @required_password.

There were already 2 joinscripts which were executed, what about them? The problem existed before, too?!
(In reply to Florian Best from comment #20)
> The password of the user (is the module forced to be executed by an
> Administrator?) is available in self.username/self.password - if not logged
> in via SAML. If logged in via SAML there is a decorator @required_password.

You can also do an AD takeover via system-setup, which is an anonymous user. It has to be made sure that the credentials are also passed correctly from the setup wizard.
(In reply to Arvid Requate from comment #19)
> But that already happens before this change for the other two joinscripts?
> So that would be a separate issue, or am I missing something?
>
> Re Comment 17: yeah, we discussed that option but that script masks the
> return code by exit 0. Then the user doesn't get feedback about a possible
> failure. That's the whole point we discussed about for different bug: If an
> incomplete "fix" for a bug masks the original problem, then it's not good.

Yes, but the other two join scripts are very rare exceptions while univention-samba4-dns is always installed. So we have increased the chance of hitting this bug by 1000 + x %. I think we have to fix this now (or revert the change and reactivate create_DNS_SPN).

Possible fixes:
* run univention-run-join-scripts only on MASTER
* use -dcaccount -dcpwd
(In reply to Erik Damrose from comment #21)
> You can also do an AD takeover via system-setup

I was wrong, one can only install the ad-takeover during system setup, but the takeover itself is not possible.
> possible fixes:
> * use -dcaccount -dcpwd

Ok, adjusted. Advisory updated.
(In reply to Felix Botner from comment #18)
> Unfortunately, we allow the takeover on master, back and slave
> -> https://docs.software-univention.de/manual-4.2.html#windows:adtakeover
>
> The UCS domain controller (master domain controller, backup domain
> controller
> or slave domain controller) needs to be installed with a unique hostname,
> not
> used in the AD domain.
>
> If the ucs server is not a master univention-run-join-scripts asks for the
> password and the takeover process hangs forever.
>
> What now?

NO, the takeover app requires a UCS master, and the takeover itself also (fails on backup during Samba domain join):

successful.
2017-05-18 11:13:19,779 Calling: univention-run-join-scripts --run-scripts 96univention-samba4.inst
2017-05-18 11:13:20,334 **************************************************************************
2017-05-18 11:13:20,334 * Running join scripts failed! *
2017-05-18 11:13:20,334 **************************************************************************
2017-05-18 11:13:20,335 * Message: binddn for user not found
2017-05-18 11:13:20,335 **************************************************************************
2017-05-18 11:13:20,336 ERROR: Final univention-run-join-scripts --run-scripts 96univention-samba4.inst failed (1)

So the manual is broken, I am afraid to say, but we should revert the last change.
Ok, reverted to Comment 16. Advisory updated.
OK - takeover
OK - YAML
<http://errata.software-univention.de/ucs/4.2/29.html>