Bug 42022 - binddn for user $DCACCOUNT not found
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
UCS 4.2
Other Linux
: P5 normal
: UCS 4.3-1-errata
Assigned To: Richard Ulmer
Arvid Requate
Depends on:
Blocks: 47767
Reported: 2016-08-17 16:33 CEST by Florian Best
Modified: 2018-11-13 15:11 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018073121000311, 2018040921000841, 2018041321000511, 2017120521000675, 2016093021000073, 2016100121000053, 2016111021000909, 2016120521000328, 2017051321000468, 2017062221000449, 2017080621000225
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:

bug42022_qa.patch (4.37 KB, patch)
2018-07-12 17:54 CEST, Arvid Requate

Description Florian Best univentionstaff 2016-08-17 16:33:36 CEST
We received the feedback that the initial setup failed with the message:
Domain setup (this might take a while): binddn for user EvosysAdmin not found.

Version: 4.1-3 errata234 (Vahr)

Remark: Trying to join second UCS Server as member server into existing UCS domain

management/univention-join/univention-join:485: failed_message "binddn for user $DCACCOUNT not found. "

We could enhance the message and make further checks before starting the system setup.
Comment 1 Florian Best univentionstaff 2016-10-04 12:33:09 CEST
Reported again, 4.1-3 errata282 (Vahr)
Comment 2 Florian Best univentionstaff 2016-10-04 12:38:04 CEST
Reported again, 4.1-3 errata282 (Vahr)

Remark: Perfectly normal installation for the umpteenth time, with the same problems when adding a backup domain controller.
The Administrator account is damaged/changed after the AD connection (already on the domain master). In the web console only every third login works. The AD sync fails with access violations as soon as it is needed for a join. The system is unusable afterwards. For a week, including several nights, I have been searching in vain for a workaround.
Endlessly frustrating. DN (****.com) and Windows domain (Entwickler) are different in my case (and I set it correctly beforehand via F3: ucr set windows/domain="ENTWICKER").
Comment 3 Florian Best univentionstaff 2016-11-11 10:35:09 CET
Reported again, 4.1-4 errata324 (Vahr)
Comment 4 Florian Best univentionstaff 2016-12-09 17:42:21 CET
Reported again, 4.1-3 errata350 (Vahr)

Remark: adding a domain slave to my ucs-network
Comment 5 Florian Best univentionstaff 2017-05-16 13:08:40 CEST
Version: 4.2-0 errata15 (Lesum)
Comment 6 Florian Best univentionstaff 2017-06-23 17:25:53 CEST
Reported again, 4.2-1 errata52 (Lesum)
Role: domaincontroller_backup
Comment 7 Florian Best univentionstaff 2017-08-15 09:17:23 CEST
Version: 4.2-1 errata122 (Lesum)

Remark: Always the same error, because you reset the read permissions of machine.secret with every update!!!!
Comment 8 Florian Best univentionstaff 2017-11-27 19:12:40 CET
I think as a solution we can search for the binddn of the user before starting the join process. If it's not available we can deny the further configuration.
Comment 9 Johannes Keiser univentionstaff 2017-12-11 16:58:47 CET
Reported again: Version: 4.2-2 errata231 (Lesum)

Domain setup (this might take a while): binddn for user Administrator not found.
Comment 10 Johannes Keiser univentionstaff 2018-04-13 11:37:43 CEST
Reported again: Version: 4.3-0 errata0 (Neustadt)
Comment 11 Johannes Keiser univentionstaff 2018-04-13 11:39:04 CEST
(In reply to Johannes Keiser from comment #10)
> Reported again: Version: 4.3-0 errata0 (Neustadt)

Remark: Fresh install of a UCS DC backup, UCS DC master is member of AD domain
Comment 12 Johannes Keiser univentionstaff 2018-04-27 19:50:10 CEST
Reported again: Version: 4.2-3 errata321 (Lesum)

Remark: I am not able to join my existing domain. With owncloud appliance, there was no issue. test123 is a test-domainadmin I've created just to check if it's a problem with the

Domain setup (this might take a while): binddn for user test123 not found.
Comment 13 Richard Ulmer univentionstaff 2018-07-03 12:55:40 CEST
How can this bug be reproduced?

When entering invalid credentials for the domain administrator in the system setup I will be prompted to enter the correct ones. I did also go through an installation in AD-Member mode and did not encounter any problems.
Comment 14 Richard Ulmer univentionstaff 2018-07-09 15:17:02 CEST
Since I couldn't reproduce the problem I've just added an additional check to the system setup. It runs univention-join with a newly added -checkPrerequisites parameter, to see if there are any problems.

The check is run when clicking "Next" on the "Domain join information" page.

Since more of such checks will follow I have refactored the code a bit in the process.

univention-system-setup (11.0.5-5)
38f83e9ef2d5 | Bug #42022: Merge branch 'rulmer/42022' into 4.3-1
886dc6624ecd | Bug #42022: Add changelog entry for univention-system-setup
8a407009cf7e | Bug #42022: Cleanup
1de1faf3d909 | Bug #42022: Also test if univention-join will work in system setup

a788f2053fb3 | Bug #42022: Update yaml file

univention-join (10.0.0-16)
38f83e9ef2d5 | Bug #42022: Merge branch 'rulmer/42022' into 4.3-1
9d2733a2fbc7 | Bug #42022: Add changelog entry for univention-join
d0639114a962 | Bug #42022: Add -checkPrerequisites mode for univention-join

63529a211e8a | Bug #42022: Update yaml file
Comment 15 Arvid Requate univentionstaff 2018-07-09 17:49:45 CEST
The package version in univention-join.yaml has not been updated.
Comment 16 Richard Ulmer univentionstaff 2018-07-10 08:44:19 CEST
Thanks for the heads-up.

b754411987 | Bug #42022: Update version in univention-join.yaml file
Comment 17 Arvid Requate univentionstaff 2018-07-12 17:54:07 CEST
Created attachment 9594

QA feedback:

* The errors reported in the CHECK_RUN phase of univention-join are not written to join.log but only to stdout. The attached patch would fix both: a) log to join.log too and b) display the error message. If you are installing from a DVD it's pretty hard for the user to retrieve the join.log from that system (e.g. no ssh yet).

* The translation for the new UMC_Errormessage is missing

* The attached patch additionally adds another binddn search via GSSAPI that could help avoid the issue reported on this bug itself: Currently, in case the udm search fails, we only fall back to ldapsearch via LDAPI, which only works for root, and finally anonymous LDAP search, which is disabled by default. Neither is likely to succeed. The GSSAPI search may also fail, but it's at least something that could possibly work for users != root.
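
Added example (not part of this bug report, and not the code of univention-join or of the attached patch): a shell sketch of a binddn lookup that tries the bind methods named in comment 17 one after another and reports each outcome both to a log file and to the terminal. The `LDAPSEARCH` and `JOIN_LOG` variables, the function names, the `uid` filter and the position of the GSSAPI attempt in the sequence are assumptions of this sketch; the udm search on the master is left out.

```shell
#!/bin/sh
# Added example, not univention-join code. LDAPSEARCH and JOIN_LOG are
# assumptions of this sketch so the lookup can be stubbed and logged.
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"
JOIN_LOG="${JOIN_LOG:-/tmp/join-precheck.log}"

# Report to the log file and to the terminal (stderr), so the message is
# visible even when the log cannot be fetched from the machine.
log() {
    printf '%s\n' "$*" | tee -a "$JOIN_LOG" >&2
}

# Escape the RFC 4515 filter metacharacters in a user-supplied account name.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print the DN for account $1 on LDAP server $2, trying each bind method
# in turn; return 1 when none of them yields an entry.
find_binddn() {
    user=$1
    host=$2
    filter="(uid=$(ldap_escape "$user"))"
    for method in ldapi gssapi anonymous; do
        case $method in
            ldapi)     set -- -Y EXTERNAL -H ldapi:/// ;;     # works for root only
            gssapi)    set -- -Y GSSAPI -H "ldap://$host" ;;  # needs a Kerberos ticket
            anonymous) set -- -x -H "ldap://$host" ;;         # disabled by default
        esac
        # "1.1" requests no attributes, so only the "dn:" line comes back.
        dn=$("$LDAPSEARCH" -LLL -o ldif-wrap=no "$@" "$filter" 1.1 \
            2>/dev/null | sed -n 's/^dn: //p' | head -n 1)
        if [ -n "$dn" ]; then
            log "binddn for user $user found via $method"
            printf '%s\n' "$dn"
            return 0
        fi
        log "binddn lookup for user $user via $method returned nothing"
    done
    log "binddn for user $user not found"
    return 1
}
```

Because every attempt is logged with its method name, a failed pre-join check shows which bind methods were tried instead of only the final "not found" message.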
Comment 18 Richard Ulmer univentionstaff 2018-07-16 15:54:22 CEST
The changes in the patch look reasonable to me and all altered commands work, so I applied the patch. The missing translation has also been added.

e417790c083e | Bug #42022: Update yaml file

univention-system-setup (11.0.5-7)
844d790374bf | Bug #42022: Merge branch 'rulmer/42022' into 4.3-1
d683e33c46e6 | Bug #42022: Add changelog entry
f04d1d0c88a0 | Bug #42022: Add translation
b64d0b6eb9d2 | Bug #42022: Apply patch from QA
Comment 19 Felix Botner univentionstaff 2018-07-17 16:59:32 CEST
This breaks the install tests (samba-env, slave installation).

Installation of a new slave system fails with

  univention-join -checkPrerequisites reported a problem.
  The OpenLDAP extension memberOf is activated on the UCS master (UCR variable 
  ldap/overlay/memberof is true). In order to join this system successfully

see http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/Installation%20Tests/mode=samba-env/ws/screenshots/error.png
Comment 20 Richard Ulmer univentionstaff 2018-07-18 12:29:28 CEST
I fixed the problem mentioned in comment #19.

univention-join (10.0.0-17)
b806a39beccf | Bug #42022: Fix test in -checkPrerequisites mode of univention-join

0e095ad7ac4b | Bug #42022: Update yaml file
Comment 21 Arvid Requate univentionstaff 2018-07-24 12:02:23 CEST
Ok, package update and join worked, even when I temporarily break /usr/sbin/udm on the master.
Comment 22 Johannes Keiser univentionstaff 2018-07-31 14:25:21 CEST
Reported again:
Version: 4.3-1 errata157 (Neustadt)

Domain setup (this might take a while): Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- binddn for user Administrator not found.

Role: domaincontroller_backup