Bug 42022 – binddn for user $DCACCOUNT not found

Bug 42022 - binddn for user $DCACCOUNT not found


Summary:	binddn for user $DCACCOUNT not found

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Join (univention-join)
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.3-1-errata
Assigned To:	Richard Ulmer
QA Contact:	Arvid Requate

URL:
Keywords:

Depends on:
Blocks:	47767
	Show dependency tree / graph

Reported:	2016-08-17 16:33 CEST by Florian Best
Modified:	2018-11-13 15:11 CET (History)
CC List:	5 users (show)

See Also:	43006 48134
What kind of report is it?:	Bug Report
What type of bug is this?:	6: Setup Problem: Issue for the setup process
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	3: A User would likely not purchase the product
User Pain:	0.206
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2018073121000311, 2018040921000841, 2018041321000511, 2017120521000675, 2016093021000073, 2016100121000053, 2016111021000909, 2016120521000328, 2017051321000468, 2017062221000449, 2017080621000225
Bug group (optional):	Error handling, External feedback
Max CVSS v3 score:

Attachments
bug42022_qa.patch (4.37 KB, patch) 2018-07-12 17:54 CEST, Arvid Requate	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Best

2016-08-17 16:33:36 CEST

We received the feedback, that the initial setup failed with the message:
Domain setup (this might take a while): binddn for user EvosysAdmin not found.

Version: 4.1-3 errata234 (Vahr)

Remark: Trying to join second USC Server as member server into existing UCS domain

management/univention-join/univention-join:485: failed_message "binddn for user $DCACCOUNT not found. "

We could enhance the message and make further checks before starting the system setup.

Comment 1 Florian Best

2016-10-04 12:33:09 CEST

Reported again, 4.1-3 errata282 (Vahr)

Comment 2 Florian Best

2016-10-04 12:38:04 CEST

Reported again, 4.1-3 errata282 (Vahr)

Remark: Ganz normale installation zum X-ten mal mit den gleichen Problemen bei aufnahme eines Backup-Domain-Controlers.
Der Administrator Account ist nach der AD-Verbindung beschädigt/verändert (schon am Domain-Master). In der Web-Konsole funktioniert nur jede 3. Anmeldung. Die AD-Sync schlägt mit
Zugriffsverletzungen auf sobald diese für eine join benötigt wird. Das System ist danach unbrauchbar. Seit 1 ner Woche mit mehreren Nächten suche ich vergeblich eine Workaround.
Frustierend ohne Ende. DN (****.com) und Windows-Domain (Entwickler) sind bei mir unterschiedlich (uns setze ich über F3 vorher richtig ucr set windows/domain="ENTWICKER".

Comment 3 Florian Best

2016-11-11 10:35:09 CET

Reported again, 4.1-4 errata324 (Vahr)

Comment 4 Florian Best

2016-12-09 17:42:21 CET

Reported again, 4.1-3 errata350 (Vahr)

Remark: adding a domain slave to my ucs-network

Comment 5 Florian Best

2017-05-16 13:08:40 CEST

Version: 4.2-0 errata15 (Lesum)

Comment 6 Florian Best

2017-06-23 17:25:53 CEST

Reported again, 4.2-1 errata52 (Lesum)
Role: domaincontroller_backup

Comment 7 Florian Best

2017-08-15 09:17:23 CEST

Version: 4.2-1 errata122 (Lesum)

Remark: Immer der gleiche Fehler, weil Ihr mit jedem Update die Leserechte von machine.secret zurücksetzt !!!!

Comment 8 Florian Best

2017-11-27 19:12:40 CET

I think as a solution we can search for the binddn of the user before starting the join process. If it's not available we can deny the further configuration.

Comment 9 Johannes Keiser

2017-12-11 16:58:47 CET

Reported again: Version: 4.2-2 errata231 (Lesum)

Domain setup (this might take a while): binddn for user Administrator not found.

Comment 10 Johannes Keiser

2018-04-13 11:37:43 CEST

Reported again: Version: 4.3-0 errata0 (Neustadt)

Comment 11 Johannes Keiser

2018-04-13 11:39:04 CEST

(In reply to Johannes Keiser from comment #10)
> Reported again: Version: 4.3-0 errata0 (Neustadt)

Remark: Fresh install of a UCS DC backup, UCS DC master is member of AD domain

Comment 12 Johannes Keiser

2018-04-27 19:50:10 CEST

Reported again: Version: 4.2-3 errata321 (Lesum)

Remark: I am not able to join my existing domain. with owncloud appliance, there were no issue. test123 is a test-domainadmin ive created just to check if its a problem with the
user

Domain setup (this might take a while): binddn for user test123 not found.

Comment 13 Richard Ulmer

2018-07-03 12:55:40 CEST

How can this bug be reproduced?

When entering invalid credentials for the domain administrator in the system setup I will be prompted to enter the correct ones. I did also go through an installation in AD-Member mode and did not encounter any problems.

Comment 14 Richard Ulmer

2018-07-09 15:17:02 CEST

Since I couldn't reproduce the problem I've just added an additional check to the system setup. It runs univention-join with a newly added -checkPrerequisites parameter, to see if there are any problems.

The check is run when clicking "Next" on the "Domain join information" page.

Since more of such checks will follow I have refactored the code a bit in the process.

univention-system-setup (11.0.5-5)
38f83e9ef2d5 | Bug #42022: Merge branch 'rulmer/42022' into 4.3-1
886dc6624ecd | Bug #42022: Add changelog entry for univention-system-setup
8a407009cf7e | Bug #42022: Cleanup
1de1faf3d909 | Bug #42022: Also test if univention-join will work in system setup

univention-system-setup.yaml
a788f2053fb3 | Bug #42022: Update yaml file

univention-join (10.0.0-16)
38f83e9ef2d5 | Bug #42022: Merge branch 'rulmer/42022' into 4.3-1
9d2733a2fbc7 | Bug #42022: Add changelog entry for univention-join
d0639114a962 | Bug #42022: Add -checkPrerequisites mode for univention-join

univention-join.yaml
63529a211e8a | Bug #42022: Update yaml file

Comment 15 Arvid Requate

2018-07-09 17:49:45 CEST

The package version in univention-join.yaml has not been updated.

Comment 16 Richard Ulmer

2018-07-10 08:44:19 CEST

Thanks for the heads-up.

univention-join.yaml
b754411987 | Bug #42022: Update version in univention-join.yaml file

Comment 17 Arvid Requate

2018-07-12 17:54:07 CEST

Created attachment 9594 [details]
bug42022_qa.patch

QA feedback:

* The errors reported in the CHECK_RUN phase of univention-join are not written to join.log but only to stdout. The attached patch would fix both: a) log to join.log too and b) display the error message. If you are installing from a DVD it's pretty hard for the user to retrieve the join.log from that system (e.g. no ssh yet).

* The translation for the new UMC_Errormessage is missing

* The attached patch additionally adds another binddn search via GSSAPI that could help avoid the issue reported on this bug itself: Currently, in case the udm search fails, we only fall back to ldapsearch via LDAPI, which only works for root, and finally anonymous LDAP search, which is disabled by default. Both isn't likely to succeed. The GSSAPI search may also fail, but it's at least something that could possibly work for users != root.

Comment 18 Richard Ulmer

2018-07-16 15:54:22 CEST

The changes in the patch look reasonable to me and all altered commands work, so I applied the patch. The missing translation has also been added.

univention-system-setup.yaml
e417790c083e | Bug #42022: Update yaml file

univention-system-setup (11.0.5-7)
844d790374bf | Bug #42022: Merge branch 'rulmer/42022' into 4.3-1
d683e33c46e6 | Bug #42022: Add changelog entry
f04d1d0c88a0 | Bug #42022: Add translation
b64d0b6eb9d2 | Bug #42022: Apply patch from QA

Comment 19 Felix Botner

2018-07-17 16:59:32 CEST

This breaks the install tests (samba-env, slave installation.

Installation of a new slave system fails with

  univention-join -checkPrerequisites reported a problem.
  The OpenLDAP extension memberOf is activated on the UCS master (UCR variable 
  ldap/overlay/memberof is true). In order to join this system successfully

see http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/Installation%20Tests/mode=samba-env/ws/screenshots/error.png

Comment 20 Richard Ulmer

2018-07-18 12:29:28 CEST

I fixed the problem mentioned in comment #19.

univention-join (10.0.0-17)
b806a39beccf | Bug #42022: Fix test in -checkPrerequisites mode of univention-join

univention-join.yaml
0e095ad7ac4b | Bug #42022: Update yaml file

Comment 21 Arvid Requate

2018-07-24 12:02:23 CEST

Ok, package update and join worked, even when I temporarily break /usr/sbin/udm on the master.

Comment 22 Johannes Keiser

2018-07-31 14:25:21 CEST

Reported again:
Version: 4.3-1 errata157 (Neustadt)

Domain setup (this might take a while): Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- binddn for user Administrator
not found.

Role: domaincontroller_backup

Comment 23 Arvid Requate

2018-08-22 14:26:14 CEST

<http://errata.software-univention.de/ucs/4.3/214.html>
<http://errata.software-univention.de/ucs/4.3/216.html>