Bug 44762 - adconnector/check_domain() GSSAPI failed
adconnector/check_domain() GSSAPI failed
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Felix Botner
Arvid Requate
:
Depends on: 38285
Blocks: 45401
  Show dependency treegraph
 
Reported: 2017-06-12 13:56 CEST by Florian Best
Modified: 2018-02-15 18:26 CET (History)
9 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.514
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2018012721000036, 2017112721000617, 2017091221000382, 2017060721000816, 2017062721000207, 2017080821000552, 2017081821000301, 2017082321000131, 2017082821000372, 2017082721000061, 2017090221000347
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:


Attachments
management-console-module-setup.log (22.64 KB, text/x-log)
2017-07-06 12:09 CEST, Johannes Keiser
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-06-12 13:56:09 CEST
This has been reported again with UCS 4.2-0 errata 29.

Execution of command 'adconnector/check_domain' has failed:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "%PY2.7%/univention/management/console/modules/adconnector/__init__.py", line 393, in check_domain
    admember.check_ad_account(ad_domain_info, username, password)
  File "%PY2.7%/univention/lib/admember.py", line 261, in check_ad_account
    lo_ad.lo.sasl_interactive_bind_s("", auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (Matching credential (ldap/192.168.5.81@168.5.81) not found)', 'desc': 'Local
error'}

+++ This bug was initially created as a clone of Bug #38285 +++

We received the following traceback, 4.0-1 errata152 (Walle).

Execution of command 'adconnector/check_domain' has failed:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/__init__.py", line 176, in _decorated
    return function(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 188, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 316, in _response
    result = _multi_response(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 460, in _response
    return list(function(self, iterator, *nones))
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 282, in _fake_func
    yield function(self, *args)
  File "%PY2.7%/univention/management/console/modules/adconnector/__init__.py", line 377, in check_domain
    admember.check_ad_account(ad_domain_info, username, password)
  File "%PY2.7%/univention/lib/admember.py", line 235, in check_ad_account
    lo_ad.lo.sasl_interactive_bind_s("", auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (Matching credential (ldap/xbmc.desk76.local@DESK76.LOCAL) not found)', 'desc': 'Local error'}
Comment 1 Florian Best univentionstaff 2017-06-27 09:58:27 CEST
Reported again, 4.2-1 errata52 (Lesum)

Remark: Creating a Backup GC with the setup routine.
Comment 2 Stefan Gohmann univentionstaff 2017-06-28 06:51:39 CEST
Mark all bugs with a user pain > 0.3 as errata bugs.
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2017-07-04 12:49:17 CEST
I was able to reproduce this.

04.07.17 12:23:39.964  MODULE      ( PROCESS ) : stderr: 
04.07.17 12:23:40.122  MODULE      ( PROCESS ) : AD Info: {'Domain': 'myad.intra', 'LDAP Base': 'DC=myad,DC=intra', 'Forest': 'myad.intra', 'Client Site': 'Default-First-Site-Name', 'DC Netbios Name': 'WIN-HVD93QSGOEV', 'DC DNS Name': 'WI
N-HVD93QSGOEV.myad.intra', 'Netbios Domain': 'MYAD', 'DC IP': '10.200.18.98', 'Server Site': 'Default-First-Site-Name'}
04.07.17 12:23:40.376  MODULE      ( PROCESS ) : Time difference is less than 180 seconds, skipping reset of local time
04.07.17 12:23:40.602  MODULE      ( PROCESS ) : Prepare Kerberos UCR settings
04.07.17 12:23:40.603  MODULE      ( PROCESS ) : Setting UCR variables: [u'kerberos/defaults/dns_lookup_kdc=true', u'kerberos/realm=MYAD.INTRA']
04.07.17 12:23:41.158  MODULE      ( PROCESS ) : Unsetting UCR variables: [u'kerberos/kdc', u'kerberos/kpasswdserver', u'kerberos/adminserver']
04.07.17 12:23:41.403  MODULE      ( PROCESS ) : Setting UCR variables: [u'hosts/static/10.200.18.98=WIN-HVD93QSGOEV.myad.intra']
04.07.17 12:23:43.298  MODULE      ( PROCESS ) : Die Ausführung des Kommandos adconnector/check_domain ist fehlgeschlagen:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/adconnector/__init__.py", line 393, in check_domain
    admember.check_ad_account(ad_domain_info, username, password)
  File "/usr/lib/pymodules/python2.7/univention/lib/admember.py", line 261, in check_ad_account
    lo_ad.lo.sasl_interactive_bind_s("", auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (Matching credential (ldap/10.200.18.98@200.18.98) not found)', 'desc': 'Local error'}
Comment 4 Florian Best univentionstaff 2017-07-04 12:53:07 CEST
Note: There is a difference to Bug #38285Bug #38285 had always FQDN's in the error message
→ This Bug always has IP addresses in the error message
Comment 5 Arvid Requate univentionstaff 2017-07-04 13:15:52 CEST
> → This Bug always has IP addresses in the error message

AFAIK GSSAPI only works with FQDNs.
Comment 6 Arvid Requate univentionstaff 2017-07-04 13:16:56 CEST
Re: Comment 3:

> I was able to reproduce this.

How, where? Logs?
Comment 7 Johannes Keiser univentionstaff 2017-07-06 12:09:47 CEST
Created attachment 9001 [details]
management-console-module-setup.log
Comment 8 Jürn Brodersen univentionstaff 2017-07-13 15:29:49 CEST
I think I saw the same error, too:

Windows DC: Server 2008r2
Ad member: UCS 4.2

The error happened with the forest functional level set to 2003. After raising it to 2008r2 I could join without an error.
Comment 9 Florian Best univentionstaff 2017-08-15 11:37:19 CEST
Reported again, 4.2-1 errata52 (Lesum)
Comment 10 Felix Botner univentionstaff 2017-08-17 19:53:27 CEST
yup, can be reproduced with 2008R2 Domain(Forest) mode 2003

seems to be a timing/nscd issue. Without a running nscd it works. Don't know why, don't know how ... 
anyway just stop nscd in check_ad_account before sasl bind and start nscd 


QA: 

this is enough to force the error:

import univention.lib.admember
info = univention.lib.admember.lookup_adds_dc(ad_server='10.210.109.164')
username = 'Administrator'
password = 'SYZUnE%78h'
univention.lib.admember.check_ad_account(info, username, password)
...
Traceback (most recent call last):
  File "/opt/a.py", line 8, in <module>
    univention.lib.admember.check_ad_account(info, username, password)
  File "/usr/lib/pymodules/python2.7/univention/lib/admember.py", line 262, in check_ad_account
    lo_ad.lo.sasl_interactive_bind_s("", auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (Matching credential (ldap/10.210.109.164@210.109.164) not found)', 'desc': 'Local error'}
Comment 11 Florian Best univentionstaff 2017-08-21 11:17:56 CEST
Version: 4.2-1 errata118 (Lesum)
Comment 12 Florian Best univentionstaff 2017-08-23 10:33:53 CEST
Reported again, 4.2-1 errata118 (Lesum)

Remark: Problem with AD acces
Comment 13 Arvid Requate univentionstaff 2017-08-28 19:43:06 CEST
Ok.
Comment 14 Florian Best univentionstaff 2017-08-29 14:06:32 CEST
Version: 4.2-1 errata144 (Lesum)

Remark: Einrichtung AD-Connector beim Kunden,
Comment 15 Florian Best univentionstaff 2017-08-29 14:07:25 CEST
Version: 4.2-1 errata118 (Lesum)

Remark: Cant join Domain
Comment 16 Michael Grandjean univentionstaff 2017-08-29 14:21:46 CEST
(In reply to Florian Best from comment #14)
> Version: 4.2-1 errata144 (Lesum)
> 
> Remark: Einrichtung AD-Connector beim Kunden,

That was me. I can confirm that stopping nscd helped in this case :)
Comment 17 Arvid Requate univentionstaff 2017-09-13 16:35:06 CEST
<http://errata.software-univention.de/ucs/4.2/160.html>
Comment 18 Florian Best univentionstaff 2017-09-15 11:37:37 CEST
Version: 4.2-1 errata118 (Lesum)
Comment 19 Florian Best univentionstaff 2017-09-15 11:45:06 CEST
 Version: 4.2-1 errata159 (Lesum)

Remark: unable to join currrent AD domain
Comment 20 Arvid Requate univentionstaff 2017-10-13 11:14:29 CEST
*** Bug 45401 has been marked as a duplicate of this bug. ***
Comment 21 Johannes Keiser univentionstaff 2017-11-29 14:05:33 CET
Version: 4.2-1 errata118 (Lesum)
Comment 22 Johannes Keiser univentionstaff 2018-02-15 18:26:08 CET
Reported again: Version: 4.2-1 errata133 (Lesum)