Univention Bugzilla – Bug 51806
AD Member Mode: sambaJoinScriptFailed (wait for well known sid objects not correct?)
Last modified: 2020-08-11 14:30:13 CEST
UCS appliance joins as member into w2k12 German AD. Admin account is Administrator2, domain admins group in AD is Domänen-Admins.

11.08.20 06:56:03.443 MODULE ( PROCESS ) : Running samba join script ...
Stopping winbind (via systemctl): winbind.service.
Create samba/user
Create samba/user/pwdfile
Multifile: /etc/samba/smb.conf
Setting stored password for "cn=ucs,cn=dc,cn=computers,dc=admember,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping smbd (via systemctl): smbd.service.
Stopping nmbd (via systemctl): nmbd.service.
Starting nmbd (via systemctl): nmbd.service.
Starting smbd (via systemctl): smbd.service.
Permission denied.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/setup/setup_script.py", line 313, in run
    success = self.inner_run()
  File "/usr/lib/univention-system-setup/scripts/90_postjoin/10admember", line 119, in inner_run
    admember.run_samba_join_script(username, password)
  File "/usr/lib/python2.7/dist-packages/univention/lib/admember.py", line 1266, in run_samba_join_script
    raise sambaJoinScriptFailed()
sambaJoinScriptFailed

My assumption is that the "Permission denied." is from a udm call.

listener.log

11.08.20 06:56:22.463 LISTENER ( PROCESS ) : updating 'cn=Domain Admins,cn=groups,dc=admember,dc=local' command r
11.08.20 06:56:22.463 LISTENER ( PROCESS ) : updating 'cn=Domänen-Admins,cn=groups,dc=admember,dc=local' command a
11.08.20 06:56:22.465 LISTENER ( PROCESS ) : well-known-sid-name-mapping: ucr set groups/default/domainadmins=Domänen-Admins
11.08.20 06:56:26.632 LISTENER ( PROCESS ) : updating 'cn=Domänen-Admins,cn=groups,dc=admember,dc=local' command m
11.08.20 06:56:26.634 LISTENER ( PROCESS ) : updating 'cn=Domain Guests,cn=groups,dc=admember,dc=local' command r
...
11.08.20 06:57:09.241 LISTENER ( ERROR ) : well-known-sid-name-mapping.d/univention-ldap-server.py: postrun: Restarting slapd (via systemctl): slapd.service.

So up until 06:57:09.241, when the ldap server is restarted with the new ACLs, the univention-samba join script cannot run.

The order in scripts/90_postjoin/10admember seems to be correct:

_progress(70, _('Renaming well known SID objects...'))
admember.rename_well_known_sid_objects(username, password)
_progress(75, _('Configuring Administrator account...'))
admember.prepare_administrator(username, password)
_progress(80, _('Running Samba join script...'))
admember.run_samba_join_script(username, password)

But the actual join happened before the ldap server restart:

11.08.20 06:55:48.017 MODULE ( PROCESS ) : Create connector/ad/mapping/group/table/Printer-Admins
Unsetting connector/ad/mapping/group/language
Process: Renaming 'cn=Domain Users,cn=groups,dc=admember,dc=local' to 'Domänen-Benutzer' in UCS LDAP.
Process: Modifying 'cn=default,cn=univention,dc=admember,dc=local' in UCS LDAP.
Process: Renaming 'cn=Domain Admins,cn=groups,dc=admember,dc=local' to 'Domänen-Admins' in UCS LDAP.
Process: Renaming 'cn=Domain Guests,cn=groups,dc=admember,dc=local' to 'Domänen-Gäste' in UCS LDAP.
Process: Renaming 'uid=Administrator,cn=users,dc=admember,dc=local' to 'Administrator2' in UCS LDAP.
11.08.20 06:55:48.018 MODULE ( INFO ) : Waiting for well-known-sid-name-mapping listener to map Domain Admins
__STEP__:75
__MSG__:Configuring Administrator account...
11.08.20 06:56:03.139 MODULE ( PROCESS ) : Prepare administrator account
__STEP__:80
__MSG__:Running Samba join script...
11.08.20 06:56:03.443 MODULE ( PROCESS ) : Running samba join script
11.08.20 06:56:34.069 MODULE ( PROCESS ) : 2020-08-11 06:56:03.593354121-04:00 (in joinscript_init)
Create samba/role
Multifile: /etc/samba/smb.conf
INFO: ad/member is true, will join as memberserver into an AD domain
Create samba/domain/security
Multifile: /etc/samba/smb.conf
Create samba4/ntacl/backend
File: /etc/samba/base.conf
Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
Setting samba/share/home
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
No handlers could be found for logger "univention.service_info"
Setting samba/autostart
Module: autostart
Multifile: /etc/samba/smb.conf
Not updating samba/autostart
Stopping nfs-kernel-server (via systemctl): nfs-kernel-server.serviceWarning: nfs-kernel-server.service changed on disk. Run 'systemctl daemon-reload' to reload units.
.
Stopping winbind (via systemctl): winbind.service.
Create samba/user
Create samba/user/pwdfile
Multifile: /etc/samba/smb.conf
Setting stored password for "cn=ucs,cn=dc,cn=computers,dc=admember,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping smbd (via systemctl): smbd.service.
Stopping nmbd (via systemctl): nmbd.service.
Starting nmbd (via systemctl): nmbd.service.
Starting smbd (via systemctl): smbd.service.
Permission denied.
11.08.20 06:56:34.069 MODULE ( ERROR ) : 26univention-samba.inst failed with 3

=> 06:56:34.069 26univention-samba.inst failed
=> 06:57:09.241 LISTENER ( ERROR ) : well-known-sid-name-mapping.d/univention-ldap-server.py: postrun: Restarting slapd (via systemctl): slapd.service.

There is code in rename_well_known_sid_objects (univention-lib/python/admember.py) to wait for the replication; maybe we are missing something there.

Seen only once in our app appliances tests.
Created attachment 10457 [details] listener.log
Created attachment 10458 [details] notifier.log
Created attachment 10459 [details] setup.log
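
The timing comparison made in the report, as an added example that is not part of the original report and is not Univention code: it merges the quoted setup.log (MODULE) and listener.log (LISTENER) lines and checks whether the samba join script started before the slapd restart. The function names are hypothetical, and it assumes both logs were written with the same clock.

```python
import re
from datetime import datetime

# Lines copied from the setup.log (MODULE) and listener.log (LISTENER)
# excerpts quoted in the report above.
REPORT_LOG = """\
11.08.20 06:55:48.018 MODULE ( INFO ) : Waiting for well-known-sid-name-mapping listener to map Domain Admins
11.08.20 06:56:03.139 MODULE ( PROCESS ) : Prepare administrator account
11.08.20 06:56:03.443 MODULE ( PROCESS ) : Running samba join script
11.08.20 06:56:34.069 MODULE ( ERROR ) : 26univention-samba.inst failed with 3
11.08.20 06:57:09.241 LISTENER ( ERROR ) : well-known-sid-name-mapping.d/univention-ldap-server.py: postrun: Restarting slapd (via systemctl): slapd.service.
"""

# Line layout: "DD.MM.YY HH:MM:SS.mmm SOURCE ( LEVEL ) : message"
LINE_RE = re.compile(
    r"^(\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d\.\d{3}) +(\w+) +\( *(\w+) *\) *: (.*)$")

def parse(text):
    """Return (timestamp, source, message) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # untimestamped continuation lines are skipped
            ts = datetime.strptime(m.group(1), "%d.%m.%y %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(4)))
    return sorted(events)

def first(events, source, needle):
    """Timestamp of the first event from `source` whose message contains `needle`."""
    return next((ts for ts, src, msg in events
                 if src == source and needle in msg), None)

def check_ordering(text):
    """Compare join-script timing with the listener's slapd restart."""
    ev = parse(text)
    join_start = first(ev, "MODULE", "Running samba join script")
    join_fail = first(ev, "MODULE", "univention-samba.inst failed")
    restart = first(ev, "LISTENER", "postrun: Restarting slapd")
    if join_start is None or restart is None:
        return None  # not enough information in the logs
    return {
        "join_before_restart": join_start < restart,
        "start_to_restart_s": (restart - join_start).total_seconds(),
        "fail_to_restart_s": (restart - join_fail).total_seconds()
                             if join_fail else None,
    }

if __name__ == "__main__":
    print(check_ordering(REPORT_LOG))
```
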