Bug 53944 - Can't join UCS as member into Microsoft Active Directory Forest child domain
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-5-errata
Assigned To: Arvid Requate
QA Contact: Julia Bremer
Duplicates: 54041
Depends on: 37626
Blocks:
Reported: 2021-10-19 11:17 CEST by Arvid Requate
Modified: 2023-11-02 17:48 CET (History)
See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.051
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021100421000225
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+
Description Arvid Requate univentionstaff 2021-10-19 11:17:13 CEST
Ticket #2021100421000225:

04.10.21 11:46:36.268 MODULE ( PROCESS ) : Renaming well-known SID objects...
04.10.21 11:46:36.470 MODULE ( PROCESS ) : Matching well known object names
04.10.21 11:46:37.054 MODULE ( PROCESS ) : Failed to lookup attribute Schema from AD: {'desc': 'No such object', 'matched': 'DC=subdom,DC=example,DC=org', 'info': "0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=subdom,DC=example,DC=org'\n"}
04.10.21 11:46:37.054 MODULE ( ERROR ) : well-known-sid-object-rename failed with 1 ()
04.10.21 11:46:37.054 MODULE ( ERROR ) : Join process failed [connectionFailed]: well-known-sid-object-rename failed with 1 ()
04.10.21 11:46:37.054 MODULE ( ERROR ) : A connection to the AD server tth-dc02.subdom.example.org could not be established. Please check username and password. (Details:
well-known-sid-object-rename failed with 1 ())
04.10.21 11:46:37.055 MODULE ( PROCESS ) : The domain join completed with errors.
04.10.21 11:46:37.255 MODULE ( PROCESS ) : Revert UCR settings
Comment 1 Arvid Requate univentionstaff 2021-10-19 11:21:41 CEST
We've set up an example forest, and it looks like the CN=Configuration partition in the subdomain is not below the base DN of the subdomain but below the base DN of the forest root:

## Subdomain:

root@primary20:~# ldbsearch -H ldap://10.200.43.118 -b '' \
                  -U Administrator%Univention.1  -s base namingContexts 
# record 1
dn: 
namingContexts: CN=Configuration,DC=example,DC=org
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=org
namingContexts: DC=subdomain,DC=example,DC=org


## vs forest root:

root@primary20:~# ldbsearch -H ldap://10.200.43.114 -b '' \
                  -U Administrator%Univention.1  -s base namingContexts 
# record 1
dn: 
namingContexts: DC=example,DC=org
namingContexts: CN=Configuration,DC=example,DC=org
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=org
namingContexts: DC=DomainDnsZones,DC=example,DC=org
namingContexts: DC=ForestDnsZones,DC=example,DC=org
Comment 2 Arvid Requate univentionstaff 2023-04-05 15:31:26 CEST
We could use the attributes "configurationNamingContext" and "schemaNamingContext"
which are present at the LDAP root DSE of AD domain controllers.

OTOH there's the conceptual issue in this case, that the AD-Connector probably
cannot write to the configurationNamingContext if that is "outside" of
the boundary of the specific remote AD-Domain we want to synchronize with.
I think this will not work, at least not as generic as with a top/standalone AD domain.
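The following is an added example, not code from this bug report or from the AD-Connector, that shows the point made in Comment 1 and Comment 2 in working form: deriving the Schema DN as "CN=Schema,CN=Configuration,<base DN>" only works for a forest root or standalone domain, while reading configurationNamingContext and schemaNamingContext from the rootDSE works for a forest child as well, and comparing them against defaultNamingContext tells you whether the Configuration partition lies outside the domain you are synchronizing with. The two LDIF records are constructed from the ldbsearch output in Comment 1; the defaultNamingContext, configurationNamingContext and schemaNamingContext values in them are assumed (the real rootDSE carries these attributes, but the page only shows namingContexts), and all function names are hypothetical.

```python
"""Resolve the AD Configuration/Schema partitions from the LDAP rootDSE.

Added example (not UCS or AD-Connector code). Standard library only.
"""
from typing import Dict, List

# Constructed input: what
#   ldbsearch -H ldap://<dc> -b '' -s base -U user%pw \
#       namingContexts defaultNamingContext configurationNamingContext schemaNamingContext
# would print for the two DCs from Comment 1. The three single-valued
# attributes are assumptions consistent with the namingContexts shown there.
LDIF_FOREST_CHILD = """\
# record 1
dn: 
namingContexts: CN=Configuration,DC=example,DC=org
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=org
namingContexts: DC=subdomain,DC=example,DC=org
defaultNamingContext: DC=subdomain,DC=example,DC=org
configurationNamingContext: CN=Configuration,DC=example,DC=org
schemaNamingContext: CN=Schema,CN=Configuration,DC=example,DC=org
"""

LDIF_FOREST_ROOT = """\
# record 1
dn: 
namingContexts: DC=example,DC=org
namingContexts: CN=Configuration,DC=example,DC=org
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=org
namingContexts: DC=DomainDnsZones,DC=example,DC=org
namingContexts: DC=ForestDnsZones,DC=example,DC=org
defaultNamingContext: DC=example,DC=org
configurationNamingContext: CN=Configuration,DC=example,DC=org
schemaNamingContext: CN=Schema,CN=Configuration,DC=example,DC=org
"""


def parse_rootdse(ldif: str) -> Dict[str, List[str]]:
    """Parse a single-record ldbsearch/ldapsearch LDIF into attr -> values.

    Skips comments and the (empty) rootDSE dn line. Base64 ':: ' values are
    not handled; the DN-valued attributes used here are plain text.
    """
    attrs: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#") or line.startswith("dn:"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def dn_rdns(dn: str) -> List[str]:
    """Split a DN into case-folded RDNs (sufficient for unescaped partition DNs)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_is_under(dn: str, base: str) -> bool:
    """True if `dn` equals `base` or lies below it in the directory tree."""
    d, b = dn_rdns(dn), dn_rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def naive_schema_dn(base_dn: str) -> str:
    """The derivation that fails with NO_OBJECT in a forest child domain."""
    return "CN=Schema,CN=Configuration," + base_dn


def resolve_partitions(rootdse: Dict[str, List[str]]) -> Dict[str, object]:
    """Return the partition DNs to use plus diagnostics about the domain's position."""
    base = rootdse["defaultNamingContext"][0]
    config = rootdse["configurationNamingContext"][0]
    schema = rootdse["schemaNamingContext"][0]
    contexts = rootdse.get("namingContexts", [])
    guess = naive_schema_dn(base)
    return {
        "base_dn": base,
        "configuration_dn": config,
        "schema_dn": schema,
        # Forest child: the Configuration partition hangs below another domain's
        # DN, so writes to it (the concern in Comment 2) leave this domain's boundary.
        "forest_child": not dn_is_under(config, base),
        # Would the naive derivation have named an existing partition at all?
        "naive_schema_dn_exists": any(dn_rdns(guess) == dn_rdns(c) for c in contexts),
    }


if __name__ == "__main__":
    for label, ldif in (("forest child", LDIF_FOREST_CHILD), ("forest root", LDIF_FOREST_ROOT)):
        print(label, resolve_partitions(parse_rootdse(ldif)))
```

Run against a live DC, the same logic applies to the output of the ldbsearch command from Comment 1 with the three extra attributes requested; the forest_child flag is what a join tool would check before deciding whether it may write to the Schema partition.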
Comment 3 Ingo Steuwer univentionstaff 2023-05-22 11:21:16 CEST
I'd recommend to add to the documentation that joining a forest is currently not supported and continue with this bugzilla entry as a feature request, not as a bug.
Comment 5 Arvid Requate univentionstaff 2023-11-01 16:47:08 CET
Repository univention/dist/ucs-winrm:
ed6cfa990f | feat: setup-domain-in-forest

Repository univention/ucs, branch 5.0-5:
a82b406a9e | Add support for AD Forest subdomains to AD-Connector
65c6a17af3 | Make UCS and AD use different domain names in adsync-w2k19-english-forest-child
5cdeed3e66 | Add test admember-w2019-english-forest-child
b2fe68d660 | Test prepare-new-instance for AD-Connector
b98d836a87 | Changelog and Advisory
55333a116b | Update documentation
4e06ff14d6 | Fix english wording
Comment 6 Julia Bremer univentionstaff 2023-11-02 09:03:55 CET
OK: Join against a forest child with ad-connector
OK: Automatic test scenario with one + two forest children
OK: Jenkins tests
OK: YAML 


Verified
Comment 8 Arvid Requate univentionstaff 2023-11-02 17:48:05 CET
*** Bug 54041 has been marked as a duplicate of this bug. ***