Univention Bugzilla – Full Text Bug Listing
Summary: | Join into AD: Clock synchronization | ||
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | univention-lib | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
Severity: | normal | ||
Priority: | P5 | CC: | gohmann, requate, walkenhorst |
Version: | UCS 4.0 | ||
Target Milestone: | UCS 4.0-0-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
Bug group (optional): | Troubleshooting | ||
Bug Blocks: | 36406 |
Description
Arvid Requate
2015-01-08 12:45:23 CET
Advisory: 2014-12-09-univention-lib.yaml

Code review: Failed

If I see it correctly, the join aborts if the time synchronization fails. I'm not sure but I think that could happen if the Windows firewall blocks the port. I think we should only abort if the join fails.

If I try to use the AD connection module, I got the following message (I definitely synced the time):

```
21.01.15 07:44:21.620 MODULE ( PROCESS ) : stderr:
21.01.15 07:44:21.622 MODULE ( PROCESS ) : AD Info: {'Domain': 'deadlock65.intranet', 'LDAP Base': 'DC=deadlock65,DC=intranet', 'Forest': 'deadlock65.intranet', 'Client Site': 'Default-First-Site-Name', 'DC Netbios Name': 'WIN-125IN6TLA89', 'DC DNS Name': 'WIN-125IN6TLA89.deadlock65.intranet', 'Netbios Domain': 'DEADLOCK65', 'DC IP': '10.201.65.1', 'Server Site': 'Default-First-Site-Name'}
21.01.15 07:44:21.625 MODULE ( INFO ) : running check_connection
21.01.15 07:44:21.643 MODULE ( INFO ) : running check_account
21.01.15 07:44:21.652 MODULE ( PROCESS ) : Time difference is less than 180 seconds, skipping reset of local time
21.01.15 07:44:21.793 MODULE ( PROCESS ) : Prepare Kerberos UCR settings
21.01.15 07:44:21.796 MODULE ( PROCESS ) : Setting UCR variables: [u'kerberos/defaults/dns_lookup_kdc=true']
21.01.15 07:44:21.927 MODULE ( PROCESS ) : Unsetting UCR variables: [u'kerberos/kdc', u'kerberos/kpasswdserver', u'kerberos/adminserver']
21.01.15 07:44:22.057 MODULE ( INFO ) : running _get_kerberos_ticket
21.01.15 07:44:22.115 MODULE ( ERROR ) : kinit failed: kinit: krb5_get_init_creds: Clock skew too great
21.01.15 07:44:22.457 MODULE ( WARN ) : Failure:
21.01.15 07:44:22.457 MODULE ( PROCESS ) : Das Kommando ist fehlgeschlagen: Eine Verbindung zum AD-Server WIN-125IN6TLA89.deadlock65.intranet konnte nicht hergestellt werden. Bitte überprüfen Sie Benutzername und Password.
21.01.15 07:44:22.457 PROTOCOL ( INFO ) : Sending UMCP RESPONSE 142182266158102-54
```

See also:

Setup via module failed:
http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-0/job/AD%20Member%20MultiEnv/Mode=module,Version=w2k8r2-english/10/console

Setup via installation is successful:
http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-0/job/AD%20Member%20MultiEnv/Mode=installation,Version=w2k8r2-english/10/console

> 21.01.15 07:44:22.115 MODULE ( ERROR ) : kinit failed:
> kinit: krb5_get_init_creds: Clock skew too great

Works for me, I need a look at your environment (Maybe a time zone issue?).

> Setup via module failed:

That's Bug 35096#c3

> 21.01.15 07:44:22.115 MODULE ( ERROR ) : kinit failed:
> kinit: krb5_get_init_creds: Clock skew too great

Ah, nasty, setup.log shows in my test that the script 40_ssl/10ssl explicitly syncs the time to some external source...

```
============================================================================
=== 40_ssl/10ssl (2015-01-06 15:20:54) ===
__NAME__:40_ssl/10ssl Erstellen der SSL-Zertifikate
Wed Jan 21 22:06:40 CET 2015
============================================================================
```

Looking at the script:

```
============================================================================
# try to set the clock before generating the root CA, otherwise it
# is possible that the certificate is not valid at the end of the
# installation Bug #13549
timeout -k 5 15 rdate time.fu-berlin.de || timeout -k 5 15 rdate 130.133.1.10 || true
============================================================================
```

Now we avoid this in case ad/member is true.

Additionally I added a workaround for an unlikely issue with kinit.

Advisory updated.

OK, now it works in my test cases.