Univention Bugzilla – Bug 37481
Join into AD: Clock synchronization
Last modified: 2015-01-29 11:43:18 CET
The admember module of python-univention-lib should support direct unconditional synchronization of the system time with an AD server. Required for Bug #36406
Advisory: 2014-12-09-univention-lib.yaml
Code review: Failed
If I see it correctly, the join aborts if the time synchronization fails. I'm not sure but I think that could happen if the Windows firewall blocks the port. I think we should only abort if the join fails.
If I try to use the AD connection module, I got the following message (I definitely synced the time):
21.01.15 07:44:21.620 MODULE ( PROCESS ) : stderr:
21.01.15 07:44:21.622 MODULE ( PROCESS ) : AD Info: {'Domain': 'deadlock65.intranet', 'LDAP Base': 'DC=deadlock65,DC=intranet', 'Forest': 'deadlock65.intranet', 'Client Site': 'Default-First-Site-Name', 'DC Netbios Name': 'WIN-125IN6TLA89', 'DC DNS Name': 'WIN-125IN6TLA89.deadlock65.intranet', 'Netbios Domain': 'DEADLOCK65', 'DC IP': '10.201.65.1', 'Server Site': 'Default-First-Site-Name'}
21.01.15 07:44:21.625 MODULE ( INFO ) : running check_connection
21.01.15 07:44:21.643 MODULE ( INFO ) : running check_account
21.01.15 07:44:21.652 MODULE ( PROCESS ) : Time difference is less than 180 seconds, skipping reset of local time
21.01.15 07:44:21.793 MODULE ( PROCESS ) : Prepare Kerberos UCR settings
21.01.15 07:44:21.796 MODULE ( PROCESS ) : Setting UCR variables: [u'kerberos/defaults/dns_lookup_kdc=true']
21.01.15 07:44:21.927 MODULE ( PROCESS ) : Unsetting UCR variables: [u'kerberos/kdc', u'kerberos/kpasswdserver', u'kerberos/adminserver']
21.01.15 07:44:22.057 MODULE ( INFO ) : running _get_kerberos_ticket
21.01.15 07:44:22.115 MODULE ( ERROR ) : kinit failed:
kinit: krb5_get_init_creds: Clock skew too great
21.01.15 07:44:22.457 MODULE ( WARN ) : Failure:
21.01.15 07:44:22.457 MODULE ( PROCESS ) : Das Kommando ist fehlgeschlagen: Eine Verbindung zum AD-Server WIN-125IN6TLA89.deadlock65.intranet konnte nicht hergestellt werden. Bitte überprüfen Sie Benutzername und Password.
21.01.15 07:44:22.457 PROTOCOL ( INFO ) : Sending UMCP RESPONSE 142182266158102-54
See also:
Setup via module failed: http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-0/job/AD%20Member%20MultiEnv/Mode=module,Version=w2k8r2-english/10/console
Setup via installation is successful: http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-0/job/AD%20Member%20MultiEnv/Mode=installation,Version=w2k8r2-english/10/console
> 21.01.15 07:44:22.115 MODULE ( ERROR ) : kinit failed:
> kinit: krb5_get_init_creds: Clock skew too great
Works for me, I need a look at your environment (Maybe a time zone issue?).
> Setup via module failed:
That's Bug 35096#c3
> 21.01.15 07:44:22.115 MODULE ( ERROR ) : kinit failed:
> kinit: krb5_get_init_creds: Clock skew too great
Ah, nasty, setup.log shows in my test that the script 40_ssl/10ssl explicitly syncs the time to some external source...
============================================================================
=== 40_ssl/10ssl (2015-01-06 15:20:54) ===
__NAME__:40_ssl/10ssl Erstellen der SSL-Zertifikate
Wed Jan 21 22:06:40 CET 2015
============================================================================
Looking at the script:
============================================================================
# try to set the clock before generating the root CA, otherwise it
# is possible that the certificate is not valid at the end of the
# installation Bug #13549
timeout -k 5 15 rdate time.fu-berlin.de || timeout -k 5 15 rdate 130.133.1.10 || true
============================================================================
Now we avoid this in case ad/member is true. Additionally I added a workaround for an unlikely issue with kinit. Advisory updated.
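A triage check for the symptom discussed in this thread, as an added example that is not part of the original bug report or of Univention's code: it parses module log text in the format quoted above and flags a kinit "Clock skew too great" error that follows a time check which decided to skip the reset. The sample log is constructed from the quoted lines, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the format of the module log quoted in this thread.
SAMPLE_LOG = """\
21.01.15 07:44:21.643 MODULE ( INFO ) : running check_account
21.01.15 07:44:21.652 MODULE ( PROCESS ) : Time difference is less than 180 seconds, skipping reset of local time
21.01.15 07:44:22.057 MODULE ( INFO ) : running _get_kerberos_ticket
21.01.15 07:44:22.115 MODULE ( ERROR ) : kinit failed:
kinit: krb5_get_init_creds: Clock skew too great
21.01.15 07:44:22.457 MODULE ( WARN ) : Failure:
"""

# Entry header: "DD.MM.YY HH:MM:SS.mmm FACILITY ( LEVEL ) : "
ENTRY = re.compile(
    r"(\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(\w+)\s+\(\s*(\w+)\s*\)\s*:\s?")


def parse_entries(text):
    """Split log text into (timestamp, facility, level, message) tuples.

    Handles one entry per line as well as entries run together on one line;
    continuation lines stay attached to the entry they follow.
    """
    parts = ENTRY.split(text)  # [preamble, ts, facility, level, message, ts, ...]
    entries = []
    for i in range(1, len(parts), 4):
        ts = datetime.strptime(parts[i], "%d.%m.%y %H:%M:%S.%f")
        entries.append((ts, parts[i + 1], parts[i + 2], " ".join(parts[i + 3].split())))
    return entries


def find_skew_after_passed_check(entries):
    """Flag kinit clock-skew errors that follow a time check which skipped the reset."""
    findings, passed_at = [], None
    for ts, _facility, _level, message in entries:
        if "skipping reset of local time" in message:
            passed_at = ts
        elif "Clock skew too great" in message and passed_at is not None:
            findings.append({"check_passed": passed_at, "kinit_failed": ts,
                             "gap_seconds": (ts - passed_at).total_seconds()})
            passed_at = None
    return findings


if __name__ == "__main__":
    for f in find_skew_after_passed_check(parse_entries(SAMPLE_LOG)):
        print("time check passed at %s, kinit rejected the clock %.3fs later"
              % (f["check_passed"].time(), f["gap_seconds"]))
```

A finding means the local check judged the clock acceptable and the KDC rejected it shortly afterwards, which is the contradiction the replies above trace to a time zone question or to something else resetting the clock.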
OK, now it works in my test cases.
<http://errata.univention.de/ucs/4.0/56.html>