Univention Bugzilla – Bug 43745
Master join as AD member fails due to old _domaincontroller_master._tcp record
Last modified: 2017-11-30 11:47:03 CET
If the SRV record _domaincontroller_master._tcp is already (or still) present in the DNS domain zone of the Active Directory nameserver, the setup of the AD connection (aka member mode) doesn't work. We should help the user to avoid running into this. We could e.g. check for this record in the setup wizard, ping that system and offer to delete that record if that system is not reachable.

+++ This bug was initially created as a clone of SDB Bug #43683 +++
This happens fairly often, there are several reports on help.univention.com. Today we had a potential customer in sales with this problem.
*** Bug 45253 has been marked as a duplicate of this bug. ***
*** Bug 42918 has been marked as a duplicate of this bug. ***
(In reply to Florian Best from comment #3)
> *** Bug 42918 has been marked as a duplicate of this bug. ***

(In reply to Jürn Brodersen from comment #19)
> (In reply to Florian Best from comment #3)
> > Version: 4.1-3 errata239 (Vahr)
> >
> > Remark: One UCS Kopano-Core system is already installed as an AD member
> > server.
> > When installing the second UCS server this "connection
> > refused/authentication error" persists.
> >
> > During installation it was selected to "Join existing AD domain".
> > Tried even the option of "Join existing UCS domain" which ended in a similar
> > error.
>
> This was not fixed in bug 44995 :(
>
> The problem happens if there is already one ucs system joined into an ad
> domain and a user tries to join an additional ucs system (an app appliance)
> into that domain.
>
> The error happens because the licence check is done against the windows dc
> and not against the ucs master.
>
> Relevant file: base/univention-system-setup/umc/python/setup/util.py
>
> The ucs master can be found with the SRV record:
> _domaincontroller_master._tcp.$DOMAIN. See for example is_ucs_domain(). If
> something like a get_ucs_master() function gets added it might make sense to
> fix bug 45170 as well.
>
> As a workaround I had success using the ucs master as the dns and choosing
> "Join existing ucs domain".
>
> Note: As described in bug 44995 non master app appliances aren't working
> that well at the moment. So that should be fixed first.
*** Bug 43683 has been marked as a duplicate of this bug. ***
(In reply to Florian Best from comment #5)
> *** Bug 43683 has been marked as a duplicate of this bug. ***

(In reply to Nico Gulden from comment #0)
> Background: The user already had a UCS system joined into a Microsoft Active
> Directory domain. He deleted the system. The records in AD remained. The
> join of another system failed because of these left overs.
>
> The forum has the solution:
> http://forum.univention.de/viewtopic.php?f=48&t=3889&p=14035#p14008
The following changes have been done:

* If a _domaincontroller_master._tcp exists and one selects to join into an AD domain, it is tried to reach the system via SSH. If that succeeds everything is fine and the system can be configured as DC Backup/Slave/Member. If not, a pop-up asks to replace the record or to retry the connection.
* When a DC Backup/Slave/Member as AD-Member is selected the credentials for the AD domain are checked. This check now also includes a check against the DC Master to ensure that a connection via SSH is possible. Otherwise the join will end up in "ping to $DCNAME failed".
* If a DC Master joins while there is already a _domaincontroller_master._tcp SRV record, the record will be removed with Domain Admin credentials and a new one is created with machine credentials.
* Multiline error messages (like tracebacks) in any python system setup script are now correctly sent to the frontend.

univention-system-setup (10.0.10-44)
ef3f6eb77352 | Bug #43745: make joining into AD domains possible if a dead _domaincontroller_master._tcp SRV record exists

univention-system-setup (10.0.10-45)
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
ecb97ce7f70e | Bug #43745: adapt translations
7319cd787264 | Bug #43745: debian/changelog

univention-system-setup (10.0.10-43)
a149d9f0149c | Bug #43745: remove existing _domaincontroller_master._tcp SRV record before adding another entry
69c3662bfc85 | Bug #43745: make sure that multiline errors (e.g. tracebacks) are send to the frontend

univention-lib (6.0.9-20)
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
7319cd787264 | Bug #43745: debian/changelog

univention-systen-setup.yaml
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
5ca5952e6fca | YAML Bug #43745

univention-ad-connector (11.0.6-32)
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
7319cd787264 | Bug #43745: debian/changelog

univention-ad-connector.yaml
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
5ca5952e6fca | YAML Bug #43745

univention-lib.yaml
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
5ca5952e6fca | YAML Bug #43745

univention-lib (6.0.9-19)
a149d9f0149c | Bug #43745: remove existing _domaincontroller_master._tcp SRV record before adding another entry

univention-ad-connector (11.0.6-31)
a149d9f0149c | Bug #43745: remove existing _domaincontroller_master._tcp SRV record before adding another entry
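Added example, not code from univention-system-setup: a pre-join check in the spirit of the first change above. It parses the SRV answer for _domaincontroller_master._tcp, probes each target's SSH port, and decides whether the record is live or stale. The function names, decision labels and the sample `dig +short` output are assumptions made for illustration.

```python
import socket

# Constructed sample of `dig +short SRV _domaincontroller_master._tcp.<domain>`
# output; host name and field values are made up for illustration.
SAMPLE_DIG = "0 100 0 oldmaster.ad.example.test.\n"


def parse_srv_answers(text):
    """Parse 'priority weight port target.' lines into dicts."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
            continue  # skip blank lines and resolver diagnostics
        priority, weight, port = (int(f) for f in fields[:3])
        records.append({"priority": priority, "weight": weight,
                        "port": port, "target": fields[3].rstrip(".")})
    return records


def ssh_reachable(host, port=22, timeout=3.0):
    """True if a TCP connection to the host's SSH port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_master_records(dig_output, probe=ssh_reachable):
    """Map each SRV target to 'live' or 'stale' using the probe."""
    return {rec["target"]: "live" if probe(rec["target"]) else "stale"
            for rec in parse_srv_answers(dig_output)}


def join_decision(dig_output, probe=ssh_reachable):
    """Hypothetical decision labels mirroring the behaviour described above."""
    states = classify_master_records(dig_output, probe)
    if not states:
        return "no-master-record"
    if "live" in states.values():
        return "join-as-backup-slave-member"
    return "ask-replace-or-retry"


if __name__ == "__main__":
    # Stub probe so the demo runs offline: every target counts as unreachable.
    print(join_decision(SAMPLE_DIG, probe=lambda host: False))
```

A stale result only means the SSH port did not answer within the timeout; a firewalled but running master looks the same, which is why the change described above offers a retry next to the replace option.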
Created attachment 9280 [details] Screenshot
I would suggest to swap the button position due to psychological behavior of people!
commit 69c3662bfc859e806df2ff3193fb36eac7e91df4 seems to break the jenkins tests

Reading package lists...
=== 05_role/10role (2017-11-10 16:52:25) ===
__NAME__:05_role/10role Configuring server role
__ERR__:Traceback (most recent call last):
__ERR__:  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 310, in run
__ERR__:    success = self.inner_run()
__ERR__:  File "/usr/lib/univention-system-setup/scripts/05_role/10role", line 46, in inner_run
__ERR__:    self.steps(3 * 100)
__ERR__:  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 272, in steps
__ERR__:    self.inform_progress_parser('steps', steps)
__ERR__:  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 236, in inform_progress_parser
__ERR__:    msg = '\n'.join('__%s__:%s' % (progress_attribute.upper(), message) for message in msg.splitlines())
__ERR__:AttributeError: 'int' object has no attribute 'splitlines'
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 310, in run
    success = self.inner_run()
  File "/usr/lib/univention-system-setup/scripts/05_role/10role", line 46, in inner_run
    self.steps(3 * 100)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 272, in steps
    self.inform_progress_parser('steps', steps)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 236, in inform_progress_parser
    msg = '\n'.join('__%s__:%s' % (progress_attribute.upper(), message) for message in msg.splitlines())
AttributeError: 'int' object has no attribute 'splitlines'
(In reply to Felix Botner from comment #10)
> commit 69c3662bfc859e806df2ff3193fb36eac7e91df4 seems to break the jenkins
> tests

Thank you for reporting this so soon.

Fixed in:
univention-system-setup (10.0.10-46)
38d2d10219df | Bug #43745: fix AttributeError when logging non string
Advisory: sed "s/n-setup/m-setup/"
61d363aaa9: rename doc/errata/staging/{univention-systen-setup.yaml => univention-system-setup.yaml}
OK - clean setup (ad + ucs master as member)
OK - new master replaces old UCS Master during setup
OK - slave in ad, first with ucs master turned off (got warning), restarted master and I could continue the ad member slave setup
OK - YAML
<http://errata.software-univention.de/ucs/4.2/225.html>
<http://errata.software-univention.de/ucs/4.2/226.html>
<http://errata.software-univention.de/ucs/4.2/227.html>
*** Bug 38343 has been marked as a duplicate of this bug. ***
*** Bug 40342 has been marked as a duplicate of this bug. ***
*** Bug 37880 has been marked as a duplicate of this bug. ***
*** Bug 41796 has been marked as a duplicate of this bug. ***