Univention Bugzilla – Bug 44762
adconnector/check_domain() GSSAPI failed
Last modified: 2018-02-15 18:26:08 CET
This has been reported again with UCS 4.2-0 errata 29.

Execution of command 'adconnector/check_domain' has failed:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "%PY2.7%/univention/management/console/modules/adconnector/__init__.py", line 393, in check_domain
    admember.check_ad_account(ad_domain_info, username, password)
  File "%PY2.7%/univention/lib/admember.py", line 261, in check_ad_account
    lo_ad.lo.sasl_interactive_bind_s("", auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/192.168.5.81@168.5.81) not found)', 'desc': 'Local error'}

+++ This bug was initially created as a clone of Bug #38285 +++

We received the following traceback, 4.0-1 errata152 (Walle).

Execution of command 'adconnector/check_domain' has failed:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/__init__.py", line 176, in _decorated
    return function(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 188, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 316, in _response
    result = _multi_response(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 460, in _response
    return list(function(self, iterator, *nones))
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 282, in _fake_func
    yield function(self, *args)
  File "%PY2.7%/univention/management/console/modules/adconnector/__init__.py", line 377, in check_domain
    admember.check_ad_account(ad_domain_info, username, password)
  File "%PY2.7%/univention/lib/admember.py", line 235, in check_ad_account
    lo_ad.lo.sasl_interactive_bind_s("", auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/xbmc.desk76.local@DESK76.LOCAL) not found)', 'desc': 'Local error'}
Reported again, 4.2-1 errata52 (Lesum) Remark: Creating a Backup GC with the setup routine.
Mark all bugs with a user pain > 0.3 as errata bugs.
I was able to reproduce this.

04.07.17 12:23:39.964 MODULE ( PROCESS ) : stderr:
04.07.17 12:23:40.122 MODULE ( PROCESS ) : AD Info: {'Domain': 'myad.intra', 'LDAP Base': 'DC=myad,DC=intra', 'Forest': 'myad.intra', 'Client Site': 'Default-First-Site-Name', 'DC Netbios Name': 'WIN-HVD93QSGOEV', 'DC DNS Name': 'WIN-HVD93QSGOEV.myad.intra', 'Netbios Domain': 'MYAD', 'DC IP': '10.200.18.98', 'Server Site': 'Default-First-Site-Name'}
04.07.17 12:23:40.376 MODULE ( PROCESS ) : Time difference is less than 180 seconds, skipping reset of local time
04.07.17 12:23:40.602 MODULE ( PROCESS ) : Prepare Kerberos UCR settings
04.07.17 12:23:40.603 MODULE ( PROCESS ) : Setting UCR variables: [u'kerberos/defaults/dns_lookup_kdc=true', u'kerberos/realm=MYAD.INTRA']
04.07.17 12:23:41.158 MODULE ( PROCESS ) : Unsetting UCR variables: [u'kerberos/kdc', u'kerberos/kpasswdserver', u'kerberos/adminserver']
04.07.17 12:23:41.403 MODULE ( PROCESS ) : Setting UCR variables: [u'hosts/static/10.200.18.98=WIN-HVD93QSGOEV.myad.intra']
04.07.17 12:23:43.298 MODULE ( PROCESS ) : Die Ausführung des Kommandos adconnector/check_domain ist fehlgeschlagen:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/adconnector/__init__.py", line 393, in check_domain
    admember.check_ad_account(ad_domain_info, username, password)
  File "/usr/lib/pymodules/python2.7/univention/lib/admember.py", line 261, in check_ad_account
    lo_ad.lo.sasl_interactive_bind_s("", auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/10.200.18.98@200.18.98) not found)', 'desc': 'Local error'}
Note: There is a difference to Bug #38285
→ Bug #38285 had always FQDNs in the error message
→ This Bug always has IP addresses in the error message
> → This Bug always has IP addresses in the error message

AFAIK GSSAPI only works with FQDNs.
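A triage helper for the distinction drawn in the two comments above, added here as an example and not part of the original report or of Univention's code: it extracts the service principal from the GSSAPI `info` string and reports whether its host part is an IP literal or an FQDN. The function names are hypothetical; the sample strings are copied from the tracebacks in this report.

```python
import ipaddress
import re

# Matches the principal in "Matching credential (service/host@REALM) not found".
PRINCIPAL_RE = re.compile(
    r"Matching credential \((?P<service>[^/@()\s]+)/(?P<host>[^@()\s]+)@(?P<realm>[^()\s]+)\)"
)

PREFIX = "SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) "
# 'info' values as they appear in this report's tracebacks.
SAMPLES = [
    PREFIX + "(Matching credential (ldap/10.200.18.98@200.18.98) not found)",
    PREFIX + "(Matching credential (ldap/xbmc.desk76.local@DESK76.LOCAL) not found)",
]


def host_is_ip(host):
    """True if the host part of the principal is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_gssapi_error(info):
    """Classify the principal named in a GSSAPI 'info' string (hypothetical helper)."""
    # Collapse whitespace first: long messages get wrapped in logs and bug trackers.
    match = PRINCIPAL_RE.search(" ".join(info.split()))
    if match is None:
        return {"kind": "unparsed"}
    host, realm = match.group("host"), match.group("realm")
    # In every message on this page the realm equals the host minus its first label.
    suffix = host.partition(".")[2]
    return {
        "kind": "ip-literal" if host_is_ip(host) else "fqdn",
        "service": match.group("service"),
        "host": host,
        "realm": realm,
        "realm_from_host_suffix": bool(suffix) and suffix.upper() == realm.upper(),
    }


def ip_literal_hosts(infos):
    """Hosts from a batch of error strings whose principal was built from an IP."""
    results = (classify_gssapi_error(i) for i in infos)
    return [r["host"] for r in results if r["kind"] == "ip-literal"]
```

An `ip-literal` result with `realm_from_host_suffix` set means the realm in the message was cut from the address itself (`200.18.98`), which is the pattern that separates this bug's reports from the FQDN ones in Bug #38285.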
Re: Comment 3:
> I was able to reproduce this.

How, where? Logs?
Created attachment 9001
management-console-module-setup.log
I think I saw the same error, too:

Windows DC: Server 2008r2
AD member: UCS 4.2

The error happened with the forest functional level set to 2003. After raising it to 2008r2 I could join without an error.
Reported again, 4.2-1 errata52 (Lesum)
yup, can be reproduced with 2008R2 Domain(Forest) mode 2003

seems to be a timing/nscd issue. Without a running nscd it works. Don't know why, don't know how ... anyway

just stop nscd in check_ad_account before sasl bind and start nscd

QA: this is enough to force the error:

import univention.lib.admember
info = univention.lib.admember.lookup_adds_dc(ad_server='10.210.109.164')
username = 'Administrator'
password = 'SYZUnE%78h'
univention.lib.admember.check_ad_account(info, username, password)

...
Traceback (most recent call last):
  File "/opt/a.py", line 8, in <module>
    univention.lib.admember.check_ad_account(info, username, password)
  File "/usr/lib/pymodules/python2.7/univention/lib/admember.py", line 262, in check_ad_account
    lo_ad.lo.sasl_interactive_bind_s("", auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/10.210.109.164@210.109.164) not found)', 'desc': 'Local error'}
Version: 4.2-1 errata118 (Lesum)
Reported again, 4.2-1 errata118 (Lesum) Remark: Problem with AD access
Ok.
Version: 4.2-1 errata144 (Lesum) Remark: Setting up the AD connector at the customer's site,
Version: 4.2-1 errata118 (Lesum) Remark: Can't join Domain
(In reply to Florian Best from comment #14)
> Version: 4.2-1 errata144 (Lesum)
>
> Remark: Setting up the AD connector at the customer's site,

That was me. I can confirm that stopping nscd helped in this case :)
<http://errata.software-univention.de/ucs/4.2/160.html>
Version: 4.2-1 errata159 (Lesum) Remark: unable to join current AD domain
*** Bug 45401 has been marked as a duplicate of this bug. ***
Reported again: Version: 4.2-1 errata133 (Lesum)