Univention UCS 4.2 - Failed 'Active Directory Takeover' process - Troubleshooting

1k views Asked by At

I successfully installed Univention UCS 4.2.

On this UCS 4.2 server I have installed the following applications / plugins:

  • Active Directory Connection
  • Active Directory Takeover
  • Active Directory-compatible Domain Controller
  • DHCP server
  • Print server (CUPS)

I have the following Linux distribution:

root@ucs:~# cat /etc/*-release
DISTRIB_ID=Univention
DISTRIB_RELEASE="4.2-2 errata159"
DISTRIB_CODENAME=Lesum

DISTRIB_DESCRIPTION="Univention Corporate Server 4.2-2 errata159 (Lesum)"
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

and the following Samba version:

root@ucs:~# samba -V
Version 4.6.1-Debian

This UCS 4.2 server is running on IP: 10.16.100.115.

On another IP: 10.16.100.20 I have Microsoft Windows Server 2008 R2 (64-bit) let's call it: Win 2008 which acts as: Active Directory Domain Controller.

The UCS 4.2 server is working properly as DNS server. In addition of that, if on a whatever Windows PC on the local network I point to it as DNS server like on the following image:

enter image description here

I can add that Windows PC to the domain by using the following credentials:

Domain: mydomain.intranet
User name: Administrator
Password: <thepassword>

Then, my next step was trying to migrate the Active Directory I had on Win 2008 to UCS 4.2. For that I used the application: Active Directory Takeover via the web interface:

enter image description here

When click Next I get:

enter image description here

When click Next I get:

enter image description here

Then, I check that file referenced on the image above:

/var/log/univention/ad-takeover.log

and I find the following content:

2017-09-12 16:35:25,671 INFO: Time difference is less than 180 seconds, skipping reset of local time
2017-09-12 16:35:25,688 Starting phase I of the takeover process.
2017-09-12 16:35:25,688 Calling: univention-config-registry set hosts/static/10.16.100.20=DLDC.MYDOMAIN.intranet DLDC
2017-09-12 16:35:25,791 Create hosts/static/10.16.100.20
2017-09-12 16:35:25,791 Multifile: /etc/hosts
2017-09-12 16:35:25,798 Calling: /etc/init.d/univention-s4-connector stop
2017-09-12 16:35:25,818 Stopping univention-s4-connector (via systemctl): univention-s4-connector.service.
2017-09-12 16:35:25,818 Calling: /etc/init.d/samba-ad-dc stop
2017-09-12 16:35:25,993 Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:25,994 Calling: univention-config-registry set nameserver1/local=10.16.100.115 nameserver1=10.16.100.20 directory/manager/web/modules/users/user/properties/username/syntax=string directory/manager/web/modules/groups/group/properties/name/syntax=string dns/backend=ldap
2017-09-12 16:35:26,082 Create nameserver1/local
2017-09-12 16:35:26,082 Setting nameserver1
2017-09-12 16:35:26,082 Setting directory/manager/web/modules/users/user/properties/username/syntax
2017-09-12 16:35:26,082 Setting directory/manager/web/modules/groups/group/properties/name/syntax
2017-09-12 16:35:26,082 Setting dns/backend
2017-09-12 16:35:26,082 File: /etc/resolv.conf
2017-09-12 16:35:26,090 Calling: /etc/init.d/nscd stop
2017-09-12 16:35:26,113 Stopping nscd (via systemctl): nscd.service.
2017-09-12 16:35:26,114 Calling: /etc/init.d/bind9 restart
2017-09-12 16:35:31,603 Restarting bind9 (via systemctl): bind9.service.
2017-09-12 16:35:31,603 Starting Samba domain join.
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_spnego' registered
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_krb5' registered
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_krb5_sasl' registered
2017-09-12 16:35:31,885 GENSEC backend 'spnego' registered
2017-09-12 16:35:31,885 GENSEC backend 'schannel' registered
2017-09-12 16:35:31,885 GENSEC backend 'naclrpc_as_system' registered
2017-09-12 16:35:31,885 GENSEC backend 'sasl-EXTERNAL' registered
2017-09-12 16:35:31,885 GENSEC backend 'ntlmssp' registered
2017-09-12 16:35:31,885 GENSEC backend 'ntlmssp_resume_ccache' registered
2017-09-12 16:35:31,886 GENSEC backend 'http_basic' registered
2017-09-12 16:35:31,886 GENSEC backend 'http_ntlm' registered
2017-09-12 16:35:31,886 GENSEC backend 'krb5' registered
2017-09-12 16:35:31,886 GENSEC backend 'fake_gssapi_krb5' registered
2017-09-12 16:35:31,908 resolve_lmhosts: Attempting lmhosts lookup for name DLDC.MYDOMAIN.intranet<0x20>
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/[email protected] : kinit for [email protected] failed (Cannot contact any KDC for requested realm)
2017-09-12 16:35:31,915 SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DLDC.MYDOMAIN.intranet failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
2017-09-12 16:35:31,915 Got challenge flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62898235
2017-09-12 16:35:31,915 NTLMSSP: Set final flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,915 NTLMSSP Sign/Seal - Initialising with flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,916 NTLMSSP Sign/Seal - Initialising with flags:
2017-09-12 16:35:31,916 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,926 workgroup is MYDOMAIN
2017-09-12 16:35:31,926 realm is MYDOMAIN.intranet
2017-09-12 16:35:31,940 tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
2017-09-12 16:35:31,940 Could not open tdb: No such file or directory
2017-09-12 16:35:31,944 ldb_wrap open of secrets.ldb
2017-09-12 16:35:31,944 Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=MYDOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4576 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2017-09-12 16:35:31,994 ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -  <00002071: UpdErr: DSID-03050328, problem 6005 (ENTRY_EXISTS), data 0
2017-09-12 16:35:31,994 > <>
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
2017-09-12 16:35:31,995     return self.run(*args, **kwargs)
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 668, in run
2017-09-12 16:35:31,995     keep_existing=keep_existing)
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1276, in join_DC
2017-09-12 16:35:31,996     ctx.do_join()
2017-09-12 16:35:31,996   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1182, in do_join
2017-09-12 16:35:31,996     ctx.join_add_objects()
2017-09-12 16:35:31,996   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 613, in join_add_objects
2017-09-12 16:35:31,996     ctx.samdb.add(rec)
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Join failed - cleaning up
2017-09-12 16:35:31,996 removing samaccount: CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Deleted CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:32,017 Calling: univention-config-registry unset hosts/static/10.16.100.20
2017-09-12 16:35:32,126 Unsetting hosts/static/10.16.100.20
2017-09-12 16:35:32,126 Multifile: /etc/hosts
2017-09-12 16:35:32,131 Calling: /etc/init.d/samba-ad-dc start
2017-09-12 16:35:32,452 Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:32,452 Calling: /etc/init.d/univention-s4-connector start
2017-09-12 16:35:37,699 Starting univention-s4-connector (via systemctl): univention-s4-connector.service.
2017-09-12 16:35:37,699 Calling: univention-config-registry set nameserver1=10.16.100.115
2017-09-12 16:35:37,895 Setting nameserver1
2017-09-12 16:35:37,895 File: /etc/resolv.conf
2017-09-12 16:35:37,902 Calling: univention-config-registry unset nameserver1/local
2017-09-12 16:35:38,029 Unsetting nameserver1/local
2017-09-12 16:35:38,029 File: /etc/resolv.conf
2017-09-12 16:35:38,034 Calling: univention-config-registry set dns/backend=samba4
2017-09-12 16:35:38,098 Setting dns/backend
2017-09-12 16:35:38,102 Calling: /etc/init.d/bind9 restart
2017-09-12 16:35:48,642 Restarting bind9 (via systemctl): bind9.service.
2017-09-12 16:35:48,642 Calling: /etc/init.d/nscd restart
2017-09-12 16:35:48,736 Restarting nscd (via systemctl): nscd.service.
2017-09-12 16:35:48,736 The domain join failed. See /var/log/univention/ad-takeover.log for details.

where there are some lines that catch my attention:

2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/[email protected] : kinit for [email protected] failed (Cannot contact any KDC for requested realm)

Then, checking the samba configuration file: /etc/samba/smb.conf I see the following fragment:

[global]
    debug level     = 1
    logging         = file
    log file        = /var/log/samba/log.%m
    log level       = 3
    max log size    = 0

    netbios name    = controller
    server role = active directory domain controller
    server string   = Univention Corporate Server
    server services = -dns -smb +s3fs -nbt
    server role check:inhibit = yes
    # use nmbd; to disable set samba4/service/nmb to s4
    nmbd_proxy_logon:cldap_server=127.0.0.1
    workgroup   = LAGOON
    realm       = LAGOON.LOCAL

    tls enabled = yes
    tls keyfile = /etc/univention/ssl/controller.lagoon.local/private.key
    tls certfile    = /etc/univention/ssl/controller.lagoon.local/cert.pem
    tls cafile  = /etc/univention/ssl/ucsCA/CAcert.pem
    tls verify peer = ca_and_name
    ldap server require strong auth = allow_sasl_over_tls
    dsdb:schema update allowed = no
    max open files = 32808
    ntlm auth   = yes
    machine password timeout    = 0
    acl allow execute always = True

    # ignore interfaces in samba/register/exclude/interfaces
    bind interfaces only = yes
    interfaces = lo eth0
    kccsrv:samba_kcc = False

where there is another line that catch my attention:

nmbd_proxy_logon:cldap_server=127.0.0.1

Notice the same 127.0.0.1 as on the error log.

Other details:

  • on Win 2008 server I was using the domain: MYDOMAIN.intranet
  • on UCS 4.2 server I was using the domain: mydomain.intranet

After the failed takeover process I checked the list of users on UCS 4.2 server and there were no imported users from the Win 2008 server (same users as before).

Just as a Memo, I have to say that for some reason, after doing the above, when trying to use the previous server: Win 2008 as local domain and then try to login I got the following error:

The security database on the server does not have a computer account for this workstation trust relationship.

enter image description here

But I solved this by following the steps on the following link:

https://virtualcurtis.wordpress.com/2011/03/02/fix-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship/

[Checks]

root@controller:~# ls -la /var/lib/samba/private/secrets.tdb
-rw------- 1 root root 430080 Sep 11 16:08 /var/lib/samba/private/secrets.tdb

Any idea on how to make the takeover process go thru?

1

There are 1 answers

0
AudioBubble On

Did you take a look at the Documentation? I see two problems in your post.

First, you claim that both Systems have the same domain name, as required. Your screenshot shows though, that your AD Domain Name is LAGOON.local, not MYDOMAIN.intranet as it is for your Univention Server.

Second, your log file shows, that you are - again - trying to use your simple Domain User myuser, not your AD Domain Admin Admin. This user simply doesn't have the needed rights to access the Data of your whole AD Domain.

It is way easier for us to help you on these Univention specific questions in our forum. We can't guarantee support for our Products on external forums.