I successfully installed Univention UCS 4.2. On this UCS 4.2 server I have installed the following applications / plugins:
- Active Directory Connection
- Active Directory Takeover
- Active Directory-compatible Domain Controller
- DHCP server
- Print server (CUPS)
I have the following Linux distribution:
root@ucs:~# cat /etc/*-release
DISTRIB_ID=Univention
DISTRIB_RELEASE="4.2-2 errata159"
DISTRIB_CODENAME=Lesum
DISTRIB_DESCRIPTION="Univention Corporate Server 4.2-2 errata159 (Lesum)"
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
and the following Samba version:
root@ucs:~# samba -V
Version 4.6.1-Debian
This UCS 4.2 server is running on IP: 10.16.100.115.
On another IP: 10.16.100.20 I have Microsoft Windows Server 2008 R2 (64-bit), let's call it Win 2008, which acts as Active Directory Domain Controller.
The UCS 4.2 server is working properly as DNS server. In addition to that, if on any Windows PC on the local network I point to it as DNS server like on the following image:
I can add that Windows PC to the domain by using the following credentials:
Domain: mydomain.intranet
User name: Administrator
Password: <thepassword>
Then, my next step was trying to migrate the Active Directory I had on Win 2008 to UCS 4.2. For that I used the application Active Directory Takeover via the web interface:
When I click Next I get:
When I click Next I get:
Then, I check the file referenced in the image above, /var/log/univention/ad-takeover.log, and I find the following content:
2017-09-12 16:35:25,671 INFO: Time difference is less than 180 seconds, skipping reset of local time
2017-09-12 16:35:25,688 Starting phase I of the takeover process.
2017-09-12 16:35:25,688 Calling: univention-config-registry set hosts/static/10.16.100.20=DLDC.MYDOMAIN.intranet DLDC
2017-09-12 16:35:25,791 Create hosts/static/10.16.100.20
2017-09-12 16:35:25,791 Multifile: /etc/hosts
2017-09-12 16:35:25,798 Calling: /etc/init.d/univention-s4-connector stop
2017-09-12 16:35:25,818 Stopping univention-s4-connector (via systemctl): univention-s4-connector.service.
2017-09-12 16:35:25,818 Calling: /etc/init.d/samba-ad-dc stop
2017-09-12 16:35:25,993 Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:25,994 Calling: univention-config-registry set nameserver1/local=10.16.100.115 nameserver1=10.16.100.20 directory/manager/web/modules/users/user/properties/username/syntax=string directory/manager/web/modules/groups/group/properties/name/syntax=string dns/backend=ldap
2017-09-12 16:35:26,082 Create nameserver1/local
2017-09-12 16:35:26,082 Setting nameserver1
2017-09-12 16:35:26,082 Setting directory/manager/web/modules/users/user/properties/username/syntax
2017-09-12 16:35:26,082 Setting directory/manager/web/modules/groups/group/properties/name/syntax
2017-09-12 16:35:26,082 Setting dns/backend
2017-09-12 16:35:26,082 File: /etc/resolv.conf
2017-09-12 16:35:26,090 Calling: /etc/init.d/nscd stop
2017-09-12 16:35:26,113 Stopping nscd (via systemctl): nscd.service.
2017-09-12 16:35:26,114 Calling: /etc/init.d/bind9 restart
2017-09-12 16:35:31,603 Restarting bind9 (via systemctl): bind9.service.
2017-09-12 16:35:31,603 Starting Samba domain join.
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_spnego' registered
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_krb5' registered
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_krb5_sasl' registered
2017-09-12 16:35:31,885 GENSEC backend 'spnego' registered
2017-09-12 16:35:31,885 GENSEC backend 'schannel' registered
2017-09-12 16:35:31,885 GENSEC backend 'naclrpc_as_system' registered
2017-09-12 16:35:31,885 GENSEC backend 'sasl-EXTERNAL' registered
2017-09-12 16:35:31,885 GENSEC backend 'ntlmssp' registered
2017-09-12 16:35:31,885 GENSEC backend 'ntlmssp_resume_ccache' registered
2017-09-12 16:35:31,886 GENSEC backend 'http_basic' registered
2017-09-12 16:35:31,886 GENSEC backend 'http_ntlm' registered
2017-09-12 16:35:31,886 GENSEC backend 'krb5' registered
2017-09-12 16:35:31,886 GENSEC backend 'fake_gssapi_krb5' registered
2017-09-12 16:35:31,908 resolve_lmhosts: Attempting lmhosts lookup for name DLDC.MYDOMAIN.intranet<0x20>
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/[email protected] : kinit for [email protected] failed (Cannot contact any KDC for requested realm)
2017-09-12 16:35:31,915 SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DLDC.MYDOMAIN.intranet failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
2017-09-12 16:35:31,915 Got challenge flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62898235
2017-09-12 16:35:31,915 NTLMSSP: Set final flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,915 NTLMSSP Sign/Seal - Initialising with flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,916 NTLMSSP Sign/Seal - Initialising with flags:
2017-09-12 16:35:31,916 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,926 workgroup is MYDOMAIN
2017-09-12 16:35:31,926 realm is MYDOMAIN.intranet
2017-09-12 16:35:31,940 tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
2017-09-12 16:35:31,940 Could not open tdb: No such file or directory
2017-09-12 16:35:31,944 ldb_wrap open of secrets.ldb
2017-09-12 16:35:31,944 Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=MYDOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4576 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2017-09-12 16:35:31,994 ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: UpdErr: DSID-03050328, problem 6005 (ENTRY_EXISTS), data 0
2017-09-12 16:35:31,994 > <>
2017-09-12 16:35:31,995 File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
2017-09-12 16:35:31,995 return self.run(*args, **kwargs)
2017-09-12 16:35:31,995 File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 668, in run
2017-09-12 16:35:31,995 keep_existing=keep_existing)
2017-09-12 16:35:31,995 File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1276, in join_DC
2017-09-12 16:35:31,996 ctx.do_join()
2017-09-12 16:35:31,996 File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1182, in do_join
2017-09-12 16:35:31,996 ctx.join_add_objects()
2017-09-12 16:35:31,996 File "/usr/lib/python2.7/dist-packages/samba/join.py", line 613, in join_add_objects
2017-09-12 16:35:31,996 ctx.samdb.add(rec)
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Join failed - cleaning up
2017-09-12 16:35:31,996 removing samaccount: CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Deleted CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:32,017 Calling: univention-config-registry unset hosts/static/10.16.100.20
2017-09-12 16:35:32,126 Unsetting hosts/static/10.16.100.20
2017-09-12 16:35:32,126 Multifile: /etc/hosts
2017-09-12 16:35:32,131 Calling: /etc/init.d/samba-ad-dc start
2017-09-12 16:35:32,452 Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:32,452 Calling: /etc/init.d/univention-s4-connector start
2017-09-12 16:35:37,699 Starting univention-s4-connector (via systemctl): univention-s4-connector.service.
2017-09-12 16:35:37,699 Calling: univention-config-registry set nameserver1=10.16.100.115
2017-09-12 16:35:37,895 Setting nameserver1
2017-09-12 16:35:37,895 File: /etc/resolv.conf
2017-09-12 16:35:37,902 Calling: univention-config-registry unset nameserver1/local
2017-09-12 16:35:38,029 Unsetting nameserver1/local
2017-09-12 16:35:38,029 File: /etc/resolv.conf
2017-09-12 16:35:38,034 Calling: univention-config-registry set dns/backend=samba4
2017-09-12 16:35:38,098 Setting dns/backend
2017-09-12 16:35:38,102 Calling: /etc/init.d/bind9 restart
2017-09-12 16:35:48,642 Restarting bind9 (via systemctl): bind9.service.
2017-09-12 16:35:48,642 Calling: /etc/init.d/nscd restart
2017-09-12 16:35:48,736 Restarting nscd (via systemctl): nscd.service.
2017-09-12 16:35:48,736 The domain join failed. See /var/log/univention/ad-takeover.log for details.
where there are some lines that catch my attention:
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/[email protected] : kinit for [email protected] failed (Cannot contact any KDC for requested realm)
Then, checking the Samba configuration file /etc/samba/smb.conf, I see the following fragment:
[global]
debug level = 1
logging = file
log file = /var/log/samba/log.%m
log level = 3
max log size = 0
netbios name = controller
server role = active directory domain controller
server string = Univention Corporate Server
server services = -dns -smb +s3fs -nbt
server role check:inhibit = yes
# use nmbd; to disable set samba4/service/nmb to s4
nmbd_proxy_logon:cldap_server=127.0.0.1
workgroup = LAGOON
realm = LAGOON.LOCAL
tls enabled = yes
tls keyfile = /etc/univention/ssl/controller.lagoon.local/private.key
tls certfile = /etc/univention/ssl/controller.lagoon.local/cert.pem
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
tls verify peer = ca_and_name
ldap server require strong auth = allow_sasl_over_tls
dsdb:schema update allowed = no
max open files = 32808
ntlm auth = yes
machine password timeout = 0
acl allow execute always = True
# ignore interfaces in samba/register/exclude/interfaces
bind interfaces only = yes
interfaces = lo eth0
kccsrv:samba_kcc = False
where there is another line that catches my attention:
nmbd_proxy_logon:cldap_server=127.0.0.1
Notice the same 127.0.0.1 as in the error log.
Other details:
- on the Win 2008 server I was using the domain: MYDOMAIN.intranet
- on the UCS 4.2 server I was using the domain: mydomain.intranet
After the failed takeover process I checked the list of users on the UCS 4.2 server and there were no imported users from the Win 2008 server (same users as before).
Just as a memo, I have to say that for some reason, after doing the above, when trying to use the previous server Win 2008 as local domain and then trying to log in I got the following error:
The security database on the server does not have a computer account for this workstation trust relationship.
But I solved this by following the steps on the following link:
[Checks]
root@controller:~# ls -la /var/lib/samba/private/secrets.tdb
-rw------- 1 root root 430080 Sep 11 16:08 /var/lib/samba/private/secrets.tdb
Any idea on how to make the takeover process go through?
Did you take a look at the Documentation? I see two problems in your post.
First, you claim that both systems have the same domain name, as required. Your screenshot shows, though, that your AD Domain Name is LAGOON.local, not MYDOMAIN.intranet as it is for your Univention Server.
Second, your log file shows that you are - again - trying to use your simple Domain User myuser, not your AD Domain Admin Admin. This user simply doesn't have the needed rights to access the data of your whole AD Domain.
It is way easier for us to help you on these Univention specific questions in our forum. We can't guarantee support for our products on external forums.
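Two things in this thread are mechanically checkable before a takeover is attempted: the answer's point that the `realm` in smb.conf (LAGOON.LOCAL) does not match the AD domain the takeover targets (MYDOMAIN.intranet), and the failure signatures in the question's ad-takeover.log (refused connections to the KDC, no contactable KDC for the realm, the missing secrets.tdb, and the LDAP_ENTRY_ALREADY_EXISTS from a DC object left behind). The script below is an added example, not Univention's or Samba's own tooling: it parses the `[global]` section of an smb.conf fragment, compares the realm case-insensitively with the intended AD DNS domain, and scans takeover log lines for those signatures. The function names, the hint text and the sample inputs (a shortened copy of the config and log lines posted above) are constructed for this example.

```python
import configparser
import socket

# Failure signatures copied from the ad-takeover.log excerpt in this thread,
# each paired with a short reading of what it points at (my summary, not
# Univention documentation).
FAILURE_SIGNATURES = {
    "NT_STATUS_CONNECTION_REFUSED": "KDC/LDAP endpoint refused the connection",
    "Cannot contact any KDC": "no reachable KDC for the requested realm (realm spelling, DNS or hosts entry)",
    "NT_STATUS_CANT_ACCESS_DOMAIN_INFO": "secrets.tdb / secrets.ldb missing or unreadable",
    "LDAP_ENTRY_ALREADY_EXISTS": "DC object already present in the target directory (leftover from an earlier join)",
}

# Constructed sample input: a shortened copy of the [global] fragment from the question.
SAMPLE_SMB_CONF = """\
[global]
debug level = 1
logging = file
log file = /var/log/samba/log.%m
netbios name = controller
server role = active directory domain controller
server role check:inhibit = yes
# use nmbd; to disable set samba4/service/nmb to s4
nmbd_proxy_logon:cldap_server=127.0.0.1
workgroup = LAGOON
realm = LAGOON.LOCAL
tls enabled = yes
ldap server require strong auth = allow_sasl_over_tls
acl allow execute always = True
bind interfaces only = yes
interfaces = lo eth0
"""

# Constructed sample input: four log lines abridged from the takeover log above.
SAMPLE_LOG_LINES = [
    "2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1",
    "2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/DLDC.MYDOMAIN.intranet : kinit failed (Cannot contact any KDC for requested realm)",
    "2017-09-12 16:35:31,944 Could not find machine account in secrets database: ... NT_STATUS_CANT_ACCESS_DOMAIN_INFO",
    "2017-09-12 16:35:31,994 ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: UpdErr: DSID-03050328, problem 6005 (ENTRY_EXISTS), data 0",
]


def read_smb_global(text):
    """Parse the [global] section of an smb.conf fragment into {lower-cased key: value}.

    Only '=' is used as delimiter: smb.conf keys such as 'server role check:inhibit'
    contain ':' and configparser's default delimiters would split them in the wrong place.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return {k.strip().lower(): v.strip() for k, v in cp["global"].items()}


def realm_matches(smb_global, ad_dns_domain):
    """DNS names are case-insensitive, so LAGOON.LOCAL and lagoon.local are the same realm."""
    return smb_global.get("realm", "").lower() == ad_dns_domain.lower()


def scan_takeover_log(lines):
    """Return [(timestamp, signature, hint)] for the first line that matches each known signature."""
    hits, seen = [], set()
    for line in lines:
        for signature, hint in FAILURE_SIGNATURES.items():
            if signature in line and signature not in seen:
                seen.add(signature)
                hits.append((line[:23], signature, hint))  # first 23 chars = 'YYYY-MM-DD HH:MM:SS,mmm'
    return hits


def kdc_reachable(host, port=88, timeout=2.0):
    """Live check (not exercised offline): can a TCP connection to the KDC port be opened? Never raises."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(smb_conf_text, ad_dns_domain, log_lines=()):
    """Run the offline checks and return a list of findings; an empty list means nothing was flagged."""
    g = read_smb_global(smb_conf_text)
    findings = []
    if not realm_matches(g, ad_dns_domain):
        findings.append(
            f"realm mismatch: smb.conf realm={g.get('realm')!r} but takeover target is {ad_dns_domain!r}"
        )
    for ts, signature, hint in scan_takeover_log(log_lines):
        findings.append(f"{ts} {signature}: {hint}")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_SMB_CONF, "MYDOMAIN.intranet", SAMPLE_LOG_LINES):
        print(finding)
```

Run against the sample data it reports the realm mismatch first and then one line per failure signature; on a real host, point `read_smb_global` at the contents of /etc/samba/smb.conf and `scan_takeover_log` at /var/log/univention/ad-takeover.log, and call `kdc_reachable` with the AD DC's address to confirm that the KDC the takeover will talk to is actually listening before the join stops the local services.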