Univention UCS 4.2 - Failure in the 'Active Directory Takeover' process - Troubleshooting [closed]

0

I successfully installed Univention UCS 4.2.

On this UCS 4.2 server I installed the following apps / plugins:

  • Active Directory Connection
  • Active Directory Takeover
  • Active Directory-compatible Domain Controller
  • DHCP server
  • Print server (CUPS)

I have the following Linux distribution:

root@ucs:~# cat /etc/*-release
DISTRIB_ID=Univention
DISTRIB_RELEASE="4.2-2 errata159"
DISTRIB_CODENAME=Lesum

DISTRIB_DESCRIPTION="Univention Corporate Server 4.2-2 errata159 (Lesum)"
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

and the following Samba version:

root@ucs:~# samba -V
Version 4.6.1-Debian

This UCS 4.2 server is running at IP: 10.16.100.115.

At another IP, 10.16.100.20, I have Microsoft Windows Server 2008 R2 (64-bit), let's call it Win 2008, which acts as Active Directory Domain Controller.

The UCS 4.2 server is working correctly as a DNS server. Additionally, on a Windows PC in the local network I point to it as the DNS server, as in the following image:

I can add the Windows PC to the domain using the following credentials:

Domain: mydomain.intranet
Username: Administrator
Password: <thepassword>

Then my next step was to try to migrate the Active Directory I had on Win 2008 to UCS 4.2. For that I used the app Active Directory Takeover via the web interface:

When I click Next, I get:

Then I check the file referenced in the image above:

/var/log/univention/ad-takeover.log

and I find the following content:

2017-09-12 16:35:25,671 INFO: Time difference is less than 180 seconds, skipping reset of local time
2017-09-12 16:35:25,688 Starting phase I of the takeover process.
2017-09-12 16:35:25,688 Calling: univention-config-registry set hosts/static/10.16.100.20=DLDC.MYDOMAIN.intranet DLDC
2017-09-12 16:35:25,791 Create hosts/static/10.16.100.20
2017-09-12 16:35:25,791 Multifile: /etc/hosts
2017-09-12 16:35:25,798 Calling: /etc/init.d/univention-s4-connector stop
2017-09-12 16:35:25,818 Stopping univention-s4-connector (via systemctl): univention-s4-connector.service.
2017-09-12 16:35:25,818 Calling: /etc/init.d/samba-ad-dc stop
2017-09-12 16:35:25,993 Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:25,994 Calling: univention-config-registry set nameserver1/local=10.16.100.115 nameserver1=10.16.100.20 directory/manager/web/modules/users/user/properties/username/syntax=string directory/manager/web/modules/groups/group/properties/name/syntax=string dns/backend=ldap
2017-09-12 16:35:26,082 Create nameserver1/local
2017-09-12 16:35:26,082 Setting nameserver1
2017-09-12 16:35:26,082 Setting directory/manager/web/modules/users/user/properties/username/syntax
2017-09-12 16:35:26,082 Setting directory/manager/web/modules/groups/group/properties/name/syntax
2017-09-12 16:35:26,082 Setting dns/backend
2017-09-12 16:35:26,082 File: /etc/resolv.conf
2017-09-12 16:35:26,090 Calling: /etc/init.d/nscd stop
2017-09-12 16:35:26,113 Stopping nscd (via systemctl): nscd.service.
2017-09-12 16:35:26,114 Calling: /etc/init.d/bind9 restart
2017-09-12 16:35:31,603 Restarting bind9 (via systemctl): bind9.service.
2017-09-12 16:35:31,603 Starting Samba domain join.
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_spnego' registered
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_krb5' registered
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_krb5_sasl' registered
2017-09-12 16:35:31,885 GENSEC backend 'spnego' registered
2017-09-12 16:35:31,885 GENSEC backend 'schannel' registered
2017-09-12 16:35:31,885 GENSEC backend 'naclrpc_as_system' registered
2017-09-12 16:35:31,885 GENSEC backend 'sasl-EXTERNAL' registered
2017-09-12 16:35:31,885 GENSEC backend 'ntlmssp' registered
2017-09-12 16:35:31,885 GENSEC backend 'ntlmssp_resume_ccache' registered
2017-09-12 16:35:31,886 GENSEC backend 'http_basic' registered
2017-09-12 16:35:31,886 GENSEC backend 'http_ntlm' registered
2017-09-12 16:35:31,886 GENSEC backend 'krb5' registered
2017-09-12 16:35:31,886 GENSEC backend 'fake_gssapi_krb5' registered
2017-09-12 16:35:31,908 resolve_lmhosts: Attempting lmhosts lookup for name DLDC.MYDOMAIN.intranet<0x20>
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/[email protected] : kinit for [email protected] failed (Cannot contact any KDC for requested realm)
2017-09-12 16:35:31,915 SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DLDC.MYDOMAIN.intranet failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
2017-09-12 16:35:31,915 Got challenge flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62898235
2017-09-12 16:35:31,915 NTLMSSP: Set final flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,915 NTLMSSP Sign/Seal - Initialising with flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,916 NTLMSSP Sign/Seal - Initialising with flags:
2017-09-12 16:35:31,916 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,926 workgroup is MYDOMAIN
2017-09-12 16:35:31,926 realm is MYDOMAIN.intranet
2017-09-12 16:35:31,940 tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
2017-09-12 16:35:31,940 Could not open tdb: No such file or directory
2017-09-12 16:35:31,944 ldb_wrap open of secrets.ldb
2017-09-12 16:35:31,944 Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=MYDOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4576 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2017-09-12 16:35:31,994 ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: UpdErr: DSID-03050328, problem 6005 (ENTRY_EXISTS), data 0
2017-09-12 16:35:31,994 > <>
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
2017-09-12 16:35:31,995     return self.run(*args, **kwargs)
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 668, in run
2017-09-12 16:35:31,995     keep_existing=keep_existing)
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1276, in join_DC
2017-09-12 16:35:31,996     ctx.do_join()
2017-09-12 16:35:31,996   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1182, in do_join
2017-09-12 16:35:31,996     ctx.join_add_objects()
2017-09-12 16:35:31,996   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 613, in join_add_objects
2017-09-12 16:35:31,996     ctx.samdb.add(rec)
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Join failed - cleaning up
2017-09-12 16:35:31,996 removing samaccount: CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Deleted CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:32,017 Calling: univention-config-registry unset hosts/static/10.16.100.20
2017-09-12 16:35:32,126 Unsetting hosts/static/10.16.100.20
2017-09-12 16:35:32,126 Multifile: /etc/hosts
2017-09-12 16:35:32,131 Calling: /etc/init.d/samba-ad-dc start
2017-09-12 16:35:32,452 Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:32,452 Calling: /etc/init.d/univention-s4-connector start
2017-09-12 16:35:37,699 Starting univention-s4-connector (via systemctl): univention-s4-connector.service.
2017-09-12 16:35:37,699 Calling: univention-config-registry set nameserver1=10.16.100.115
2017-09-12 16:35:37,895 Setting nameserver1
2017-09-12 16:35:37,895 File: /etc/resolv.conf
2017-09-12 16:35:37,902 Calling: univention-config-registry unset nameserver1/local
2017-09-12 16:35:38,029 Unsetting nameserver1/local
2017-09-12 16:35:38,029 File: /etc/resolv.conf
2017-09-12 16:35:38,034 Calling: univention-config-registry set dns/backend=samba4
2017-09-12 16:35:38,098 Setting dns/backend
2017-09-12 16:35:38,102 Calling: /etc/init.d/bind9 restart
2017-09-12 16:35:48,642 Restarting bind9 (via systemctl): bind9.service.
2017-09-12 16:35:48,642 Calling: /etc/init.d/nscd restart
2017-09-12 16:35:48,736 Restarting nscd (via systemctl): nscd.service.
2017-09-12 16:35:48,736 The domain join failed. See /var/log/univention/ad-takeover.log for details.

where there are some lines that catch my attention:

2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/[email protected] : kinit for [email protected] failed (Cannot contact any KDC for requested realm)

Then, checking the Samba configuration file /etc/samba/smb.conf, I see the following fragment:

[global]
    debug level     = 1
    logging         = file
    log file        = /var/log/samba/log.%m
    log level       = 3
    max log size    = 0

    netbios name    = controller
    server role = active directory domain controller
    server string   = Univention Corporate Server
    server services = -dns -smb +s3fs -nbt
    server role check:inhibit = yes
    # use nmbd; to disable set samba4/service/nmb to s4
    nmbd_proxy_logon:cldap_server=127.0.0.1
    workgroup   = LAGOON
    realm       = LAGOON.LOCAL

    tls enabled = yes
    tls keyfile = /etc/univention/ssl/controller.lagoon.local/private.key
    tls certfile    = /etc/univention/ssl/controller.lagoon.local/cert.pem
    tls cafile  = /etc/univention/ssl/ucsCA/CAcert.pem
    tls verify peer = ca_and_name
    ldap server require strong auth = allow_sasl_over_tls
    dsdb:schema update allowed = no
    max open files = 32808
    ntlm auth   = yes
    machine password timeout    = 0
    acl allow execute always = True

    # ignore interfaces in samba/register/exclude/interfaces
    bind interfaces only = yes
    interfaces = lo eth0
    kccsrv:samba_kcc = False

where there is another line that catches my attention:

nmbd_proxy_logon:cldap_server=127.0.0.1

Note the same 127.0.0.1 as in the error log.

Other details:

  • on the Win 2008 server I was using the domain: MYDOMAIN.intranet
  • on the UCS 4.2 server I was using the domain: mydomain.intranet

After the failed takeover process, I checked the user list on the UCS 4.2 server and there were no users imported from the Win 2008 server (same users as before).

Just as a memo, I have to say that, for some reason, after doing the above, when I tried to use the previous server, Win 2008, as the local domain and then tried to log in, I got the following error:

The security database on the server does not have a computer account for this workstation trust relationship.

But I solved that by following the steps in the following link:

[link] virtualcurtis.wordpress.com/2011/03/02/fix-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship/

[Checks]

root@controller:~# ls -la /var/lib/samba/private/secrets.tdb
-rw------- 1 root root 430080 Sep 11 16:08 /var/lib/samba/private/secrets.tdb

Any idea how to make the takeover process go through?

    
by Angel 13.09.2017 / 00:22

1 answer

1

Have you read the Documentation? I see two problems in your post.

First, you state that both systems have the same domain name, as required. However, the screenshot shows that the AD domain name is LAGOON.local, not MYDOMAIN.intranet as on your Univention server.

Second, your log file shows that you are, again, trying to use your plain domain user myuser, not the AD domain administrator Admin. This user simply does not have the rights needed to access the domain-wide AD data.

It is much easier for us to help you with these Univention-specific questions in our forum. We cannot guarantee support for our products on external forums.

    
by 14.09.2017 / 15:08
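As an added example (not part of the question or the answer, and not Univention's own tooling), the following Python script applies the answer's first point mechanically and surfaces the two other failure indicators visible in the log: it parses the [global] section of smb.conf, extracts the realm and workgroup the join actually used from ad-takeover.log, flags the Kerberos connection refused from 127.0.0.1 (logged right after the takeover stopped samba-ad-dc) and the LDAP error 68 ENTRY_ALREADY_EXISTS raised while the DC objects were being added. The smb.conf and log excerpts embedded in it are abridged from the question so the script runs offline; the function names and the wording of the findings are the example's own.

```python
"""Triage a failed Univention AD Takeover from its artefacts.

Added example, not Univention code. It parses the [global] section of
smb.conf and the text of ad-takeover.log and reports the conditions the
log on this page shows: a realm that differs between smb.conf and the
join, a KDC that refused the connection, and an ENTRY_ALREADY_EXISTS
while the DC account was being added.
"""
import re

# Sample input, abridged from the smb.conf and ad-takeover.log quoted in
# the question; embedded so the script runs without the real files.
SMB_CONF_EXCERPT = """
[global]
    netbios name    = controller
    server role = active directory domain controller
    # use nmbd; to disable set samba4/service/nmb to s4
    nmbd_proxy_logon:cldap_server=127.0.0.1
    workgroup   = LAGOON
    realm       = LAGOON.LOCAL
"""

LOG_EXCERPT = """
2017-09-12 16:35:25,993 Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require (Cannot contact any KDC for requested realm)
2017-09-12 16:35:31,926 workgroup is MYDOMAIN
2017-09-12 16:35:31,926 realm is MYDOMAIN.intranet
2017-09-12 16:35:31,994 ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: UpdErr: DSID-03050328, problem 6005 (ENTRY_EXISTS), data 0
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Join failed - cleaning up
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")


def parse_smb_conf_global(text):
    """Return the [global] settings as a dict with lower-cased keys."""
    settings, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def triage_takeover_log(text):
    """Pull the join parameters and failure indicators out of ad-takeover.log."""
    f = {"join_realm": None, "join_workgroup": None, "kdc_refused_from": set(),
         "kdc_unreachable": False, "entry_already_exists": False,
         "dc_objects_added": [], "join_failed": False}
    for line in text.splitlines():
        msg = TIMESTAMP.sub("", line).strip()
        if msg.startswith("realm is "):
            f["join_realm"] = msg.split(" ", 2)[2]
        elif msg.startswith("workgroup is "):
            f["join_workgroup"] = msg.split(" ", 2)[2]
        elif msg.startswith("Adding CN="):
            f["dc_objects_added"].append(msg[len("Adding "):])
        elif msg.startswith("Join failed") or "The domain join failed" in msg:
            f["join_failed"] = True
        m = re.search(r"NT_STATUS_CONNECTION_REFUSED from (\S+)", msg)
        if m:
            f["kdc_refused_from"].add(m.group(1))
        if "Cannot contact any KDC" in msg or "NT_STATUS_NO_LOGON_SERVERS" in msg:
            f["kdc_unreachable"] = True
        if "LDAP_ENTRY_ALREADY_EXISTS" in msg:
            f["entry_already_exists"] = True
    return f


def realm_mismatch(smb_global, findings):
    """True if smb.conf's realm and the realm the join used differ (case-insensitive)."""
    conf, joined = smb_global.get("realm"), findings["join_realm"]
    if not conf or not joined:
        return None  # not enough information to decide
    return conf.lower() != joined.lower()


def explain(smb_global, findings):
    """One human-readable note per condition detected."""
    notes = []
    if realm_mismatch(smb_global, findings):
        notes.append("realm mismatch: smb.conf has %s but the join used %s; the AD "
                     "domain and the UCS domain must carry the same name"
                     % (smb_global["realm"], findings["join_realm"]))
    if findings["kdc_unreachable"]:
        src = ", ".join(sorted(findings["kdc_refused_from"])) or "unknown host"
        notes.append("no KDC reachable (connection refused from %s); the realm must "
                     "resolve to the Windows DC's KDC, not to the local samba-ad-dc, "
                     "which the takeover stops before joining" % src)
    if findings["entry_already_exists"] and findings["dc_objects_added"]:
        notes.append("LDAP error 68 ENTRY_ALREADY_EXISTS while adding %s; an object "
                     "with one of these names is already present in the target AD"
                     % ", ".join(findings["dc_objects_added"]))
    return notes


if __name__ == "__main__":
    for note in explain(parse_smb_conf_global(SMB_CONF_EXCERPT),
                        triage_takeover_log(LOG_EXCERPT)):
        print("-", note)
```

To run it against a real system, replace the two excerpts with the contents of /etc/samba/smb.conf and /var/log/univention/ad-takeover.log; `realm_mismatch` returns None rather than a verdict when either side is missing, so a truncated log does not produce a false "realms match".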