Univention UCS 4.2 - Failed 'Active Directory Takeover' process - Troubleshooting

Date: 2017-09-12 22:16:19

Tags: linux active-directory samba windows-server domaincontroller

I successfully installed Univention UCS 4.2.

On this UCS 4.2 server, I installed the following applications/plugins:

  • Active Directory Connection
  • Active Directory Takeover
  • Active Directory-compatible Domain Controller
  • DHCP Server
  • Print Server (CUPS)

I have the following Linux distribution:

root@ucs:~# cat /etc/*-release
DISTRIB_ID=Univention
DISTRIB_RELEASE="4.2-2 errata159"
DISTRIB_CODENAME=Lesum

DISTRIB_DESCRIPTION="Univention Corporate Server 4.2-2 errata159 (Lesum)"
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

And the following Samba version:

root@ucs:~# samba -V
Version 4.6.1-Debian

The UCS 4.2 server is running on IP: 10.16.100.115

On another IP, 10.16.100.20, there is a Microsoft Windows Server 2008 R2 (64-bit), let's call it Win 2008, whose role is: Active Directory Domain Controller.

The UCS 4.2 server works correctly as a DNS server. Furthermore, if on any Windows PC on the local network I point it at that DNS server, as in the image below:

[screenshot]

I can add the Windows PC to the domain using the following credentials:

Domain: mydomain.intranet
User name: Administrator
Password: <thepassword>

Then, my next step was to try to migrate the Active Directory on Win 2008 to UCS 4.2. For that I used the application via the web interface: Active Directory Takeover

[screenshot]

After clicking Next, I get:

[screenshot]

After clicking Next, I get:

[screenshot]

Then I checked the file referenced in the image above:

/var/log/univention/ad-takeover.log

I found the following content:

2017-09-12 16:35:25,671 INFO: Time difference is less than 180 seconds, skipping reset of local time
2017-09-12 16:35:25,688 Starting phase I of the takeover process.
2017-09-12 16:35:25,688 Calling: univention-config-registry set hosts/static/10.16.100.20=DLDC.MYDOMAIN.intranet DLDC
2017-09-12 16:35:25,791 Create hosts/static/10.16.100.20
2017-09-12 16:35:25,791 Multifile: /etc/hosts
2017-09-12 16:35:25,798 Calling: /etc/init.d/univention-s4-connector stop
2017-09-12 16:35:25,818 Stopping univention-s4-connector (via systemctl): univention-s4-connector.service.
2017-09-12 16:35:25,818 Calling: /etc/init.d/samba-ad-dc stop
2017-09-12 16:35:25,993 Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:25,994 Calling: univention-config-registry set nameserver1/local=10.16.100.115 nameserver1=10.16.100.20 directory/manager/web/modules/users/user/properties/username/syntax=string directory/manager/web/modules/groups/group/properties/name/syntax=string dns/backend=ldap
2017-09-12 16:35:26,082 Create nameserver1/local
2017-09-12 16:35:26,082 Setting nameserver1
2017-09-12 16:35:26,082 Setting directory/manager/web/modules/users/user/properties/username/syntax
2017-09-12 16:35:26,082 Setting directory/manager/web/modules/groups/group/properties/name/syntax
2017-09-12 16:35:26,082 Setting dns/backend
2017-09-12 16:35:26,082 File: /etc/resolv.conf
2017-09-12 16:35:26,090 Calling: /etc/init.d/nscd stop
2017-09-12 16:35:26,113 Stopping nscd (via systemctl): nscd.service.
2017-09-12 16:35:26,114 Calling: /etc/init.d/bind9 restart
2017-09-12 16:35:31,603 Restarting bind9 (via systemctl): bind9.service.
2017-09-12 16:35:31,603 Starting Samba domain join.
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_spnego' registered
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_krb5' registered
2017-09-12 16:35:31,885 GENSEC backend 'gssapi_krb5_sasl' registered
2017-09-12 16:35:31,885 GENSEC backend 'spnego' registered
2017-09-12 16:35:31,885 GENSEC backend 'schannel' registered
2017-09-12 16:35:31,885 GENSEC backend 'naclrpc_as_system' registered
2017-09-12 16:35:31,885 GENSEC backend 'sasl-EXTERNAL' registered
2017-09-12 16:35:31,885 GENSEC backend 'ntlmssp' registered
2017-09-12 16:35:31,885 GENSEC backend 'ntlmssp_resume_ccache' registered
2017-09-12 16:35:31,886 GENSEC backend 'http_basic' registered
2017-09-12 16:35:31,886 GENSEC backend 'http_ntlm' registered
2017-09-12 16:35:31,886 GENSEC backend 'krb5' registered
2017-09-12 16:35:31,886 GENSEC backend 'fake_gssapi_krb5' registered
2017-09-12 16:35:31,908 resolve_lmhosts: Attempting lmhosts lookup for name DLDC.MYDOMAIN.intranet<0x20>
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/DLDC.MYDOMAIN.intranet@MYDOMAIN.INTRANET : kinit for myuser@MYDOMAIN.INTRANET failed (Cannot contact any KDC for requested realm)
2017-09-12 16:35:31,915 SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DLDC.MYDOMAIN.intranet failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
2017-09-12 16:35:31,915 Got challenge flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62898235
2017-09-12 16:35:31,915 NTLMSSP: Set final flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,915 NTLMSSP Sign/Seal - Initialising with flags:
2017-09-12 16:35:31,915 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,916 NTLMSSP Sign/Seal - Initialising with flags:
2017-09-12 16:35:31,916 Got NTLMSSP neg_flags=0x62088235
2017-09-12 16:35:31,926 workgroup is MYDOMAIN
2017-09-12 16:35:31,926 realm is MYDOMAIN.intranet
2017-09-12 16:35:31,940 tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
2017-09-12 16:35:31,940 Could not open tdb: No such file or directory
2017-09-12 16:35:31,944 ldb_wrap open of secrets.ldb
2017-09-12 16:35:31,944 Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=MYDOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4576 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2017-09-12 16:35:31,994 ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -  <00002071: UpdErr: DSID-03050328, problem 6005 (ENTRY_EXISTS), data 0
2017-09-12 16:35:31,994 > <>
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
2017-09-12 16:35:31,995     return self.run(*args, **kwargs)
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 668, in run
2017-09-12 16:35:31,995     keep_existing=keep_existing)
2017-09-12 16:35:31,995   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1276, in join_DC
2017-09-12 16:35:31,996     ctx.do_join()
2017-09-12 16:35:31,996   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1182, in do_join
2017-09-12 16:35:31,996     ctx.join_add_objects()
2017-09-12 16:35:31,996   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 613, in join_add_objects
2017-09-12 16:35:31,996     ctx.samdb.add(rec)
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Adding CN=CONTROLLER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Join failed - cleaning up
2017-09-12 16:35:31,996 removing samaccount: CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:31,996 Deleted CN=CONTROLLER,OU=Domain Controllers,DC=MYDOMAIN,DC=intranet
2017-09-12 16:35:32,017 Calling: univention-config-registry unset hosts/static/10.16.100.20
2017-09-12 16:35:32,126 Unsetting hosts/static/10.16.100.20
2017-09-12 16:35:32,126 Multifile: /etc/hosts
2017-09-12 16:35:32,131 Calling: /etc/init.d/samba-ad-dc start
2017-09-12 16:35:32,452 Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
2017-09-12 16:35:32,452 Calling: /etc/init.d/univention-s4-connector start
2017-09-12 16:35:37,699 Starting univention-s4-connector (via systemctl): univention-s4-connector.service.
2017-09-12 16:35:37,699 Calling: univention-config-registry set nameserver1=10.16.100.115
2017-09-12 16:35:37,895 Setting nameserver1
2017-09-12 16:35:37,895 File: /etc/resolv.conf
2017-09-12 16:35:37,902 Calling: univention-config-registry unset nameserver1/local
2017-09-12 16:35:38,029 Unsetting nameserver1/local
2017-09-12 16:35:38,029 File: /etc/resolv.conf
2017-09-12 16:35:38,034 Calling: univention-config-registry set dns/backend=samba4
2017-09-12 16:35:38,098 Setting dns/backend
2017-09-12 16:35:38,102 Calling: /etc/init.d/bind9 restart
2017-09-12 16:35:48,642 Restarting bind9 (via systemctl): bind9.service.
2017-09-12 16:35:48,642 Calling: /etc/init.d/nscd restart
2017-09-12 16:35:48,736 Restarting nscd (via systemctl): nscd.service.
2017-09-12 16:35:48,736 The domain join failed. See /var/log/univention/ad-takeover.log for details.

Where some lines caught my attention:

2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/DLDC.MYDOMAIN.intranet@MYDOMAIN.INTRANET : kinit for myuser@MYDOMAIN.INTRANET failed (Cannot contact any KDC for requested realm)

Then, checking the Samba configuration file /etc/samba/smb.conf, I see the following snippet:

[global]
    debug level     = 1
    logging         = file
    log file        = /var/log/samba/log.%m
    log level       = 3
    max log size    = 0

    netbios name    = controller
    server role = active directory domain controller
    server string   = Univention Corporate Server
    server services = -dns -smb +s3fs -nbt
    server role check:inhibit = yes
    # use nmbd; to disable set samba4/service/nmb to s4
    nmbd_proxy_logon:cldap_server=127.0.0.1
    workgroup   = LAGOON
    realm       = LAGOON.LOCAL

    tls enabled = yes
    tls keyfile = /etc/univention/ssl/controller.lagoon.local/private.key
    tls certfile    = /etc/univention/ssl/controller.lagoon.local/cert.pem
    tls cafile  = /etc/univention/ssl/ucsCA/CAcert.pem
    tls verify peer = ca_and_name
    ldap server require strong auth = allow_sasl_over_tls
    dsdb:schema update allowed = no
    max open files = 32808
    ntlm auth   = yes
    machine password timeout    = 0
    acl allow execute always = True

    # ignore interfaces in samba/register/exclude/interfaces
    bind interfaces only = yes
    interfaces = lo eth0
    kccsrv:samba_kcc = False

And another line that caught my attention:

nmbd_proxy_logon:cldap_server=127.0.0.1

Note the same 127.0.0.1 as in the error log.

Other details:

  • On the Win 2008 server I am using the domain name: MYDOMAIN.intranet
  • On the UCS 4.2 server I am using the domain name: mydomain.intranet

After the failed takeover process, I checked the user list on the UCS 4.2 server, and there were no users imported from the Win 2008 server (the same users as before).

As a side note, I have to say that for some reason, after performing the above, when trying to use the previous server, Win 2008, as the local domain and then trying to log in, I got the following error:

The security database on the server does not have a computer account for this workstation trust relationship.

[screenshot]

But I fixed that by following the steps in this link:

https://virtualcurtis.wordpress.com/2011/03/02/fix-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship/

[Check]

root@controller:~# ls -la /var/lib/samba/private/secrets.tdb
-rw------- 1 root root 430080 Sep 11 16:08 /var/lib/samba/private/secrets.tdb

Any ideas on how to get through the takeover process?

1 answer:

Answer 0 (score: 1)

Have you looked at the Documentation? I found two problems in your post.

First, you claim that both systems have the same domain name, as required. Your screenshot shows that your AD domain name is LAGOON.local, not MYDOMAIN.intranet, as it is for your Univention server.

Second, your log file shows that you, again, tried to use the simple domain user myuser instead of your AD domain administrator Admin. That user simply doesn't have the permissions needed to access all the AD domain data.

It's easier for us to help you with these Univention-specific questions in our forum. We can't guarantee support for our product on external forums.
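As an added diagnostic that is not part of the question, the answer, or Univention's own tooling: a small Python script that cross-checks the ad-takeover.log against smb.conf for the two problems the answer names (realm mismatch, account used for the join) plus the KDC refusals from 127.0.0.1. The log and config excerpts are constructed from the lines quoted in the question.

```python
import re

# Constructed excerpts of the two artefacts quoted in the question (not the real files).
AD_TAKEOVER_LOG = """\
2017-09-12 16:35:31,914 Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1
2017-09-12 16:35:31,914 Cannot reach a KDC we require to contact ldap/DLDC.MYDOMAIN.intranet@MYDOMAIN.INTRANET : kinit for myuser@MYDOMAIN.INTRANET failed (Cannot contact any KDC for requested realm)
2017-09-12 16:35:31,926 workgroup is MYDOMAIN
2017-09-12 16:35:31,926 realm is MYDOMAIN.intranet
"""

SMB_CONF = """\
[global]
    netbios name    = controller
    nmbd_proxy_logon:cldap_server=127.0.0.1
    workgroup   = LAGOON
    realm       = LAGOON.LOCAL
"""


def smb_conf_value(conf, key):
    """Return the value of `key` from an smb.conf text, or None if absent."""
    m = re.search(r'^\s*' + re.escape(key) + r'\s*=\s*(\S+)', conf, re.M)
    return m.group(1) if m else None


def check_takeover(log, conf):
    """Cross-check the takeover log against smb.conf; return a list of findings."""
    findings = []
    # Realm of the AD domain being taken over, as the join reported it.
    m = re.search(r'^\S+ \S+ realm is (\S+)$', log, re.M)
    ad_realm = m.group(1) if m else None
    local_realm = smb_conf_value(conf, 'realm')
    if ad_realm and local_realm and ad_realm.upper() != local_realm.upper():
        findings.append('realm mismatch: join targets %s but smb.conf realm is %s'
                        % (ad_realm, local_realm))
    # Which principal the join tried to authenticate as, and for which realm.
    m = re.search(r'kinit for ([^@\s]+)@(\S+) failed', log)
    if m:
        findings.append('kinit failed for %s@%s; confirm this is the AD domain '
                        'administrator account' % m.groups())
    # Where the KDC lookup went: 127.0.0.1 is the UCS host itself, not the AD DC.
    kdcs = set(re.findall(r'NT_STATUS_CONNECTION_REFUSED from (\S+)', log))
    if '127.0.0.1' in kdcs:
        findings.append('KDC requests were sent to 127.0.0.1 (local Samba, stopped '
                        'during takeover) instead of the AD domain controller')
    return findings


if __name__ == '__main__':
    for finding in check_takeover(AD_TAKEOVER_LOG, SMB_CONF):
        print('-', finding)
```

Run it against the real /var/log/univention/ad-takeover.log and /etc/samba/smb.conf by reading those files into the two variables; an empty list means none of the three conditions was found.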