Error connecting to NS8: ns8-join: error: the following arguments are required: user_domain

NethServer Version: NethServer 7.9.2009, NS8 qcow2 Image from today (sorry, it is NOT possible to find a version in webgui/cli)
Module: nethserver-ns8-migration

Hi there,

I already successfully tested the migration from NS7 to NS8, which worked quite well. But now I had to reinstall the NS8 from scratch.

I disabled/aborted all migrations from NS7 and reinstalled the module on NS7:

sudo yum remove nethserver-ns8-migration
REBOOT
sudo yum install nethserver-ns8-migration

Installation of NS8 and modification of SSH port and sshd_config
I installed the NS8 from qcow2 and made the basic things (admin, LDAP, …).
I also changed the SSH port from 22 to another and disabled password login in sshd_config:

firewall-cmd --permanent --add-forward-port=port=MYPORT:proto=tcp:toport=22
firewall-cmd --permanent --service=ssh --add-port=MYPORT/tcp
firewall-cmd --permanent --service=ssh --remove-port=22/tcp
firewall-cmd --reload
# diff /etc/ssh/sshd_config  /etc/ssh/sshd_config.orig
40c40
< PermitRootLogin prohibit-password
---
> #PermitRootLogin prohibit-password
65,66c65,66
< PasswordAuthentication no
< PermitEmptyPasswords yes
---
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
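Review bot: in the 65,66c65,66 hunk the live config sets `PermitEmptyPasswords yes`, the reverse of the commented `#PermitEmptyPasswords no` in the .orig file. With `PasswordAuthentication no` on the line above it has no effect today, but it would permit logins to accounts with empty passwords as soon as password authentication is switched back on. Set it to `PermitEmptyPasswords no` or leave the line commented.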
69c69
< KbdInteractiveAuthentication no
---
> #KbdInteractiveAuthentication yes
96c96
< UsePAM no
---
> #UsePAM no
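Review bot: in the 96c96 hunk, `UsePAM no` also switches off PAM account and session processing for key-based logins, not only PAM authentication. The 65,66 and 69 hunks already set `PasswordAuthentication no` and `KbdInteractiveAuthentication no`, which is what enforces key-only login, so this line could stay commented as in the .orig file.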

ERROR
Then I opened up the migration app in the webgui of NS7:

  • LDAP user domain: exact same like on NS7 (this is prefilled)
  • NS8 leader node [1]: IP of NS8
  • NS8 admin username [2]: name of admin (LDAP) / Builtin administrator user
  • NS8 admin password: hence the PW of admin
  • TLS validation: NOT Checked

Some remarks, which also bothered me the first time:
[1] “NS8 leader node” is VERY confusing and could force users to fill in the FQDN (node1.yourserver.com). Why not name it like it should be: “IP of NS8-installation”?
[2] “NS8 admin username” is misleading: which “admin” exactly? Confusion. You have to read the documentation and also there it is not 100% clear. Why not name it, like it should be “Builtin administrator user (LDAP)”?

When trying to connect from NS7 I get the following errors:

  • “Error connecting to NS8: ns8-join: error: the following arguments are required: user_domain”
  • “Enter a unique domain name for OpenLDAP migration within the NS8 cluster.”

I know, this worked. What am I doing wrong?

Do I have to create the domain “user_domain” in the first run on NS8? I cannot remember that I did this the last time.

I also tested the FQDN, included and also not included a leading “ldapservice.”. I also tried other domain names. This should be an internal domain, right (I used to have something like “myserver.int” on NS7).

Any help appreciated
Cheers Axel

On NS7 you don’t need sudo.
To revert the NS7 to the state before migration, you need to go through the steps in nethserver-ns8-migration — NethServer 7 documentation
I don’t know if it’s needed to start over the migration.

The LDAP user domain is there to change the LDAP to a new name, see also NethServer 7 migration — NS8 documentation and Rename of directory.nh for multiple migrations · Issue #7103 · NethServer/dev · GitHub
If you don’t change the name it will be directory.nh which was the default in NS7.

It’s possible to use the FQDN or the IP.

It’s about the NS8 cluster admin, see also Cluster management — NS8 documentation
The NS8 to migrate to should be fresh installed without any user domain, see also NethServer 7 migration — NS8 documentation

As explained above, please use a new name or delete the user domain on NS8 if it’s already there.

Hi Markus,

thanks for the quick reply !

The LDAP user domain is there to change the LDAP to a new name, see also NethServer 7 migration — NS8 documentation and Rename of directory.nh for multiple migrations · Issue #7103 · NethServer/dev · GitHub
If you don’t change the name it will be directory.nh which was the default in NS7.

Changed it.

It’s about the NS8 cluster admin, see also Cluster management — NS8 documentation
The NS8 to migrate to should be fresh installed without any user domain, see also NethServer 7 migration — NS8 documentation

Then we should name it like so, I think.

When I use the cluster admins account (Settings → Cluster admins), I get the error:

  • "Error connecting to NS8: Access denied. Please verify your credentials. "

I have to say: these are the exact same credentials I used in the former installation, they only contain “-” “#” and “_” for special characters (since I had problems). The pass had 64 digits.

To revert the NS7 to the state before migration, you need to go through the steps in nethserver-ns8-migration — NethServer 7 documentation

I am testing this now …

best regards, Axel

You could try to change the password for the cluster admin to a simple one without special chars on NS8.

You could try to change the password for the cluster admin to a simple one without special chars on NS8.

NS8 requires special chars for the cluster admin password.
Tried to change to 24 chars, no luck.

Log on NS7 says:

=========== Join cluster Fri, 21 Feb 2025 18:16:48 +0100
ns8-join: HTTP Error 401: Unauthorized

On

Please try something like My-pass1 just to exclude special char issues.

Unfortunately:

  • Error connecting to NS8: Access denied. Please verify your credentials.

Also verified: there had not been created an additional domain yet.

I am using this admin:

I am using 2FA for the cluster admin. Could this be a problem?

Yes, please try to disable it.
Another way is to create another cluster admin without 2FA.

OK folks, that’s it, let’s sum up:

  1. You MUST not have “2FA” enabled when joining NS7 and NS8 for initial migration. If you have only one cloud admin, you can temporarily create another cloud admin without 2FA for the migration.
  2. You can use IP or FQDN for the leader node.
  3. You have to use the cluster admin.
  4. If you like to have a new LDAP domain name, you should alter the old one, which is prefilled in the WebGUI.
  5. Passwords with 64 chars are OK (be careful with special chars: “|” you must not use).
  6. It seems not to be necessary to clean up the migration, as Markus linked to above. If so, then I will report.

Thanks a lot @mrmarkuz, I hope this helps others.
Cheers, Axel