Unable to Join Nethserver to another Nethserver AD: invalid credentials to join domain

I have installed and set up Samba AD on a NethServer VM, defined all parameters, and AD is running fine.
On a second computer, I connected to the first computer via an IPsec tunnel.

I am, however, unable to join the AD of the first NethServer from the second NethServer instance:
invalid credentials to join domain

This is the error I am getting.

Sometimes it acts as if it is joining correctly, then shows this error.

Here is the output:

[root@my ~]#  echo '{"action":"remote-ad","AdRealm":"ad.example.org","AdDns":"10.44.11.11","AdUsername":"ldapservice@AD.EXAMPLE.ORG","AdPassword":"oE9OiXEXEJiXfL_X"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-accounts-provider/update | jq
{
  "steps": 3,
  "pid": 31999,
  "args": "",
  "event": "nethserver-sssd-leave"
}
{
  "step": 1,
  "pid": 31999,
  "action": "S01nethserver-sssd-leave",
  "event": "nethserver-sssd-leave",
  "state": "running"
}
{
  "progress": "0.33",
  "time": "0.061486",
  "exit": 0,
  "event": "nethserver-sssd-leave",
  "state": "done",
  "step": 1,
  "pid": 31999,
  "action": "S01nethserver-sssd-leave"
}
{
  "step": 2,
  "pid": 31999,
  "action": "S02nethserver-sssd-cleanup",
  "event": "nethserver-sssd-leave",
  "state": "running"
}
{
  "progress": "0.67",
  "time": "0.009345",
  "exit": 0,
  "event": "nethserver-sssd-leave",
  "state": "done",
  "step": 2,
  "pid": 31999,
  "action": "S02nethserver-sssd-cleanup"
}
{
  "step": 3,
  "pid": 31999,
  "action": "S05generic_template_expand",
  "event": "nethserver-sssd-leave",
  "state": "running"
}
{
  "progress": "1.00",
  "time": "0.093989",
  "exit": 0,
  "event": "nethserver-sssd-leave",
  "state": "done",
  "step": 3,
  "pid": 31999,
  "action": "S05generic_template_expand"
}
{
  "pid": 31999,
  "status": "success",
  "event": "nethserver-sssd-leave"
}
{
  "steps": 3,
  "pid": 32034,
  "args": "",
  "event": "nethserver-dnsmasq-save"
}
{
  "step": 1,
  "pid": 32034,
  "action": "S02nethserver-dnsmasq-adjustdb",
  "event": "nethserver-dnsmasq-save",
  "state": "running"
}
{
  "progress": "0.33",
  "time": "0.063266",
  "exit": 0,
  "event": "nethserver-dnsmasq-save",
  "state": "done",
  "step": 1,
  "pid": 32034,
  "action": "S02nethserver-dnsmasq-adjustdb"
}
{
  "step": 2,
  "pid": 32034,
  "action": "S05generic_template_expand",
  "event": "nethserver-dnsmasq-save",
  "state": "running"
}
{
  "progress": "0.67",
  "time": "0.109924",
  "exit": 0,
  "event": "nethserver-dnsmasq-save",
  "state": "done",
  "step": 2,
  "pid": 32034,
  "action": "S05generic_template_expand"
}
{
  "step": 3,
  "pid": 32034,
  "action": "S90adjust-services",
  "event": "nethserver-dnsmasq-save",
  "state": "running"
}
{
  "progress": "1.00",
  "time": "0.167344",
  "exit": 0,
  "event": "nethserver-dnsmasq-save",
  "state": "done",
  "step": 3,
  "pid": 32034,
  "action": "S90adjust-services"
}
{
  "pid": 32034,
  "status": "success",
  "event": "nethserver-dnsmasq-save"
}
{
  "type": "EventFailed",
  "id": 1647146290,
  "message": " * Resolving: _ldap._tcp.ad.example.org\n"
}

Stupid question, but on the second NethServer can you resolve the AD container on the first NethServer?

Meaning?
If you mean whether the second NethServer is able to see the first one, yes it can, until it gets to the section asking for the password.

Sorry, I mean if you ping the address for the AD container, or ad.yourdomain.tld, or nsdc-host.ad.domain.tld.

The two servers are able to ping each other very well.

OK, so resolution is not the issue. I'll spin up a NethServer image on Proxmox and see if I can replicate the issue, or at least compare notes between both and figure out the issue.

OK, that's installing; I'll let you know when it's up... OK, done. I'll try to join this one as a secondary and see if I get the same issue. And yes, same issue. I'll debug and give you an answer.


You must NOT use LDAPservice@ to connect, as LDAPservice is read-only.
You MUST use admin@ from your AD server!

My 2 cents
Andy


Thanks, Andy.

I set up a password for the administrator user and used that one.

I think the reason it failed the previous time is because I was using

administrator@domain.tld (did not work)

instead of

administrator@ad.domain.tld (worked)
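The two mistakes surfaced in this thread (a realm in the username that does not match AdRealm, and the read-only LDAPservice bind account being used for the join) can both be caught before the payload is piped into the API. The following pre-flight checker is an added example, not code from the original post or from NethServer; the payloads it inspects are constructed, the password is a placeholder, and the name of the read-only bind account is an assumption taken from Andy's reply. It also derives the `_ldap._tcp.<realm>` SRV name that appears in the EventFailed message, so you know exactly what to query with `dig` over the tunnel.

```python
"""Pre-flight checks for a NethServer 'remote-ad' join payload.

Added example; not part of the original thread or of NethServer's own code.
Run it on the JSON you are about to pipe into
/usr/libexec/nethserver/api/system-accounts-provider/update.
"""
import ipaddress
import json
from typing import Dict, List

# Assumption: the default read-only bind account is named "ldapservice".
READ_ONLY_BIND_USERS = {"ldapservice"}


def srv_name(realm: str) -> str:
    """SRV record the join step resolves (the one named in the EventFailed message)."""
    return "_ldap._tcp." + realm.rstrip(".").lower()


def dig_command(payload: Dict[str, str]) -> str:
    """Command to run on the joining host to confirm the AD DNS answers over the tunnel."""
    return "dig @{} SRV {}".format(payload["AdDns"], srv_name(payload["AdRealm"]))


def check_remote_ad_payload(payload: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the payload looks sane."""
    problems = []
    for key in ("AdRealm", "AdDns", "AdUsername", "AdPassword"):
        if not payload.get(key):
            problems.append("missing " + key)
    if problems:
        return problems

    realm = payload["AdRealm"].rstrip(".").lower()
    user, sep, user_realm = payload["AdUsername"].partition("@")

    # administrator@domain.tld fails; the realm after '@' must be the AD realm itself.
    if not sep:
        problems.append("AdUsername must be user@REALM")
    elif user_realm.rstrip(".").lower() != realm:
        problems.append("realm mismatch: user realm {!r} != AdRealm {!r}".format(user_realm, realm))

    # The bind account is read-only; a machine join needs a domain admin.
    if user.lower() in READ_ONLY_BIND_USERS:
        problems.append(user + " is the read-only bind account; use a domain admin")

    # AdDns is the AD DNS server reached over the tunnel; it must be an IP literal.
    try:
        ipaddress.ip_address(payload["AdDns"])
    except ValueError:
        problems.append("AdDns {!r} is not an IP literal".format(payload["AdDns"]))
    return problems


# Constructed payloads mirroring the thread (placeholder password).
BIND_USER = {"action": "remote-ad", "AdRealm": "ad.example.org", "AdDns": "10.44.11.11",
             "AdUsername": "ldapservice@AD.EXAMPLE.ORG", "AdPassword": "changeme"}
WRONG_REALM = dict(BIND_USER, AdUsername="administrator@example.org")
GOOD = dict(BIND_USER, AdUsername="administrator@ad.example.org")


if __name__ == "__main__":
    for label, payload in (("bind user", BIND_USER), ("wrong realm", WRONG_REALM), ("good", GOOD)):
        print(label, "->", check_remote_ad_payload(payload) or "OK")
    print("check DNS with:", dig_command(GOOD))
    print(json.dumps(GOOD))
```

Only when the checker returns no problems and the `dig` query answers with the domain controller's SRV record is it worth piping the payload into the API; a "Resolving: _ldap._tcp..." failure after that point is then a credential or Kerberos problem rather than a DNS one.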

I NEVER activate the administrator user, only the admin user.

Security reasons, as administrator is the “standard” for Windows.

My thinking is this.
The bind user password should not be changed, and since the admin user is used by almost all the other tools in NethServer (Nextcloud, WebTop, etc.), I thought that's the one that would be used for those kinds of things, while the administrator account is set up with a hard and complex password, not to be used anywhere.

In Nextcloud it's you who sets who has admin permission from the AD; this does NOT have to be "admin".

The local admin user of NC is the only user which has admin permissions by default.