Hey,
I’m not too sure about what to do about this. The situation looks like this:
- On the S4 side there used to be a domain `cmm.local` beneath the `CN=System` sub-tree. That one has been removed. Now the connector tries to remove the domain on the OpenLDAP side, too. This is evident from the output of `univention-s4connector-list-rejected` and the `univention-s4search` you did.
- On the OpenLDAP side the domain entry itself still contains children and can therefore not be removed. That’s evident from the log file and the `univention-ldapsearch` you ran. In fact, those entries must not be removed from the OpenLDAP side, otherwise all your DNS entries will be gone.
- Now it gets interesting: on the S4 side the domain `ccm.local` does still exist, albeit under the `DC=DomainDnsZones` sub-tree — and that’s the location I would have expected the domain to reside under in the first place.
Based on those facts I would probably remove those S4 connector rejects (not the LDAP entries — only the reject files!).
However, before you do that: you said that you have a second DC, running Samba4, too? Can you please post the output of `univention-s4search --cross-ncs dc=@ dn` from that second DC?
How was the setup created in the first place? By an AD takeover perchance?
Afterwards we can tackle the Kerberos problem.