Hey,
what are the actual error messages in /var/log/univention/connector-s4.log
for those entries?
Kind regards,
mosu
tail -f /var/log/univention/connector-s4.log
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 326, in delete_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
result = func(*args,**kwargs)
NOT_ALLOWED_ON_NONLEAF: {'info': '00002015: subtree_delete: Unable to delete a non-leaf node (it has 27 children)!', 'desc': 'Operation not allowed on non-leaf'}
29.03.2018 12:19:15,873 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1522319929.837764
29.03.2018 12:19:15,881 LDAP (PROCESS): sync from ucs: [ dns] [ delete] DC=@,DC=ccm.local,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
29.03.2018 12:19:15,901 LDAP (WARNING): sync failed, saved as rejected
Hey,
wow, that looks like your whole DNS structure has been removed on one side. Please post the output of the following:
univention-ldapsearch -b zoneName=$(ucr get domainname),cn=dns,$(ucr get ldap/base) dn|ldapsearch-wrapper
univention-s4search --cross-ncs dc=@ dn
Kind regards,
mosu
Yes… I’m trying to solve the kerberos critical issue like in this post (Critical: Check kerberos authenticated DNS update (on DC Master))
First command
# extended LDIF
#
# LDAPv3
# base <zoneName=ccm.local,cn=dns,dc=ccm,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: dn
#
# ccm.local, dns, ccm.local
dn: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# CCMDC01, ccm.local, dns, ccm.local
dn: relativeDomainName=CCMDC01,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# feldc01, ccm.local, dns, ccm.local
dn: relativeDomainName=feldc01,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _gc._tcp, ccm.local, dns, ccm.local
dn: relativeDomainName=_gc._tcp,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# gc._msdcs, ccm.local, dns, ccm.local
dn: relativeDomainName=gc._msdcs,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _kpasswd._tcp, ccm.local, dns, ccm.local
dn: relativeDomainName=_kpasswd._tcp,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _kpasswd._udp, ccm.local, dns, ccm.local
dn: relativeDomainName=_kpasswd._udp,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _kerberos._tcp, ccm.local, dns, ccm.local
dn: relativeDomainName=_kerberos._tcp,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _kerberos._udp, ccm.local, dns, ccm.local
dn: relativeDomainName=_kerberos._udp,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# DomainDnsZones, ccm.local, dns, ccm.local
dn: relativeDomainName=DomainDnsZones,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# ForestDnsZones, ccm.local, dns, ccm.local
dn: relativeDomainName=ForestDnsZones,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp.dc._msdcs, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp.dc._msdcs,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp.gc._msdcs, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp.gc._msdcs,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _kerberos._tcp.dc._msdcs, ccm.local, dns, ccm.local
dn: relativeDomainName=_kerberos._tcp.dc._msdcs,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp.DomainDnsZones, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp.DomainDnsZones,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp.ForestDnsZones, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp.ForestDnsZones,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _gc._tcp.Default-First-Site-Name._sites, ccm.local, dns, ccm.local
dn: relativeDomainName=_gc._tcp.Default-First-Site-Name._sites,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp.Default-First-Site-Name._sites, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp.Default-First-Site-Name._sites,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# 5150540b-6efc-4159-abb7-f4452288f2e2._msdcs, ccm.local, dns, ccm.local
dn: relativeDomainName=5150540b-6efc-4159-abb7-f4452288f2e2._msdcs,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _kerberos._tcp.Default-First-Site-Name._sites, ccm.local, dns, ccm.local
dn: relativeDomainName=_kerberos._tcp.Default-First-Site-Name._sites,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs, ccm.local, dns, ccm.local
dn: relativeDomainName=_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# _ldap._tcp.17435187-b154-4c14-a46f-69ab309d1823.domains._msdcs, ccm.local, dns, ccm.local
dn: relativeDomainName=_ldap._tcp.17435187-b154-4c14-a46f-69ab309d1823.domains._msdcs,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
# search result
search: 3
result: 0 Success
# numResponses: 28
# numEntries: 27
Second
univention-s4search --cross-ncs dc=@ dn
# record 1
dn: DC=@,DC=ccm.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ccm,DC=local
# record 2
dn: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ccm,DC=local
# record 3
dn: DC=@,DC=_msdcs.ccm.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ccm,DC=local
# record 4
dn: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# record 5
dn: DC=@,DC=motasc.gogest.pt,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# record 6
dn: DC=@,DC=esxi.local,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# record 7
dn: DC=@,DC=vcenter6.esxi.local,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# record 8
dn: DC=@,DC=120.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# record 9
dn: DC=@,DC=100.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# record 10
dn: DC=@,DC=unifi.int.mota-sc.com,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# returned 10 records
# 10 entries
# 0 referrals
In the system diagnostic right now, besides the samba replication and rejects, I have a kerberos critical warning:
Errors occured while running `kinit` or `nsupdate`.
`nsupdate` check for domain ccm.local failed (CCMDC01.ccm.local).
`nsupdate` check for domain ccm.local failed (CCMDC01).
Hey,
I’m not too sure about what to do about this. The situation looks like this:
cmm.local beneath the CN=System sub-tree. That one has been removed. Now the connector tries to remove the domain on the OpenLDAP side, too. This is evident from the output of univention-s4connector-list-rejected and the univention-s4search you did.
univention-ldapsearch you ran. In fact, those entries must not be removed from the OpenLDAP side, otherwise all your DNS entries will be gone.
ccm.local does still exist, albeit under the DC=DomainDnsZones sub-tree — and that’s the location I would have expected the domain to reside under in the first place.
Based on those facts I would probably remove those S4 connector rejects (not the LDAP entries — only the reject files!).
However, before you do that: you said that you have a second DC, running Samba4, too? Can you please post the output of univention-s4search --cross-ncs dc=@ dn from that second DC?
How was the setup created in the first place? By an AD takeover per chance?
Afterwards we can tackle the Kerberos problem.
Here is the result of the command on the second DC, which is a DC in another site:
FELDC01:~# univention-s4search --cross-ncs dc=@ dn
# record 1
dn: DC=@,DC=ccm.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ccm,DC=local
# record 2
dn: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ccm,DC=local
# record 3
dn: DC=@,DC=_msdcs.ccm.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ccm,DC=local
# record 4
dn: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# record 5
dn: DC=@,DC=esxi.local,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# record 6
dn: DC=@,DC=vcenter6.esxi.local,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# record 7
dn: DC=@,DC=120.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# record 8
dn: DC=@,DC=100.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=ccm,DC=local
# returned 8 records
# 8 entries
# 0 referrals
Yes, the first DC was created almost 3 years ago with an AD takeover of a Windows Server 2003.
Hey,
it’s possible that the entries for ccm.local beneath CN=System were due to that AD takeover. I think I’d go ahead with the removal of the reject files in this case.
You do have up-to-date backups from the DC, right?
Kind regards,
mosu
Yes I have… but the domain from the AD takeover is the same as before… CCM, it never was CMM.
Just to clarify…
The main DC is a VM and I have daily snapshots. If possible I would like to restore the DNS files and not the whole VM.
Yeah, cmm was a typo on my end. Sorry about that. I always meant to talk about ccm(.local).
I don’t know how to do it… right now I’m having issues that I didn’t have before… I can’t log in to the intranet (my guess is that it’s because of AD/DNS issues).
Can anyone indicate the files where the DNS entries are stored on the Samba side… because on the LDAP side they appear to be OK.
Hey,
I’ve posted a link above to a support article where removing those rejects is explained.
Kind regards,
mosu
But won’t removing the rejects destroy the DNS structure even more?
It is my understanding that for some reason the DNS entries disappeared from Samba but should stay there… if I remove the rejects, that will not interfere with the LDAP DNS?
Hey,
you’re only removing the reject files which tell the S4 connector to re-try applying those modifications. You’re not removing the LDAP objects themselves.
Kind regards,
mosu
But my rejects are from ldap… or not?
/var/log/univention# univention-s4connector-list-rejected
UCS rejected
1: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.525067
2: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.563395
3: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.575114
4: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.623042
5: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.644692
6: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.656966
7: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.707915
8: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.729991
9: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.742196
10: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.790098
11: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.837764
S4 rejected
last synced USN: 278132
Hey,
again, the article I’ve linked to tells you how to remove UCS rejects. Only the files where the intended modifications are stored in are removed, not the objects they’re supposed to be applied to.
m.
Now I have the following:
Found 1 UCS rejects and 0 S4 rejects. See Univention Support Database - How to deal with s4-connector rejects for more information.
UCS rejected:
UCS DN: ;unknown, S4 DN: not found, Filename: /var/lib/univention-connector/s4/.1522319929.525067.swp
Hey,
well, don’t use vim in that directory… Exit vim, and the swap file should vanish.
m.
I don’t use vim… I use nano, and nothing is open…
That’s a swap file that’s usually created by vim. If you don’t use vim, maybe someone else does. If no one has vim open on the machine and the file still exists, remove it.
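As an added example (not part of this thread and not Univention's own tooling), a small Python parser for the univention-s4connector-list-rejected listing posted above that classifies each reject before any file is removed: it flags rejects whose UCS DN is a whole zoneName= container mapped to the vanished cn=system sub-tree (replaying those would drop the entire zone on the OpenLDAP side), and separates a stray editor swap file like the .swp entry reported later from real rejects. The sample listing is constructed in the record layout shown in the thread; the exact way the tool would print a swap-file entry is an assumption.

```python
import os
import re

# Constructed sample in the record format `univention-s4connector-list-rejected`
# prints in this thread; record 3 mimics the stray swap file (assumed layout).
SAMPLE_LISTING = """\
UCS rejected
1: UCS DN: zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=@,dc=ccm.local,cn=microsoftdns,cn=system,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.525067
2: UCS DN: relativeDomainName=feldc01,zoneName=ccm.local,cn=dns,dc=ccm,dc=local
S4 DN: dc=feldc01,dc=ccm.local,cn=microsoftdns,dc=domaindnszones,DC=ccm,DC=local
Filename: /var/lib/univention-connector/s4/1522319929.563395
3: UCS DN: ;unknown
S4 DN: not found
Filename: /var/lib/univention-connector/s4/.1522319929.525067.swp
S4 rejected
last synced USN: 278132
"""

RECORD_RE = re.compile(r"^\s*\d+: UCS DN: (.*)$")

def parse_rejects(listing):
    """Return the UCS rejects as dicts with ucs_dn, s4_dn and filename."""
    rejects, current = [], None
    for line in listing.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = {"ucs_dn": m.group(1).strip()}
            rejects.append(current)
        elif current and line.strip().startswith("S4 DN:"):
            current["s4_dn"] = line.split(":", 1)[1].strip()
        elif current and line.strip().startswith("Filename:"):
            current["filename"] = line.split(":", 1)[1].strip()
            current = None  # record complete
        elif line.startswith("S4 rejected"):
            break  # only the UCS side is parsed here
    return rejects

def classify(reject):
    """Say what replaying this reject would do, before any file is deleted."""
    name = os.path.basename(reject["filename"])
    if name.startswith(".") and name.endswith(".swp"):
        return "editor-swap-file"  # stale vim swap file, not a reject
    ucs = [p.strip().lower() for p in reject["ucs_dn"].split(",")]
    s4 = [p.strip().lower() for p in reject["s4_dn"].split(",")]
    if ucs[0].startswith("zonename=") and "cn=system" in s4:
        return "zone-delete"  # would remove the whole zone on the OpenLDAP side
    return "review"
```

Run it against the real listing on a DC by piping the tool's output into parse_rejects; anything classed as zone-delete is a reject file to drop rather than replay, and anything classed as editor-swap-file is not a reject at all.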