AD sync with NAS fails after update to UCS 4.1.2


#1

Since the update to UCS 4.1.2, synchronization of the AD data between UCS and my ReadyNAS 516 no longer works. In the log I see the following:

[code]
[16-05-23 13:32:01] 3031 rndb_account.c:2374 error: ******************ADS Import Starts*********************.
[16-05-23 13:32:01] 3031 rndb_ads_utils.c:152 info: ADS CMD::get domain sid: net getdomainsid
[16-05-23 13:32:01] 3031 rndb_ads_utils.c:574 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[16-05-23 13:32:01] 3031 rndb_account.c:1262 info: 44 domain group found
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Pre-Windows 2000 Compatible Access sid=S-1-5-32-554 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Windows Authorization Access Group sid=S-1-5-32-560 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Certificate Service DCOM Access sid=S-1-5-32-574 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Network Configuration Operators sid=S-1-5-32-556 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Terminal Server License Servers sid=S-1-5-32-561 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Incoming Forest Trust Builders sid=S-1-5-32-557 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Performance Monitor Users sid=S-1-5-32-558 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Cryptographic Operators sid=S-1-5-32-569 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Distributed COM Users sid=S-1-5-32-562 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Performance Log Users sid=S-1-5-32-559 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Remote Desktop Users sid=S-1-5-32-555 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Account Operators sid=S-1-5-32-548 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Event Log Readers sid=S-1-5-32-573 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Backup Operators sid=S-1-5-32-551 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Server Operators sid=S-1-5-32-549 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Printer-Admins sid=S-1-5-32-550 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Administrators sid=S-1-5-32-544 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:02] 3031 rndb_account.c:1299 debug: sAMAccountName=Replicator sid=S-1-5-32-552 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:02] 3031 rndb_account.c:1299 debug: sAMAccountName=IIS_IUSRS sid=S-1-5-32-568 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:02] 3031 rndb_account.c:1299 debug: sAMAccountName=Guests sid=S-1-5-32-546 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:02] 3031 rndb_account.c:1299 debug: sAMAccountName=Users sid=S-1-5-32-545 is not domain object. domain sid is S-1-5-21-1210389088-1291126767-1298570957
[16-05-23 13:32:02] 3031 rndb_account.c:1398 info: 44/44 groups imported in 394ms.
[16-05-23 13:32:02] 3031 rndb_ads_utils.c:574 info: ADS CMD::ldap search open: LANG=C net -P ads search \(\&\(objectClass=user\)\(\!\(sAMAccountType=805306369\)\)\(\!\(sAMAccountType=805306370\)\)\) sAMAccountName objectSid distinguishedName mail primaryGroupID memberOf cn
[16-05-23 13:32:02] 3031 rndb_account.c:963 info: 10 domain user found
[16-05-23 13:32:02] 3031 rndb_account.c:1204 info: 10/10 users imported in 463ms.
[16-05-23 13:32:02] 3031 rndb_account.c:2262 error: Error. Fail to insert $home_folder/$user/$group/$group_has_user
[16-05-23 13:32:02] 3031 rndb_account.c:2405 error: rndb_ads_account_import() ==> 3 (917ms)
[16-05-23 13:32:02] 3031 rndb_api.c:956 error: rndb_import_nolock() ==> 3 (917ms)
[/code]

The problem appears to be in the third-to-last line:

[16-05-23 13:32:02] 3031 rndb_account.c:2262 error: Error. Fail to insert $home_folder/$user/$group/$group_has_user

Something seems to have changed here between 4.1-1 and 4.1-2 in how the parameters are passed, but unfortunately I have no idea how I could debug this or give the NAS developers at NETGEAR a hint as to how the problem can be fixed.

Maybe someone here has some advice.
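
One way to triage the log above, as an added example that is not part of the original post: it splits the run-together log into entries, sets aside the start banner that is logged at `error` level, classifies the `is not domain object` debug lines (BUILTIN aliases live under S-1-5-32 and never share the domain SID), and separates the first real failure from the return codes that merely propagate it. The sample log is a constructed excerpt in the same format, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened excerpt in the format of the log quoted in the post,
# run together and broken mid-entry the way the forum rendered it.
DOMAIN_SID = "S-1-5-21-1210389088-1291126767-1298570957"
SAMPLE_LOG = (
    "[16-05-23 13:32:01] 3031 rndb_account.c:2374 error: ******ADS Import Starts******. "
    "[16-05-23 13:32:01] 3031 rndb_account.c:1299 debug: sAMAccountName=Backup Operators "
    f"sid=S-1-5-32-551 is not domain object. \ndomain sid is {DOMAIN_SID} "
    "[16-05-23 13:32:02] 3031 rndb_account.c:1204 info: 10/10 users imported in 463ms. "
    "[16-05-23 13:32:02] 3031 rndb_account.c:2262 error: Error. Fail to insert "
    "$home_folder/$user/$group/$group_has_user "
    "[16-05-23 13:32:02] 3031 rndb_account.c:2405 error: "
    "rndb_ads_account_import() ==> 3 (917ms) "
    "[16-05-23 13:32:02] 3031 rndb_api.c:956 error: rndb_import_nolock() ==> 3 (917ms)"
)

STAMP = r"\[\d\d-\d\d-\d\d \d\d:\d\d:\d\d\]"
ENTRY = re.compile(
    rf"{STAMP} \d+ (?P<src>[\w.]+):(?P<line>\d+) (?P<level>\w+): "
    rf"(?P<msg>.*?)(?=\s*{STAMP}|\s*\Z)", re.S)
SKIPPED = re.compile(
    r"sAMAccountName=(?P<name>.+?) sid=(?P<sid>S-[\d-]+) is not domain object\. "
    r"domain sid is (?P<dom>S-[\d-]+)")
RETURN = re.compile(r"(?P<fn>\w+)\(\) ==> (?P<rc>\d+)")

def parse(log):
    """Split a run-together log into one dict per timestamped entry."""
    return [{**m.groupdict(), "msg": " ".join(m["msg"].split())}
            for m in ENTRY.finditer(log)]

def in_domain(sid, domain_sid):
    """A domain object's SID is the domain SID followed by exactly one RID."""
    head, _, rid = sid.rpartition("-")
    return head == domain_sid and rid.isdigit()

def triage(log):
    """Return (skipped objects, first real error entry, propagated return codes)."""
    skipped, first, propagated = [], None, []
    for e in parse(log):
        skip, ret = SKIPPED.search(e["msg"]), RETURN.search(e["msg"])
        if skip:
            kind = ("inconsistent" if in_domain(skip["sid"], skip["dom"])
                    else "builtin" if skip["sid"].startswith("S-1-5-32-") else "foreign")
            skipped.append((skip["name"], skip["sid"], kind))
        elif e["level"] != "error" or e["msg"].startswith("*"):
            continue  # info lines and the start banner are not failures
        elif ret:
            propagated.append((ret["fn"], int(ret["rc"])))
        elif first is None:
            first = e
    return skipped, first, propagated

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
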


#2

Hi,

could you run the following command on the UCS DC Master and post the output?

univention-s4search '(&(objectClass=user)(!(sAMAccountType=805306369))(!(sAMAccountType=805306370)))'

You are also not the first to have this problem, including outside of UCS. Unfortunately, the post there contains no further information.

Regards,
mosu


#3

Here you go:

[code]
# record 1
dn: CN=dns-who-ucs-01,CN=Users,DC=redacted,DC=private
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: dns-who-ucs-01
instanceType: 4
whenCreated: 20150726100954.0Z
uSNCreated: 3813
name: dns-who-ucs-01
objectGUID: c7835cdb-5fea-48f3-9890-80e4c63ea203
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1210389088-1291126767-1298570957-1110
logonCount: 0
sAMAccountName: dns-who-ucs-01
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=private
pwdLastSet: 130823789940000000
userAccountControl: 66048
servicePrincipalName: DNS/who-ucs-01.redacted.private
displayName: none
sn: none
whenChanged: 20150726101005.0Z
userPrincipalName: dns-who-ucs-01@REDACTED.PRIVATE
accountExpires: 9223372036854775807
uSNChanged: 3820
distinguishedName: CN=dns-who-ucs-01,CN=Users,DC=redacted,DC=private

# record 2
dn: CN=Administrator,CN=Users,DC=redacted,DC=private
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20150726100744.0Z
uSNCreated: 3547
name: Administrator
objectGUID: 11a4e835-add7-4c87-8327-95790c75908f
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
objectSid: S-1-5-21-1210389088-1291126767-1298570957-500
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=private
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=redacted,DC=private
memberOf: CN=Group Policy Creator Owners,CN=Groups,DC=redacted,DC=private
memberOf: CN=Enterprise Admins,CN=Groups,DC=redacted,DC=private
memberOf: CN=Schema Admins,CN=Groups,DC=redacted,DC=private
memberOf: CN=Domain Users,CN=Groups,DC=redacted,DC=private
memberOf: CN=DC Backup Hosts,CN=Groups,DC=redacted,DC=private
userPrincipalName: Administrator@REDACTED.PRIVATE
pwdLastSet: 130823787400000000
displayName: Administrator
sn: Administrator
primaryGroupID: 512
lastLogonTimestamp: 131084751678425230
whenChanged: 20160523110607.0Z
uSNChanged: 16950
lastLogon: 131084752146136570
distinguishedName: CN=Administrator,CN=Users,DC=redacted,DC=private

# record 3
dn: CN=join-backup,CN=Users,DC=redacted,DC=private
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: join-backup
sn: Joinuser
instanceType: 4
whenCreated: 20150726100938.0Z
whenChanged: 20150726100938.0Z
displayName: Joinuser
uSNCreated: 3758
name: join-backup
objectGUID: bdb4edfb-7d37-4b37-8dc8-64dbb873f147
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 1106
objectSid: S-1-5-21-1210389088-1291126767-1298570957-1108
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: join-backup
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=private
userAccountControl: 512
userPrincipalName: join-backup@REDACTED.PRIVATE
pwdLastSet: 130823787540000000
uSNChanged: 3760
memberOf: CN=DC Backup Hosts,CN=Groups,DC=redacted,DC=private
memberOf: CN=DC Slave Hosts,CN=Groups,DC=redacted,DC=private
memberOf: CN=Slave Join,CN=Groups,DC=redacted,DC=private
distinguishedName: CN=join-backup,CN=Users,DC=redacted,DC=private

# record 4
dn: CN=join-slave,CN=Users,DC=redacted,DC=private
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: join-slave
sn: Joinuser
instanceType: 4
whenCreated: 20150726100938.0Z
whenChanged: 20150726100938.0Z
displayName: Joinuser
uSNCreated: 3764
name: join-slave
objectGUID: e3adbc89-a403-4a46-b551-69575ead022b
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 1107
objectSid: S-1-5-21-1210389088-1291126767-1298570957-1109
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: join-slave
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=private
userAccountControl: 512
userPrincipalName: join-slave@REDACTED.PRIVATE
pwdLastSet: 130823787540000000
uSNChanged: 3766
memberOf: CN=DC Slave Hosts,CN=Groups,DC=redacted,DC=private
distinguishedName: CN=join-slave,CN=Users,DC=redacted,DC=private

# record 5
dn: CN=krbtgt,CN=Users,DC=redacted,DC=private
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: krbtgt
description: Key Distribution Center Service Account
instanceType: 4
whenCreated: 20150726100744.0Z
uSNCreated: 3549
showInAdvancedViewOnly: TRUE
name: krbtgt
objectGUID: dda79c08-f2a8-4a5b-8908-8c15c30ecb05
userAccountControl: 514
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130823788640000000
primaryGroupID: 513
objectSid: S-1-5-21-1210389088-1291126767-1298570957-502
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: krbtgt
sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=private
isCriticalSystemObject: TRUE
memberOf: CN=Denied RODC Password Replication Group,CN=Groups,DC=whocares,DC=h
ome
displayName: none
sn: none
whenChanged: 20150726100946.0Z
userPrincipalName: krbtgt@REDACTED.PRIVATE
uSNChanged: 3812
distinguishedName: CN=krbtgt,CN=Users,DC=redacted,DC=private

# record 6
dn: CN=sandra,CN=Users,DC=redacted,DC=private
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sandra
sn: Rubner
givenName: Sandra
instanceType: 4
whenCreated: 20150726113254.0Z
displayName: Sandra Rubner
uSNCreated: 3878
name: sandra
objectGUID: 4aee11e4-3ad5-407a-b184-4c8424bee1cb
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1210389088-1291126767-1298570957-1113
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: sandra
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=private
userAccountControl: 512
userPrincipalName: sandra@REDACTED.PRIVATE
lockoutTime: 0
memberOf: CN=Family,CN=Groups,DC=redacted,DC=private
pwdLastSet: 130995191920000000
lastLogonTimestamp: 131076101472627100
whenChanged: 20160513104907.0Z
uSNChanged: 16017
lastLogon: 131078964704959190
distinguishedName: CN=sandra,CN=Users,DC=redacted,DC=private

# record 7
dn: CN=stefan,CN=Users,DC=redacted,DC=private
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: stefan
sn: Rubner
givenName: Stefan
instanceType: 4
whenCreated: 20150726102711.0Z
displayName: Stefan Rubner
uSNCreated: 3868
name: stefan
objectGUID: 1816f66a-c133-4dd3-807b-c16360ffcc1f
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1210389088-1291126767-1298570957-1111
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: stefan
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=private
userAccountControl: 512
company: We fix IT GbR
userPrincipalName: stefan@REDACTED.PRIVATE
lockoutTime: 0
memberOf: CN=Administrators,CN=Builtin,DC=redacted,DC=private
memberOf: CN=Domain Admins,CN=Groups,DC=redacted,DC=private
memberOf: CN=Enterprise Admins,CN=Groups,DC=redacted,DC=private
memberOf: CN=Family,CN=Groups,DC=redacted,DC=private
memberOf: CN=Eltern,CN=Groups,DC=redacted,DC=private
pwdLastSet: 130834954040000000
lastLogon: 131084119880341240
lastLogonTimestamp: 131084644718819070
whenChanged: 20160523080751.0Z
uSNChanged: 16921
distinguishedName: CN=stefan,CN=Users,DC=redacted,DC=private

# record 8
dn: CN=Guest,CN=Users,DC=redacted,DC=private
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Guest
description: Built-in account for guest access to the computer/domain
instanceType: 4
whenCreated: 20150726100744.0Z
uSNCreated: 3548
name: Guest
objectGUID: 7e0fa8e1-a982-4ec0-953c-c25688b9259c
userAccountControl: 66082
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 514
objectSid: S-1-5-21-1210389088-1291126767-1298570957-501
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Guest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=private
isCriticalSystemObject: TRUE
memberOf: CN=Guests,CN=Builtin,DC=redacted,DC=private
displayName: none
sn: none
whenChanged: 20150726100945.0Z
userPrincipalName: Guest@REDACTED.PRIVATE
pwdLastSet: 130823789800000000
uSNChanged: 3810
distinguishedName: CN=Guest,CN=Users,DC=redacted,DC=private

# record 9
dn: CN=petra,CN=Users,DC=redacted,DC=private
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: petra
sn: Rubner
givenName: Petra
instanceType: 4
whenCreated: 20150726113225.0Z
displayName: Petra Rubner
uSNCreated: 3875
name: petra
objectGUID: 9b7c9ce1-0d18-4bf4-a1e8-aa8cf5b90a9a
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1210389088-1291126767-1298570957-1112
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: petra
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=private
userAccountControl: 512
userPrincipalName: petra@REDACTED.PRIVATE
lockoutTime: 0
memberOf: CN=Family,CN=Groups,DC=redacted,DC=private
memberOf: CN=Eltern,CN=Groups,DC=redacted,DC=private
memberOf: CN=Administrators,CN=Builtin,DC=redacted,DC=private
memberOf: CN=Domain Admins,CN=Groups,DC=redacted,DC=private
memberOf: CN=Enterprise Admins,CN=Groups,DC=redacted,DC=private
pwdLastSet: 130967516110000000
lastLogonTimestamp: 131082845239986480
whenChanged: 20160521060843.0Z
uSNChanged: 16669
lastLogon: 131084754685036570
distinguishedName: CN=petra,CN=Users,DC=redacted,DC=private

# record 10
dn: CN=kim,CN=Users,DC=redacted,DC=private
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: kim
sn: Rubner
givenName: Kim
instanceType: 4
whenCreated: 20150726113317.0Z
displayName: Kim Rubner
uSNCreated: 3881
name: kim
objectGUID: 29d7abb2-ead3-4526-81c0-228aa2b6de9c
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1210389088-1291126767-1298570957-1114
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: kim
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=private
userAccountControl: 512
userPrincipalName: kim@REDACTED.PRIVATE
lockoutTime: 0
memberOf: CN=Family,CN=Groups,DC=redacted,DC=private
pwdLastSet: 130952914140000000
lastLogonTimestamp: 131083203217525950
whenChanged: 20160521160521.0Z
uSNChanged: 16738
lastLogon: 131083229352216330
distinguishedName: CN=kim,CN=Users,DC=redacted,DC=private

# Referral
ref: ldap://redacted.private/CN=Configuration,DC=redacted,DC=private

# Referral
ref: ldap://redacted.private/DC=DomainDnsZones,DC=redacted,DC=private

# Referral
ref: ldap://redacted.private/DC=ForestDnsZones,DC=redacted,DC=private

# returned 13 records
# 10 entries
# 3 referrals

[/code]

Regards,
Stefan


#4

Hi,

Hmm, nothing in particular stands out to me either. Google also found only the post I linked for that error message.

Which Samba version did you update from, and which one is installed right now?

Regards,
mosu


#5

Huh? I updated the UCS, so accordingly just the Samba versions included in the last update. On the ReadyNAS it makes no difference whether I use firmware 6.4.2 or 6.5.0; the error stays the same, even though the Samba version changed there as well.

Where could I quickly see which Samba update was applied on the UCS? My guess is 4.3.3 -> 4.3.7, as described in the errata.

In parallel I can also ask the project lead for the ReadyNAS firmware whether he will tell me what is in the relevant lines of code of readynasd, or whether he has an idea.

Regards,
Stefan


#6

Getting to the bottom of the problem from the UCS side will be extremely difficult, because the error message is anything but meaningful to people who do not know the ReadyNAS firmware internally. Information from the ReadyNAS developers would therefore definitely be helpful.


#7

The mail has already gone out. It usually takes a few days for him to reply, though.