AD Connector not syncing new users

I have a UCS 5.0-2 system that has for several years been a member of a Microsoft AD Domain (Windows Server 2016 Std). Recently I realized that new user accounts created in the MS AD were not being synced into the User module in the UCS UMC. I’m assuming (but cannot say definitely) that this has occurred with the upgrade of UCS from version 4 to 5.

So if I do a univention-adsearch from the UCS console I get:-

root@kopano:/# univention-adsearch cn=administrator
kdestroy: krb_cc_destroy: Did not find a plugin for ccache_ops
kinit: Password incorrect
WARNING: The option -k|--kerberos is deprecated!
Failed to bind - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
Failed to connect to 'ldap://myserver.mydomain.lan:389' with backend 'ldap': LDAP client internal error: NT_STATUS_UNSUCCESSFUL
Failed to connect to ldap://myserver.mydomain.lan:389 - LDAP client internal error: NT_STATUS_UNSUCCESSFUL

So I take it that UCS is failing password auth to the MS-AD. I’ve seen various similar reports in other posts here stating that the password needs to be set in /etc/machine.secret, but I’m unaware of whether that’s a clear text password or a password hash of some description?

My thinking was that I might be able to re-run the AD Connector domain join wizard but cannot find how to do that through the UMC. I’ve uninstalled & re-installed the AD Connector but this neither remedies the situation nor provides me with an opportunity to re-enter domain credentials for the AD join.

So I’m just looking to see if someone can gently steer me in the correct direction to resolve the issue?

Further to the above, connector.log shows many entries like this:-

20.08.2022 02:28:03.658 MAIN        (------ ): DEBUG_EXIT
20.08.2022 02:28:03.658 MAIN        (------ ): DEBUG_INIT
20.08.2022 02:28:03.814 LDAP        (PROCESS): Building internal group membership cache
20.08.2022 02:28:03.842 LDAP        (PROCESS): Internal group membership cache was created
20.08.2022 02:28:03.849 LDAP        (PROCESS): Using MYDOMAIN as AD Netbios domain name
20.08.2022 10:58:11.188 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=myuser,cn=users,dc=mydomain,dc=lan
20.08.2022 12:28:04.641 LDAP        (WARNING): Exception during search_ad_changes
20.08.2022 12:28:04.642 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 2395, in poll
    changes = self.__search_ad_changes(show_deleted=show_deleted)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1402, in __search_ad_changes
    returnObjects = search_ad_changes_by_attribute('uSNCreated', lastUSN + 1)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1393, in search_ad_changes_by_attribute
    return self.__search_ad(filter=usnFilter, show_deleted=show_deleted)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1350, in __search_ad
    rtype, rdata, rmsgid, serverctrls = self.lo_ad.lo.result3(msgid)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
UNAVAILABLE: {'desc': 'Server is unavailable'}

The most recent entries are more than a month old.

For anyone that happens across this post & is in the same situation, the problem & solution can be found here - Problem: Shares and AD-Connector are not working anymore
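
A stalled connector like the one in this thread can go unnoticed for weeks, so a periodic check of connector.log is worth having. The following is an added example, not part of the original posts and not Univention code: it parses the log layout quoted above and reports the last "sync to ucs" event, the poll failures, and whether the log has gone stale. The function name `summarize`, the one-day threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the connector.log layout quoted in the thread.
SAMPLE_LOG = """\
20.08.2022 02:28:03.849 LDAP        (PROCESS): Using MYDOMAIN as AD Netbios domain name
20.08.2022 10:58:11.188 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=myuser,cn=users,dc=mydomain,dc=lan
20.08.2022 12:28:04.641 LDAP        (WARNING): Exception during search_ad_changes
20.08.2022 12:28:04.642 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
UNAVAILABLE: {'desc': 'Server is unavailable'}
"""

# timestamp, component, (level), message
LINE_RE = re.compile(
    r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+)\s+\(([^)]*)\): (.*)$")

def summarize(log_text, now, max_age=timedelta(days=1)):
    """Summarize connector health; max_age is an assumed staleness threshold."""
    last_entry = last_sync = None
    poll_errors = 0
    ldap_errors = []
    in_traceback = False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            in_traceback = False
            ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S.%f")
            last_entry = ts
            msg = m.group(4)
            if msg.startswith("sync to ucs:"):
                last_sync = ts
            elif msg == "Exception during search_ad_changes":
                poll_errors += 1
            elif msg.startswith("Traceback"):
                in_traceback = True
        elif in_traceback and line and not line[0].isspace():
            # Unindented line that closes a traceback: the exception name.
            ldap_errors.append(line.split(":", 1)[0])
            in_traceback = False
    return {
        "last_entry": last_entry,
        "last_sync_to_ucs": last_sync,
        "poll_errors": poll_errors,
        "ldap_errors": ldap_errors,
        "stale": last_entry is None or now - last_entry > max_age,
    }
```

Calling `summarize(open(path).read(), datetime.now())` from a cron job or monitoring probe and alerting on `stale` or a non-zero `poll_errors` surfaces the condition described in this thread.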
