After upgrade to 4.3-3 errata448 new users cannot sign into the ad

root@ad:/# univention-ldapsearch -LLLo ldif-wrap=no uidnumber=2808
dn: uid=gmills,cn=users,dc=tlc-galveston,dc=org
uid: gmills
krb5PrincipalName: gmills@TLC-GALVESTON.ORG
objectClass: krb5KDCEntry
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: person
objectClass: univentionPWHistory
objectClass: shadowAccount
objectClass: univentionNetworkAccess
objectClass: univentionMail
objectClass: krb5Principal
objectClass: univentionPolicyReference
objectClass: univentionPasswordSelfService
objectClass: univentionObject
uidNumber: 2808
sambaAcctFlags: [U          ]
sambaPasswordHistory: 0FD73777E5D41940A44F61850C406CCD8D989137D90426EA74098801206BC7C6
sambaBadPasswordCount: 0
krb5MaxLife: 86400
shadowLastChange: 17955
cn: Glenda Mills
krb5PasswordEnd: 20190529000000Z
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
sambaLogonScript: postoffice.bat
sambaBadPasswordTime: 0
univentionNetworkAccess: 1
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
sambaPwdLastSet: 1551371567
univentionPasswordSelfServiceEmail: gmills@tlcgalveston.org
sambaNTPassword: 96A6350F5B748DED3B305D3BD2429D9C
displayName: Glenda Mills
sambaSID: S-1-4-2808
gecos: Glenda Mills
sn: Mills
pwhistory: $6$Kv.d0mFVf0EDR3ol$LiYMuKZEN.fRYAtTRREuEnhczPHJwC8ADnj4Zk0f3v6mEAdIEVOjzCSLdqp0gQvT0epwrkVHOPIKGMdE5wUep.
homeDirectory: /home/gmills
givenName: Glenda
univentionPolicyReference: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=tlc-galveston,dc=org
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-3205981455-2263415228-305674225-513

Now the batch files containing the drive mapping are not working for new employees. Is there any way to back up the user data and do a fresh install to get around this?

Not really, no.

If you have a subscription, I highly recommend opening a support ticket for your issue. If you do not have a subscription, I highly suggest getting one for issues such as this one.

I just saw this one. Well, that seems to indicate that the S4 connector isn’t running. Please post the output of

univention-check-templates
ls -l /etc/univention/connector/s4
dpkg -l univention-s4-connector

and try starting it with

systemctl restart univention-s4-connector.service

Afterwards verify that it is actually running:

systemctl status univention-s4-connector.service

should contain Active: active (running)…

If not, post the output of

journalctl -u univention-s4-connector.service --since '1h ago'

root@ad:~# univention-check-templates
root@ad:~# ls -l /etc/univention/connector/s4
total 40
-rw-r--r-- 1 root root 39361 Nov 27 13:28 mapping
root@ad:~# dpkg -l univention-s4-connector
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version         Architecture    Description
+++-=====================-===============-===============-================================================
ii  univention-s4-connect 12.0.2-40A~4.3. all             UCS - Modules for sync UCS and Samba4 LDB direct
root@ad:~# systemctl restart univention-s4-connector.service
Failed to restart univention-s4-connector.service: Unit univention-s4-connector.service is masked.
root@ad:~# systemctl status univention-s4-connector.service
● univention-s4-connector.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)
root@ad:~# journalctl -u univention-s4-connector.service --since '1h ago'
-- No entries --
root@ad:~#

I checked my backup UCS server; the file /var/log/univention/connector-s4.log exists and is not empty. I thought the S4 connector only runs on the master. Any suggestions on what I do next?

That is correct, it must only run on the DC Master. It is installed on the DC Backup so that the DC Backup can be promoted to being the new DC Master if the original DC Master ever suffers a catastrophic failure.

On your server ad the unit is masked — that’s interesting. What’s ad's server role (see ucr get server/role)? If it is domaincontroller_master, I don’t see a good reason for masking the S4 connector (masking a unit prevents it from ever being started). In that case unmask & start it. Then observe /var/log/univention/connector-s4.log which should show the S4 connector processing a lot of outstanding objects including your new users. Afterwards the users should have proper SIDs and be able to log in.

If it’s a domaincontroller_master:

# Unmask the unit:
systemctl unmask univention-s4-connector.service
# Start & enable it:
systemctl enable univention-s4-connector.service
systemctl restart univention-s4-connector.service
# Check if it's running now:
systemctl status univention-s4-connector.service
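
Added example (not part of any post in this thread): the account shown at the top carries sambaSID S-1-4-2808 while its group SID sits under S-1-5-21-…, and the reply above expects "proper SIDs" once the S4 connector has worked through its backlog. This sketch lists accounts whose sambaSID is still outside the domain SID; the function names and the second sample user are constructed, and treating every non-domain sambaSID as unsynced is an assumption drawn from the thread.

```shell
#!/bin/bash
# Added example, not from the thread. Reads LDIF (as produced by
# univention-ldapsearch -LLLo ldif-wrap=no) on stdin and prints
# "uid<TAB>sambaSID" for every entry whose sambaSID is not under the
# domain SID passed as $1 (assumption: such accounts are not yet synced).
find_unsynced_sids() {
    awk -v dom="$1" '
        function report() {
            # Report only entries that have a sambaSID outside the domain.
            if (uid != "" && sid != "" && index(sid, dom "-") != 1)
                printf "%s\t%s\n", uid, sid
            uid = ""; sid = ""
        }
        /^$/          { report(); next }   # blank line ends an LDIF entry
        /^uid: /      { uid = substr($0, 6) }
        /^sambaSID: / { sid = substr($0, 11) }
        END           { report() }         # last entry has no trailing blank
    '
}

# Derive the domain SID from a sambaPrimaryGroupSID by dropping the RID.
domain_sid_from_group_sid() {
    printf '%s\n' "${1%-*}"
}

# Constructed sample: gmills uses the values posted in the thread,
# jdoe is an invented, already-synced account for contrast.
sample_ldif() {
    cat <<'EOF'
dn: uid=gmills,cn=users,dc=tlc-galveston,dc=org
uid: gmills
uidNumber: 2808
sambaSID: S-1-4-2808
sambaPrimaryGroupSID: S-1-5-21-3205981455-2263415228-305674225-513

dn: uid=jdoe,cn=users,dc=tlc-galveston,dc=org
uid: jdoe
uidNumber: 2650
sambaSID: S-1-5-21-3205981455-2263415228-305674225-1105
sambaPrimaryGroupSID: S-1-5-21-3205981455-2263415228-305674225-513
EOF
}

dom=$(domain_sid_from_group_sid "S-1-5-21-3205981455-2263415228-305674225-513")
sample_ldif | find_unsynced_sids "$dom"
```

On a UCS system the input would come from `univention-ldapsearch -LLLo ldif-wrap=no` restricted to the `uid` and `sambaSID` attributes; re-running the check after the connector has caught up shows which accounts are still waiting.
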

root@ad:~# ucr get server/role
domaincontroller_master
root@ad:~# systemctl unmask univention-s4-connector.service
Removed /etc/systemd/system/univention-s4-connector.service.
root@ad:~# systemctl enable univention-s4-connector.service
univention-s4-connector.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable univention-s4-connector
insserv: warning: current start runlevel(s) (empty) of script `univention-s4-connector' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `univention-s4-connector' overrides LSB defaults (0 1 6).
root@ad:~# systemctl restart univention-s4-connector.service
Job for univention-s4-connector.service failed because of unavailable resources or another system error.
See "systemctl status univention-s4-connector.service" and "journalctl -xe" for details.
root@ad:~# systemctl status univention-s4-connector.service
● univention-s4-connector.service - LSB: Univention S4 Connector
   Loaded: loaded (/etc/init.d/univention-s4-connector; generated; vendor preset: enabled)
   Active: failed (Result: resources) since Tue 2019-03-19 16:02:09 CDT; 47s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 13295 ExecStart=/etc/init.d/univention-s4-connector start (code=exited, status=0/SUCCESS)
      CPU: 92ms

Mar 19 16:02:09 ad systemd[1]: Starting LSB: Univention S4 Connector...
Mar 19 16:02:09 ad univention-s4-connector[13295]: s4-connector disabled by ucr var connector/s4/autostart=no
Mar 19 16:02:09 ad systemd[1]: univention-s4-connector.service: PID file /var/run/univention-s4-connector not r
Mar 19 16:02:09 ad systemd[1]: Failed to start LSB: Univention S4 Connector.
Mar 19 16:02:09 ad systemd[1]: univention-s4-connector.service: Unit entered failed state.
Mar 19 16:02:09 ad systemd[1]: univention-s4-connector.service: Failed with result 'resources'.
root@ad:~# journalctl -xe
Mar 19 16:05:04 ad CRON[14504]: pam_env(cron:session): Unrecognized Option: XDG_DATA_DIRS=/usr/share:/usr/share
                                 - ignoring line
Mar 19 16:05:04 ad CRON[14504]: pam_env(cron:session): Unrecognized Option: XDG_CONFIG_DIRS=:/usr/share/univent
                                 - ignoring line
Mar 19 16:05:04 ad CRON[14504]: pam_env(cron:session): Unrecognized Option: KDEDIRS=/usr/share/univention-kde-p
                                 - ignoring line
Mar 19 16:05:04 ad CRON[14604]: (root) CMD (/usr/sbin/jitter 60 /usr/share/univention-samba4/scripts/sysvol-syn
Mar 19 16:05:04 ad CRON[14608]: (root) CMD (  /usr/share/univention-directory-policy/univention-directory-polic
Mar 19 16:05:04 ad CRON[14612]: (root) CMD (if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ] && [ -d "$(grep '^[
Mar 19 16:05:04 ad CRON[14501]: pam_unix(cron:session): session closed for user root
Mar 19 16:05:04 ad CRON[14616]: (root) CMD (  [ -x /usr/share/univention-updater/univention-updater-check ] && 
Mar 19 16:05:16 ad named[1338]: REFUSED unexpected RCODE resolving 'HEALTHPARTNERSPLUS.COM/MX/IN': 98.139.247.1
Mar 19 16:05:16 ad named[1338]: REFUSED unexpected RCODE resolving 'HEALTHPARTNERSPLUS.COM/MX/IN': 67.195.1.92#
Mar 19 16:05:17 ad named[1338]: REFUSED unexpected RCODE resolving 'HEALTHPARTNERSPLUS.COM/A/IN': 98.139.247.19
Mar 19 16:05:17 ad named[1338]: REFUSED unexpected RCODE resolving 'HEALTHPARTNERSPLUS.COM/A/IN': 67.195.1.92#5
Mar 19 16:05:27 ad CRON[14502]: pam_unix(cron:session): session closed for user root
Mar 19 16:05:41 ad PAM-univentionsambadomain[14663]: continuing as user D7VTRNQ1$
Mar 19 16:05:41 ad smbd[14663]: pam_unix(samba:session): session opened for user D7VTRNQ1$ by (uid=0)
Mar 19 16:05:42 ad ldapsearch[14679]: DIGEST-MD5 common mech free
Mar 19 16:05:51 ad PAM-univentionsambadomain[14704]: continuing as user LUB-WIN7-14$
Mar 19 16:05:51 ad smbd[14704]: pam_unix(samba:session): session opened for user LUB-WIN7-14$ by (uid=0)
Mar 19 16:05:52 ad ldapsearch[14721]: DIGEST-MD5 common mech free
Mar 19 16:05:55 ad PAM-univentionsambadomain[14750]: continuing as user DESKTOP-CQ53FAS$
Mar 19 16:05:55 ad smbd[14750]: pam_unix(samba:session): session opened for user DESKTOP-CQ53FAS$ by (uid=0)
Mar 19 16:05:55 ad smbd[14750]: pam_mkhomedir(samba:session): User unknown.
Mar 19 16:05:56 ad ldapsearch[14775]: DIGEST-MD5 common mech free
Mar 19 16:05:57 ad smbd[14753]: pam_env(samba:session): No such user!?
Mar 19 16:05:57 ad smbd[14753]: pam_unix(samba:session): session closed for user TLC-GALVESTON+DESKTOP-CQ53FAS$
Mar 19 16:05:57 ad smbd[14663]: pam_unix(samba:session): session closed for user TLC-GALVESTON+D7VTRNQ1$
Mar 19 16:05:58 ad ldapsearch[14818]: DIGEST-MD5 common mech free
Mar 19 16:05:58 ad smbd[14750]: pam_env(samba:session): No such user!?
Mar 19 16:05:58 ad smbd[14750]: pam_unix(samba:session): session closed for user TLC-GALVESTON+DESKTOP-CQ53FAS$

Hi @jminton,

in the logs it is mentioned that the ucr-Variable connector/s4/autostart is set to no. Are you able to start the connector when setting this to yes?

root@ucs:~# ucr set connector/s4/autostart=yes
root@ucs:~# systemctl start univention-s4-connector.service
root@ucs:~# systemctl status univention-s4-connector.service
root@ucs:~# tail -f -n100 /var/log/univention/connector-s4.log

Kind regards

I’m really surprised that the UCR variable is set to no on your DC Master. I’d like to know why. Maybe the UCR replog still contains the info when the variable was changed. Please post the output of

{ zcat /var/log/univention/config-registry.replog*gz ;
  ls /var/log/univention/config-registry.replog*|grep -v '\.gz$'|xargs cat
} | grep connector/s4/autostart

Apart from that do what Nico said about changing the variable & restarting the service.

univention-s4-connector.service - LSB: Univention S4 Connector
   Loaded: loaded (/etc/init.d/univention-s4-connector; generated; vendor preset: enabled)
   Active: active (running) since Wed 2019-03-20 15:28:55 CDT; 14min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 13014 ExecStart=/etc/init.d/univention-s4-connector start (code=exited, status=0/SUCCESS)
 Main PID: 13182 (python2.7)
    Tasks: 1 (limit: 4915)
   Memory: 65.0M
      CPU: 1min 49.260s
   CGroup: /system.slice/univention-s4-connector.service
           └─13182 /usr/bin/python2.7 -W ignore /usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py

Mar 20 15:28:47 ad systemd[1]: Starting LSB: Univention S4 Connector...
Mar 20 15:28:55 ad univention-s4-connector[13014]: Starting Univention S4 Connector: univention-s4-connector.
Mar 20 15:28:55 ad systemd[1]: univention-s4-connector.service: PID file /var/run/univention-s4-connector not r
Mar 20 15:28:55 ad systemd[1]: univention-s4-connector.service: Supervising process 13182 which is not our chil
Mar 20 15:28:55 ad systemd[1]: Started LSB: Univention S4 Connector.

It started and is running!

But unfortunately, a new user set up in the Univention Corporate Server still does not show up so that Microsoft Active Directory and users can see them.

What’s the output of

univention-s4connector-list-rejected

root@ad:~# univention-s4connector-list-rejected

UCS rejected

S4 rejected

There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.

    last synced USN: 307897

Now users created since the problem can no longer log into the Active Directory or their machines. I am re-importing a backed-up appliance from 3/12 so that at least my users can access their machines and files.

Hi,

just to mention:

There is no need to have the s4-connector running on the master. You can have it running on the backup as well.

The limitation is it is allowed to run only on a single server in the domain!

If it is running on your backup it is totally fine being masked and autostart=no on the master…

/CV

● univention-directory-notifier.service - LSB: Univention Directory Notifier Daemon
   Loaded: loaded (/etc/init.d/univention-directory-notifier; generated; vendor preset: enabled)
   Active: active (exited) since Wed 2019-03-27 10:34:34 CDT; 6min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 6619 ExecStop=/etc/init.d/univention-directory-notifier stop (code=exited, status=0/SUCCESS)
  Process: 6777 ExecStart=/etc/init.d/univention-directory-notifier start (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/univention-directory-notifier.service

Mar 27 10:34:34 ad systemd[1]: Starting LSB: Univention Directory Notifier Daemon...
Mar 27 10:34:34 ad univention-directory-notifier[6777]: Starting Univention Directory Notifier Daemon: univenti
Mar 27 10:34:34 ad univention-directory-notifier[6777]: .
Mar 27 10:34:34 ad systemd[1]: Started LSB: Univention Directory Notifier Daemon.
● univention-directory-listener.service - LSB: Univention Directory Listener Daemon
   Loaded: loaded (/etc/init.d/univention-directory-listener; generated; vendor preset: enabled)
   Active: active (exited) since Wed 2019-03-27 10:34:34 CDT; 6min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 6622 ExecStop=/etc/init.d/univention-directory-listener stop (code=exited, status=0/SUCCESS)
  Process: 6788 ExecStart=/etc/init.d/univention-directory-listener start (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/univention-directory-listener.service

Mar 27 10:34:34 ad systemd[1]: Starting LSB: Univention Directory Listener Daemon...
Mar 27 10:34:34 ad univention-directory-listener[6788]: Starting Univention Directory Listener Daemon: univenti
Mar 27 10:34:34 ad systemd[1]: Started LSB: Univention Directory Listener Daemon.
root@ad:~# univention-check-join-status
Warning: 'nextcloud-uninstall' is not configured.
Error: Not all install files configured: 1 missing
root@ad:~# tail -f /var/log/univention/listener.log /var/log/univention/notifier.log
==> /var/log/univention/listener.log <==
27.03.19 10:41:51.547  LISTENER    ( INFO    ) : postrun handler: ldap_server (prepared=0)
27.03.19 10:41:51.547  LISTENER    ( INFO    ) : postrun handler: nfs-homes (prepared=0)
27.03.19 10:41:51.547  LISTENER    ( INFO    ) : postrun handler: nss (prepared=0)
27.03.19 10:41:51.547  LISTENER    ( INFO    ) : postrun handler: quota (prepared=0)
27.03.19 10:41:51.547  LISTENER    ( INFO    ) : postrun handler: license_uuid (prepared=0)
27.03.19 10:41:51.547  LISTENER    ( INFO    ) : postrun handler: univention-saml-simplesamlphp-configuration (prepared=0)
27.03.19 10:41:51.547  LISTENER    ( INFO    ) : postrun handler: s4-connector (prepared=-1)
27.03.19 10:41:51.547  LISTENER    ( INFO    ) : postrun handler: keytab-member (prepared=0)
27.03.19 10:41:51.547  LISTENER    ( INFO    ) : postrun handler: nfs-shares (prepared=0)
27.03.19 10:41:51.547  LISTENER    ( INFO    ) : postrun handler: portal_category (prepared=0)

==> /var/log/univention/notifier.log <==
27.03.19 10:41:36.699  TRANSFILE   ( ALL     ) : ------------------------------

27.03.19 10:41:36.699  TRANSFILE   ( ALL     ) : Listener fd = 4

27.03.19 10:41:36.699  TRANSFILE   ( ALL     ) : Listener fd = 7

27.03.19 10:41:36.699  TRANSFILE   ( ALL     ) : Listener fd = 8

27.03.19 10:41:36.699  TRANSFILE   ( ALL     ) : ------------------------------

New users are now showing up in Active Directory Users and Computers on my Windows 10! However, I cannot sign in a newly created user on a laptop, but the older users can be signed in. It's almost there. Any suggestions?
