After upgrade to 4.3-3 errata448, new users cannot sign into the AD

After the upgrade, newly created users cannot sign into a Windows 10 machine and log into the domain. The error is “The username or password is incorrect. Try again.” I have removed the users and re-added them to the Active Directory and still was not able to log in. Previously created user IDs can log in on a machine new to them without a problem. When I checked the Active Directory Users and Computers tool in Windows 10 the user was not there. When I manually added her login I was able to log her in.

Hey,

this sounds similar to the problem described in this thread.

Please post the output of the following commands. Before running them, replace the <UID> markers with the user ID of one of those new users. Each line contains that token once.

wbinfo --uid-to-sid <UID>
wbinfo --sid-to-uid $(wbinfo --uid-to-sid <UID>)
ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidnumber=<UID>)'
univention-ldapsearch -LLLo ldif-wrap=no uidnumber=<UID> sambaSID
univention-s4search objectSid=$( univention-ldapsearch -LLLo ldif-wrap=no uidnumber=<UID> sambaSID | awk '/^sambaSID:/ { print $2 }') dn
#wbinfo --uid-to-sid 2808
S-1-4-2808

#wbinfo --sid-to-uid $(wbinfo --uid-to-sid 2808)
2808

ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidnumber=2808)'

#record 1
dn: CN=S-1-4-2808
cn: S-1-4-2008
objectClass: sidMap
objectSid: S-1-4-2808
type: ID_TYPE_UID
xidNumber: 2808
distinguishedName: CN=S-1-4-2808

univention-ldapsearch -LLLo ldif-wrap=no uidnumber=2808 sambaSID
dn: uid=gmills,cn=users,dc=tlc-galvesston,dc=org

univention-s4search objectSid=$( univention-ldapsearch -LLLo ldif-wrap=no uidnumber=2808 sambaSID | awk '/^sambaSID:/ { print $2 }') dn
#Referral
ref: ldap://tlc-galveston.org/CN=Configuration,DC=tlc-galveston.DC=org

#Referral
ref: ldap://tlc-galveston.org/DC=DomainDnsZones,DC=tlc-galveston.DC=org

#Referral
ref: ldap://tlc-galveston.org/DC=ForrestDnsZones,DC=tlc-galveston.DC=org

Is there really no sambaSID attribute given? That’s even stranger than the case I linked to above. The other results are just logical consequences of this particular problem.

Can you please post all relevant lines from /var/log/univention/connector-s4.log pertaining to this user account? Please also post the output of:

univention-ldapsearch -LLLo ldif-wrap=no uidnumber=2808

Thanks.

sambaSID: S-1-4-2808. I must have left that out of my post.
The file /var/log/univention/connector-s4.log is empty.

root@ad:/# univention-ldapsearch -LLLo ldif-wrap=no uidnumber=2808
dn: uid=gmills,cn=users,dc=tlc-galveston,dc=org
uid: gmills
krb5PrincipalName: gmills@TLC-GALVESTON.ORG
objectClass: krb5KDCEntry
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: person
objectClass: univentionPWHistory
objectClass: shadowAccount
objectClass: univentionNetworkAccess
objectClass: univentionMail
objectClass: krb5Principal
objectClass: univentionPolicyReference
objectClass: univentionPasswordSelfService
objectClass: univentionObject
uidNumber: 2808
sambaAcctFlags: [U          ]
sambaPasswordHistory: 0FD73777E5D41940A44F61850C406CCD8D989137D90426EA74098801206BC7C6
sambaBadPasswordCount: 0
krb5MaxLife: 86400
shadowLastChange: 17955
cn: Glenda Mills
krb5PasswordEnd: 20190529000000Z
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
sambaLogonScript: postoffice.bat
sambaBadPasswordTime: 0
univentionNetworkAccess: 1
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
sambaPwdLastSet: 1551371567
univentionPasswordSelfServiceEmail: gmills@tlcgalveston.org
sambaNTPassword: 96A6350F5B748DED3B305D3BD2429D9C
displayName: Glenda Mills
sambaSID: S-1-4-2808
gecos: Glenda Mills
sn: Mills
pwhistory: $6$Kv.d0mFVf0EDR3ol$LiYMuKZEN.fRYAtTRREuEnhczPHJwC8ADnj4Zk0f3v6mEAdIEVOjzCSLdqp0gQvT0epwrkVHOPIKGMdE5wUep.
homeDirectory: /home/gmills
givenName: Glenda
univentionPolicyReference: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=tlc-galveston,dc=org
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-3205981455-2263415228-305674225-513

Now the batch files containing the drive mappings are not working for new employees. Is there any way to back up the user data and do a fresh install to get around this?

Not really, no.

If you have a subscription, I highly recommend opening a support ticket for your issue. If you do not have a subscription, I highly suggest getting one for issues such as this one.

I just saw this one. Well, that seems to indicate that the S4 connector isn’t running. Please post the output of

univention-check-templates
ls -l /etc/univention/connector/s4
dpkg -l univention-s4-connector

and try starting it with

systemctl restart univention-s4-connector.service

Afterwards verify that it is actually running:

systemctl status univention-s4-connector.service

should contain Active: active (running)…

If not, post the output of

journalctl -u univention-s4-connector.service --since '1h ago'
root@ad:~# univention-check-templates
root@ad:~# ls -l /etc/univention/connector/s4
total 40
-rw-r--r-- 1 root root 39361 Nov 27 13:28 mapping
root@ad:~# dpkg -l univention-s4-connector
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version         Architecture    Description
+++-=====================-===============-===============-================================================
ii  univention-s4-connect 12.0.2-40A~4.3. all             UCS - Modules for sync UCS and Samba4 LDB direct
root@ad:~# systemctl restart univention-s4-connector.service
Failed to restart univention-s4-connector.service: Unit univention-s4-connector.service is masked.
root@ad:~# systemctl status univention-s4-connector.service
● univention-s4-connector.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)
root@ad:~# journalctl -u univention-s4-connector.service --since '1h ago'
-- No entries --
root@ad:~#

I checked my backup UCS server; there the file /var/log/univention/connector-s4.log exists and is not empty. I thought the S4 connector only runs on the master. Any suggestions on what I should do next?

That is correct, it must only run on the DC Master. It is installed on the DC Backup so that the DC Backup can be promoted to being the new DC Master if the original DC Master ever suffers a catastrophic failure.

On your server ad the unit is masked — that’s interesting. What’s ad's server role (see ucr get server/role)? If it is domaincontroller_master, I don’t see a good reason for masking the S4 connector (masking a unit prevents it from ever being started). In that case unmask & start it. Then observe /var/log/univention/connector-s4.log which should show the S4 connector processing a lot of outstanding objects including your new users. Afterwards the users should have proper SIDs and be able to log in.

If it’s a domaincontroller_master:

# Unmask the unit:
systemctl unmask univention-s4-connector.service
# Start & enable it:
systemctl enable univention-s4-connector.service
systemctl restart univention-s4-connector.service
# Check if it's running now:
systemctl status univention-s4-connector.service
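An added check (my own example, not code from the thread or from Univention) that classifies a user's sambaSID from univention-ldapsearch LDIF: the S-1-4-<uidNumber> form seen in the output above is the temporary SID UDM assigns before the S4 connector writes the real domain SID, so this is a quick way to verify, after the connector is running again, that new users actually received proper SIDs. The sample LDIF and its domain SID are constructed, and check_uid assumes a UCS host where univention-ldapsearch is available.

```shell
#!/bin/sh
# Added example: classify a UCS user's sambaSID. Reads one LDIF entry on stdin
# (the attributes univention-ldapsearch prints) and writes a single verdict:
#   OK           sambaSID shares the domain prefix of sambaPrimaryGroupSID
#   PLACEHOLDER  sambaSID is S-1-4-<uidNumber>, i.e. the S4 connector has not
#                synced this user yet (the state in the thread)
#   MISSING      the entry has no sambaSID attribute at all
#   MISMATCH     sambaSID is set but does not belong to the user's domain
sid_check() {
    awk '
        /^uidNumber:/            { uid = $2 }
        /^sambaSID:/             { sid = $2 }
        /^sambaPrimaryGroupSID:/ { pg  = $2 }
        END {
            if (sid == "")              { print "MISSING";     exit }
            if (sid == "S-1-4-" uid)    { print "PLACEHOLDER"; exit }
            # domain prefix = primary group SID without its trailing RID
            sub(/-[0-9]+$/, "", pg)
            if (pg != "" && index(sid, pg "-") == 1) { print "OK"; exit }
            print "MISMATCH"
        }'
}

# Hypothetical wrapper for a live UCS host: needs univention-ldapsearch.
check_uid() {
    univention-ldapsearch -LLLo ldif-wrap=no "uidnumber=$1" \
        uidNumber sambaSID sambaPrimaryGroupSID | sid_check
}

# Constructed sample in the shape of the thread's output (domain SID is made up).
SAMPLE_PLACEHOLDER='dn: uid=newuser,cn=users,dc=example,dc=org
uidNumber: 2808
sambaSID: S-1-4-2808
sambaPrimaryGroupSID: S-1-5-21-111111111-222222222-333333333-513'

# Constructed sample of a user the S4 connector has already processed.
SAMPLE_OK='dn: uid=olduser,cn=users,dc=example,dc=org
uidNumber: 2809
sambaSID: S-1-5-21-111111111-222222222-333333333-1234
sambaPrimaryGroupSID: S-1-5-21-111111111-222222222-333333333-513'

# Stand-alone run: prints PLACEHOLDER then OK.
printf '%s\n' "$SAMPLE_PLACEHOLDER" | sid_check
printf '%s\n' "$SAMPLE_OK" | sid_check
```

On a real host, `check_uid 2808` gives the same verdict for the live entry; PLACEHOLDER after the connector has caught up means the object was rejected and belongs in univention-s4connector-list-rejected.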
root@ad:~# ucr get server/role
domaincontroller_master
root@ad:~# systemctl unmask univention-s4-connector.service
Removed /etc/systemd/system/univention-s4-connector.service.
root@ad:~# systemctl enable univention-s4-connector.service
univention-s4-connector.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable univention-s4-connector
insserv: warning: current start runlevel(s) (empty) of script `univention-s4-connector' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `univention-s4-connector' overrides LSB defaults (0 1 6).
root@ad:~# systemctl restart univention-s4-connector.service
Job for univention-s4-connector.service failed because of unavailable resources or another system error.
See "systemctl status univention-s4-connector.service" and "journalctl -xe" for details.
root@ad:~# systemctl status univention-s4-connector.service
● univention-s4-connector.service - LSB: Univention S4 Connector
   Loaded: loaded (/etc/init.d/univention-s4-connector; generated; vendor preset: enabled)
   Active: failed (Result: resources) since Tue 2019-03-19 16:02:09 CDT; 47s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 13295 ExecStart=/etc/init.d/univention-s4-connector start (code=exited, status=0/SUCCESS)
      CPU: 92ms

Mar 19 16:02:09 ad systemd[1]: Starting LSB: Univention S4 Connector...
Mar 19 16:02:09 ad univention-s4-connector[13295]: s4-connector disabled by ucr var connector/s4/autostart=no
Mar 19 16:02:09 ad systemd[1]: univention-s4-connector.service: PID file /var/run/univention-s4-connector not r
Mar 19 16:02:09 ad systemd[1]: Failed to start LSB: Univention S4 Connector.
Mar 19 16:02:09 ad systemd[1]: univention-s4-connector.service: Unit entered failed state.
Mar 19 16:02:09 ad systemd[1]: univention-s4-connector.service: Failed with result 'resources'.
root@ad:~# journalctl -xe
Mar 19 16:05:04 ad CRON[14504]: pam_env(cron:session): Unrecognized Option: XDG_DATA_DIRS=/usr/share:/usr/share
                                 - ignoring line
Mar 19 16:05:04 ad CRON[14504]: pam_env(cron:session): Unrecognized Option: XDG_CONFIG_DIRS=:/usr/share/univent
                                 - ignoring line
Mar 19 16:05:04 ad CRON[14504]: pam_env(cron:session): Unrecognized Option: KDEDIRS=/usr/share/univention-kde-p
                                 - ignoring line
Mar 19 16:05:04 ad CRON[14604]: (root) CMD (/usr/sbin/jitter 60 /usr/share/univention-samba4/scripts/sysvol-syn
Mar 19 16:05:04 ad CRON[14608]: (root) CMD (  /usr/share/univention-directory-policy/univention-directory-polic
Mar 19 16:05:04 ad CRON[14612]: (root) CMD (if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ] && [ -d "$(grep '^[
Mar 19 16:05:04 ad CRON[14501]: pam_unix(cron:session): session closed for user root
Mar 19 16:05:04 ad CRON[14616]: (root) CMD (  [ -x /usr/share/univention-updater/univention-updater-check ] && 
Mar 19 16:05:16 ad named[1338]: REFUSED unexpected RCODE resolving 'HEALTHPARTNERSPLUS.COM/MX/IN': 98.139.247.1
Mar 19 16:05:16 ad named[1338]: REFUSED unexpected RCODE resolving 'HEALTHPARTNERSPLUS.COM/MX/IN': 67.195.1.92#
Mar 19 16:05:17 ad named[1338]: REFUSED unexpected RCODE resolving 'HEALTHPARTNERSPLUS.COM/A/IN': 98.139.247.19
Mar 19 16:05:17 ad named[1338]: REFUSED unexpected RCODE resolving 'HEALTHPARTNERSPLUS.COM/A/IN': 67.195.1.92#5
Mar 19 16:05:27 ad CRON[14502]: pam_unix(cron:session): session closed for user root
Mar 19 16:05:41 ad PAM-univentionsambadomain[14663]: continuing as user D7VTRNQ1$
Mar 19 16:05:41 ad smbd[14663]: pam_unix(samba:session): session opened for user D7VTRNQ1$ by (uid=0)
Mar 19 16:05:42 ad ldapsearch[14679]: DIGEST-MD5 common mech free
Mar 19 16:05:51 ad PAM-univentionsambadomain[14704]: continuing as user LUB-WIN7-14$
Mar 19 16:05:51 ad smbd[14704]: pam_unix(samba:session): session opened for user LUB-WIN7-14$ by (uid=0)
Mar 19 16:05:52 ad ldapsearch[14721]: DIGEST-MD5 common mech free
Mar 19 16:05:55 ad PAM-univentionsambadomain[14750]: continuing as user DESKTOP-CQ53FAS$
Mar 19 16:05:55 ad smbd[14750]: pam_unix(samba:session): session opened for user DESKTOP-CQ53FAS$ by (uid=0)
Mar 19 16:05:55 ad smbd[14750]: pam_mkhomedir(samba:session): User unknown.
Mar 19 16:05:56 ad ldapsearch[14775]: DIGEST-MD5 common mech free
Mar 19 16:05:57 ad smbd[14753]: pam_env(samba:session): No such user!?
Mar 19 16:05:57 ad smbd[14753]: pam_unix(samba:session): session closed for user TLC-GALVESTON+DESKTOP-CQ53FAS$
Mar 19 16:05:57 ad smbd[14663]: pam_unix(samba:session): session closed for user TLC-GALVESTON+D7VTRNQ1$
Mar 19 16:05:58 ad ldapsearch[14818]: DIGEST-MD5 common mech free
Mar 19 16:05:58 ad smbd[14750]: pam_env(samba:session): No such user!?
Mar 19 16:05:58 ad smbd[14750]: pam_unix(samba:session): session closed for user TLC-GALVESTON+DESKTOP-CQ53FAS$

Hi @jminton,

in the logs it is mentioned that the UCR variable connector/s4/autostart is set to no. Are you able to start the connector when setting this to yes?

root@ucs:~# ucr set connector/s4/autostart=yes
root@ucs:~# systemctl start univention-s4-connector.service
root@ucs:~# systemctl status univention-s4-connector.service
root@ucs:~# tail -f -n100 /var/log/univention/connector-s4.log

Kind regards

I’m really surprised that the UCR variable is set to no on your DC Master. I’d like to know why. Maybe the UCR replog still contains the info when the variable was changed. Please post the output of

{ zcat /var/log/univention/config-registry.replog*gz ;
  ls /var/log/univention/config-registry.replog*|grep -v '\.gz$'|xargs cat
} | grep connector/s4/autostart

Apart from that do what Nico said about changing the variable & restarting the service.

univention-s4-connector.service - LSB: Univention S4 Connector
   Loaded: loaded (/etc/init.d/univention-s4-connector; generated; vendor preset: enabled)
   Active: active (running) since Wed 2019-03-20 15:28:55 CDT; 14min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 13014 ExecStart=/etc/init.d/univention-s4-connector start (code=exited, status=0/SUCCESS)
 Main PID: 13182 (python2.7)
    Tasks: 1 (limit: 4915)
   Memory: 65.0M
      CPU: 1min 49.260s
   CGroup: /system.slice/univention-s4-connector.service
           └─13182 /usr/bin/python2.7 -W ignore /usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py

Mar 20 15:28:47 ad systemd[1]: Starting LSB: Univention S4 Connector...
Mar 20 15:28:55 ad univention-s4-connector[13014]: Starting Univention S4 Connector: univention-s4-connector.
Mar 20 15:28:55 ad systemd[1]: univention-s4-connector.service: PID file /var/run/univention-s4-connector not r
Mar 20 15:28:55 ad systemd[1]: univention-s4-connector.service: Supervising process 13182 which is not our chil
Mar 20 15:28:55 ad systemd[1]: Started LSB: Univention S4 Connector.

It started and is running!

But unfortunately, a new user set up in the Univention Corporate Server still does not show up so that Microsoft Active Directory and users can see them.

What’s the output of

univention-s4connector-list-rejected