DNS Problem with DC Backup Server

Translated, in English please.
Hello,
I have recently installed a second UCS server to be able to distribute my data to 2 network cards…
I thought a DC-Backup wouldn’t be bad and so I chose this one… in itself the shares on both servers work fine - but I have problems with the certificate of Kopano (installed on the first (main) server).
I keep getting only the private certificate (and therefore a security warning in Firefox) instead of the Let's Encrypt one. If I switch the DNS server to an external one, it works. But of course it should be the UCS DNS, which doesn't work reliably.
The system diagnosis reports the following on the (main) server:

root@ucs:~# univention-s4connector-list-rejected 

UCS rejected


S4 rejected

    1: S4 DN: CN=dns-srv16,CN=Users,DC=intranet,DC=mydomain,DC=at
       UCS DN: uid=dns-srv16,cn=users,dc=intranet,dc=mydomain,dc=at

Could that be the cause? And how can I fix this?
Thank you very much for your help! (Or could I alternatively remove the DC Backup and make it a normal member server?)


Hi,

And regarding the issue:
Your Let's Encrypt certificate is attached to your external IP address or hostname. So when you access the external IP everything is fine; otherwise you are trying to access the internal IP, where the LE cert does not match.

This is due to the SSL concept and is neither an error nor a failure.
As a workaround I would suggest creating an additional A record in the DNS settings with the same name you use to access your Kopano server from outside, pointing to the external IP. This way you will always use the same name and therefore get the LE cert.

/CV

Thank you for your answer, but that's not the problem. Before I installed the DC Backup server everything (including Kopano) worked perfectly on the main server.
On my Windows PC I run a "ping" command for intranet.mydomain.at -> works correctly with the answer "192.168.1.6".
When I set the DNS server on my Windows PC to 192.168.1.6 (= UCS main server) and run the "ping" command, I get the answer "192.168.1.106" (= new Backup DC server) and not 192.168.1.6.

Strange for me… did I make a mistake? (and what about the s4 error above)

In an Active Directory it's normal (and even required) for all DCs to be present as A records for the domain name (e.g. intranet.mydomain.at). This is done for workload distribution and error resiliency purposes.

If you want to access a certain host, use its hostname (e.g. ucsmaster.intranet.mydomain.at if your server is called ucsmaster).

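To make the two replies concrete (the earlier suggestion of a dedicated A record for the name you reach Kopano under, and the advice to address one DC by its own hostname), here is an added offline model of the situation. It is example code written for this page, not part of the thread and not UCS code. The zone contents, addresses and certificate SAN lists are constructed for the demo and only modelled on the names in the thread; `ucsmaster`, `ucsbackup` and `kopano.mydomain.at` are assumed names.

```python
"""
Offline model of the DNS / certificate situation in this thread (added
example, not UCS code): the domain name carries an A record for every DC,
so a client may land on either server, but only the master presents the
Let's Encrypt certificate. All zone data and SAN lists are constructed.
"""
import ipaddress

# Constructed zone: assumed names/addresses modelled on the thread.
ZONE = {
    "intranet.mydomain.at": ["192.168.1.6", "192.168.1.106"],  # both DCs
    "ucsmaster.intranet.mydomain.at": ["192.168.1.6"],         # master only
    "ucsbackup.intranet.mydomain.at": ["192.168.1.106"],       # backup only
    "kopano.mydomain.at": ["192.168.1.6"],                     # dedicated name
}

# Constructed: SAN list of the certificate each server presents on port 443.
CERT_SANS = {
    # assumed Let's Encrypt certificate on the master
    "192.168.1.6": ["intranet.mydomain.at", "ucsmaster.intranet.mydomain.at",
                    "kopano.mydomain.at"],
    # certificate from the UCS-internal CA on the backup DC
    "192.168.1.106": ["ucsbackup.intranet.mydomain.at"],
}


def resolve(name, zone, query_no=0):
    """Addresses for `name`, rotated as a round-robin resolver would for the
    `query_no`-th query (simplified model; real rotation varies by resolver)."""
    addrs = zone.get(name.lower().rstrip("."), [])
    for a in addrs:
        ipaddress.ip_address(a)  # reject malformed records early
    if not addrs:
        return []
    k = query_no % len(addrs)
    return addrs[k:] + addrs[:k]


def san_matches(pattern, hostname):
    """RFC 6125 style dNSName match: case-insensitive; '*' is only allowed as
    the entire leftmost label, matches exactly one label, and must be followed
    by at least two more labels (so '*.at' never matches)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if any("*" in label for label in p[1:]):
        return False  # wildcard outside the leftmost label is not accepted
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(sans, hostname):
    """True if any SAN entry of the presented certificate is valid for hostname."""
    return any(san_matches(s, hostname) for s in sans)


def diagnose(name, zone, certs):
    """For every address `name` can resolve to, report whether the certificate
    presented there is valid for `name`. 'deterministic' is False when the
    name is spread over several hosts, which is the thread's intermittent
    browser warning."""
    addrs = resolve(name, zone)
    per_address = {a: cert_covers(certs.get(a, []), name) for a in addrs}
    return {
        "name": name,
        "deterministic": len(addrs) == 1,
        "per_address": per_address,
        "always_valid": bool(addrs) and all(per_address.values()),
    }


if __name__ == "__main__":
    for n in ("intranet.mydomain.at", "ucsmaster.intranet.mydomain.at",
              "kopano.mydomain.at"):
        print(diagnose(n, ZONE, CERT_SANS))
```

Against a real setup the two tables are what `dig +short <name>` and `openssl s_client -connect <ip>:443 -servername <name> </dev/null | openssl x509 -noout -ext subjectAltName` would give you for each address; the check then tells you whether the name you type in the browser can ever land on a host whose certificate does not cover it.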

Okay, thank you - I misunderstood that!
And what about this error message?

[quote="item, post:1, topic:11722"]
root@ucs:~# univention-s4connector-list-rejected

UCS rejected

S4 rejected

    1: S4 DN: CN=dns-srv16,CN=Users,DC=intranet,DC=meinedomain,DC=at
       UCS DN: uid=dns-srv16,cn=users,dc=intranet,dc=meinedomain,dc=at
[/quote]

Please post the content of /var/log/univention/connector-s4.log that’s relevant for this reject.

About every minute I get these log entries:

03.04.2019 15:27:53,689 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=dns-srv16,CN=Users,DC=intranet,DC=mydomain,DC=at
03.04.2019 15:27:53,695 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=dns-srv16,cn=users,dc=intranet,dc=mydomain,dc=at
03.04.2019 15:27:53,748 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
03.04.2019 15:27:53,748 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1626, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1377, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1674, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 635, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1269, in _modify
    self.call_udm_property_hook('hook_ldap_pre_modify', self)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1032, in call_udm_property_hook
    func(module)
