LDAP error on UCS system

[quote=“Grandjean”]Hello fmp,

sorry, I haven’t been around the last days. I’ve seen your e-mails to feedback@ and your entry in our bugtracker. My colleagues will check your case and get back to you. For now, we should wait for this.
All I can say now is, that imho it’s very unlikely that the “connector/ad/*” variables have anything to do with the problem.

Best regards,
Michael Grandjean[/quote]
Hi Michael,

Thank you so much. As I understand it, the UCS system must have more AD-related variables than the current variables of our system. The process of joining UCS to an AD domain will give UCS some information such as the domain DC, in this case abc-dc1.abc.com, etc. Below is the information I get when I execute the univention-ad-connector command:

This is univention-adsearch

Univention-adsearch uses the settings of "univention-ad-connector" to ldap-search an Active-Directory Server.

The Settings are not complete, please check the following univention-config-registry Values:
connector/ad/ldap/host, connector/ad/ldap/port,
connector/ad/ldap/binddn, connector/ad/ldap/bindpw,
connector/ad/ldap/base

I think the UCS system, after taking over from Windows AD, must have the above variables in UCR. I hope that you and your colleagues find the reason and a solution for this issue. Thanks again.

Dear fmp,
We would really like to help you with your issue, unfortunately it appears that we are at a point where the forum is not the best and applicable means to this end.
To help you effectively in this case we strongly suggest contacting our sales team at sales@univention.de to procure a base subscription and a sales call - our sales team will be glad to assist you in this matter. Then our support team will have the means to focus on your issue and bring it to a satisfactory conclusion.

I am sure this will be more helpful than forum messages at this point.

Kind regards,
Jens Thorp-Hansen

Head of Support
Univention GmbH

Dear Univention Team,

Honestly, we have a plan to purchase a subscription but we need time to test UCS for stability. This is a future plan if we feel that this is a good product. But in fact, UCS still has a lot of bugs, at least for us. About this issue, it came to us without any warnings from the system or via UMC, so we must spend a lot of time troubleshooting by ourselves. If no one in this forum can help us, we will find another choice to use Samba4 for our system and come back to try products of Univention some day in the future. Thank you.

Regards,
FMP

Dear fmp,
I still have eyes on your issue and as I said we want to help you. I want to give some insight into the progress and the most likely causes of your present issue.
Since it is rather hard to solve your issues permanently without trying to find the underlying problem, I will try to paint the path of the issue up to now for clarification:

In July you had a failed AD-Takeover because of a service principal that was where it should not be at this point of the process. There was a workaround, so the AD-Takeover could commence.
Following this, there was a workaround, because the DNS Data was not where expected. Then a workaround for the S4 connector, so that it does not interfere with previous workarounds and additional help via forum and feedback all regarding the system in its present state.

We want to make the system work for you, but we need to first fix the underlying problems.

Can you confirm/check and send the following output from the console? We suspect that there is an issue that interfered with your AD-Takeover process and if that is the case we want to fix this issue and make you able to create a working system.

eval "$(ucr shell)"
univention-s4search --cross-ncs DC="gc._msdcs"
univention-s4search --cross-ncs DC="gc"
univention-s4search --cross-ncs DC="_gc._tcp.FMPHN._sites"
univention-s4search --cross-ncs DC="$domainname"

IF our suspicion turns out true the next step to really solve your issues and not create workaround after workaround would be to start over in a test environment first by doing the following steps:

  1. We provide a bugfix
  2. Start over with a UCS 4.0-3 Master with installed Bugfix
  3. Install S4 Connector (Important: Installation HAS to commence AFTER the installation of the bugfix)
  4. next steps as usual

Kind Regards,
Jens Thorp-Hansen

Dear Jens Thorp-Hansen,

I appreciate your reply. Honestly, we are not familiar with UCS and Samba4, so we ran into a lot of trouble the first time we used UCS. In July, we had an error during the AD takeover process. It’s true, and with help from a UCS specialist, we finished the AD takeover process successfully. But we had problems with SSO between UCS and one of our systems, so we went back to Windows AD. At the end of September, after finding a solution for our SSO requirement, we came back to UCS. We got problems and started posting here, in this thread. After a few days without a solution, we decided to re-install a new UCS server, turn on Windows AD and start everything from the beginning (I’ve mentioned this at https://help.univention.com/t/windows-vertrauensstellung/118/1). So we think there are no underlying problems here. Below is the result of the commands you requested:

root@ucs:~# [b]univention-s4search --cross-ncs DC="gc._msdcs"[/b]
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[global]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucs.fmphn.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Received smb_krb5 packet of length 268
Received smb_krb5 packet of length 1263
Received smb_krb5 packet of length 1259
Received smb_krb5 packet of length 1255
# record 1
dn: DC=gc._msdcs,DC=fmphn.com,CN=MicrosoftDNS,CN=System,DC=fmphn,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20151010151635.0Z
uSNCreated: 10380
showInAdvancedViewOnly: TRUE
name: gc._msdcs
objectGUID: 4eb572d1-3fd6-4453-bf2f-30abc46022d2
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=fmphn,DC=com
dc: gc._msdcs
dnsRecord:: BAABAAXwAAABAAAAAAADhAAAAAAAAAAAwKgBDw==
dnsRecord:: BAABAAXwAAABAAAAAAADhAAAAAAAAAAAwKgBDg==
whenChanged: 20151010171516.0Z
uSNChanged: 10673
distinguishedName: DC=gc._msdcs,DC=fmphn.com,CN=MicrosoftDNS,CN=System,DC=fmphn,DC=com

# returned 1 records
# 1 entries
# 0 referrals
root@ucs:~# 
root@ucs:~# [b]univention-s4search --cross-ncs DC="gc"[/b]
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[global]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucs.fmphn.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Received smb_krb5 packet of length 268
Received smb_krb5 packet of length 1263
Received smb_krb5 packet of length 1259
Received smb_krb5 packet of length 1255
# record 1
dn: DC=gc,DC=_msdcs.fmphn.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=fmphn,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150827172740.0Z
uSNCreated: 9893
showInAdvancedViewOnly: TRUE
name: gc
objectGUID: 21a9c627-ffe6-44d7-a635-5804f3b12c79
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=fmphn,DC=com
dNSTombstoned: FALSE
dc: gc
whenChanged: 20151010150729.0Z
uSNChanged: 10217
dnsRecord:: BAABAAXwAABQAAAAAAACWAAAAABoejcAwKgBDg==
dnsRecord:: BAABAAXwAABQAAAAAAADhAAAAABvejcAwKgBDw==
distinguishedName: DC=gc,DC=_msdcs.fmphn.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=fmphn,DC=com

# returned 1 records
# 1 entries
# 0 referrals
root@ucs:~# 
root@ucs:~# [b]univention-s4search --cross-ncs DC="_gc._tcp.FMPHN._sites"[/b]
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[global]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucs.fmphn.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Received smb_krb5 packet of length 268
Received smb_krb5 packet of length 1263
Received smb_krb5 packet of length 1259
Received smb_krb5 packet of length 1255
# record 1
dn: DC=_gc._tcp.FMPHN._sites,DC=fmphn.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=fmphn,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150727102250.0Z
whenChanged: 20150830161541.0Z
uSNCreated: 9867
uSNChanged: 9867
showInAdvancedViewOnly: TRUE
name: _gc._tcp.FMPHN._sites
objectGUID: 28632a27-874d-4434-89eb-f887cd0a8836
dnsRecord:: GwAhAAXwAACsNAAAAAACWAAAAAAAAAAAAAAAZAzEEwMHdWJxLXN2cgVmbXBobgNjb2
 0A
dnsRecord:: GgAhAAXwAACsNAAAAAACWAAAAAAAAAAAAAAAZAzEEgMGZm1wLWFkBWZtcGhuA2NvbQ
 A=
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=fmphn,DC=com
dNSTombstoned: FALSE
dc: _gc._tcp.FMPHN._sites
distinguishedName: DC=_gc._tcp.FMPHN._sites,DC=fmphn.com,CN=MicrosoftDNS,DC=Do
 mainDnsZones,DC=fmphn,DC=com

# record 2
dn: DC=_gc._tcp.FMPHN._sites,DC=fmphn.com,CN=MicrosoftDNS,CN=System,DC=fmphn,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150828040039.0Z
uSNCreated: 4765
showInAdvancedViewOnly: TRUE
name: _gc._tcp.FMPHN._sites
objectGUID: efd23287-34cf-4877-acb9-6c8864e77ee4
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=fmphn,DC=com
dNSTombstoned: FALSE
dc: _gc._tcp.FMPHN._sites
dnsRecord:: GwAhAAXwAAABAAAAAAADhAAAAAAAAAAAAAAAZAzEEwMHZm1wLWRjMQVmbXBobgNjb2
 0A
dnsRecord:: FwAhAAXwAAABAAAAAAADhAAAAAAAAAAAAAAAZAzEDwMDdWNzBWZtcGhuA2NvbQA=
whenChanged: 20151010151742.0Z
uSNChanged: 10453
distinguishedName: DC=_gc._tcp.FMPHN._sites,DC=fmphn.com,CN=MicrosoftDNS,CN=Sy
 stem,DC=fmphn,DC=com

# returned 2 records
# 2 entries
# 0 referrals
root@ucs:~# 
root@ucs:~# [b]univention-s4search --cross-ncs DC="$domainname"[/b]
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[global]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucs.fmphn.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Received smb_krb5 packet of length 268
Received smb_krb5 packet of length 1263
Received smb_krb5 packet of length 1259
Received smb_krb5 packet of length 1255
# returned 0 records
# 0 entries
# 0 referrals
root@ucs:~# 

About this issue, we think that this is a special situation because the system told us via UMC that everything was successful, but in fact BIND cannot get access to update the Samba internal DNS records, which we can reach via DNS or LDAP in UMC. If you need any further information, please let us know. Thank you for your support.

Regards,
FMP

Dear fmp,
It is possible that we need to provide a bugfix for a specific case before you can commence with the AD Takeover as you did. So if you did this before we got the chance to fix this issue, the behaviour won't be better.
Please wait till we have provided the bugfix for this case (which could be fixing your underlying problem) and then commence with the actions:

  1. Start over with a UCS 4.0-3 Master !with installed Bugfix!
  2. Install S4 Connector (Important: Installation HAS to commence AFTER the installation of the bugfix)
  3. proceed as normal

Kind regards,
Jens Thorp-Hansen

Dear Jens Thorp-Hansen,

We will wait for your bugfix. We appreciate your help. Thank you.

Regards,
FMP

Dear All,

A Univention specialist moved our bug request to this one: forge.univention.org/bugzilla/s … i?id=34184 which is marked as resolved. What should we do now? Our UCS server has not been updated because Jens Thorp-Hansen from Univention told us not to do anything and wait for the bugfix. Please help us. Thank you.

Regards,
FMP

Hi FMP,
The Bug is marked as “resolved” because it is a duplicate. The bugfix is not ready at the moment, though we work on it for a release in the near future.

regards,
Jens Thorp-Hansen

Hello, this is IT Bizz. We have done the test with the OP:

eval "$(ucr shell)"
univention-s4search --cross-ncs DC="gc._msdcs"
univention-s4search --cross-ncs DC="gc"
univention-s4search --cross-ncs DC="_gc._tcp.FMPHN._sites"
univention-s4search --cross-ncs DC="$domainname"
---------------------------------------- the following results:
root@ucs:~# eval "$(ucr shell)"
root@ucs:~# univention-s4search --cross-ncs DC="gc._msdcs"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[global]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucs.fmphn.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Received smb_krb5 packet of length 268
Received smb_krb5 packet of length 1263
Received smb_krb5 packet of length 1259
Received smb_krb5 packet of length 1255
# record 1
dn: DC=gc._msdcs,DC=fmphn.com,CN=MicrosoftDNS,CN=System,DC=fmphn,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20151010151635.0Z
uSNCreated: 10380
showInAdvancedViewOnly: TRUE
name: gc._msdcs
objectGUID: 4eb572d1-3fd6-4453-bf2f-30abc46022d2
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=fmphn,DC=com
dc: gc._msdcs
dnsRecord:: BAABAAXwAAABAAAAAAADhAAAAAAAAAAAwKgBDw==
dnsRecord:: BAABAAXwAAABAAAAAAADhAAAAAAAAAAAwKgBDg==
whenChanged: 20151010171516.0Z
uSNChanged: 10673
distinguishedName: DC=gc._msdcs,DC=fmphn.com,CN=MicrosoftDNS,CN=System,DC=fmph
 n,DC=com

# returned 1 records
# 1 entries
# 0 referrals
xxxxx@ucs:~# univention-s4search --cross-ncs DC="gc"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[global]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucs.fmphn.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Received smb_krb5 packet of length 268
Received smb_krb5 packet of length 1263
Received smb_krb5 packet of length 1259
Received smb_krb5 packet of length 1255
# record 1
dn: DC=gc,DC=_msdcs.fmphn.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=fmphn,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150827172740.0Z
uSNCreated: 9893
showInAdvancedViewOnly: TRUE
name: gc
objectGUID: 21a9c627-ffe6-44d7-a635-5804f3b12c79
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=fmphn,DC=com
dNSTombstoned: FALSE
dc: gc
whenChanged: 20151010150729.0Z
uSNChanged: 10217
dnsRecord:: BAABAAXwAABQAAAAAAACWAAAAABoejcAwKgBDg==
dnsRecord:: BAABAAXwAABQAAAAAAADhAAAAABvejcAwKgBDw==
distinguishedName: DC=gc,DC=_msdcs.fmphn.com,CN=MicrosoftDNS,DC=DomainDnsZones
 ,DC=fmphn,DC=com

# returned 1 records
# 1 entries
# 0 referrals
root@ucs:~# univention-s4search --cross-ncs DC="_gc._tcp.FMPHN._sites"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[global]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucs.fmphn.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Received smb_krb5 packet of length 268
Received smb_krb5 packet of length 1263
Received smb_krb5 packet of length 1259
Received smb_krb5 packet of length 1255
# record 1
dn: DC=_gc._tcp.FMPHN._sites,DC=fmphn.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=fmphn,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150727102250.0Z
whenChanged: 20150830161541.0Z
uSNCreated: 9867
uSNChanged: 9867
showInAdvancedViewOnly: TRUE
name: _gc._tcp.FMPHN._sites
objectGUID: 28632a27-874d-4434-89eb-f887cd0a8836
dnsRecord:: GwAhAAXwAACsNAAAAAACWAAAAAAAAAAAAAAAZAzEEwMHdWJxLXN2cgVmbXBobgNjb2
 0A
dnsRecord:: GgAhAAXwAACsNAAAAAACWAAAAAAAAAAAAAAAZAzEEgMGZm1wLWFkBWZtcGhuA2NvbQ
 A=
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=fmphn,DC=com
dNSTombstoned: FALSE
dc: _gc._tcp.FMPHN._sites
distinguishedName: DC=_gc._tcp.FMPHN._sites,DC=fmphn.com,CN=MicrosoftDNS,DC=Do
 mainDnsZones,DC=fmphn,DC=com

# record 2
dn: DC=_gc._tcp.FMPHN._sites,DC=fmphn.com,CN=MicrosoftDNS,CN=System,DC=fmphn,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150828040039.0Z
uSNCreated: 4765
showInAdvancedViewOnly: TRUE
name: _gc._tcp.FMPHN._sites
objectGUID: efd23287-34cf-4877-acb9-6c8864e77ee4
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=fmphn,DC=com
dNSTombstoned: FALSE
dc: _gc._tcp.FMPHN._sites
dnsRecord:: GwAhAAXwAAABAAAAAAADhAAAAAAAAAAAAAAAZAzEEwMHZm1wLWRjMQVmbXBobgNjb2
 0A
dnsRecord:: FwAhAAXwAAABAAAAAAADhAAAAAAAAAAAAAAAZAzEDwMDdWNzBWZtcGhuA2NvbQA=
whenChanged: 20151010151742.0Z
uSNChanged: 10453
distinguishedName: DC=_gc._tcp.FMPHN._sites,DC=fmphn.com,CN=MicrosoftDNS,CN=Sy
 stem,DC=fmphn,DC=com

# returned 2 records
# 2 entries
# 0 referrals
xxxxxx@ucs:~# univention-s4search --cross-ncs DC="$domainname"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[global]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0:1 ip=192.168.1.14 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucs.fmphn.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Received smb_krb5 packet of length 268
Received smb_krb5 packet of length 1263
Received smb_krb5 packet of length 1259
Received smb_krb5 packet of length 1255
# record 1
dn: DC=fmphn.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=fmphn,DC=com
objectClass: top
objectClass: dnsZone
cn: Zone
instanceType: 4
whenCreated: 20150712002521.0Z
whenChanged: 20150823155739.0Z
uSNCreated: 9325
uSNChanged: 9325
showInAdvancedViewOnly: TRUE
name: fmphn.com
objectGUID: a9de81cb-816e-4e55-be04-8ee4c84a2e71
objectCategory: CN=Dns-Zone,CN=Schema,CN=Configuration,DC=fmphn,DC=com
dNSProperty:: CAAAAAAAAAAAAAAAAQAAAAgAAAB1PbILAwAAAAAAAAA=
dNSProperty:: BAAAAB8AAgAAAAAAAQAAABAAAACoAAAAAAAAAA==
dNSProperty:: BAAAAAAAAAAAAAAAAQAAACAAAACoAAAAAAAAAA==
dNSProperty:: BAAAAAAAAAAAAAAAAQAAAAEAAAABAAAAYjeVdw==
dNSProperty:: AQAAAHA/iwAAAAAAAQAAAAIAAAAC48YAAA==
dNSProperty:: BAAAAAAAAAAAAAAAAQAAAEAAAAABAAAACOTGAA==
dNSProperty:: AAAAAADoxgAAAAAAAQAAAJAAAAAo5cYA
dNSProperty:: BAAAAGhTAAAAAAAAAQAAABIAAACXdjcAAAAAAA==
dNSProperty:: AAAAAGBTAAAAAAAAAQAAAJIAAAAAAAAA
dc: fmphn.com
distinguishedName: DC=fmphn.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=fmphn,DC=
 com

# record 2
dn: DC=fmphn.com,CN=MicrosoftDNS,CN=System,DC=fmphn,DC=com
objectClass: top
objectClass: dnsZone
instanceType: 4
whenCreated: 20150718195946.0Z
whenChanged: 20150830181857.0Z
uSNCreated: 3702
uSNChanged: 3702
showInAdvancedViewOnly: TRUE
name: fmphn.com
objectGUID: 2f1d31ae-8341-4e39-8f09-453ca05baf80
objectCategory: CN=Dns-Zone,CN=Schema,CN=Configuration,DC=fmphn,DC=com
dNSProperty:: BAAAAB8AAgAAAAAAAQAAABAAAACoAAAAAAAAAA==
dNSProperty:: BAAAAAAAAAAAAAAAAQAAACAAAACoAAAAAAAAAA==
dNSProperty:: CAAAAAAAAAAAAAAAAQAAAAgAAADM2PMLAwAAAAAAAAA=
dNSProperty:: BAAAAAAAAAAAAAAAAQAAAAEAAAABAAAA4jdKdw==
dNSProperty:: AQAAABwAAAAAAAAAAQAAAAIAAAAC5zwDAA==
dNSProperty:: AAAAAMDrPAMAAAAAAQAAAJAAAADo6DwD
dNSProperty:: BAAAAAAAAAAAAAAAAQAAAEAAAAABAAAAyOc8Aw==
dNSProperty:: AAAAAGhRAAAAAAAAAQAAAJIAAAAAAAAA
dNSProperty:: BAAAAGRRAAAAAAAAAQAAABIAAABCdzcAAAAAAA==
dc: fmphn.com
distinguishedName: DC=fmphn.com,CN=MicrosoftDNS,CN=System,DC=fmphn,DC=com

# returned 2 records
# 2 entries
# 0 referrals

xxxxx@ucs:~#

Hope it helps.

Dear FMP,
The Bugfix is now released: errata.software-univention.de/ucs/4.0/344.html
You need to have this Fix/Errata installed before attempting the AD-Takeover / installing the S4 connector. Please do this and get back to us if the issue is resolved or not.

Kind regards,
Jens Thorp-Hansen

Hi Jens Thorp-Hansen, does it mean that we have to turn off the UCS server, remove them and then turn on the Windows AD again and start the AD takeover process from the beginning? Do you have any other way to solve this issue?

Dear FMP,
The best practice at this point is to set up a new test-environment that is very near your current environment (before Takeover) where you can check if everything works smoothly with the new errata.
After that you would come back to us and we would proceed on this information.

Edit: you could even build a test environment that mirrors your current environment with the failed Takeover. But it is imperative, that you do not attempt to re-Takeover, etc. without having tested every step before in a test environment.

Regards,
Jens Thorp-Hansen

Dear Univention,

It’s not working. After the new UCS join to the AD domain, everything is OK. The result of “net ads info” and the script to check DNS is perfect. But after the successful AD takeover, funny things appear. Before the AD takeover, we had only 1 Windows AD server. But now, in the UCS:

  • the primary DC is an old primary Windows DC in the DNS record
  • all DNS records in UCS are now the old records from a long time ago
  • now the DNS records show that we have 2 DCs but in fact, we have only 1 UCS

It seems that bugfixes 343 and 344 did something wrong which made the deleted/old records return like zombies!

Hello,

could you please try to explain what you are experiencing?

Could you please give us some detail? What exactly do you check (and how?) and what is the behaviour? What do the wrong records look like?

[quote=“fmp”]
It seems that bugfixes 343 and 344 did something wrong which made the deleted/old records return like zombies![/quote]

Does everything work as expected if you correct these records in your DNS?

Kind regards,
Tim Petersen

Hope it’ll help someone else too.

I had the same DNS problem on every AD Takeover I did with UCS 4.1.
It seems that some DNS entries are not put into the Samba DNS by the Univention AD Takeover app (the DNS entries are still in the Univention LDAP DNS but a Windows PC can’t join the domain - error = the network name is no longer available).
So I ran the following re-provisioning procedure after the AD Takeover and it works - now all DNS entries are there in the Samba DNS for clients to join:
sdb.univention.de/content/6/274/ … aster.html

greetings
Christian

Sorry for the late response. We solved this problem nearly 2 months ago (on Nov 6th 2015). After several tests, we found that the AD Takeover of UCS is not fully successful with a Windows AD system which has a lot of “old” records of the primary DC or any DC from the past. In our case, we had some DCs before migrating to UCS, so I had to demote them or even seize the 5 master roles to another DC, etc… We tried many times to find out why and finally found that we need to delete all records/objects/data in the _msdcs zone. And then, everything is OK after the AD Takeover process.

Example:

Hello fmp,

thanks for sharing! Glad to hear it’s finally working for you :)

Just to make sure I understand correctly: It was necessary to delete the entries from the _msdcs zone even after demoting the old Windows DCs?

Best regards,
Michael Grandjean

[quote=“Grandjean”]Hello fmp,

thanks for sharing! Glad to hear it’s finally working for you :)

Just to make sure I understand correctly: It was necessary to delete the entries from the _msdcs zone even after demoting the old Windows DCs?

Best regards,
Michael Grandjean[/quote]
Hi Michael,

Yes. It was necessary to delete the entries from the _msdcs zone on Active Directory Users and Computers before the AD Takeover action. In my case, the primary DC had been changed several times for some reasons (one reason you knew is the ex-IT guy set the file server to be the primary DC of the AD). If I do not delete the entries in the _msdcs zone, after the AD Takeover process, there will be a lot of “old” entries from the past appearing in the UCS records (even some “old” records from last year); that’s why I said they (old records) returned like zombies. Honestly, our Windows AD was having some internal issues before I started working for this organization but I solved all of them. After checking with the dcdiag command with many options, replication status, Event Viewer, the ntdsutil command, etc… there were no old records existing and no problems with Windows AD anymore, and then I started the AD Takeover process but I still got the problem described in the comments above.

Anyway, thank God, it’s OK now :)

Regards,
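
A pre-takeover check in the spirit of the finding above, added here as an example; it is not part of the thread and not Univention's tooling. It parses SRV answers for the _msdcs zone (in the format printed by `dig +noall +answer`) and lists targets that are not among the known live DCs. The domain, host names and sample records are constructed.

```python
import re

# Constructed sample: answer lines as `dig +noall +answer SRV <name>` prints them.
# corp.example and all host names are made up for this example.
SAMPLE_ANSWER = """\
_ldap._tcp.dc._msdcs.corp.example. 900 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 900 IN SRV 0 100 389 OLD-DC2.corp.example.
_ldap._tcp.pdc._msdcs.corp.example. 900 IN SRV 0 100 389 fileserver.corp.example.
; comment lines and blank lines are skipped
_kerberos._tcp.dc._msdcs.corp.example. 900 IN SRV 0 100 88 dc1.corp.example.
"""

# owner [ttl] [class] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def normalize(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_srv(text):
    """Return (owner, port, target) tuples for every SRV line in text."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m:
            records.append((normalize(m["owner"]), int(m["port"]),
                            normalize(m["target"])))
    return records


def stale_msdcs_records(text, live_dcs):
    """Map each SRV target that is not a live DC to the _msdcs names pointing at it."""
    live = {normalize(d) for d in live_dcs}
    stale = {}
    for owner, _port, target in parse_srv(text):
        if "_msdcs" in owner.split(".") and target not in live:
            stale.setdefault(target, []).append(owner)
    return stale


if __name__ == "__main__":
    for host, owners in stale_msdcs_records(SAMPLE_ANSWER, ["dc1.corp.example"]).items():
        print(f"stale DC reference: {host} <- {', '.join(owners)}")
```

An empty result means every _msdcs SRV record in the input points at a DC on the live list.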
