Newly created users cannot login

Hi all,

I have an interesting situation and unfortunately i ran out of option. I’m stuck and hopeless
We have two sites A and B with an univention corporate server in each of the sites linked together. We have around 130 users, whose “Desktop” and “Documents” directories are syncronized to the corresponding server in each location. It was configured by group policy. It is a windows active directory domain achived with samba.

Up until the middle of the week everything was working rock solid for months now but we had a serious power outage and Site B went down. After starting it ucs wasn’t working. No hostname, could not join the master, full with errors.

We restored a backup from previous week. Seemingly everything worked. Joined the second server again to the master, gave an error on first try, but did on the second. We noticed however that if we create d a new user after the restore those user could not login. They are able to login to the umc, but cannot login into the computers which are joined to the domain. Interestingly they can login on Site A, but not on Site B.

I cannot find any authentication errors in the logs, the replication is working fine between the two servers, and system diagnostics is clean too.

Do anybody have some tips where i should look at for the culprint.

Thanks a lot in advance

Regards
Raymond

Ok I think I found the problem, but have no idea how to solve it.

Master DC:

univention-s4search --cross-ncs 'ridnextrid=*'
# record 1
dn: CN=RID Set,CN=UCS,OU=Domain Controllers,DC=dgaspc,DC=local
objectClass: top
objectClass: rIDSet
cn: RID Set
instanceType: 4
whenCreated: 20200109083150.0Z
uSNCreated: 3667
showInAdvancedViewOnly: TRUE
name: RID Set
objectGUID: b3ae0322-2f90-498e-bc0d-6969190ee207
objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=dgaspc,DC=local
rIDAllocationPool: 4600-5099
rIDPreviousAllocationPool: 4600-5099
rIDUsedPool: 1
whenChanged: 20200519212315.0Z
uSNChanged: 44621
rIDNextRID: 4618
distinguishedName: CN=RID Set,CN=UCS,OU=Domain Controllers,DC=dgaspc,DC=local

# record 2
dn: CN=RID Set,CN=BDC,OU=Domain Controllers,DC=dgaspc,DC=local
objectClass: top
objectClass: rIDSet
cn: RID Set
instanceType: 4
whenCreated: 20200522172117.0Z
whenChanged: 20200522172117.0Z
uSNCreated: 45690
uSNChanged: 45690
showInAdvancedViewOnly: TRUE
name: RID Set
objectGUID: 90fe4f99-0c2e-4883-b56a-619cda01d472
rIDAllocationPool: 6100-6599
rIDPreviousAllocationPool: 0-0
rIDUsedPool: 0
rIDNextRID: 0
objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=dgaspc,DC=local
distinguishedName: CN=RID Set,CN=BDC,OU=Domain Controllers,DC=dgaspc,DC=local

# returned 2 records
# 2 entries
# 0 referrals

Same command on the Backup DC from Site:B

univention-s4search --cross-ncs 'ridnextrid=*'
# returned 0 records
# 0 entries
# 0 referrals

Investigating site b further:

ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set" -b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"
# record 1
dn: CN=RID Set,CN=BDC,OU=Domain Controllers,DC=dgaspc,DC=local
objectClass: top
objectClass: rIDSet
cn: RID Set
instanceType: 4
whenCreated: 20200522172117.0Z
whenChanged: 20200522172117.0Z
uSNCreated: 6004
uSNChanged: 6004
showInAdvancedViewOnly: TRUE
name: RID Set
objectGUID: 90fe4f99-0c2e-4883-b56a-619cda01d472
rIDAllocationPool: 6100-6599
rIDUsedPool: 0
objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=dgaspc,DC=local
distinguishedName: CN=RID Set,CN=BDC,OU=Domain Controllers,DC=dgaspc,DC=local

# returned 1 records
# 1 entries
# 0 referrals

So i noticed on the backup dc that i have no “rIDNextRID” and "uSNChanged: is different from the master DC

I have run the join script, everything went ok, and executed samba-tool drs replicate succesfully. New users still cannot login.