The join fails with an error, or users are frequently unable to log in.
User logon works for a while and then fails suddenly. Different users are affected, and the set of affected users changes over time. When trying to log in through Windows they get “No Authentication Server available”.
The join of a system fails (most likely in 98univention-samba4slavepdc-dns.inst, but not only there) with the following written to the log:

Failed to get Kerberos credentials, falling back to samba-tool: (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
Check your DNS settings.
Verify that the computer to be joined can resolve the domain controller DNS entries:

root@master:~# host gc._msdcs.$(ucr get domainname) 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

gc._msdcs.multi.ucs has address 10.250.200.101
gc._msdcs.multi.ucs has address 10.250.200.102
gc._msdcs.multi.ucs has address 10.250.200.100
Check for legacy DNS zones.

root@ucs:~# univention-s4search CN=MicrosoftDNS --cross-ncs dn | grep -i "cn=system"
dn: DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,CN=System,DC=multi,DC=ucs

There should NOT be any entry in the “System” container (CN=System).
Check whether the DNS service (named) reports additional or duplicate zones in /var/log/daemon.log:

Mar 12 13:26:20 slave named: samba_dlz: Ignoring duplicate zone 'multi.ucs' from 'DC=@,DC=multi.ucs,CN=MicrosoftDNS,DC=DomainDnsZones,DC=multi,DC=ucs'
Mar 12 13:26:20 slave named: samba_dlz: Ignoring dnsZone _msdcs.multi.ucs
By default the S4 connector synchronizes DNS entries from OpenLDAP to the current location in the Microsoft DNS tree (DC=DomainDnsZones). In earlier versions (Windows 2000) the DNS zones were stored at a different location (CN=System). Verify that the S4 connector is not configured to use the legacy zones; the variable should not be set:

ucr get connector/s4/mapping/dns/position
There is a duplicate zone in the legacy tree (“CN=System”) which is loaded first by the named service, so the current zone in DC=DomainDnsZones is ignored. Since the S4 connector by default does not sync into the legacy tree, the zone that named actually loaded is very likely outdated.
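The following shell script is an added example and not part of the Univention article or the product. It shows how to read the samba_dlz messages above: which copy of a zone named ignored (the DN in the message) and, by implication, which copy it loaded, plus a filter that picks the legacy CN=System zones out of a univention-s4search dump. The log lines and the LDIF dump are constructed samples based on the excerpts in this article; the host name "slave" and the serial number are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Univention article: parse the samba_dlz
# messages that named writes to /var/log/daemon.log, classify DNS zone DNs by
# partition, and filter a univention-s4search dump for zones that live in the
# legacy CN=System tree. All sample data below is constructed for the demo.

# Constructed sample of named/samba_dlz log lines (hypothetical host "slave").
sample_log() {
  cat <<'EOF'
Mar 12 13:26:20 slave named: samba_dlz: Ignoring duplicate zone 'multi.ucs' from 'DC=@,DC=multi.ucs,CN=MicrosoftDNS,DC=DomainDnsZones,DC=multi,DC=ucs'
Mar 12 13:26:20 slave named: samba_dlz: Ignoring dnsZone _msdcs.multi.ucs
Mar 12 13:26:21 slave named: zone multi.ucs/NONE: loaded serial 42
EOF
}

# Constructed sample of "univention-s4search CN=MicrosoftDNS --cross-ncs dn" output.
sample_s4search() {
  cat <<'EOF'
# record 1
dn: DC=multi.ucs,CN=MicrosoftDNS,DC=DomainDnsZones,DC=multi,DC=ucs

# record 2
dn: DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,CN=System,DC=multi,DC=ucs

EOF
}

# Print "<zone> <dn-that-was-ignored>" for every duplicate-zone warning on stdin.
# The DN reported here is the copy named did NOT load; the copy it did load
# is the other one, which the article identifies as the stale legacy zone.
duplicate_zones() {
  sed -n "s/.*Ignoring duplicate zone '\([^']*\)' from '\([^']*\)'.*/\1 \2/p"
}

# Print zone names that samba_dlz skipped entirely ("Ignoring dnsZone ...").
ignored_dnszones() {
  sed -n 's/.*Ignoring dnsZone \([^ ]*\).*/\1/p'
}

# Classify a MicrosoftDNS zone DN by the partition it is stored in.
zone_partition() {
  case "$1" in
    *,CN=MicrosoftDNS,CN=System,*)          echo legacy ;;
    *,CN=MicrosoftDNS,DC=DomainDnsZones,*)  echo domain ;;
    *,CN=MicrosoftDNS,DC=ForestDnsZones,*)  echo forest ;;
    *)                                      echo unknown ;;
  esac
}

# From an LDIF-style dump on stdin, print only the zone DNs in the legacy tree.
legacy_zone_dns() {
  sed -n 's/^dn: //p' | while IFS= read -r dn; do
    if [ "$(zone_partition "$dn")" = legacy ]; then
      printf '%s\n' "$dn"
    fi
  done
}

# Return 0 when the UCR variable value is unset/empty (the default the article
# restores with "ucr unset"), 1 when it is set to anything else.
connector_position_is_default() {
  [ -z "$1" ]
}

demo() {
  echo "== duplicate zones reported by named (DN shown is the ignored copy) =="
  sample_log | duplicate_zones
  echo "== zones skipped by samba_dlz =="
  sample_log | ignored_dnszones
  echo "== legacy (CN=System) zones in the sam.ldb dump =="
  sample_s4search | legacy_zone_dns
}

demo
```

On a real system you would feed `grep samba_dlz /var/log/daemon.log` into `duplicate_zones` and the output of `univention-s4search CN=MicrosoftDNS --cross-ncs dn` into `legacy_zone_dns`; any DN printed by `legacy_zone_dns` is a candidate for the migration and clean-up steps below.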
On the master (or the @school slave) migrate the existing zone information to the new location with the script migrate_legacy_dns_zones attached to Bug 43692 - Migrate Samba 4 DNS data from the legacy to the default partition. It is essential to use the unmodified script: avoid copy & paste and download it with wget or a similar tool instead.
Now make sure the S4 connector does not sync to the legacy branches:

ucr unset connector/s4/mapping/dns/position
systemctl restart univention-s4-connector
If the issue persists and you still find duplicate zone entries in /var/log/daemon.log, start over with step 1.
Remove the duplicate (legacy) entry and restart the DNS service:

ldbdel -H /var/lib/samba/private/sam.ldb DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,CN=System,DC=multi,DC=ucs
systemctl restart bind9
The join should now be possible again and users should no longer notice any issues during login.