Problem: Join Gives Error or Users Can Not Login Sometimes or Join Fails

Knowledge Base Community
, , , , ,
#1

Problem:

Symptom 1:

Join gives an error or users can not login frequently.
User logon works for a while but fails suddenly. Different users are be affected but the users change. When trying to login through Windows they get “No Authentication Server available”.

Symptom 2:

The join of a system fails (likely in 98univention-samba4slavepdc-dns.inst, but not only) with the following written in the file /var/log/univention/join.log:

Failed to get Kerberos credentials, falling back to samba-tool: (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')

Investigation

Step 1

Check your DNS Settings.

Step 2

Verify your to-be-joined computer can resolve domain controller DNS entries:

root@master:~# host gc._msdcs.$(ucr get domainname) 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

gc._msdcs.multi.ucs has address 10.250.200.101
gc._msdcs.multi.ucs has address 10.250.200.102
gc._msdcs.multi.ucs has address 10.250.200.100

Step 3

Check for legacy DNS zones.

root@ucs:~# univention-s4search CN=MicrosoftDNS --cross-ncs dn | grep -i "cn=system"
dn: DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,CN=System,DC=multi,DC=ucs

There should NOT be a DC=_msdcs object entry below the CN=MicrosoftDNS,CN=System container.

Verify existence of additional zones by the DNS service in /var/log/daemon.log:

Mar 12 13:26:20 slave named[18248]: samba_dlz: Ignoring duplicate zone 'multi.ucs' from 'DC=@,DC=multi.ucs,CN=MicrosoftDNS,DC=DomainDnsZones,DC=multi,DC=ucs'
Mar 12 13:26:20 slave named[18248]: samba_dlz: Ignoring dnsZone _msdcs.multi.ucs

Step 4

The S4 connector by default synchronizes DNS entries from OpenLDAP to up-to-date location in Microsoft DNS. Previously (in Windows 2000) the DNS zones have been at a different location. Verify the S4 connector does not use legacy zones:

ucr get connector/s4/mapping/dns/position

Conclusion

There exists a duplicate zone in the legacy tree of CN=MicrosoftDNS,CN=System which gets loaded first by the named service. But as the S4 connector by default does not sync into the legacy tree this zone is very likely outdated.

Solution

Step 1

On the master (or @school-slave) migrate existing zone info to new location with the script migrate_legacy_dns_zones attached to
the Bug 43692 - Migrate Samba 4 DNS data from the legacy to the default partition. It is also essential that the unmodified script is used, please avoid Copy&Paste and rather use wget or similar methods.

Step 2

Now make sure the S4 connector does not sync to legacy branches:

ucr unset connector/s4/mapping/dns/position
systemctl restart univention-s4-connector

Step 3

If the issue still exists and you still find entries in your /var/log/daemon.log regarding duplicate zone, start over with step 1.
Remove the duplicate entry:

ldbdel -H /var/lib/samba/private/sam.ldb DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,CN=System,DC=multi,DC=ucs
systemctl restart bind9

Now the join should be possible again and users should not notice any issues during logins.

legacy, dns , CN=MicrosoftDNS,CN=System , connector/s4/mapping/dns/position, migrate_legacy_dns_zones

KDC und Samba4 läuft nicht mehr auf DC
Problems with existing AD UCS domain in combination with Windows 11
Windows Users not able to Join Univention 4.4.1
Clients erkennen Netzwerk nur noch als "öffentliches Netzwerk", nicht als "Domain Netzwerk"
DNS-Probleme in älteren Samba/AD Domänen
Strange DNS record: Two PDCs?
samba.NTSTATUSError: (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
Mastodon