Problem: Join Gives Error or Users Can Not Login Sometimes




Join gives an error or users can not login frequently.
User logon works for a while but fails suddenly. Different users are be affected but the users change. When trying to login through Windows they get “No Authentication Server available”.


Step 1

Check your DNS Settings.

Step 2

Verify your to-be-joined computer can resolve domain controller DNS entries:

root@master:~# host gc._msdcs.$(ucr get domainname)
Using domain server:

gc._msdcs.multi.ucs has address
gc._msdcs.multi.ucs has address
gc._msdcs.multi.ucs has address

Step 3

Check for legacy DNS zones.

root@ucs:~# univention-s4search DC=_msdcs --cross-ncs dn
# record 1
dn: DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,DC=DomainDnsZones,DC=multi,DC=ucs

# record 2
dn: DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,CN=System,DC=multi,DC=ucs

There should NOT be an entry in the “System” container (CN=system).

Verify existence of additional zones by the DNS service in /var/log/daemon.log:

Mar 12 13:26:20 slave named[18248]: samba_dlz: Ignoring duplicate zone 'multi.ucs' from 'DC=@,DC=multi.ucs,CN=MicrosoftDNS,DC=DomainDnsZones,DC=multi,DC=ucs'
Mar 12 13:26:20 slave named[18248]: samba_dlz: Ignoring dnsZone _msdcs.multi.ucs

Step 4

The S4 connector by default synchronizes DNS entries from OpenLDAP to up-to-date location in Microsoft DNS. Previously (in Windows 2000) the DNS zones have been at a different location. Verify the S4 connector does not use legacy zones:

ucr get connector/s4/mapping/dns/position


There exists a duplicate zone in the legacy tree of “CN=System” which gets loaded first by the named service. But as the S4 connector by default does not sync into the legacy tree this zone is very likely outdated.


Step 1

On the master (or @school-slave) migrate existing zone info to new location with this script

Step 2

Now make sure the S4 connector does not sync to legacy branches:

ucr unset connector/s4/mapping/dns/position
systemctl restart univention-s4-connector

Step 3

Remove the duplicate entry:

ldbdel -H /var/lib/samba/private/sam.ldb DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,CN=System,DC=multi,DC=ucs
systemctl restart bind9

Now the join should be possible again and users should not notice any issues during logins.