Problem
Windows clients have problems logging in to the domain, and the UCS system diagnosis shows warnings for the Samba replication status.
Checking the Samba replication status on the Primary Directory Node (formerly DC Master) returns errors with the result WERR_FILE_NOT_FOUND:
samba-tool drs showrepl
CN=Schema,CN=Configuration,DC=univention,DC=intranet
Default-First-Site-Name\UCS5BACKUP via RPC
DSA object GUID: 15159457-c6ca-4e1a-b056-45aeb7cf2590
Last attempt @ Fri Nov 17 13:48:54 2023 CET failed, result (WERR_FILE_NOT_FOUND)
6 consecutive failure(s).
Last success @ Fri Nov 17 04:56:36 2023 CET
CN=Schema,CN=Configuration,DC=univention,DC=intranet
Default-First-Site-Name\UCS5REPLICA via RPC
DSA object GUID: 2078be6b-4c36-4eec-857c-5f1ee22bcbd0
Last attempt @ Fri Nov 17 13:48:57 2023 CET failed, result (WERR_FILE_NOT_FOUND)
212 consecutive failure(s).
Last success @ Tue Nov 14 21:39:49 2023 CET
CN=Configuration,DC=univention,DC=intranet
Default-First-Site-Name\UCS5BACKUP via RPC
DSA object GUID: 15159457-c6ca-4e1a-b056-45aeb7cf2590
Last attempt @ Fri Nov 17 13:49:00 2023 CET failed, result (WERR_FILE_NOT_FOUND)
6 consecutive failure(s).
Last success @ Fri Nov 17 04:56:39 2023 CET
CN=Configuration,DC=univention,DC=intranet
Default-First-Site-Name\UCS5REPLICA via RPC
DSA object GUID: 2078be6b-4c36-4eec-857c-5f1ee22bcbd0
Last attempt @ Fri Nov 17 13:49:03 2023 CET failed, result (WERR_FILE_NOT_FOUND)
212 consecutive failure(s).
Last success @ Tue Nov 14 21:39:50 2023 CET
DC=ForestDnsZones,DC=univention,DC=intranet
Default-First-Site-Name\UCS5BACKUP via RPC
DSA object GUID: 15159457-c6ca-4e1a-b056-45aeb7cf2590
Last attempt @ Fri Nov 17 13:48:41 2023 CET failed, result (WERR_FILE_NOT_FOUND)
6 consecutive failure(s).
Last success @ Fri Nov 17 04:56:30 2023 CET
DC=ForestDnsZones,DC=univention,DC=intranet
Default-First-Site-Name\UCS5REPLICA via RPC
DSA object GUID: 2078be6b-4c36-4eec-857c-5f1ee22bcbd0
Last attempt @ Fri Nov 17 13:48:45 2023 CET failed, result (WERR_FILE_NOT_FOUND)
212 consecutive failure(s).
Last success @ Tue Nov 14 21:39:49 2023 CET
Solutions
There are several approaches to resolving the WERR_FILE_NOT_FOUND error; work through them in order.
1. Solution
First check whether every system that shows a replication error still exists and is running. A partner that is powered off or otherwise unreachable also produces WERR_FILE_NOT_FOUND.
A typical case is a Replica Directory Node (formerly Slave, running as Samba DC) that was removed from the domain but left remnants in the Samba database. /var/log/samba/log.samba then contains messages like these:
[2018/05/24 14:42:49.067912, 1, pid=6885] ../source4/dsdb/common/util.c:4747(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4747: Failed to find account dn (serverReference) for CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=intranet, parent of DSA with objectGUID 9448995b-760b-4b21-b79d-d1f70ad93bd0, sid S-1-5-21-2667565611-2524971858-1014765971-1112
[2018/05/24 14:42:49.067964, 0, pid=6885] ../source4/rpc_server/drsuapi/updaterefs.c:276(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:276: Refusing DsReplicaUpdateRefs for sid S-1-5-21-2667565611-2524971858-1014765971-1112 with GUID 9448995b-760b-4b21-b79d-d1f70ad93bd0
Check what samba-tool dbcheck --cross-ncs reports for the database:
samba-tool dbcheck --cross-ncs
root@master:~# samba-tool dbcheck --cross-ncs
Checking 3564 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=univention,DC=intranet - <GUID=b2f1e995-52df-436f-a707-5861c51889b0>;<RMD_ADDTIME=131611006280000000>;<RMD_CHANGETIME=131611006280000000>;<RMD_FLAGS=0>;<RMD_INVOCID=7c07799c-b13b-4706-b0b3-840f2f1feb02>;<RMD_LOCAL_USN=3732>;<RMD_ORIGINATING_USN=3732>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=univention,DC=intranet
Not fixing SID component mismatch
Let samba-tool dbcheck repair the errors it found:
samba-tool dbcheck --cross-ncs --fix --yes
root@master:~# samba-tool dbcheck --cross-ncs --fix --yes
Checking 3564 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=univention,DC=intranet - <GUID=b2f1e995-52df-436f-a707-5861c51889b0>;<RMD_ADDTIME=131611006280000000>;<RMD_CHANGETIME=131611006280000000>;<RMD_FLAGS=0>;<RMD_INVOCID=7c07799c-b13b-4706-b0b3-840f2f1feb02>;<RMD_LOCAL_USN=3732>;<RMD_ORIGINATING_USN=3732>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=univention,DC=intranet
Change DN to <GUID=b2f1e995-52df-436f-a707-5861c51889b0>;<SID=S-1-5-21-2667565611-2524971858-1014765971-500>;CN=Administrator,CN=Users,DC=univention,DC=intranet? [YES]
Fixed incorrect DN SID on attribute member
Then search Samba for the objectGUID of the removed system (the GUID from the log message above):
univention-s4search objectguid=<objectGUID of the removed system> --cross-ncs
root@master:~# univention-s4search objectguid=9448995b-760b-4b21-b79d-d1f70ad93bd0 --cross-ncs
# record 1
dn: CN=NTDS Settings,CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=intranet
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
cn: NTDS Settings
instanceType: 4
whenCreated: 20180122133227.0Z
whenChanged: 20180122133227.0Z
hasMasterNCs: DC=univention,DC=intranet
hasMasterNCs: CN=Configuration,DC=univention,DC=intranet
hasMasterNCs: CN=Schema,CN=Configuration,DC=univention,DC=intranet
uSNCreated: 3944
dMDLocation: CN=Schema,CN=Configuration,DC=univention,DC=intranet
invocationId: 21c4b090-adf5-42f9-8612-db9ac3973deb
uSNChanged: 3944
showInAdvancedViewOnly: TRUE
name: NTDS Settings
objectGUID: 9448995b-760b-4b21-b79d-d1f70ad93bd0
options: 1
systemFlags: 33554432
objectCategory: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=univention,DC=intranet
msDS-Behavior-Version: 4
msDS-HasDomainNCs: DC=univention,DC=intranet
msDS-hasMasterNCs: DC=univention,DC=intranet
msDS-hasMasterNCs: CN=Configuration,DC=univention,DC=intranet
msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=univention,DC=intranet
msDS-hasMasterNCs: DC=DomainDnsZones,DC=univention,DC=intranet
msDS-hasMasterNCs: DC=ForestDnsZones,DC=univention,DC=intranet
distinguishedName: CN=NTDS Settings,CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=intranet
Hint
The object is incomplete compared with the NTDS Settings object of a working DC. In our case it is the remnant of a server that was removed from the domain.
Delete the stale object from sam.ldb. This edits the Samba AD database directly, so take a backup of /var/lib/samba/private first:
ldbdel -H /var/lib/samba/private/sam.ldb --cross-ncs "CN=NTDS Settings,CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=intranet" -r
Deleted 3 records
2. Solution
Check the domain's DNS. Samba finds its replication partners through DNS: each partner's DSA object GUID must resolve as the CNAME <GUID>._msdcs.<domain> to the DC's host name, and that host name must resolve to its address. If these names are missing or wrong, the partner cannot be found and Samba reports replication errors.
In UCS, DNS is administered with the DNS module; see the UCS manual section "Administration of DNS data with BIND".
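The following script is an added example for Solutions 1 and 2 and is not part of the original article or of UCS. It parses the output of samba-tool drs showrepl, lists every partner whose last attempt failed, and derives the _msdcs CNAME that each partner's DSA GUID must resolve to. The showrepl text embedded below is constructed sample data (server names, GUIDs and the domain univention.intranet are assumed); on a real Primary Directory Node the live_check function runs the same logic against samba-tool and host.

```bash
#!/usr/bin/env bash
# Added example (not part of the original article): list the replication
# partners that "samba-tool drs showrepl" reports as failing and derive the
# DNS name Samba must resolve to reach each of them. DRS locates a partner
# through the CNAME <DSA object GUID>._msdcs.<domain>, so a partner that is
# gone (Solution 1) or has no such record (Solution 2) shows up here first.
# Server names, GUIDs and the domain are constructed sample data.
set -eu

# Constructed sample in the layout samba-tool prints (partition line, then
# the indented partner block). On a real DC use the live command instead:
#   samba-tool drs showrepl | failing_partners
SAMPLE_SHOWREPL='==== INBOUND NEIGHBORS ====

CN=Configuration,DC=univention,DC=intranet
    Default-First-Site-Name\UCS5BACKUP via RPC
        DSA object GUID: 15159457-c6ca-4e1a-b056-45aeb7cf2590
        Last attempt @ Fri Nov 17 13:49:00 2023 CET failed, result (WERR_FILE_NOT_FOUND)
        6 consecutive failure(s).
        Last success @ Fri Nov 17 04:56:39 2023 CET

CN=Configuration,DC=univention,DC=intranet
    Default-First-Site-Name\UCS5REPLICA via RPC
        DSA object GUID: 2078be6b-4c36-4eec-857c-5f1ee22bcbd0
        Last attempt @ Fri Nov 17 13:49:03 2023 CET failed, result (WERR_FILE_NOT_FOUND)
        212 consecutive failure(s).
        Last success @ Tue Nov 14 21:39:50 2023 CET

DC=univention,DC=intranet
    Default-First-Site-Name\UCS5BACKUP via RPC
        DSA object GUID: 15159457-c6ca-4e1a-b056-45aeb7cf2590
        Last attempt @ Fri Nov 17 13:49:10 2023 CET was successful
        0 consecutive failure(s).
        Last success @ Fri Nov 17 13:49:10 2023 CET'

# failing_partners: read showrepl output on stdin and print one line per
# partner entry whose last attempt failed:
#   <partner> <DSA GUID> <consecutive failures> <error> <partition>
failing_partners() {
    awk '
        /^(CN|DC)=/          { nc = $0; next }
        /via RPC/            { partner = $1; next }
        /DSA object GUID:/   { guid = $NF; next }
        /Last attempt @/ {
            err = ""
            if ($0 ~ /failed/) { err = $0; sub(/.*\(/, "", err); sub(/\).*/, "", err) }
            next
        }
        /consecutive failure/ {
            if (err != "") printf "%s %s %s %s %s\n", partner, guid, $1, err, nc
        }
    '
}

# partner_dns_names: reduce the per-partition list to unique DSA GUIDs and
# print the _msdcs CNAME each one must resolve to.
partner_dns_names() {
    local domain="$1"
    failing_partners | awk -v d="$domain" '!seen[$2]++ { printf "%s %s._msdcs.%s\n", $1, $2, d }'
}

# live_check: on a real DC, resolve the CNAME of every failing partner.
# A missing CNAME points at Solution 2 (DNS); a CNAME whose target host is
# gone or powered off points at Solution 1 (stale or unreachable partner).
live_check() {
    local domain="$1" partner name
    samba-tool drs showrepl | partner_dns_names "$domain" | while read -r partner name; do
        if host -t CNAME "$name" 2>/dev/null | grep -q 'alias for'; then
            printf '%-40s %s -> CNAME present\n' "$partner" "$name"
        else
            printf '%-40s %s -> NO CNAME, check DNS / stale server\n' "$partner" "$name"
        fi
    done
}

# Demo on the constructed sample (no domain controller needed); prints:
#   Default-First-Site-Name\UCS5BACKUP 15159457-c6ca-4e1a-b056-45aeb7cf2590._msdcs.univention.intranet
#   Default-First-Site-Name\UCS5REPLICA 2078be6b-4c36-4eec-857c-5f1ee22bcbd0._msdcs.univention.intranet
printf '%s\n' "$SAMPLE_SHOWREPL" | partner_dns_names univention.intranet
```

The successful partition entry in the sample is deliberately left out of the result, so the list only contains partners worth checking; a partner that appears with a high failure count and no CNAME is the candidate for the stale-object cleanup described in Solution 1.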
3. Solution
In this case the _msdcs DNS zone in Samba had been corrupted by an earlier AD takeover, and Samba replication errors appeared after the UCS update. The affected zone object is:
DC=@,DC=_msdcs.univention.intranet,CN=MicrosoftDNS,DC=ForestDnsZones,DC=univention,DC=intranet
Check that the NS records of the _msdcs zone have correct values:
udm dns/ns_record list | grep _msdcs
DN: relativeDomainName=_msdcs,zoneName=univention.intranet,cn=dns,dc=univention,dc=intranet
nameserver: ucs-primary.univention.intranet.
zone: @. _msdcs
In the S4 connector log you will find this traceback: the connector fails to create the UCS zone because one of the SOA records it merges has no serial value.
/var/log/univention/connector-s4.log
27.09.2023 05:50:13.659 LDAP (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=@,DC=univention.net,CN=MicrosoftDNS,DC=DomainDnsZones,DC=univention,DC=net'
27.09.2023 05:50:13.662 LDAP (PROCESS): sync AD > UCS: [ dns] [ modify] 'zonename=univention.net,cn=dns,dc=univention,dc=net'
27.09.2023 05:50:13.664 LDAP (ERROR ): Unknown Exception during sync_to_ucs
27.09.2023 05:50:13.664 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 1458, in sync_to_ucs
    result = self.property[property_type].ucs_sync_function(self, property_type, object)
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/dns.py", line 1644, in con2ucs
    ucs_zone_create(s4connector, object, dns_type)
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/dns.py", line 1337, in ucs_zone_create
    soa['serial'] = str(max(int(soa['serial']), int(msdcs_soa['serial'])))
KeyError: 'serial'
To resolve the issue, reset the zone property of the NS record:
udm dns/ns_record modify --dn "relativeDomainName=@._msdcs,zoneName=univention.intranet,cn=dns,dc=univention,dc=intranet" --set zone="_msdcs"
Then run the join script 98univention-samba4-dns again:
univention-run-join-scripts --force --run-scripts 98univention-samba4-dns.inst
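The following script is an added example for Solution 3 and is not part of the original article or of UCS. It reads the output of udm dns/ns_record list, reports every NS record under _msdcs whose zone property is not exactly "_msdcs" (such as the "@. _msdcs" value above) or that has no nameserver, and prints the udm modify call from this article for each broken record instead of running it. The UDM listing embedded below is constructed sample data (zone and host names are assumed).

```bash
#!/usr/bin/env bash
# Added example (not part of the original article): check the output of
# "udm dns/ns_record list" for NS records of the _msdcs zone whose zone
# property is malformed, like the "@. _msdcs" value above, and print the
# udm call that resets it. Zone and host names are constructed sample data.
set -eu

# Constructed sample in UDM list format: one broken _msdcs record and one
# healthy delegation. On a real system feed the live output instead:
#   udm dns/ns_record list | check_ns_records
SAMPLE_NS_LIST='DN: relativeDomainName=_msdcs,zoneName=univention.intranet,cn=dns,dc=univention,dc=intranet
  nameserver: ucs-primary.univention.intranet.
  zone: @. _msdcs

DN: relativeDomainName=lab,zoneName=univention.intranet,cn=dns,dc=univention,dc=intranet
  nameserver: ns1.lab.univention.intranet.
  zone: lab
'

# check_ns_records: read UDM list output on stdin and print one line per
# record, tab separated:  <verdict> <DN>
# A record under _msdcs whose zone property is anything but "_msdcs", or
# any NS record without a nameserver, is reported as BROKEN.
check_ns_records() {
    awk '
        function flush() {
            if (dn == "") return
            verdict = "OK"
            if (dn ~ /_msdcs/ && zone != "_msdcs") verdict = "BROKEN zone=\"" zone "\""
            else if (ns == 0) verdict = "BROKEN no-nameserver"
            printf "%s\t%s\n", verdict, dn
            dn = ""; zone = ""; ns = 0
        }
        /^DN: /               { flush(); dn = substr($0, 5); next }
        /^[ \t]*zone: /       { sub(/^[ \t]*zone: /, ""); zone = $0; next }
        /^[ \t]*nameserver: / { ns++; next }
        END                   { flush() }
    '
}

# fix_commands: for every BROKEN zone value, print the udm call that resets
# the zone property (the fix from the article). Review the output, run the
# calls by hand, then re-run the 98univention-samba4-dns join script.
fix_commands() {
    check_ns_records | awk -F'\t' '$1 ~ /^BROKEN zone/ { print $2 }' | while read -r dn; do
        printf 'udm dns/ns_record modify --dn "%s" --set zone="_msdcs"\n' "$dn"
    done
}

# Demo on the constructed sample; prints the verdict per record and then
# one udm modify call for the broken _msdcs record.
printf '%s\n' "$SAMPLE_NS_LIST" | check_ns_records
printf '%s\n' "$SAMPLE_NS_LIST" | fix_commands
```

Running check_ns_records again after the modify call and the join script should report every _msdcs record as OK; if the connector traceback above persists, the zone object in Samba itself (the DC=@ entry under _msdcs) still needs attention.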