Problem: Windows Clients Cannot Join or Authenticate to the Domain

Windows Clients Cannot Join or Authenticate to the Domain Due to Missing Samba Database Objects

Problem:

Windows clients are unable to correctly join the UCS domain, and existing users cannot log in because the domain trust relationship is broken.

Observed Behavior

During a domain join attempt, the following occurs:

  • The client (e.g., WKS-TEST01) attempts to join the domain school-example.loc.
  • The password prompt for the domain administrator appears as expected.
  • After entering valid credentials, the join fails with an error indicating that a computer account already exists and that duplicate computer names are prohibited by policy.
  • On the Primary Domain Node (PDN), the corresponding computer object is visible in the correct organizational unit.
  • However, the Windows client remains in WORKGROUP mode and is not part of the domain.

This also impacts user logins, as domain authentication fails.


Root Cause

The objects (users and computers) exist in the LDAP directory, but are missing from the Samba (S4) database.
As a result, Windows domain clients cannot establish trust, and user authentication via Active Directory mechanisms fails.

Verification Example

User Objects in LDAP

root@primary-node:~/univention-support# univention-ldapsearch ucsschoolRole='student:school:example' 1.1 | less

# numResponses: 1005
# numEntries: 1004

User Objects in Samba

root@primary-node:~/univention-support# univention-s4search --cross-ncs -b CN=students,CN=users,OU=example,DC=school-example,DC=loc 1.1 | less

# returned 2 records
# 2 entries
# 0 referrals

Computer Objects in LDAP

root@primary-node:~/univention-support# univention-ldapsearch ucsschoolRole='win_computer:school:example' 1.1 | less

# numResponses: 177
# numEntries: 176

Computer Objects in Samba

root@primary-node:~/univention-support# univention-s4search --cross-ncs -b CN=computers,OU=example,DC=school-example,DC=loc 1.1 | less

# returned 2 records
# 2 entries
# 0 referrals
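The check above compares the `numEntries` line reported by `univention-ldapsearch` with the `N entries` line reported by `univention-s4search`. As an added example that is not part of the original article, the following POSIX shell helper parses those summary lines and flags a gap between LDAP and Samba; the function names and the constructed sample output are assumptions, only the two commands and their output format come from the article.

```shell
#!/bin/sh
# Added example: detect LDAP objects that are missing from the Samba (S4)
# database by comparing the entry counts of the two directory tools.

# Read univention-ldapsearch output on stdin; print its "# numEntries:" value.
ldap_count() {
  awk '/^# numEntries:/ { print $3; found = 1 }
       END { if (!found) print 0 }'
}

# Read univention-s4search (or ldbsearch) output on stdin; print "# N entries".
s4_count() {
  awk '/^# [0-9]+ entries$/ { print $2; found = 1 }
       END { if (!found) print 0 }'
}

# compare_counts LDAP S4: returns 0 when in sync, 1 when Samba lacks objects.
compare_counts() {
  ldap=$1; s4=$2
  if [ "$ldap" -eq "$s4" ]; then
    echo "OK: LDAP=$ldap Samba=$s4"
    return 0
  fi
  echo "MISMATCH: LDAP=$ldap Samba=$s4 (missing in Samba: $((ldap - s4)))"
  return 1
}

# check_role ROLE SAMBA_BASE: run the real tools on a UCS Primary Directory Node.
# Example: check_role 'win_computer:school:example' \
#            CN=computers,OU=example,DC=school-example,DC=loc
check_role() {
  l=$(univention-ldapsearch ucsschoolRole="$1" 1.1 | ldap_count)
  s=$(univention-s4search --cross-ncs -b "$2" 1.1 | s4_count)
  compare_counts "$l" "$s"
}

# Constructed sample output (assumed), mirroring the computer counts above,
# so the parsing can be exercised without a UCS system.
SAMPLE_LDAP='# numResponses: 177
# numEntries: 176'
SAMPLE_S4='# returned 2 records
# 2 entries
# 0 referrals'

# demo: run the comparison on the constructed samples (expected: MISMATCH).
demo() {
  l=$(printf '%s\n' "$SAMPLE_LDAP" | ldap_count)
  s=$(printf '%s\n' "$SAMPLE_S4" | s4_count)
  compare_counts "$l" "$s"
}
```

Source the file and call `demo` to see the parsing on the samples, or `check_role` on a node where both tools exist; a non-zero exit code marks the gap that the solution below repairs.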

Solution:

There are two possible methods to resolve this issue:

  1. Reinitializing the S4 Connector to perform a complete resynchronization of all LDAP objects into Samba
  2. Restoring the missing Samba data from a recent nightly backup

Option 1: Full Resynchronization via S4 Connector

Step 1: Reinitialize the Listener Module

univention-directory-listener-ctrl resync s4-connector

Step 2: Start the S4 Connector

/etc/init.d/univention-s4-connector start

Step 3: Verify the Connector Status

Check the following log files for synchronization progress and possible errors:

/var/log/univention/connector-s4-status.log
/var/log/univention/connector-s4.log

Reference: Univention Help: Problem - Reinitialize the S4 Connector


Option 2: Restore Samba Database from Backup

Step 1: List Available Samba Backups

ls -lahrt /var/univention-backup/samba/samba-backup-2025-09-08T03-00-02.541383.tar.bz2

Step 2: Extract the Backup Archive

tar xjf samba-backup-2025-09-08T03-00-02.541383.tar.bz2

Step 3: Inspect the Extracted sam.ldb

ldbsearch -H private/sam.ldb -b CN=computers,OU=example,DC=school-example,DC=loc 1.1 | less

Step 4: Verify LDAP Objects

univention-ldapsearch ucsschoolRole='win_computer:school:example' 1.1 | less

Step 5: Resynchronize Objects Using the LDAP Filter

/usr/share/univention-s4-connector/resync_object_from_ucs.py --filter ucsschoolRole='win_computer:school:example'

Step 6: Verify the Result in Samba

univention-s4search --cross-ncs -b CN=computers,OU=example,DC=school-example,DC=loc 1.1 | less

Expected Result

After the resynchronization or Samba database restoration:

  • User and computer objects are again present in the Samba (S4) directory.
  • Windows clients successfully rejoin the domain.
  • Domain trust and authentication are fully restored.

Verification Example

root@primary-node:~/univention-support# univention-s4search --cross-ncs -b CN=computers,OU=example,DC=school-example,DC=loc 1.1 | less

# returned 179 records
# 179 entries
# 0 referrals

root@primary-node:~/univention-support# univention-s4search --cross-ncs -b CN=students,CN=users,OU=example,DC=school-example,DC=loc 1.1 | tail

# returned 1005 records
# 1005 entries
# 0 referrals

Conclusion

This issue occurs when LDAP objects exist but have not been synchronized to the Samba 4 database, resulting in missing domain entries.
Reinitializing the S4 Connector or restoring Samba data from backup ensures the synchronization is restored and domain functionality is recovered.
