Problems migrating from Zentyal to UCS

Moin / Hello.

I am building a lab environment to test migration from Zentyal 6 and 7 to UCS. I will be migrating about 15 systems in total.
I clone the original production Zentyal VM and create a new UCS server VM, from downloaded qcow file. Isolated network (NAT access to Internet). KVM virtualization.

UCS version is 5.0-2 errata467
Zentyal version is 6.2.9 (samba version 4.7.6 on Ubuntu 18.04.6 LTS)

This problems happen consistently, and I can repeat, with all my lab tests:

All users and all groups migrate to UCS. But most of the users do not transfer all group memberships.
Some users retain some group memberships, some other users loose all group memberships.
I cannot find any obvious errors in ad-takeover log (I can post log if requested).
I cannot find any relation between users and groups, it seems to be completely random. Example: original user was member of 8 groups on original server, but only member of 4 groups in UCS after migration
If I check a user with “samba-tool user edit USERNAME” on UCS server, memberships are already missing, just after migration.

Also, after migration, ALL users fail to synchronize with the S4 connector. All are rejected.

The problem seems to be the “homeDirectory” attribute.

Error message in log is: “InvalidSyntax: Unix home directory: Not an absolute path!

Original values of “homeDirectory” are in the form “\originalserver.domain.ext\username
If I change value to any other string (with samba-tool), there is still the synchronization issue

If I manually DELETE the attribute with “samba-tool user edit USERNAME” (delete the WHOLE attribute line) the user gets synchronized, with warning “__set_values: The attributes for unixhome have not been removed as it represents a mandatory attribute”

I can edit again the user with “samba-tool user edit USERNAME” and insert the EXACT SAME ORIGINAL attribute, and the S4 connector synchronizes correctly the user.

Actually, I made a script to do this: delete all homeDirectory attribute from all users, pause to give time for S4 connector synchronization, and re-insert THE SAME homeDirectory attribute and value. S4 makes synchronization without any problem. After re-inserting the attribute, S4 has no problem synchronizing. (For the script, I use ldapmodify)

Two more minor problems:

After the migration, in System diagnostics, There are two warnings:

Warning: Check nameserver entries on DNS zones
Found errors in the nameserver entries of the following zones. Please refer to Univention Support Database - Bind: zone transfer failed for further information.
In forward zone dsr.lan (see “DNS” module):
Found illegal alias record (CNAME record) for nameserver srv01.dsr.lan.

If I change the DNS record for the old server from CNAME to HOST, problem goes away.

Warning: Check file permissions
File ‘/etc/univention/connector/s4internal.sqlite’ has mode 600, 644 was expected.

If I chmod the suggested permissions, warning goes away.

Please, I would greatly appreciate any clues, specially with users’ group membership and S4 connector rejects.

Thank you very much for your time.

Hi peptoniET,

I came all the way here to ask how did the migration go. Any problems and how did you deal with the above?


Basically, all process is explained above.
Did some scripts, and automated everything with Ansible.
In total, I made 17 Zentyal to Univention migrations. All perfect.
Do you have any specific questions I can help with?

Just started playing with UCS so need to test few things outside my environment.

I’ll report back if I stumble on any issues.


could you tell me how did you deal with users and groups migrated from Zentyal?
(System groups and users - not something we created)

I see about a dozen of groups/users that appeared after the migration, did you try to clear them?

I used the migration tool from Univention software store: Active Directory Takeover.
After “cleaning” Zentyal samba database with “samba-tool dbcheck --cross-ncs --fix --yes”, I just followed instructions from Active Directory Takeover assistant.
It did migrate all my users and groups. I did not see any other groups other than the ones I created, plus all the default groups created by Samba (domain users, etc.).
What groups are you talking about…? Can you give me some examples?
There are system groups created by Samba by default…
As far as I know, system groups are NOT migrated by Takeover, they already exist in base AD created from Samba.

You might be right that they are Samba default groups. It just looks somewhat messy with nearly 45 system groups.