I solved my problem yesterday. It’s kind of a hack, so I don’t advise following these steps unless you are out of options (as I was).
- First step was to force krbtgt to sync again.
- Then I basically repeated that with the DNS branch, but this time I just renamed the branch in S4, waited for a sync, then renamed it back.
- Afterwards, I stopped bind9.service and samba-ad-dc.service and restarted bind9.service (which Wants samba-ad-dc.service and starts it automatically).
What’s still mysterious is how so many errors could accumulate. Nobody moved the groups, and still they turned up in the Users branch. Why were there any sync errors at all? And why don’t I get notified of sync errors?
If I had some feature wishes, I’d wish for notifying admins of any sync errors and for better logging of what the s4-connector does. At the moment I suspect the s4-connector to be the culprit behind our directory corruptions.