UCS 4.4-5 member server not seeing changes to MS AD user attributes

I recently installed a UCS 4.4-5 host as a Hyper-V guest in a MS AD environment. The UCS host was configured as a Member Server in the AD Domain, with the purpose of running it as a Kopano4UCS server.

The problem I am having is that changes to MS AD user attributes are not being seen in the UCS system. Specifically, if I add a “mail” attribute (email address) for a user within the MS tools, it does not show up as the “Primary Email Address” for the user in the “Users” section of the Univention UMC.

A number of pre-existing AD users that already had a “mail” attribute assigned during the UCS install/domain join display valid “Primary Email Address” details in UMC as expected. But adding an MS AD “mail” attribute for a user after the install will not update the “Primary Email Address” for the user in UMC.

Running a System diagnostic in UMC gives an error:-

Critical: Check kerberos authenticated DNS updates

I’ve followed the trail of related forum posts, but they seem to relate more to DCs than Member Servers. I have only a very modest understanding of how Kerberos works & would appreciate some gentle prompting as to how to go about troubleshooting this situation.

Adding some detail to this, after attempting to add the AD “mail” attribute to a new user, I see the following in the logfile /var/log/univention/connector.log:-

20.07.2020 23:55:38.796 LDAP        (PROCESS): Building internal group membership cache
20.07.2020 23:55:38.811 LDAP        (PROCESS): Internal group membership cache was created
20.07.2020 23:55:38.820 LDAP        (PROCESS): Using MYDOMAIN as AD Netbios domain name
21.07.2020 09:07:15.353 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=myuser,cn=users,dc=MYDOMAIN,dc=local
21.07.2020 09:07:16.474 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=myuser,cn=users,dc=MYDOMAIN,dc=local
21.07.2020 09:33:49.969 LDAP        (PROCESS): sync to ucs:   [          user] [    delete] uid=myuser,cn=users,dc=MYDOMAIN,dc=local
21.07.2020 09:34:57.373 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=myuser,cn=users,dc=MYDOMAIN,dc=local
21.07.2020 09:35:40.041 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=myuser,cn=users,dc=MYDOMAIN,dc=local
21.07.2020 09:55:42.970 LDAP        (WARNING): Exception during search_ad_changes
21.07.2020 09:55:42.971 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 2378, in poll
    changes = self.__search_ad_changes(show_deleted=show_deleted)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1391, in __search_ad_changes
    returnObjects = search_ad_changes_by_attribute('uSNCreated', lastUSN + 1)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1382, in search_ad_changes_by_attribute
    return self.__search_ad(filter=usnFilter, show_deleted=show_deleted)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1339, in __search_ad
    rtype, rdata, rmsgid, serverctrls = self.lo_ad.lo.result3(msgid)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
UNAVAILABLE: {'desc': 'Server is unavailable'}

21.07.2020 09:55:52.993 MAIN        (------ ): DEBUG_EXIT
21.07.2020 09:55:52.993 MAIN        (------ ): DEBUG_INIT
21.07.2020 09:55:53.247 LDAP        (PROCESS): Building internal group membership cache
21.07.2020 09:55:53.262 LDAP        (PROCESS): Internal group membership cache was created
21.07.2020 09:55:53.272 LDAP        (PROCESS): Using MYDOMAIN as AD Netbios domain name

The AD server is a 2012R2 (actually Server Essentials 2012R2) box. I think I am seeing the same behaviour in another similar setup I have with a Server 2016 Standard DC. Will confirm that & report back.

As reported above, in a completely separate MS AD environment running a UCS 4.4-4 member server I see the same behaviour with UCS trying to sync AD user attribute changes:-

20.07.2020 12:25:52.088 LDAP        (PROCESS): Building internal group membership cache
20.07.2020 12:25:52.098 LDAP        (PROCESS): Internal group membership cache was created
20.07.2020 12:25:52.106 LDAP        (PROCESS): Using SVR2016AD as AD Netbios domain name
20.07.2020 15:04:59.874 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=test,cn=users,dc=SVR2016AD,dc=lan
20.07.2020 15:05:42.481 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=test,cn=users,dc=SVR2016AD,dc=lan
20.07.2020 15:08:28.718 LDAP        (PROCESS): sync to ucs:   [          user] [    delete] uid=test,cn=users,dc=SVR2016AD,dc=lan
20.07.2020 22:25:55.363 LDAP        (WARNING): Exception during search_ad_changes
20.07.2020 22:25:55.363 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 2378, in poll
    changes = self.__search_ad_changes(show_deleted=show_deleted)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1391, in __search_ad_changes
    returnObjects = search_ad_changes_by_attribute('uSNCreated', lastUSN + 1)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1382, in search_ad_changes_by_attribute
    return self.__search_ad(filter=usnFilter, show_deleted=show_deleted)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1339, in __search_ad
    rtype, rdata, rmsgid, serverctrls = self.lo_ad.lo.result3(msgid)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
UNAVAILABLE: {'desc': 'Server is unavailable'}

Has anyone seen similar issues?

Ok, I see now that bug 51647 deals with this:-

https://forge.univention.org/bugzilla/show_bug.cgi?id=51647

I will wait patiently for it to be available in package updates :)
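As an added example (not part of the original posts and not code from the Univention AD connector), here is a small parser for /var/log/univention/connector.log that turns the failing poll shown above into something a monitoring job can alert on: it counts the "sync to ucs" events, records each "Exception during ..." together with the LDAP error that follows it, and counts connector restarts (DEBUG_INIT). The sample log is a constructed excerpt modelled on the lines quoted in the thread.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the connector.log lines quoted in the thread.
SAMPLE_LOG = """\
21.07.2020 09:07:15.353 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=myuser,cn=users,dc=MYDOMAIN,dc=local
21.07.2020 09:33:49.969 LDAP        (PROCESS): sync to ucs:   [          user] [    delete] uid=myuser,cn=users,dc=MYDOMAIN,dc=local
21.07.2020 09:55:42.970 LDAP        (WARNING): Exception during search_ad_changes
21.07.2020 09:55:42.971 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 2378, in poll
UNAVAILABLE: {'desc': 'Server is unavailable'}

21.07.2020 09:55:52.993 MAIN        (------ ): DEBUG_EXIT
21.07.2020 09:55:52.993 MAIN        (------ ): DEBUG_INIT
"""

TS = r"(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
SYNC_RE = re.compile(TS + r" LDAP\s+\(PROCESS\): sync to ucs:\s+\[\s*(?P<obj>\w+)\]\s+\[\s*(?P<op>\w+)\]\s+(?P<dn>.+)$")
EXC_RE = re.compile(TS + r" LDAP\s+\(WARNING\): Exception during (?P<func>\w+)$")
# The python-ldap error is printed on its own line after the traceback, e.g. UNAVAILABLE: {'desc': '...'}
ERR_RE = re.compile(r"^(?P<code>[A-Z_]+): \{'desc': '(?P<desc>[^']*)'\}$")
RESTART_RE = re.compile(r"MAIN\s+\(------ \): DEBUG_INIT$")


def analyse(log_text):
    """Summarise sync activity, poll failures and restarts in a connector.log excerpt."""
    events = Counter()          # (object type, operation) -> count of successful syncs
    incidents = []              # one entry per "Exception during ..." with the error that followed
    pending = None              # incident still waiting for its error line
    last_sync = None            # timestamp of the most recent successful sync
    restarts = 0
    for line in log_text.splitlines():
        m = SYNC_RE.match(line)
        if m:
            events[(m.group("obj"), m.group("op"))] += 1
            last_sync = m.group("ts")
            continue
        m = EXC_RE.match(line)
        if m:
            pending = {"ts": m.group("ts"), "func": m.group("func"),
                       "last_sync_before": last_sync, "error": None}
            incidents.append(pending)
            continue
        m = ERR_RE.match(line)
        if m and pending is not None:
            pending["error"] = (m.group("code"), m.group("desc"))
            pending = None
            continue
        if RESTART_RE.search(line):
            restarts += 1
    return {"events": dict(events), "incidents": incidents,
            "last_sync": last_sync, "restarts": restarts}
```

A cron job or check script can call `analyse()` on the tail of the log and raise an alert whenever `incidents` contains an `UNAVAILABLE` error, so a stalled AD sync is noticed before users report missing attributes.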
