UCS Backup can't join domain - password too simple

Hello all,

My setup has a Master, a Backup, 2 Slaves and 2 Members. So today I installed an Intel NUC with UCS as a second DC Backup. The NUC is in another VLAN. So the join fails with the error message:

```
Password policy error: is too simple
ERROR: could not create user account dns-dc3
**************************************************************
* ERROR: Failed to create DNS spn account.                   *
*        Please check the samba and the s4-connector logfile.*
**************************************************************
```

And yes, there are global password policies: 10 characters, 2 numbers and one special character. The checkbox for the password quality check is also enabled. So the join process was not able to create the user “dns-dc3”.

OK, now I created it manually, and the join process was successful. But now there is a problem with the Samba replication.

UCS 4.4-2

Log:

```
`samba-tool drs showrepl` gibt ein Problem mit der Replikation zurück.
In eingehend 'DC=ForestDnsZones,DC=supertux,DC=lan': Fehler während der DRS Replikation von Default-First-Site-Name/DC3 (WERR_GEN_FAILURE).
In eingehend 'CN=Schema,CN=Configuration,DC=supertux,DC=lan': Fehler während der DRS Replikation von Default-First-Site-Name/DC3 (WERR_GEN_FAILURE).
In eingehend 'DC=DomainDnsZones,DC=supertux,DC=lan': Fehler während der DRS Replikation von Default-First-Site-Name/DC3 (WERR_GEN_FAILURE).
In eingehend 'DC=supertux,DC=lan': Fehler während der DRS Replikation von Default-First-Site-Name/DC3 (WERR_GEN_FAILURE).
In eingehend 'CN=Configuration,DC=supertux,DC=lan': Fehler während der DRS Replikation von Default-First-Site-Name/DC3 (WERR_GEN_FAILURE).
In ausgehend 'DC=ForestDnsZones,DC=supertux,DC=lan': Fehler während der DRS Replikation nach Default-First-Site-Name/DC3 (WERR_GEN_FAILURE).
In ausgehend 'CN=Schema,CN=Configuration,DC=supertux,DC=lan': Fehler während der DRS Replikation nach Default-First-Site-Name/DC3 (WERR_GEN_FAILURE).
In ausgehend 'DC=DomainDnsZones,DC=supertux,DC=lan': Fehler während der DRS Replikation nach Default-First-Site-Name/DC3 (WERR_GEN_FAILURE).
In ausgehend 'DC=supertux,DC=lan': Fehler während der DRS Replikation nach Default-First-Site-Name/DC3 (WERR_GEN_FAILURE).
In ausgehend 'CN=Configuration,DC=supertux,DC=lan': Fehler während der DRS Replikation nach Default-First-Site-Name/DC3 (WERR_GEN_FAILURE).
```

Nagios said: “CRIT - Samba DRS CRITICAL: 180 failures on DC3”

Many thanks.
:slight_smile:

Update: I removed dc3 from the domain. Deleted everything. Checked the domain, everything is fine. After that I set the password policy back to defaults for the “users” folder. Rebooted Master and Backup. Good.

Now rejoining the server. Same problem:

```
Password policy error: is too simple
ERROR: could not create user account dns-dc3
```

So what now? :roll_eyes:

After about an hour, the changes were written, so the password policy was reset to the default state. So the join worked fine. But same as before: servers and clients from another VLAN get a “permission denied” from the DNS server for external domains. Everything internal is resolved successfully. Very strange.

tcpdump from the client:

```
20:39:09.115045 IP6 dc3.supertux.lan.domain > box.supertux.lan.55682: 38104 Refused- 0/0/1 (73)
```

From the dc3 DNS server (example):

```
Sep 27 11:23:17 dc3 named[1645]: client 2001:470:XXX#9703 (adservice.google.com): query (cache) 'adservice.google.com/A/IN' denied
```

Nagios error on the Master: WARN - S4CONNECTOR WARNING: Found 1 reject(s)! Please check output of univention-s4connector-list-rejected.

```
S4 rejected

    1:    S4 DN: CN=dns-dc3,CN=Users,DC=supertux,DC=lan
         UCS DN: uid=dns-dc3,cn=users,dc=supertux,dc=lan

        last synced USN: 5799
```

So what is here wrong?

Thanks a lot


EDIT

Found a nice variable: “ucr get dns/allow/query/cache”. I set it to “any”. Now it works fine. So only the Nagios message is still present.
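An added example (not from the post and not Univention code) that parses named "query (cache) ... denied" lines like the one quoted above and checks a candidate dns/allow/query/cache value against the refused clients, so the ACL can be scoped to the other VLAN's networks instead of opening the cache to any source. It assumes the UCR value is a semicolon-separated list of networks or BIND keywords, and uses constructed sample log lines with documentation addresses.

```python
import ipaddress
import re

# Constructed sample modelled on the named line quoted in the post; the
# addresses are documentation ranges, not the poster's real hosts.
SAMPLE_LOG = """\
Sep 27 11:23:17 dc3 named[1645]: client 2001:db8:1::42#9703 (adservice.google.com): query (cache) 'adservice.google.com/A/IN' denied
Sep 27 11:23:18 dc3 named[1645]: client 192.0.2.77#51234 (example.org): query (cache) 'example.org/A/IN' denied
Sep 27 11:23:19 dc3 named[1645]: client 192.0.2.78#51235 (supertux.lan): query: supertux.lan IN A + (10.0.0.5)
Sep 27 11:23:20 dc3 named[1645]: client 198.51.100.9#40000 (example.net): query (cache) 'example.net/AAAA/IN' denied
"""

# Matches only refused recursive (cache) lookups; answers for local zones do not match.
DENIED_RE = re.compile(
    r"client (?P<addr>[0-9A-Fa-f:.]+)#\d+ \([^)]*\): query \(cache\) '[^']*' denied"
)


def denied_cache_clients(log_text):
    """Sorted list of client addresses whose cache queries named refused."""
    return sorted({m.group("addr") for m in DENIED_RE.finditer(log_text)})


def parse_acl(acl_value):
    """Split a dns/allow/query/cache value (assumed ';'-separated) into networks.
    BIND keywords such as localnets are kept as strings; 'any' means an open cache."""
    tokens = [t.strip() for t in acl_value.split(";") if t.strip()]
    if any(t.lower() == "any" for t in tokens):
        return True, []
    nets = []
    for t in tokens:
        try:
            nets.append(ipaddress.ip_network(t, strict=False))
        except ValueError:
            nets.append(t)  # keyword, cannot be evaluated offline
    return False, nets


def evaluate_acl(acl_value, clients):
    """Report which refused clients a candidate ACL would admit and which it would still refuse."""
    is_open, nets = parse_acl(acl_value)
    if is_open:
        return {"open_resolver": True, "allowed": list(clients), "still_denied": []}
    networks = [n for n in nets if not isinstance(n, str)]
    allowed = [c for c in clients if any(ipaddress.ip_address(c) in n for n in networks)]
    still = [c for c in clients if c not in allowed]
    return {"open_resolver": False, "allowed": allowed, "still_denied": still}


if __name__ == "__main__":
    clients = denied_cache_clients(SAMPLE_LOG)
    print(evaluate_acl("any", clients))
    print(evaluate_acl("192.0.2.0/24;2001:db8:1::/64;localnets", clients))
```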
