Univention domain with Additional DC

Novice here trying to set up a small business network - I have successfully set up a Univention/Zentyal/Windows network but am running into a problem. I have a Univention PDC setup with Zentyal 5 joined to the domain as an “Additional Domain Controller” (SDC - secondary domain controller). Changes in the Univention PDC directory are replicated TO the Zentyal SDC… no problem there… However, changes on the Zentyal SDC are not replicated back TO the PDC?

For instance - when I try to set up the mail server on the SDC, changes to the LDAP directory (on the PDC) are being disallowed? I’m getting this info in the /var/log/zentyal/zentyal.log:

INFO> LDAP.pm:246 EBox::Module::LDAP::_sendSchemaUpdate - Sending schema update: CN=fetchmailAccount,CN=Schema,CN=Configuration,DC=XXXXXX,DC=XXX
2017/08/01 08:39:10 ERROR> LDAP.pm:248 EBox::Module::LDAP::_sendSchemaUpdate - Error sending schema update: CN=fetchmailAccount,CN=Schema,CN=Configuration,DC=XXXXXX,DC=XXX The server is unwilling to perform the requested operation

When I joined Zentyal to the domain I used a user account that has Domain Admin privilege on the PDC, so I’m unsure why replication can’t make it back to the PDC?

The samba log (log.samba) on the Univention PDC:

[2017/07/31 16:31:31.706825, 0, pid=1072] …/source4/librpc/rpc/dcerpc_sock.c:63(continue_socket_connect)
Failed to connect host XXX.XXX.XXX.XXX on port 135 - NT_STATUS_CONNECTION_REFUSED
[2017/07/31 16:31:31.706870, 0, pid=1072] …/source4/librpc/rpc/dcerpc_sock.c:246(continue_ip_open_socket)
Failed to connect host XXX.XXX.XXX.XXX (4f620fa4-bdfe-4c40-90ce-f84de2e13ecd._msdcs.test.us) on port 135 - NT_STATUS_CONNECTION_REFUSED.
[2017/07/31 16:31:37.342146, 1, pid=1069] …/lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
ldb: schema_data_add: updates are not allowed: reject request

[2017/07/31 16:40:48.498367, 1, pid=1069] …/lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
ldb: schema_data_add: updates are not allowed: reject request

[2017/07/31 16:44:46.596534, 1, pid=1069] …/lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
ldb: schema_data_add: updates are not allowed: reject request

[2017/07/31 16:45:07.182909, 1, pid=1069] …/lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
ldb: schema_data_add: updates are not allowed: reject request

[2017/08/01 08:39:06.677361, 1, pid=1069] …/lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
ldb: schema_data_add: updates are not allowed: reject request

Any help would be appreciated!

Can you check if the following directory exists:
/etc/univention/ssl/%fqdnofzentyal%/
and as link /etc/univention/ssl/%hostnameofzentyal%

In the former there should be a bunch of certificates for the Zentyal host, which it should use to communicate.

Seems like UCS -> Zentyal is okay, but Zentyal -> UCS has a communications issue.

As the consultant that I am, I just have to ask why you combine UCS and Zentyal in the same domain in the first place? :innocent:
Is there something that a second UCS cannot provide, but a Zentyal box can?

That’s a fair question - the answer is threefold:

  1. I’m looking for flexibility in the backend servers (PDCs and SDCs)
  2. The Zentyal box bundles SOGo 3.0 pre-installed (kind of) and “some” of my users like the UI better than Kopano.
  3. I’m a novice and sometimes I make things harder for myself!

OK… after some additional digging into the samba4 docs and a little more testing last night I may have found a solution:

On the UCS PDC, setting:

 ucr set samba4/schema/update/allowed=yes

will allow schema updates to occur, so when the Zentyal SDC joins the domain and mail is set up, the schema updates are sent and allowed by the PDC. Seems to work OK.

I will be doing more testing today just to make sure nothing broke with this solution.
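The log.samba excerpt in the first post is the signal to watch on the UCS side, both before and after changing samba4/schema/update/allowed: the ldb "schema_data_add: updates are not allowed" rejections show the schema push from the Zentyal SDC being refused, and the port-135 NT_STATUS_CONNECTION_REFUSED entries show the separate RPC problem the second reply points at. The Python below is an added example written for this thread; it is not code from Univention, Zentyal or Samba. It parses the two-line log.samba entry format shown above (a bracketed header line followed by an indented message line), classifies each entry, and counts rejections and refused RPC peers so the two failure modes can be told apart. The sample log is constructed: the 192.0.2.10 address comes from the documentation range and the all-zero GUID is a placeholder.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Header line of a Samba AD DC log entry (log.samba), e.g.
#   [2017/07/31 16:31:37.342146, 1, pid=1069] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
# The message itself follows on the next line, indented.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), "
    r"(?P<level>\d+), pid=(?P<pid>\d+)\] (?P<src>\S+)$"
)

# Message the UCS DC logs while schema updates are disallowed (the default).
SCHEMA_REJECT = "schema_data_add: updates are not allowed"

# DCE/RPC endpoint-mapper connection failures (port 135) between DCs.
RPC_FAIL_RE = re.compile(
    r"Failed to connect host (?P<host>\S+).* on port (?P<port>\d+) - (?P<status>NT_STATUS_\w+)"
)


@dataclass
class SambaEvent:
    timestamp: datetime
    level: int
    pid: int
    source: str
    message: str
    category: str
    host: Optional[str] = None


def classify(message: str) -> Tuple[str, Optional[str]]:
    """Map a log message to a category; returns (category, peer host or None)."""
    if SCHEMA_REJECT in message:
        return "schema_update_rejected", None
    m = RPC_FAIL_RE.search(message)
    if m and m.group("status") == "NT_STATUS_CONNECTION_REFUSED":
        return "rpc_connect_refused", m.group("host")
    return "other", None


def parse_samba_log(text: str) -> List[SambaEvent]:
    """Parse log.samba text into events, pairing each header with its message line."""
    events: List[SambaEvent] = []
    header = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m  # remember it; the message arrives on the next line
            continue
        if header is None:
            continue  # message with no header (truncated paste); ignore it
        category, host = classify(line)
        events.append(SambaEvent(
            timestamp=datetime.strptime(header.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
            level=int(header.group("level")),
            pid=int(header.group("pid")),
            source=header.group("src"),
            message=line,
            category=category,
            host=host,
        ))
        header = None
    return events


def summarize(events: List[SambaEvent]) -> Dict[str, int]:
    """Count events per category; every category key is always present."""
    counts = {"schema_update_rejected": 0, "rpc_connect_refused": 0, "other": 0}
    for ev in events:
        counts[ev.category] += 1
    return counts


def refused_peers(events: List[SambaEvent]) -> List[str]:
    """Distinct hosts that refused the port-135 connection, in order of first appearance."""
    seen: List[str] = []
    for ev in events:
        if ev.category == "rpc_connect_refused" and ev.host not in seen:
            seen.append(ev.host)
    return seen


# Constructed sample in the log.samba format from the thread (placeholder IP and GUID).
SAMPLE_LOG = """\
[2017/07/31 16:31:31.706825, 0, pid=1072] ../source4/librpc/rpc/dcerpc_sock.c:63(continue_socket_connect)
  Failed to connect host 192.0.2.10 on port 135 - NT_STATUS_CONNECTION_REFUSED
[2017/07/31 16:31:31.706870, 0, pid=1072] ../source4/librpc/rpc/dcerpc_sock.c:246(continue_ip_open_socket)
  Failed to connect host 192.0.2.10 (00000000-0000-0000-0000-000000000000._msdcs.example.test) on port 135 - NT_STATUS_CONNECTION_REFUSED.
[2017/07/31 16:31:37.342146, 1, pid=1069] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: schema_data_add: updates are not allowed: reject request
[2017/07/31 16:40:48.498367, 1, pid=1069] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: schema_data_add: updates are not allowed: reject request
[2017/07/31 16:45:07.182909, 3, pid=1069] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: call_loop terminated'
"""

if __name__ == "__main__":
    evs = parse_samba_log(SAMPLE_LOG)
    print(summarize(evs))
    print("peers refusing port 135:", refused_peers(evs))
    for ev in evs:
        if ev.category == "schema_update_rejected":
            print(ev.timestamp.isoformat(), "pid", ev.pid, "schema update rejected")
```

Running it against a real log.samba (for example `parse_samba_log(open("/var/log/samba/log.samba").read())` on the UCS host; the path is the usual one, not stated in the thread) separates the two problems: a non-zero schema_update_rejected count after the UCR setting has been applied means the change did not take effect or the service was not reloaded, while rpc_connect_refused entries point at the SDC's port 135 rather than at schema permissions. Because allowing schema updates is a domain-wide change, keeping this count in a periodic check also shows which peer is sending schema modifications once they are accepted.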
