Hello,
Adding new users to the UCS works fine but when the new users put the credentials in Windows, it says Username or password in correct. But old users work fine. The new users however pass the radius authentication test and even work on wifi devices for internet.
The same thing applies to DNS. New DNS records are not resolving. replies with ‘Server not found’ and nslookup says ‘Can’t find xxxxx: Non existent domain’… even though the A record exists.
Please help.
That seems to be a synchronization problem between openLDAP and Samba 4:
univention-s4connector-list-rejected
Ok… this was what I got…
"UCS rejected
S4 rejected
There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.
last synced USN: 21596
"
What do I do please?
Ok, is the connector running?
ps aux|grep conn
Which UCS version you are using?
Yes, it’s running…
4.2-2 errata197 (Lesum)
Are there some relevant messages in /var/log/univention/connector-s4.log?
Yes, a lot.
I can see a lot of these “LDAP (PROCESS): sync to ucs: [ dns] [ modify] relativedomainname”
Also entries regarding the new users?
None at all.
A lot of DEBUG_INIT
…still here please…
Hey,
No disrespect intended, but let’s make sure everything’s really running as it should. Please post the output of the following commands (all should be run as root on your DC Master server):
ps auxw|grep s4connectortail /var/log/univention/connector-s4.log and date
grep -i USERNAME /var/log/univention/connector-s4.log (replace USERNAME with the login name of one of the users who cannot log in to Windows)cat /var/lib/univention-ldap/last_id and cat /var/lib/univention-directory-listener/notifier_id
Please don’t just copy & paste the output here but include it in a preformatted text block so that the forum software won’t reformat the output at will. A preformatted text block consists of one line with three backticks, then the content starting on an empty line and a last line with three backticks. Pressing the </> button in the toolbar above or Ctrl+Shift+C will insert such a structure, too, if you don’t know exactly what I mean. Thanks!
Kind regards,
mosu
Good morning Mosu. No disrespect taken. Thanks for the explanation. Below are the outputs…
root@pdc:~# ps auxw|grep s4connector
root 2572 0.1 2.7 598776 57032 ? S Oct13 5:52 /usr/bin/python2.7 -W ignore /usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py
root@pdc:~# tail /var/log/univention/connector-s4.log
root@pdc:~# date
Mon Oct 16 08:54:55 WAT 2017
root@pdc:~# grep -i tested2 /var/log/univention/connector-s4.log
root@pdc:~#
root@pdc:~# cat /var/lib/univention-ldap/last_id
7168root@pdc:~#
root@pdc:~# cat /var/lib/univention-directory-listener/notifier_id
6104root@pdc:~#
Eniola’
Hey,
thanks for the information. The output of the first two commands show that the S4 connector seems to be running and processing data properly. That’s good.
However, the output of the last two commands show that the univention-directory-listener program doesn’t seem to be running. It has to for the domain to work properly, though. It is responsible for acting on changes to the LDAP contents.
Please verify this by running ps uw -u listener. It should output one process called /usr/sbin/univention-directory-listener.
If it isn’t running, as I think it isn’t, you should start it by running service univention-directory-listener start. Afterwards make sure that it is actually running with the ps command mentioned above.
Now observe the content of the file /var/lib/univention-directory-listener/notifier_id. The number should start rising again, slowly approach and finally match the number in /var/lib/univention-ldap/last_id. Explanation: the last_id is incremented each time any change is made in the LDAP, and the notifier_id is incremented each time the univention-directory-listener component has processed the corresponding change. In a regular system both numbers should match (or the notifier_id be at least a few steps behind the last_id if the listener is currently processing data).
You can and should also check the content of the corresponding log file, /var/log/univention/listener.log.
Kind regards,
mosu
Hi Mosu,
I checked for the listener last week. It’s running and still running… this is what the listener log has been reporting.
root@pdc:~# tail -f /var/log/univention/listener.log
UNIVENTION_DEBUG_END : uldap.__open host=pdc.ipnxnigeria.net port=7389 base=dc=ipnxnigeria,dc=net
16.10.17 09:59:41.735 LISTENER ( ERROR ) : connection to notifier was closed
16.10.17 09:59:41.735 LISTENER ( ERROR ) : failed to recv result
16.10.17 09:59:41.735 LISTENER ( ERROR ) : listener: 1
16.10.17 09:59:47.335 DEBUG_INIT
UNIVENTION_DEBUG_BEGIN : uldap.__open host=pdc.ipnxnigeria.net port=7389 base=dc=ipnxnigeria,dc=net
UNIVENTION_DEBUG_END : uldap.__open host=pdc.ipnxnigeria.net port=7389 base=dc=ipnxnigeria,dc=net
16.10.17 09:59:48.450 LISTENER ( ERROR ) : connection to notifier was closed
16.10.17 09:59:48.450 LISTENER ( ERROR ) : failed to recv result
16.10.17 09:59:48.450 LISTENER ( ERROR ) : listener: 1
16.10.17 09:59:54.135 DEBUG_INIT
UNIVENTION_DEBUG_BEGIN : uldap.__open host=pdc.ipnxnigeria.net port=7389 base=dc=ipnxnigeria,dc=net
UNIVENTION_DEBUG_END : uldap.__open host=pdc.ipnxnigeria.net port=7389 base=dc=ipnxnigeria,dc=net
16.10.17 09:59:55.499 LISTENER ( ERROR ) : connection to notifier was closed
16.10.17 09:59:55.500 LISTENER ( ERROR ) : failed to recv result
16.10.17 09:59:55.500 LISTENER ( ERROR ) : listener: 1
Eniola’
Hi Mosu,
Still here.
Hey,
this looks like the Listener cannot connect to the LDAP server properly. That’s bad.
Please post the output of the following commands:
dig pdc.ipnxnigeria.net
lsof -PniTCP:7389
iptables -L INPUT -nv
Also try running the following command: telnet pdc.ipnxnigeria.net 7389 It should show output similar to the following (with your own server name, of course):
[0 root@master ~] telnet master.mbu-test.intranet 7389
Trying 10.191.1.1...
Connected to master.mbu-test.intranet.
Escape character is '^]'.
and then it should just sit there waiting for input.
If the telnet command isn’t installed, install it via apt install telnet.
Kind regards,
mosu
root@pdc:~# dig pdc.ipnxnigeria.net
;
These are the outputs…
Regards, Eniola’
Hey,
OK. Is the notifier running at all? Please post the output of ps uw -C univention-directory-notifier
m.
Yes it is…
root@pdc:~# ps uw -C univention-directory-notifier
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 8647 0.6 0.0 8596 1812 ? S 06:26 1:05 /usr/sbin/univention-directory-notifier -o -d 1 -F
root 26276 0.0 0.1 11628 2292 ? S 09:05 0:00 /bin/bash /usr/share/univention-directory-policy/univention-directory-policy-cron
status of the notifier…
root@pdc:~# service univention-directory-notifier status
* univention-directory-notifier.service - LSB: Univention Directory Notifier Daemon
Loaded: loaded (/etc/init.d/univention-directory-notifier)
Active: active (exited) since Tue 2017-10-17 09:46:38 WAT; 5 days ago
Process: 1204 ExecStart=/etc/init.d/univention-directory-notifier start (code=exited, status=0/SUCCESS)
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.