Username or password is incorrect. Try again. But Radius authentication is working

radius

#1

Hello,

Adding new users to the UCS works fine, but when the new users put their credentials in Windows, it says "Username or password incorrect". Old users work fine. The new users, however, pass the RADIUS authentication test and even work on Wi-Fi devices for internet.

The same thing applies to DNS. New DNS records are not resolving: the reply is ‘Server not found’ and nslookup says ‘Can’t find xxxxx: Non-existent domain’… even though the A record exists.

Please help.


#2

That seems to be a synchronization problem between OpenLDAP and Samba 4:

univention-s4connector-list-rejected

#3

Ok… this was what I got…

```
UCS rejected

S4 rejected

There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.

    last synced USN: 21596
```
What do I do please?


#4

Ok, is the connector running?

ps aux|grep conn

Which UCS version are you using?


#5

Yes, it’s running…

4.2-2 errata197 (Lesum)


#6

Are there some relevant messages in /var/log/univention/connector-s4.log?


#7

Yes, a lot.

I can see a lot of these “LDAP (PROCESS): sync to ucs: [ dns] [ modify] relativedomainname”


#8

Also entries regarding the new users?


#9

None at all.

A lot of DEBUG_INIT


#10

…still here please…


#11

Hey,

No disrespect intended, but let’s make sure everything’s really running as it should. Please post the output of the following commands (all should be run as root on your DC Master server):

  1. ps auxw|grep s4connector
  2. tail /var/log/univention/connector-s4.log and date
  3. grep -i USERNAME /var/log/univention/connector-s4.log (replace USERNAME with the login name of one of the users who cannot log in to Windows)
  4. cat /var/lib/univention-ldap/last_id and cat /var/lib/univention-directory-listener/notifier_id

Please don’t just copy & paste the output here but include it in a preformatted text block so that the forum software won’t reformat the output at will. A preformatted text block consists of one line with three backticks, then the content starting on an empty line and a last line with three backticks. Pressing the </> button in the toolbar above or Ctrl+Shift+C will insert such a structure, too, if you don’t know exactly what I mean. Thanks!

Kind regards,
mosu


#12

Good morning Mosu. No disrespect taken. Thanks for the explanation. Below are the outputs…

```
root@pdc:~# ps auxw|grep s4connector
root      2572  0.1  2.7 598776 57032 ?        S    Oct13   5:52 /usr/bin/python2.7 -W ignore /usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py

root@pdc:~# tail /var/log/univention/connector-s4.log


root@pdc:~# date
Mon Oct 16 08:54:55 WAT 2017

root@pdc:~# grep -i tested2 /var/log/univention/connector-s4.log
root@pdc:~#

root@pdc:~# cat /var/lib/univention-ldap/last_id
7168root@pdc:~#

root@pdc:~# cat /var/lib/univention-directory-listener/notifier_id
6104root@pdc:~#
```

Eniola’


#13

Hey,

thanks for the information. The output of the first two commands shows that the S4 connector seems to be running and processing data properly. That’s good.

However, the output of the last two commands shows that the univention-directory-listener program doesn’t seem to be running. It has to for the domain to work properly, though. It is responsible for acting on changes to the LDAP contents.

Please verify this by running ps uw -u listener. It should output one process called /usr/sbin/univention-directory-listener.

If it isn’t running, as I think it isn’t, you should start it by running service univention-directory-listener start. Afterwards make sure that it is actually running with the ps command mentioned above.

Now observe the content of the file /var/lib/univention-directory-listener/notifier_id. The number should start rising again, slowly approach and finally match the number in /var/lib/univention-ldap/last_id. Explanation: the last_id is incremented each time any change is made in the LDAP, and the notifier_id is incremented each time the univention-directory-listener component has processed the corresponding change. In a regular system both numbers should match (or the notifier_id be at least a few steps behind the last_id if the listener is currently processing data).

You can and should also check the content of the corresponding log file, /var/log/univention/listener.log.

Kind regards,
mosu


#14

Hi Mosu,

I checked for the listener last week. It’s running and still running… this is what the listener log has been reporting.

```
root@pdc:~# tail -f /var/log/univention/listener.log
UNIVENTION_DEBUG_END    : uldap.__open host=pdc.ipnxnigeria.net port=7389 base=dc=ipnxnigeria,dc=net
16.10.17 09:59:41.735  LISTENER    ( ERROR   ) : connection to notifier was closed
16.10.17 09:59:41.735  LISTENER    ( ERROR   ) : failed to recv result
16.10.17 09:59:41.735  LISTENER    ( ERROR   ) : listener: 1
16.10.17 09:59:47.335  DEBUG_INIT
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=pdc.ipnxnigeria.net port=7389 base=dc=ipnxnigeria,dc=net
UNIVENTION_DEBUG_END    : uldap.__open host=pdc.ipnxnigeria.net port=7389 base=dc=ipnxnigeria,dc=net
16.10.17 09:59:48.450  LISTENER    ( ERROR   ) : connection to notifier was closed
16.10.17 09:59:48.450  LISTENER    ( ERROR   ) : failed to recv result
16.10.17 09:59:48.450  LISTENER    ( ERROR   ) : listener: 1
16.10.17 09:59:54.135  DEBUG_INIT
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=pdc.ipnxnigeria.net port=7389 base=dc=ipnxnigeria,dc=net
UNIVENTION_DEBUG_END    : uldap.__open host=pdc.ipnxnigeria.net port=7389 base=dc=ipnxnigeria,dc=net
16.10.17 09:59:55.499  LISTENER    ( ERROR   ) : connection to notifier was closed
16.10.17 09:59:55.500  LISTENER    ( ERROR   ) : failed to recv result
16.10.17 09:59:55.500  LISTENER    ( ERROR   ) : listener: 1
```

Eniola’


#15

Hi Mosu,

Still here.


#16

Hey,

this looks like the Listener cannot connect to the LDAP server properly. That’s bad.

Please post the output of the following commands:

```
dig pdc.ipnxnigeria.net
lsof -PniTCP:7389
iptables -L INPUT -nv
```

Also try running the following command:

```
telnet pdc.ipnxnigeria.net 7389
```

It should show output similar to the following (with your own server name, of course):

```
[0 root@master ~] telnet master.mbu-test.intranet 7389
Trying 10.191.1.1...
Connected to master.mbu-test.intranet.
Escape character is '^]'.
```

and then it should just sit there waiting for input.

If the telnet command isn’t installed, install it via apt install telnet.

Kind regards,
mosu
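The checks mosu walks through in posts #11, #13, #14 and #16 (is the listener caught up with the LDAP change counter, is it losing its connection to the notifier, is the LDAP port reachable) can be scripted so they are repeatable. The script below is an added example written for this page; it is not part of UCS and not code from anyone in the thread. The file paths and port 7389 are the ones named above; the tolerance of 5 changes, the /dev/tcp connect test and the sample data at the bottom (the 7168/6104 counters from post #12 and log lines modelled on post #14) are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from Univention or from this thread): a small health
# check for the UCS LDAP -> notifier -> listener chain discussed above.
# File paths and port 7389 are taken from the thread; the tolerance of 5
# and the sample data at the bottom are assumptions made for this example.

LAST_ID_FILE=/var/lib/univention-ldap/last_id
NOTIFIER_ID_FILE=/var/lib/univention-directory-listener/notifier_id
LISTENER_LOG=/var/log/univention/listener.log
LDAP_PORT=7389

# Read a counter file. The files carry no trailing newline (hence the
# "7168root@pdc:~#" output above), so keep only the digits.
read_id() {
    [ -r "$1" ] || return 1
    tr -cd '0-9' < "$1"
}

# Compare last_id with notifier_id.
# Prints "<last_id> <notifier_id> <lag>" and returns 0 when the listener is
# caught up (lag within the tolerance), 1 when it is behind, 2 when a file
# cannot be read.
listener_lag() {
    local tol=${3:-5} last notif lag
    last=$(read_id "$1") || return 2
    notif=$(read_id "$2") || return 2
    [ -n "$last" ] && [ -n "$notif" ] || return 2
    lag=$((last - notif))
    echo "$last $notif $lag"
    [ "$lag" -le "$tol" ]
}

# Count the "connection to notifier was closed" errors in a listener.log.
# Prints "<count> <timestamp of the last one>" ("-" when there is none)
# and returns 0 when no such error was logged, 1 otherwise.
notifier_errors() {
    local pattern='connection to notifier was closed' n last
    n=$(grep -c "$pattern" "$1" 2>/dev/null || true)
    n=${n:-0}
    last=$(grep "$pattern" "$1" 2>/dev/null | tail -n 1 | awk '{print $1, $2}')
    echo "$n ${last:--}"
    [ "$n" -eq 0 ]
}

# Plain TCP connect test for the LDAP port (what the telnet step checks).
# Uses bash's /dev/tcp so it needs no extra packages; returns 0 on success.
ldap_port_open() {
    local host=$1 port=${2:-$LDAP_PORT}
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Run the file-based checks and print a verdict per check.
run_checks() {
    local out
    if out=$(listener_lag "$1" "$2"); then
        echo "OK   listener in sync ($out)"
    else
        echo "FAIL listener behind or counter unreadable ($out)"
    fi
    if out=$(notifier_errors "$3"); then
        echo "OK   no notifier connection errors"
    else
        echo "FAIL notifier connection errors: $out"
    fi
}

# Constructed sample data mirroring the values posted in this thread.
SAMPLE_LAST=$(mktemp);  printf '7168' > "$SAMPLE_LAST"
SAMPLE_NOTIF=$(mktemp); printf '6104' > "$SAMPLE_NOTIF"
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LAST" "$SAMPLE_NOTIF" "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
16.10.17 09:59:41.735  LISTENER    ( ERROR   ) : connection to notifier was closed
16.10.17 09:59:41.735  LISTENER    ( ERROR   ) : failed to recv result
16.10.17 09:59:47.335  DEBUG_INIT
16.10.17 09:59:48.450  LISTENER    ( ERROR   ) : connection to notifier was closed
16.10.17 09:59:48.450  LISTENER    ( ERROR   ) : failed to recv result
16.10.17 09:59:55.499  LISTENER    ( ERROR   ) : connection to notifier was closed
16.10.17 09:59:55.500  LISTENER    ( ERROR   ) : failed to recv result
EOF

echo "== sample data =="
run_checks "$SAMPLE_LAST" "$SAMPLE_NOTIF" "$SAMPLE_LOG"

# On a real DC Master the same checks run against the live files.
if [ -r "$LAST_ID_FILE" ] && [ -r "$NOTIFIER_ID_FILE" ]; then
    echo "== this host =="
    run_checks "$LAST_ID_FILE" "$NOTIFIER_ID_FILE" "$LISTENER_LOG"
fi
```

Run it as root on the DC Master; with the sample values from this thread it reports the listener 1064 changes behind and three notifier connection errors, which is exactly the situation the log in post #14 shows. `ldap_port_open pdc.ipnxnigeria.net` is the scripted form of the telnet test and is deliberately not run automatically, since a hanging connect would stall the other checks.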


#17
root@pdc:~# dig pdc.ipnxnigeria.net

; 

These are the outputs…

Regards, Eniola’


#18

Hey,

OK. Is the notifier running at all? Please post the output of ps uw -C univention-directory-notifier

m.


#19

Yes it is…

```
root@pdc:~# ps uw -C univention-directory-notifier
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      8647  0.6  0.0   8596  1812 ?        S    06:26   1:05 /usr/sbin/univention-directory-notifier -o -d 1 -F
root     26276  0.0  0.1  11628  2292 ?        S    09:05   0:00 /bin/bash /usr/share/univention-directory-policy/univention-directory-policy-cron
```


#20

status of the notifier…

```
root@pdc:~# service univention-directory-notifier status
* univention-directory-notifier.service - LSB: Univention Directory Notifier Daemon
   Loaded: loaded (/etc/init.d/univention-directory-notifier)
   Active: active (exited) since Tue 2017-10-17 09:46:38 WAT; 5 days ago
  Process: 1204 ExecStart=/etc/init.d/univention-directory-notifier start (code=exited, status=0/SUCCESS)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
```