Version of all UCS servers mentioned here is UCS 4.4 errata 175
one AD DC on Samba 4 (primary)
one AD DC on Samba 4 as backup domain controller (backup)
one UCS fileserver for Windows profiles
Windows OS: Windows 10 (client)
All is working fine. But when I shut down the primary domain controller, you cannot log in to the domain with a user that was not logged in before. And if I am right, Samba 4 AD is a multi-master system and must work without promoting the backup controller.
Samba domain replication is working without failures.
With the ldapsearch command on the backup domain controller (primary domain controller is down) I could successfully search for users in LDAP and Samba.
DNS is also working fine from windows10 client.
I also ran the script:
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
All is okay; for every section I see two entries.
At the Windows 10 login you can successfully authenticate; you see the name of the user.
But the login waits at the point “wait for user profile service”.
univention-run-diagnostic-checks -t all
Domain Admin Login:Administrator
Password:
ran 00_check_server_password successfully
ran 02_certificate_check successfully
ran 03_check_notifier_replication successfully
ran 04_saml_certificate_check successfully
ran 10_gateway successfully
ran 11_nameserver successfully
ran 12_proxy successfully
ran 21_check_join_status successfully
ran 22_kdc_service successfully
ran 23_check_update_sites successfully
ran 30_disk_usage successfully
ran 31_file_permissions successfully
ran 32_security_limits successfully
ran 40_samba_tool_dbcheck successfully
ran 41_samba_tool_showrepl successfully
ran 43_connectors4_rejects successfully
ran 44_well_known_sid_check successfully
ran 45_heimdal_on_samba4_dc successfully
ran 46_kerberos_ddns_update successfully
ran 50_check_ucr_templates successfully
ran 51_hostname_check successfully
ran 52_mail_acl_sync successfully
ran 53_package_status successfully
ran 54_sources_list_check successfully
ran 55_user_migration successfully
ran 56_univention_types successfully
You can find the logging messages of the diagnostic modules at /var/log/univention/management-console-module-diagnostic.log
Okay, the output above is from the backup domain controller:
The primary is successful, but there is a reject at the S4 connector. This reject belongs to the backup domain controller.
univention-run-diagnostic-checks -t all
Domain Admin Login:Administrator
Password:
ran 00_check_server_password successfully
ran 02_certificate_check successfully
ran 03_check_notifier_replication successfully
ran 04_saml_certificate_check successfully
ran 10_gateway successfully
ran 11_nameserver successfully
ran 12_proxy successfully
ran 20_check_nameservers successfully
ran 21_check_join_status successfully
ran 22_kdc_service successfully
ran 23_check_update_sites successfully
ran 30_disk_usage successfully
ran 31_file_permissions successfully
ran 32_security_limits successfully
ran 40_samba_tool_dbcheck successfully
ran 41_samba_tool_showrepl successfully
ran 44_well_known_sid_check successfully
ran 45_heimdal_on_samba4_dc successfully
ran 46_kerberos_ddns_update successfully
ran 50_check_ucr_templates successfully
ran 51_hostname_check successfully
ran 52_mail_acl_sync successfully
ran 53_package_status successfully
ran 54_sources_list_check successfully
ran 55_user_migration successfully
ran 56_univention_types successfully
You can find the logging messages of the diagnostic modules at /var/log/univention/management-console-module-diagnostic.log
############################
## Check failed: 43_connectors4_rejects - Nicht synchronisierte S4 Connector Objekte
0 nicht synchronisierte UCS Objekte und 1 nicht synchronisierte S4 Objekte. Weitere Hinweise finden Sie unter {sdb}.
Nicht synchronisierte S4 Objekte:
S4 DN: CN=dns-pdc2,CN=Users,DC=domain,DC=xj, UCS DN: uid=dns-dc2,cn=users,dc=domain,dc=xj
########### End #############
Okay, I have solved this issue.
If someone is interested in it, there was only one mistake.
The fileserver, as I mentioned in my opening, has no second nameserver entry.
After I set the IP of the nameserver or backup domain controller on the fileserver as second nameserver, all is now working fine.
Little mistake, big problem.
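A small resolver check, added here as an example that is not part of the thread, catches exactly this kind of mistake: a member server whose resolv.conf lists only one domain controller (or a nameserver that is not a DC at all). The DC addresses, domain name and file contents below are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a UCS member server's resolver configuration
# lists at least two nameservers and that every nameserver is a known DC.
# All addresses and file contents here are constructed, not from the thread.

# Constructed: addresses of the primary and backup domain controllers.
DC_ADDRS="10.0.0.10 10.0.0.11"

# Print the nameserver addresses from a resolv.conf-style file, one per
# line. Comment lines and other directives (search, options) are ignored.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# Print the number of nameserver entries in the given file.
count_nameservers() {
    list_nameservers "$1" | wc -l | tr -d ' '
}

# Return 0 if the file has at least two nameservers and each of them is
# one of DC_ADDRS; otherwise report the reason on stderr and return 1.
check_resolver_redundancy() {
    file="$1"
    n=$(count_nameservers "$file")
    if [ "$n" -lt 2 ]; then
        echo "$file: only $n nameserver entry; a second DC is required" >&2
        return 1
    fi
    for ns in $(list_nameservers "$file"); do
        found=0
        for dc in $DC_ADDRS; do
            if [ "$ns" = "$dc" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$file: nameserver $ns is not a known domain controller" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample files: the fileserver before the fix (primary DC only),
# after the fix (primary and backup DC), and a variant with a foreign resolver.
BEFORE_FIX=$(mktemp); AFTER_FIX=$(mktemp); FOREIGN_NS=$(mktemp)
printf '# constructed\nsearch domain.example\nnameserver 10.0.0.10\n' > "$BEFORE_FIX"
printf 'search domain.example\nnameserver 10.0.0.10\nnameserver 10.0.0.11\n' > "$AFTER_FIX"
printf 'search domain.example\nnameserver 10.0.0.10\nnameserver 192.0.2.53\n' > "$FOREIGN_NS"

for f in "$BEFORE_FIX" "$AFTER_FIX" "$FOREIGN_NS"; do
    if check_resolver_redundancy "$f"; then echo "$f: OK"; fi
done
```

On a UCS host the same check can be run against the real /etc/resolv.conf, with DC_ADDRS set to the addresses of the primary and backup DC.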