[SOLVED] User Synchronization doesn't work

[koecse]

Hi there

I have 2 servers. I want to synchronize users and groups from server1 to server2. Connection worked fine. In server1, it shows me server2 as slave (in module users&groups, synchronization). But in server2 there is no user nor a group. Can I push the synchronization? Or what can I do? I have no idea, why it doesn't work.
Any help or idea is welcome.

[xklones]

Hi koecse,
I did play around with 2 zentyal servers and configured them as domain controllers but not with master/slave setup. I used pdcsrv1 as main domain controller and pdcsrv2 as additional domain controller, and it worked very well.

Please follow a step-by-step video tutorial @ http://www.youtube.com/user/thejonasnet/videos?view=0 or the tutorial @ http://trac.zentyal.org/wiki/Documentation/Community/Document/MultipleZentyal.

Also note that you might have to change the default web admin port from 443 to 444 or anything you like as zentyal uses port 443 for the secure sync in a master and slave setup.

Please do let us know if this is of any help and share you experience with others.

Good luck!

[koecse]

Hi xklones

The web admin port is 8421 and not 443.

I have already set up 2 other servers and synced them with usersynchronization. And then it worked fine.

I didn't want to set up the second server as additional domain controller, because of samba4 known isues (http://www.samba.org/samba/history/samba-4.0.0.html. Does it everything work well with the additional domain controller?

[christian]

There is something that, I think, deserves some clarification regarding accounts & groups synchronization between 2 Zentyal servers since 3.0 and its specific LDAP design.

With 2.x, because one single LDAP server was deploy on each Zentyal server, account synchronization was almost similar to simple LDAP replication problem between 2 LDAP servers.

Now with 3.0, you have 2 LDAP servers per Zentyal server. Let's call it LDAP and Samba-LDAP. There is obviously an internal LDAP to Samba-LDAP synchronization process.

- When you deploy 2 Zentyal servers without file sharing but want to have account synchronization, how does it work ? LDAP master/slave design ?
- Same question when you enable file sharing, decides that one server is PDC and want secondary server to act as BDC ? Smaba-LDAP to Samba-LDAP ?

I don't know what is really designed but this confuses me 

[koecse]

after a long time, trying different ways, I decided to change my plans. So I cut the syncronization and configured server2 as an additional domain controller. That didn't worked as well. They synced the users and groups, but there was a big bug. When I changed an users firstname, it didn't synced. Then I tried to delete that user and nothing worked longer. An error message from zentyal popped up, "there's a bug". Afterwards, the module has stopped working. I think it must have been something else, as the module users and groups. I don't know what.
After that, I had no desire to look any further for the error. I decided to set up two new servers. As I have everything set up nicely in order, then the synchronization has  worked fine. I don't know, why the other installation had errors.

[xklones]

Hi koecse & christian,
I also noticed the same error after I setup the zentyal servers as domain controller and

additional, the main domain controller had a lot issues when an account is modified in the

additional domain controller. so I had to stick with the additional domain controller.

I also noticed that after updating to core version 3.0.17, there are two additional fields Read-only root DN and Read-only password as stated below:

Base DN:               dc=chrisland,dc=lan
Root DN:               cn=zentyal,dc=chrisland,dc=lan
Password:               lIullblablablablabla
Read-only root DN:    cn=zentyalro,dc=chrisland,dc=lan
Read-only password:    blablablablablablabla
Users DN:               ou=Users,dc=chrisland,dc=lan
Groups DN:               ou=Groups,dc=chrisland,dc=lan


Though I haven't tried the synchronizing with a domain controller. How exactly did you setup

your servers? Please I want you to share.

Thanks!

[christian]

The read-only DN and password are here because Zentyal decided not to expose Zentyal LDAP content to anonymous access, therefore the need to provide account able to read it.

BTW, what do you want me to share ?

[koecse]

hi xklones

To synchronize Users and groups, first of all, you have to write down the slave password from the PDC. (I had to type in by hand, copy/paste didn't worked)
After that, go to the server, which you want to sync the users and type in the data from the PDC.

Look at the attached photos.

[xklones]

Hi koecse,
Thank you very much for the info, I really appreciate. Though I haven't tried it out. I have 4 zentyal servers in four different locations and are connected via an E1 line. I want the other servers to pool username and password from the zentyal DC @ the HQ. I hope this will work with your example?

[koecse]

hi folks

Same Problem again! Set up another PDC and second server. Everything allright, but user&group-sync do not work. 

I put the error-log as attachment

Any help is welcome.

[Javier Amor Garcia]

Thre is a known bug that sync could fail if you change the apache certificate. It is your case?

[koecse]

yes, it could be, that I changed the certificate.

How can I avoid that? Set up new servers, first of all, set CA, and then all the other modules, and never touch again CA? Or is it possible to fix it?

[Javier Amor Garcia]

Just don't change the certificate for the administration web interface. Other certificates are fair play..

[koecse]

Then I'll start again from bottom. I'ill let you know, how it happened.

thank you Javier.

[koecse]

Yes, it is a bug!

Spent hours with it. 

First set up 2 new servers. Created a certificate on both servers. Then enabled the certificate for administration webserver. Sync didn't work as expected.

Same thing again, but without enabling the certificate for administration webserver. Syncing is working. 

I promise, I'll never, never, never touch the enabling-button for administration webserver again....

cheerio