Author Topic: Can't sync new Zentyal installation with Univention UCS Version 4.4  (Read 1542 times)

Metz

Hello,

I'm trying to sync the Zentyal trial version with a Univention UCS 4.4 server.

Zentyal Core version 6.2.3 (fresh install from iso)

On Univention I added quota:
Code: [Select]
ucr set repository/online/component/cool-solutions=yes \
repository/online/component/cool-solutions/version="current" \
repository/online/component/cool-solutions/unmaintained=yes

univention-install univention-domain-userquota

and also disabled TLS:
Code: [Select]
ucr set samba/ldap/server/require/strong/auth=no
/etc/init.d/samba restart

Users and computers get synced. DNS entries do not, and I get the following error messages during sync:

Code: [Select]
...
2020/11/05 21:46:35 INFO> Samba.pm:776 EBox::Samba::_postServiceHook - Writing DNS update list...
2020/11/05 21:46:36 INFO> SyncDaemon.pm:340 EBox::Samba::SyncDaemon::run - Samba sync daemon started
2020/11/05 21:46:38 INFO> LDAP.pm:246 EBox::Module::LDAP::_sendSchemaUpdate - Sending schema update: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=intranet
2020/11/05 21:46:38 ERROR> LDAP.pm:248 EBox::Module::LDAP::_sendSchemaUpdate - Error sending schema update: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=intranet The server is unwilling to perform the requested operation
 at Error sending schema update: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=intranet The server is unwilling to perform the requested operation
 at /usr/share/perl5/EBox/Module/LDAP.pm line 248
EBox::Module::LDAP::_sendSchemaUpdate('EBox::Samba=HASH(0x55986f10cc00)', 'Net::LDAP=HASH(0x559870c4a258)', '/usr/share/zentyal-samba/schema-quota.ldif') called at /usr/share/perl5/EBox/Module/LDAP.pm line 278
EBox::Module::LDAP::_loadSchemasFiles('EBox::Samba=HASH(0x55986f10cc00)', 'ARRAY(0x559870165220)') called at /usr/share/perl5/EBox/Module/LDAP.pm line 267
EBox::Module::LDAP::_loadSchemas('EBox::Samba=HASH(0x55986f10cc00)') called at /usr/share/perl5/EBox/Module/LDAP.pm line 341
EBox::Module::LDAP::_performSetup('EBox::Samba=HASH(0x55986f10cc00)') called at /usr/share/perl5/EBox/Samba.pm line 671
EBox::Samba::_regenConfig('EBox::Samba=HASH(0x55986f10cc00)') called at /usr/share/perl5/EBox/Module/Base.pm line 234
eval {...} at /usr/share/perl5/EBox/Module/Base.pm line 233
EBox::Module::Base::save('EBox::Samba=HASH(0x55986f10cc00)') called at /usr/share/perl5/EBox/GlobalImpl.pm line 649
eval {...} at /usr/share/perl5/EBox/GlobalImpl.pm line 648
EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x55986a26f890)', 'progress', 'EBox::ProgressIndicator=HASH(0x55986da09828)') called at /usr/share/perl5/EBox/Global.pm line 95
EBox::Global::AUTOLOAD('EBox::Global=HASH(0x55986d955cb0)', 'progress', 'EBox::ProgressIndicator=HASH(0x55986da09828)') called at /usr/share/zentyal/global-action line 32
eval {...} at /usr/share/zentyal/global-action line 30
2020/11/05 21:46:38 ERROR> GlobalImpl.pm:653 EBox::GlobalImpl::saveAllModules - Failed to save changes in module samba: Error sending schema update: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=intranet The server is unwilling to perform the requested operation
2020/11/05 21:46:38 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: radius
...
...
...
2020/11/05 21:47:40 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/K9v70Bpt2E failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/K9v70Bpt2E failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2 at /usr/share/perl5/EBox/Sudo.pm line 240
EBox::Sudo::_rootError('/usr/bin/sudo -p sudo: /var/lib/zentyal/tmp/3opd1FyAb9.cmd 2> /var/lib/zentyal/tmp/stderr', 'nsupdate -g -t 10 /var/lib/zentyal/tmp/K9v70Bpt2E', 512, 'ARRAY(0x5598713acff0)', 'ARRAY(0x55986b75a318)') called at /usr/share/perl5/EBox/Sudo.pm line 210
EBox::Sudo::_root(1, 'nsupdate -g -t 10 /var/lib/zentyal/tmp/K9v70Bpt2E') called at /usr/share/perl5/EBox/Sudo.pm line 153
EBox::Sudo::root('nsupdate -g -t 10 /var/lib/zentyal/tmp/K9v70Bpt2E') called at /usr/share/perl5/EBox/DNS.pm line 967
EBox::DNS::_postServiceHook('EBox::DNS=HASH(0x55986e5d9bd8)', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 948
EBox::Module::Service::_regenConfig('EBox::DNS=HASH(0x55986e5d9bd8)') called at /usr/share/perl5/EBox/Module/Base.pm line 234
eval {...} at /usr/share/perl5/EBox/Module/Base.pm line 233
EBox::Module::Base::save('EBox::DNS=HASH(0x55986e5d9bd8)') called at /usr/share/perl5/EBox/GlobalImpl.pm line 681
eval {...} at /usr/share/perl5/EBox/GlobalImpl.pm line 679
EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x55986a26f890)', 'progress', 'EBox::ProgressIndicator=HASH(0x55986da09828)') called at /usr/share/perl5/EBox/Global.pm line 95
EBox::Global::AUTOLOAD('EBox::Global=HASH(0x55986d955cb0)', 'progress', 'EBox::ProgressIndicator=HASH(0x55986da09828)') called at /usr/share/zentyal/global-action line 32
eval {...} at /usr/share/zentyal/global-action line 30
2020/11/05 21:47:40 ERROR> GlobalImpl.pm:687 EBox::GlobalImpl::saveAllModules - Failed to restart dns after save changes: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/K9v70Bpt2E failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2
2020/11/05 21:47:40 ERROR> GlobalImpl.pm:728 EBox::GlobalImpl::saveAllModules - The following modules failed while saving their changes, their state is unknown: samba dns  at The following modules failed while saving their changes, their state is unknown: samba dns  at /usr/share/perl5/EBox/GlobalImpl.pm line 728
EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x55986a26f890)', 'progress', 'EBox::ProgressIndicator=HASH(0x55986da09828)') called at /usr/share/perl5/EBox/Global.pm line 95
EBox::Global::AUTOLOAD('EBox::Global=HASH(0x55986d955cb0)', 'progress', 'EBox::ProgressIndicator=HASH(0x55986da09828)') called at /usr/share/zentyal/global-action line 32
eval {...} at /usr/share/zentyal/global-action line 30
2020/11/05 21:48:20 INFO> Index.pm:187 EBox::Dashboard::CGI::Index::masonParameters - dashboard1


First, it looks like quota is still not correctly installed. Second, there are some issues with nsupdate.

BR Dirk
« Last Edit: November 07, 2020, 11:04:59 am by Metz »
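
With `samba/ldap/server/require/strong/auth=no`, as set in the post above, Samba's LDAP server accepts simple binds over unencrypted connections. The check below is an added example, not part of the thread: it reads smb.conf text and reports the effective value. It assumes the UCR variable is rendered into smb.conf as Samba's `ldap server require strong auth` parameter; the function names and the sample config are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit Samba's LDAP bind policy.

# Print the effective "ldap server require strong auth" value from smb.conf
# text on stdin. Unset means Samba's default, "yes"; the last assignment wins.
strong_auth_value() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            eq = index($0, "=")
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", name)             # names ignore case and whitespace
            if (name == "ldapserverrequirestrongauth") {
                val = tolower(substr($0, eq + 1))
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            }
        }
        END { print (val == "" ? "yes" : val) }
    '
}

# Return 1 when simple binds over unencrypted connections are accepted.
strong_auth_ok() {
    v=$(strong_auth_value)
    if [ "$v" = "no" ]; then
        echo "WEAK: ldap server require strong auth = $v"
        return 1
    fi
    echo "OK: ldap server require strong auth = $v"
}

# Constructed sample: smb.conf as assumed after the ucr change in the post.
sample_conf() {
    cat <<'EOF'
[global]
    workgroup = EXAMPLE
    LDAP Server Require Strong Auth = No
[sysvol]
    path = /var/lib/samba/sysvol
EOF
}

sample_conf | strong_auth_ok || true
```

On a live system, pipe the output of `testparm -s` into `strong_auth_ok`; a missing line means the default `yes` is in effect.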

Metz

Re: Can't sync new Zentyal installation with Univention UCS Version 4.4
« Reply #1 on: November 05, 2020, 10:26:56 pm »
Updating to Zentyal 6.2.4

Moving the server role to Domain Controller, saving, and moving back to additional domain controller results in a resolv.conf error:

Code: [Select]
2020/11/05 22:22:08 INFO> Provision.pm:1336 EBox::Samba::Provision::provisionADC - Waiting RID pool allocation
2020/11/05 22:22:09 INFO> Provision.pm:1340 EBox::Samba::Provision::provisionADC - Running KCC on remote DC
2020/11/05 22:22:11 INFO> SyncDaemon.pm:340 EBox::Samba::SyncDaemon::run - Samba sync daemon started
2020/11/05 22:22:20 INFO> Samba.pm:776 EBox::Samba::_postServiceHook - Writing DNS update list...
2020/11/05 22:22:21 ERROR> LDAP.pm:106 EBox::Module::LDAP::_dnsResolve - DNS query failed: query timed out (using nameservers , /etc/resolv.conf was
'# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
' at DNS query failed: query timed out (using nameservers , /etc/resolv.conf was
'# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
' at /usr/share/perl5/EBox/Module/LDAP.pm line 106
EBox::Module::LDAP::_dnsResolve('EBox::Samba=HASH(0x55db8c808068)', 'ucs-001.example.intranet') called at /usr/share/perl5/EBox/Module/LDAP.pm line 155
EBox::Module::LDAP::_connectToSchemaMaster('EBox::Samba=HASH(0x55db8c808068)') called at /usr/share/perl5/EBox/Module/LDAP.pm line 275
EBox::Module::LDAP::_loadSchemasFiles('EBox::Samba=HASH(0x55db8c808068)', 'ARRAY(0x55db8d865050)') called at /usr/share/perl5/EBox/Module/LDAP.pm line 267
EBox::Module::LDAP::_loadSchemas('EBox::Samba=HASH(0x55db8c808068)') called at /usr/share/perl5/EBox/Module/LDAP.pm line 341
EBox::Module::LDAP::_performSetup('EBox::Samba=HASH(0x55db8c808068)') called at /usr/share/perl5/EBox/Samba.pm line 671
EBox::Samba::_regenConfig('EBox::Samba=HASH(0x55db8c808068)') called at /usr/share/perl5/EBox/Module/Base.pm line 234
eval {...} at /usr/share/perl5/EBox/Module/Base.pm line 233
EBox::Module::Base::save('EBox::Samba=HASH(0x55db8c808068)') called at /usr/share/perl5/EBox/GlobalImpl.pm line 649
eval {...} at /usr/share/perl5/EBox/GlobalImpl.pm line 648
EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x55db88004ba8)', 'progress', 'EBox::ProgressIndicator=HASH(0x55db875f43b8)') called at /usr/share/perl5/EBox/Global.pm line 95
EBox::Global::AUTOLOAD('EBox::Global=HASH(0x55db8b6a7720)', 'progress', 'EBox::ProgressIndicator=HASH(0x55db875f43b8)') called at /usr/share/zentyal/global-action line 32
eval {...} at /usr/share/zentyal/global-action line 30
2020/11/05 22:22:21 ERROR> GlobalImpl.pm:653 EBox::GlobalImpl::saveAllModules - Failed to save changes in module samba: DNS query failed: query timed out (using nameservers , /etc/resolv.conf was
'# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
'
2020/11/05 22:22:21 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: radius
2020/11/05 22:22:25 INFO> SyncDaemon.pm:340 EBox::Samba::SyncDaemon::run - Samba sync daemon started
2020/11/05 22:22:29 ERROR> LDAP.pm:106 EBox::Module::LDAP::_dnsResolve - DNS query failed: query timed out (using nameservers , /etc/resolv.conf was
'# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
' at DNS query failed: query timed out (using nameservers , /etc/resolv.conf was
'# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
' at /usr/share/perl5/EBox/Module/LDAP.pm line 106
EBox::Module::LDAP::_dnsResolve('EBox::Radius=HASH(0x55db8e0e3b68)', 'ucs-001.example.intranet') called at /usr/share/perl5/EBox/Module/LDAP.pm line 155
EBox::Module::LDAP::_connectToSchemaMaster('EBox::Radius=HASH(0x55db8e0e3b68)') called at /usr/share/perl5/EBox/Module/LDAP.pm line 275
EBox::Module::LDAP::_loadSchemasFiles('EBox::Radius=HASH(0x55db8e0e3b68)', 'ARRAY(0x55db8e744120)') called at /usr/share/perl5/EBox/Module/LDAP.pm line 267
EBox::Module::LDAP::_loadSchemas('EBox::Radius=HASH(0x55db8e0e3b68)') called at /usr/share/perl5/EBox/Module/LDAP.pm line 341
EBox::Module::LDAP::_performSetup('EBox::Radius=HASH(0x55db8e0e3b68)') called at /usr/share/perl5/EBox/Module/LDAP.pm line 331
EBox::Module::LDAP::_regenConfig('EBox::Radius=HASH(0x55db8e0e3b68)') called at /usr/share/perl5/EBox/Module/Kerberos.pm line 378
EBox::Module::Kerberos::_regenConfig('EBox::Radius=HASH(0x55db8e0e3b68)') called at /usr/share/perl5/EBox/Radius.pm line 198
EBox::Radius::_regenConfig('EBox::Radius=HASH(0x55db8e0e3b68)') called at /usr/share/perl5/EBox/Module/Base.pm line 234
eval {...} at /usr/share/perl5/EBox/Module/Base.pm line 233
EBox::Module::Base::save('EBox::Radius=HASH(0x55db8e0e3b68)') called at /usr/share/perl5/EBox/GlobalImpl.pm line 649
eval {...} at /usr/share/perl5/EBox/GlobalImpl.pm line 648
EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x55db88004ba8)', 'progress', 'EBox::ProgressIndicator=HASH(0x55db875f43b8)') called at /usr/share/perl5/EBox/Global.pm line 95
EBox::Global::AUTOLOAD('EBox::Global=HASH(0x55db8b6a7720)', 'progress', 'EBox::ProgressIndicator=HASH(0x55db875f43b8)') called at /usr/share/zentyal/global-action line 32
eval {...} at /usr/share/zentyal/global-action line 30
2020/11/05 22:22:29 ERROR> GlobalImpl.pm:653 EBox::GlobalImpl::saveAllModules - Failed to save changes in module radius: DNS query failed: query timed out (using nameservers , /etc/resolv.conf was
'# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
'
2020/11/05 22:22:29 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: logs
2020/11/05 22:22:29 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: dns
2020/11/05 22:22:38 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2020/11/05 22:23:07 ERROR> GlobalImpl.pm:728 EBox::GlobalImpl::saveAllModules - The following modules failed while saving their changes, their state is unknown: samba radius  at The following modules failed while saving their changes, their state is unknown: samba radius  at /usr/share/perl5/EBox/GlobalImpl.pm line 728
EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x55db88004ba8)', 'progress', 'EBox::ProgressIndicator=HASH(0x55db875f43b8)') called at /usr/share/perl5/EBox/Global.pm line 95
EBox::Global::AUTOLOAD('EBox::Global=HASH(0x55db8b6a7720)', 'progress', 'EBox::ProgressIndicator=HASH(0x55db875f43b8)') called at /usr/share/zentyal/global-action line 32
eval {...} at /usr/share/zentyal/global-action line 30

Metz

Re: Can't sync new Zentyal installation with Univention UCS Version 4.4
« Reply #2 on: November 07, 2020, 09:32:05 am »
Adding a DNS forwarder and enabling "transparent DNS cache" solved the DNS error.
I switch to server role "domain controller" and back to "additional domain controller" and get the following error, the same as on the initial install:
(You need to delete the dns-zentyal user in the Univention GUI, otherwise you get an error because of the user.)

Code: [Select]
2020/11/07 09:22:07 INFO> LDAP.pm:246 EBox::Module::LDAP::_sendSchemaUpdate - Sending schema update: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=intranet
2020/11/07 09:22:07 ERROR> LDAP.pm:248 EBox::Module::LDAP::_sendSchemaUpdate - Error sending schema update: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=intranet The server is unwilling to perform the requested operation
 at Error sending schema update: CN=quota,CN=Schema,CN=Configuration,DC=examlpe,DC=intranet The server is unwilling to perform the requested operation
 at /usr/share/perl5/EBox/Module/LDAP.pm line 248

Metz

Re: Can't sync new Zentyal installation with Univention UCS Version 4.4
« Reply #3 on: November 07, 2020, 11:04:37 am »
I've installed directory-logger on Univention and checked all log files.
I do not see any message sent to the Univention system when the error occurs.

Code: [Select]
tail -F /var/log/univention/directory-logger.log
tail -F /var/log/univention/listener.log
tail -F /var/lib/univention-ldap/notify/transaction
tail -F /var/log/syslog

In this topic:
https://forum.zentyal.org/index.php/topic,23457.0.html
the quota.ldif was missing, but I do not know where to get the LDIF, or where (Univention or Zentyal) and how to install it.

The following file is on the Zentyal server:
/usr/share/zentyal-samba/schema-quota.ldif

Metz

Re: Can't sync new Zentyal installation with Univention UCS Version 4.4
« Reply #4 on: November 07, 2020, 12:49:30 pm »
When I run on the partly synced Zentyal server (users and groups are shown):
Code: [Select]
sudo ldbsearch -H /var/lib/samba/private/sam.ldb | grep quota

I do not get a response, which looks like cn=quota is not installed on the Univention system. (Only CN=NTDS Quotas)

Copied /usr/share/zentyal-samba/schema-quota.ldif to the Univention server,
replaced ,DOMAIN_TOP_DN with ,DC=example,DC=intranet
and tried to import with
Code: [Select]
ldapadd -x -D "cn=admin,$(ucr get ldap/base)" -w "$(cat /etc/ldap.secret)" -f schema-quota.ldif
I'm getting issues with the following attributes:
Code: [Select]
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19937.1.1.1
ldapDisplayName: quota
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE

Removing them, I get:
Code: [Select]
additional info: no structural object class provided
« Last Edit: November 07, 2020, 01:00:37 pm by Metz »

doncamilo

Re: Can't sync new Zentyal installation with Univention UCS Version 4.4
« Reply #5 on: November 09, 2020, 09:45:46 am »
 :)

I tried the joining process of a Zentyal server to a domain managed by UCS a long time ago.

The first issues in order to join Zentyal were quickly fixed by installing the UCS Samba compatible module.

Afterward, the issue was that Zentyal includes the groups in the users container (as Windows Server does https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups) instead of including them in their own groups' container (as UCS does).

At this point, I gave up (I didn't have a real reason to insist on this deployment if it wasn't quick and easy).

Samba4 provides a way to extend its LDAP schema https://wiki.samba.org/index.php/Samba_AD_schema_extensions (Zentyal introduces the needed module attributes this way), but did you check if UCS and Zentyal schemas are totally compatible?

Cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,