Bug 33475 - univention-s4-position-sync should update the S4 Connector groupcache
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.2
Other Linux
P5 normal
Assigned To: Samba maintainers
Reported: 2013-11-19 14:00 CET by Arvid Requate
Modified: 2020-10-02 12:22 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2013-11-19 14:00:05 CET
We had a test UCS@school domain where due to Bug 33366 the Windows clients were not created below the school OU. This was discovered because the machine part for the GPO for the schoolexam was not evaluated by the clients.

To fix this, we simply executed /usr/share/univention-s4-connector/univention-s4-position-sync and continued with the tests. After the exam time was over, all exam accounts had been removed automatically from the schoolexam group, and the machines as well. Yet the clients continued to evaluate the schoolexam GPO, denying login for all users.

The cause of this situation was found by comparing the schoolexam object in LDAP and Samba4: while the LDAP group did not show any members, in Samba4 the group still contained the machine accounts. The S4 Connector had not removed the members, because the uniqueMember DNs had changed and no longer matched the S4 Connector group cache:
======================================================================
19.11.2013 13:29:53,600 LDAP        (PROCESS): group_members_sync_from_ucs: cn=schulpc1,cn=computers,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
19.11.2013 13:29:53,600 LDAP        (PROCESS): group_members_sync_from_ucs: cn=realschule-raum1,cn=raeume,cn=groups,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
19.11.2013 13:29:53,600 LDAP        (PROCESS): group_members_sync_from_ucs: cn=schulpc5,cn=computers,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
19.11.2013 13:29:53,601 LDAP        (PROCESS): group_members_sync_from_ucs: cn=schulpc4,cn=computers,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
19.11.2013 13:29:53,601 LDAP        (PROCESS): group_members_sync_from_ucs: cn=schulpc3,cn=computers,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
19.11.2013 13:29:53,601 LDAP        (PROCESS): group_members_sync_from_ucs: cn=schulpc2,cn=computers,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
======================================================================
Comment 1 Arvid Requate univentionstaff 2013-11-19 14:02:16 CET
Another, more general solution would be, to adjust the S4 Connector to search the group again, in case it cannot find it in its cache.
Comment 2 Stefan Gohmann univentionstaff 2013-11-28 16:58:51 CET
(In reply to Arvid Requate from comment #1)
> Another, more general solution would be, to adjust the S4 Connector to
> search the group again, in case it cannot find it in its cache.

We should be careful with a search because it can cost a lot of performance. And performance was the original reason for the cache. Maybe we could simply stop the connector in univention-s4-position-sync.

Does univention-s4-position-sync do a normal ldapmodrdn or ldbrename? If so, it would be a generic connector bug.
Comment 3 Arvid Requate univentionstaff 2013-11-28 19:33:14 CET
It performs a samdb.rename call against the local sam.ldb file, which eventually results in an ldbmodify operation, I think.
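The failure in the description and the two remedies discussed in comments 1 and 2 (update the cache when position sync renames objects, or fall back to a search when the cache has no entry), as an added model. This is not code from univention-s4-connector or univention-s4-position-sync: the class, the helper names, the `searches` counter, the log wording and the sample DNs are constructed for the example, and the real connector's data structures differ.

```python
"""Added illustration, not univention-s4-connector code: an in-memory model of
a group-member cache keyed by DN, the rename that position sync performs on
the Samba4 side, and the two remedies discussed in this bug. All names and
sample DNs are constructed for the example."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ConnectorModel:
    # Samba4 side: group DN -> member DNs as they currently are in sam.ldb.
    s4_groups: dict[str, set[str]] = field(default_factory=dict)
    # "group member con cache": group DN -> member DNs the connector last
    # wrote to Samba4. Keyed by DN, so a rename done outside the connector
    # leaves stale entries behind.
    cache: dict[str, set[str]] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)
    searches: int = 0  # constructed counter: cost of the search fallback

    def add_member_from_ucs(self, group: str, member: str) -> None:
        """Normal connector path: write the member to Samba4 and cache it."""
        self.s4_groups.setdefault(group, set()).add(member)
        self.cache.setdefault(group, set()).add(member)

    def position_sync(self, renames: dict[str, str], *, update_cache: bool) -> None:
        """Move objects in sam.ldb (what the real tool does via samdb.rename).
        Member values in Samba4 follow the rename; the cache only follows it
        when update_cache is set, which is the remedy in the bug title."""
        tables = [self.s4_groups] + ([self.cache] if update_cache else [])
        for old, new in renames.items():
            for table in tables:
                for members in table.values():
                    if old in members:
                        members.remove(old)
                        members.add(new)

    def group_members_sync_from_ucs(self, group: str, ucs_members: set[str],
                                    *, search_on_miss: bool) -> set[str]:
        """Apply the UCS-side membership to Samba4; returns the DNs removed.
        A member gone from UCS is removed from Samba4 only if the cache knows
        it. With search_on_miss the connector re-reads the group from Samba4
        instead (remedy from comment 1), paying one extra lookup per miss."""
        removed: set[str] = set()
        s4_members = self.s4_groups.setdefault(group, set())
        cached = self.cache.setdefault(group, set())
        for member in sorted(s4_members - ucs_members):
            if member not in cached and search_on_miss:
                self.searches += 1
                cached.clear()
                cached.update(s4_members)  # refresh the cache from Samba4
            if member not in cached:
                self.log.append(
                    f"group_members_sync_from_ucs: {member} was not found in group "
                    f"member con cache of {group}, don't delete")
                continue
            s4_members.discard(member)
            cached.discard(member)
            removed.add(member)
        return removed


GROUP = "cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school"
# Constructed: clients created at the wrong position, then moved below the
# school OU by position sync (the DNs the bug's log lines show afterwards).
OLD_DNS = {f"cn=schulpc{i},cn=computers,dc=ucs,dc=school" for i in range(1, 6)}
RENAMES = {old: old.replace("cn=computers,dc=ucs,dc=school",
                            "cn=computers,ou=realschule,dc=ucs,dc=school")
           for old in OLD_DNS}


def run_exam(*, update_cache: bool, search_on_miss: bool) -> ConnectorModel:
    """Exam starts (clients join the group), admin runs position sync,
    exam ends (UCS empties the group) and the connector syncs that change."""
    m = ConnectorModel()
    for dn in sorted(OLD_DNS):
        m.add_member_from_ucs(GROUP, dn)
    m.position_sync(RENAMES, update_cache=update_cache)
    m.group_members_sync_from_ucs(GROUP, set(), search_on_miss=search_on_miss)
    return m


if __name__ == "__main__":
    stale = run_exam(update_cache=False, search_on_miss=False)
    print(f"bug: {len(stale.s4_groups[GROUP])} machines still in the exam group")
    for line in stale.log:
        print("  " + line)
    fixed = run_exam(update_cache=True, search_on_miss=False)
    print(f"cache updated on rename: {len(fixed.s4_groups[GROUP])} left, "
          f"{fixed.searches} extra searches")
    fallback = run_exam(update_cache=False, search_on_miss=True)
    print(f"search on cache miss: {len(fallback.s4_groups[GROUP])} left, "
          f"{fallback.searches} extra searches")
```

Running the stale case reproduces the "don't delete" lines from the description: Samba4 holds the renamed DNs, the cache still holds the old ones, and no DN matches, so the machines stay in the exam group. Either remedy empties the group; the search fallback costs one extra lookup per cache miss here, which is the performance concern raised in comment 2.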
Comment 4 Stefan Gohmann univentionstaff 2017-06-16 20:37:31 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Comment 5 Ingo Steuwer univentionstaff 2020-07-03 20:54:11 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.