Univention Bugzilla – Bug 33475
univention-s4-position-sync should update the S4 Connector groupcache
Last modified: 2020-10-02 12:22:26 CEST
We had a test UCS@school domain where due to Bug 33366 the Windows clients were not created below the school OU. This was discovered because the machine part for the GPO for the schoolexam was not evaluated by the clients. To fix this, we simply executed /usr/share/univention-s4-connector/univention-s4-position-sync and continued with the tests.

After the time of the exam was over, all exam-accounts have been removed automatically from the schoolexam group and the machines as well. Yet, the clients continued to evaluate the schoolexam GPO, denying login for all users.

The cause for this situation was found by comparing the schoolexam object in LDAP and Samba4: While the LDAP group did not show any members, in Samba4 the group still contained the machine accounts. The S4 Connector had not removed the members, because the uniqueMember DNs had changed and did not match any longer with the S4 Connector group cache:

======================================================================
19.11.2013 13:29:53,600 LDAP (PROCESS): group_members_sync_from_ucs: cn=schulpc1,cn=computers,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
19.11.2013 13:29:53,600 LDAP (PROCESS): group_members_sync_from_ucs: cn=realschule-raum1,cn=raeume,cn=groups,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
19.11.2013 13:29:53,600 LDAP (PROCESS): group_members_sync_from_ucs: cn=schulpc5,cn=computers,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
19.11.2013 13:29:53,601 LDAP (PROCESS): group_members_sync_from_ucs: cn=schulpc4,cn=computers,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
19.11.2013 13:29:53,601 LDAP (PROCESS): group_members_sync_from_ucs: cn=schulpc3,cn=computers,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
19.11.2013 13:29:53,601 LDAP (PROCESS): group_members_sync_from_ucs: cn=schulpc2,cn=computers,ou=realschule,dc=ucs,dc=school was not found in group member con cache of cn=ourealschule-klassenarbeit,cn=ucsschool,cn=groups,dc=ucs,dc=school, don't delete
======================================================================
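An added example, not part of the bug report or of the S4 Connector's code: a Python function that scans connector log text for the "don't delete" message quoted in the description above and lists, per group, the member DNs whose removal was skipped, so those groups can be compared against Samba4. The function name and the sample log (timestamps, DNs, the unrelated line) are constructed for illustration.

```python
import re
from collections import defaultdict

# The message format is taken from the log excerpt in this report.
SKIP_RE = re.compile(
    r"group_members_sync_from_ucs: (?P<member>.+?) was not found in "
    r"group member con cache of (?P<group>.+?), don't delete"
)

# Constructed sample input. The second entry is wrapped across two lines,
# as happens when a log excerpt is pasted into a ticket.
SAMPLE_LOG = """\
01.01.2020 10:00:00,000 LDAP (PROCESS): group_members_sync_from_ucs: cn=pc1,cn=computers,ou=school1,dc=example,dc=test was not found in group member con cache of cn=exam-group,cn=groups,dc=example,dc=test, don't delete
01.01.2020 10:00:00,001 LDAP (PROCESS): group_members_sync_from_ucs: CN=pc2,cn=computers,ou=school1,dc=example,dc=test was not found in group member con cache of
cn=exam-group,cn=groups,dc=example,dc=test, don't delete
01.01.2020 10:00:00,002 LDAP (PROCESS): unrelated constructed line
"""


def skipped_removals(log_text):
    """Return {group_dn: [member_dn, ...]} for removals the connector skipped.

    Every hit is a member that was removed on the UCS LDAP side but may still
    be a member of the group in Samba4, i.e. a candidate for stale membership.
    """
    found = defaultdict(set)
    # Collapse whitespace so entries wrapped across lines still match.
    flat = " ".join(log_text.split())
    for match in SKIP_RE.finditer(flat):
        # DNs compare case-insensitively, so normalise before de-duplicating.
        group = match.group("group").lower()
        found[group].add(match.group("member").lower())
    return {group: sorted(members) for group, members in found.items()}


if __name__ == "__main__":
    for group, members in skipped_removals(SAMPLE_LOG).items():
        print(group)
        for member in members:
            print("  not removed:", member)
```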
Another, more general solution would be to adjust the S4 Connector to search the group again, in case it cannot find it in its cache.
(In reply to Arvid Requate from comment #1)
> Another, more general solution would be to adjust the S4 Connector to
> search the group again, in case it cannot find it in its cache.

We should be careful with a search because it can cost a lot of performance. And the performance was the original reason for the cache.

Maybe we could simply stop the connector in univention-s4-position-sync.

Does univention-s4-position-sync do a normal ldapmodrdn or ldbrename? If so it would be a generic connector bug.
It performs a samdb.rename call against the local sam.ldb file, which eventually results in an ldbmodify operation, I think.
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version, otherwise this issue will be automatically closed in the next weeks.
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.