Bug 42393 - S4 Connector: DNS zone synchronization fails if ldap/base and samba4/ldap/base are different
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-4-errata
Assigned To: Arvid Requate
Stefan Gohmann
Depends on:
Blocks:
Reported: 2016-09-14 16:50 CEST by Jens Thorp-Hansen
Modified: 2018-12-17 21:43 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016091321000211
Bug group (optional): Workaround is available
Max CVSS v3 score:


Attachments

Description Jens Thorp-Hansen univentionstaff 2016-09-14 16:50:40 CEST
example:

root@ucs-7811:~# ucr search --brief ldap/base
connector/s4/ldap/base: DC=STUFF,DC=FOO,DC=BAR
ldap/base: dc=foo,dc=bar
samba4/ldap/base: DC=STUFF,DC=FOO,DC=BAR

produces:

14.09.2016 11:38:46,786 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1473845580.846386
14.09.2016 11:38:46,806 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 802, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2380, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1377, in ucs2con
    s4_zone_create_wrapper(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 776, in s4_zone_create_wrapper
    result = s4_zone_create(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 678, in s4_zone_create
    __create_s4_forward_zone(s4connector, zone_dn)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 455, in __create_s4_forward_zone
    s4connector.lo_s4.lo.add_s(zone_dn, al)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 202, in add_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 465, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 469, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: objectclass: Cannot add dc=6.200.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,dc=stuff,DC=stuff,DC=foo,DC=bar, parent does not exist!', 'desc': 'No such object'}

It is unclear if that only happens on zone-add or also on zone-modify. The behaviour happened in Ticket#2016091321000211 (4.1-0 140) and in a newly installed 4.1-0 (0).

The behaviour may happen in every environment that has similar settings!
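The failing DN in the traceback above ends in `dc=stuff,DC=stuff,DC=foo,DC=bar`, i.e. the RDN that samba4/ldap/base adds on top of ldap/base appears twice, so the object's parent cannot exist. The following is an added illustration written for this report, not the S4 Connector's own code: it shows why a UCS-to-Samba base mapping has to be RDN-aligned and applied exactly once when samba4/ldap/base itself ends in ldap/base, and reproduces the server's "parent does not exist" refusal against a constructed in-memory directory. The helper names, the `SAMBA_DIRECTORY` stand-in and the naive mapping variant are assumptions made for the illustration.

```python
"""Added illustration (not UCS/S4 Connector code): mapping a UCS DN below
ldap/base onto samba4/ldap/base, and the failure shape when the mapping is
applied twice.  Helper names and the in-memory directory are assumptions."""
import re

# UCR values from the report: ldap/base and samba4/ldap/base.
UCS_BASE = "dc=foo,dc=bar"
S4_BASE = "DC=STUFF,DC=FOO,DC=BAR"


def split_rdns(dn):
    """Split a DN at unescaped commas; DNs are compared per RDN, case-insensitively."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def ends_with_base(dn, base):
    """RDN-aligned, case-insensitive check that `dn` lies below `base`."""
    d = [r.lower() for r in split_rdns(dn)]
    b = [r.lower() for r in split_rdns(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def naive_map(dn, ucs_base=UCS_BASE, s4_base=S4_BASE):
    """Plain suffix substitution (assumed variant, shown for contrast).  Because
    S4_BASE ends in UCS_BASE, this is not idempotent: mapping an already mapped
    DN yields ...,DC=STUFF,DC=STUFF,DC=FOO,DC=BAR, the shape seen in the log."""
    return re.sub(re.escape(ucs_base) + r"$", s4_base, dn, flags=re.IGNORECASE)


def map_ucs_to_s4(dn, ucs_base=UCS_BASE, s4_base=S4_BASE):
    """Safe variant: leave already mapped DNs alone, then swap the base RDNs."""
    if ends_with_base(dn, s4_base):
        return dn
    if not ends_with_base(dn, ucs_base):
        raise ValueError("%s is not below %s" % (dn, ucs_base))
    rdns = split_rdns(dn)
    keep = len(rdns) - len(split_rdns(ucs_base))
    return ",".join(rdns[:keep] + [s4_base])


def ucs_zone_dn_to_s4(ucs_zone_dn, ucs_base=UCS_BASE, s4_base=S4_BASE):
    """zoneName=<zone>,cn=dns,<ldap/base>
       -> DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,<samba4/ldap/base>
    (the AD DNS partition layout visible in the traceback)."""
    rdns = split_rdns(ucs_zone_dn)
    if len(rdns) < 3 or not rdns[0].lower().startswith("zonename=") \
            or rdns[1].lower() != "cn=dns":
        raise ValueError("not a UCS DNS zone DN: %s" % ucs_zone_dn)
    zone = rdns[0].split("=", 1)[1]
    s4_domain_base = map_ucs_to_s4(",".join(rdns[2:]), ucs_base, s4_base)
    return "DC=%s,CN=MicrosoftDNS,DC=DomainDnsZones,%s" % (zone, s4_domain_base)


def parent_exists(dn, existing_dns):
    """Mimic the server-side check behind 'Cannot add ..., parent does not
    exist!': the immediate parent of `dn` must already be in the directory."""
    parent = ",".join(split_rdns(dn)[1:]).lower()
    return parent in {e.lower() for e in existing_dns}


# Constructed stand-in for the Samba directory: only the DNS container exists.
SAMBA_DIRECTORY = {"CN=MicrosoftDNS,DC=DomainDnsZones,DC=STUFF,DC=FOO,DC=BAR"}

if __name__ == "__main__":
    zone = "zoneName=6.200.10.in-addr.arpa,cn=dns,dc=foo,dc=bar"
    good = ucs_zone_dn_to_s4(zone)
    print(good, parent_exists(good, SAMBA_DIRECTORY))
    doubled = naive_map(naive_map(UCS_BASE))
    bad = "DC=6.200.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones," + doubled
    print(bad, parent_exists(bad, SAMBA_DIRECTORY))
```

Run stand-alone it prints the correctly mapped reverse-zone DN with `True`, and the doubled-base DN with `False`, which is the condition the server reports as `NO_SUCH_OBJECT` / "parent does not exist". The point of `map_ucs_to_s4` checking for `S4_BASE` before `UCS_BASE` is exactly this configuration: a DN that already ends in `DC=STUFF,DC=FOO,DC=BAR` also ends in `dc=foo,dc=bar`, so a mapping that only tests the UCS suffix will re-map it.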
Comment 1 Jens Thorp-Hansen univentionstaff 2016-09-15 16:57:33 CEST
still true for 4.1-3 E268 and seems to happen with zone-add of the reverse zone.

Workaround: add the zone manually

example:
root@ucs-5593:~# samba-tool dns zonecreate SERVER 6.200.10.in-addr.arpa -UAdministrator%PASSWORD
Comment 2 Jens Thorp-Hansen univentionstaff 2016-10-06 15:08:12 CEST
Ticket#2016091321000211
Comment 3 Jens Thorp-Hansen univentionstaff 2016-11-07 16:11:20 CET
Increases in severity as mentioned in the attached ticket. The resulting rejects obscure possible real problems. The customer cannot implement the workaround.
Comment 4 Jens Thorp-Hansen univentionstaff 2016-11-11 13:34:24 CET
DC synchronisation is not working either
Comment 5 Arvid Requate univentionstaff 2016-12-13 20:37:13 CET
I think I fixed the samba4/ldap/base mapping issue but I'm not exactly sure how to reproduce this cleanly. I've just abused my plain UCS 4.1 installation (w/o Samba):

ucr set kerberos/realm="SUB.$(ucr get kerberos/realm)"
univention-install univention-s4-connector

After that now I'm still left with rejects in the _msdcs sub-zone of my UCS "$domain". E.g.

====================================================
root@master:~# host gc._msdcs.ar41i2.qa
Host gc._msdcs.ar41i2.qa not found: 3(NXDOMAIN)
====================================================

but the relevant sub-domain gets synchronized:
====================================================
root@master:~# host gc._msdcs.sub.ar41i2.qa
gc._msdcs.sub.ar41i2.qa has address 10.200.8.40
====================================================

I'm not sure if this is a real-life case though. If it is, that would be a bit harder to fix, because usually the _msdcs zone is always present in Samba and the code is not prepared for the case where it is only present in OpenLDAP. In that case we would have to add special treatment for that zone, because we would have to instruct the S4-Connector to create that zone (only) in ForestDnsZones. I'm leaving this for QA to decide if handling this is required too. As far as I understand the Ticket, that's not the point.

Also, Comment 4 says

> DC synchronisation is not working either

but I can see no evidence in the connector-s4.log attached at the Ticket, so I have no clue what to fix. I'd say this should go into a separate Bug with proper evidence.

Merged to and built for UCS 4.2.
Advisory: univention-s4-connector.yaml
Comment 6 Stefan Gohmann univentionstaff 2016-12-14 09:29:51 CET
You can simply reproduce it. Just install UCS with a domain, for example foo.bar.com, and use dc=bar,dc=com as LDAP base in the UCS installer.

On my test system it looks like this:

root@ucs-3620:~# ucr search --brief ldap/base
connector/s4/ldap/base: DC=FOO,DC=DEADLOCK33,DC=INTRANET
ldap/base: dc=deadlock33,dc=intranet
samba4/ldap/base: DC=FOO,DC=DEADLOCK33,DC=INTRANET
root@ucs-3620:~# 

After the installation I had the following rejects:
root@ucs-3620:~# univention-s4connector-list-rejected

UCS rejected

    1:   UCS DN: zoneName=201.10.in-addr.arpa,cn=dns,dc=deadlock33,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1481703305.685577

    2:   UCS DN: relativeDomainName=1.33,zoneName=201.10.in-addr.arpa,cn=dns,dc=deadlock33,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1481703305.823988

    3:   UCS DN: cn=ucs-3620,cn=dc,cn=computers,dc=deadlock33,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1481703431.012150

    4:   UCS DN: cn=ucs-3620,cn=dc,cn=computers,dc=deadlock33,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1481703531.734460

    5:   UCS DN: cn=ucs-3620,cn=dc,cn=computers,dc=deadlock33,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1481703554.416650


S4 rejected

    1:    S4 DN: CN=UCS-3620,OU=Domain Controllers,DC=foo,DC=deadlock33,DC=intranet
         UCS DN: <not found>

        last synced USN: 3813
root@ucs-3620:~# 

The log file looked like this:
14.12.2016 09:21:31,469 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1481703305.685577
14.12.2016 09:21:31,473 LDAP        (PROCESS): sync from ucs: [           dns] [       add] DC=@,dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,dc=foo,DC=foo,DC=deadlock33,DC=intranet
14.12.2016 09:21:31,489 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1481703305.685577
14.12.2016 09:21:31,490 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 842, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2363, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1568, in ucs2con
    s4_zone_create_wrapper(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 843, in s4_zone_create_wrapper
    result = s4_zone_create(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 741, in s4_zone_create
    __create_s4_forward_zone(s4connector, zone_dn)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 473, in __create_s4_forward_zone
    s4connector.lo_s4.lo.add_s(zone_dn, al)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 202, in add_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 465, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 469, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: objectclass: Cannot add dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,dc=foo,DC=foo,DC=deadlock33,DC=intranet, parent does not exist!', 'desc': 'No such object'}

14.12.2016 09:21:31,490 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1481703305.823988
14.12.2016 09:21:31,499 LDAP        (WARNING): sync failed, saved as rejected 
        /var/lib/univention-connector/s4/1481703305.823988
14.12.2016 09:21:31,499 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 986, in resync_rejected_ucs
    if self.__sync_file_from_ucs(filename, append_error=' rejected'):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 838, in __sync_file_from_ucs
    object = self._object_mapping(key, object, 'ucs')
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1763, in _object_mapping
    object = function(self, object, dn_mapping_stored, isUCSobject=(object_type == 'ucs'))
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 268, in dns_dn_mapping
    show_deleted=False)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 1116, in __search_s4
    rtype, rdata, rmsgid, serverctrls = self.lo_s4.lo.result3(msgid)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: No such Base DN: DC=201.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=FOO,DC=DEADLOCK33,DC=INTRANET', 'desc': 'No such object'}

14.12.2016 09:21:31,500 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1481703431.012150
14.12.2016 09:21:31,506 LDAP        (PROCESS): sync from ucs: [            dc] [    modify] CN=UCS-3620,ou=domain controllers,dc=foo,DC=foo,DC=deadlock33,DC=intranet
14.12.2016 09:21:31,513 LDAP        (ERROR  ): sync_from_ucs: traceback during add object: CN=UCS-3620,ou=domain controllers,dc=foo,DC=foo,DC=deadlock33,DC=intranet
14.12.2016 09:21:31,513 LDAP        (ERROR  ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'computer']), ('userAccountControl', ['532480']), (u'cn', [u'ucs-3620']), ('operatingSystemVersion', [u'4.1-4']), ('sAMAccountName', [u'ucs-3620$']), ('operatingSystem', [u'Univention Corporate Server'])]
14.12.2016 09:21:31,518 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1481703431.012150
14.12.2016 09:21:31,518 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 842, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2402, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls)  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 187, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: objectclass: Cannot add CN=UCS-3620,ou=domain controllers,dc=foo,DC=foo,DC=deadlock33,DC=intranet, parent does not exist!', 'desc': 'No such object'}

After installing the new S4 connector version, everything seems to work.
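All three rejects in the log above share one shape: the DN the connector tried to add ends in `dc=foo,DC=foo,DC=deadlock33,DC=intranet`, carrying the extra RDN of samba4/ldap/base twice. The following is an added triage helper, not part of UCS: it scans a connector-s4.log excerpt for "parent does not exist" rejects, pairs each with the reject file logged just before it, and flags DNs whose base RDNs are duplicated, so these can be told apart from genuine missing-parent rejects before they are resynced. The sample log text is constructed from the lines in this comment, and the function names are assumptions.

```python
"""Added triage helper (not UCS code): find 'parent does not exist' rejects in
connector-s4.log and flag DNs whose base RDNs are duplicated, the shape seen
when ldap/base and samba4/ldap/base differ.  Sample log is constructed."""
import re

UCS_BASE = "dc=deadlock33,dc=intranet"
S4_BASE = "DC=FOO,DC=DEADLOCK33,DC=INTRANET"

# Constructed excerpt, abridged from the log lines in Comment 6.
SAMPLE_LOG = """\
14.12.2016 09:21:31,473 LDAP        (PROCESS): sync from ucs: [           dns] [       add] DC=@,dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,dc=foo,DC=foo,DC=deadlock33,DC=intranet
14.12.2016 09:21:31,489 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1481703305.685577
14.12.2016 09:21:31,490 LDAP        (WARNING): Traceback (most recent call last):
NO_SUCH_OBJECT: {'info': '00002030: objectclass: Cannot add dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,dc=foo,DC=foo,DC=deadlock33,DC=intranet, parent does not exist!', 'desc': 'No such object'}
14.12.2016 09:21:31,518 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1481703431.012150
NO_SUCH_OBJECT: {'info': '00002030: objectclass: Cannot add CN=UCS-3620,ou=domain controllers,dc=foo,DC=foo,DC=deadlock33,DC=intranet, parent does not exist!', 'desc': 'No such object'}
"""

# The reject file name is logged on its own indented line after the warning.
REJECT_FILE_RE = re.compile(r"^\s*(?P<file>/var/lib/univention-connector/s4/\S+)\s*$")
PARENT_MISSING_RE = re.compile(r"Cannot add (?P<dn>.+?), parent does not exist!")


def rdns(dn):
    """Lower-cased RDN list; the sample DNs contain no escaped commas."""
    return [r.strip().lower() for r in dn.split(",")]


def has_doubled_base(dn, ucs_base=UCS_BASE, s4_base=S4_BASE):
    """True when the RDNs that samba4/ldap/base adds on top of ldap/base occur
    twice in a row at the end of `dn`, e.g. ...,dc=foo,DC=foo,DC=deadlock33,DC=intranet."""
    u, s = rdns(ucs_base), rdns(s4_base)
    if len(s) <= len(u) or s[len(s) - len(u):] != u:
        return False  # bases are unrelated: this failure shape cannot occur
    extra = s[: len(s) - len(u)]
    tail = extra + extra + u
    d = rdns(dn)
    return len(d) >= len(tail) and d[len(d) - len(tail):] == tail


def triage_rejects(log_text, ucs_base=UCS_BASE, s4_base=S4_BASE):
    """Pair each 'parent does not exist' error with the most recently logged
    reject file.  Returns a list of (reject_file, dn, doubled_base)."""
    findings, current_file = [], None
    for line in log_text.splitlines():
        m = REJECT_FILE_RE.match(line)
        if m:
            current_file = m.group("file")
            continue
        m = PARENT_MISSING_RE.search(line)
        if m:
            dn = m.group("dn")
            findings.append((current_file, dn, has_doubled_base(dn, ucs_base, s4_base)))
    return findings


if __name__ == "__main__":
    for reject_file, dn, doubled in triage_rejects(SAMPLE_LOG):
        print("%s  doubled-base=%s  %s" % (reject_file, doubled, dn))
```

On a real system the same function can be fed `/var/log/univention/connector-s4.log` with the values of `ucr get ldap/base` and `ucr get samba4/ldap/base`; a reject whose DN is flagged `doubled-base=True` is an instance of this mapping problem, while one that is not flagged points at a parent that is genuinely absent in Samba and needs separate attention.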
Comment 7 Stefan Gohmann univentionstaff 2016-12-14 11:23:12 CET
Tests: OK, see Comment #6.

YAML: OK

Code review: OK

UCS 4.2 merge: OK
Comment 8 Philipp Hahn univentionstaff 2016-12-21 15:32:55 CET
<http://errata.software-univention.de/ucs/4.1/365.html>