Univention Bugzilla – Bug 49708
S4-Connector reject for dns-slave service account after upgrade to ucsschool 4.4 v2
Last modified: 2020-11-10 10:36:42 CET
After the upgrade to ucsschool 4.4 v2 and executing univention-run-join-scripts the following traceback is shown:

24.06.2019 08:12:52.831 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 08:12:52.839 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=dns-slave,CN=Users,dc=schein,dc=me
24.06.2019 08:12:52.910 LDAP (WARNING): __set_values: The attributes for lastname have not been removed as it represents a mandatory attribute
24.06.2019 08:12:53.247 LDAP (ERROR ): Unknown Exception during sync_to_ucs
24.06.2019 08:12:53.247 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1547, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1295, in add_in_ucs
    res = ucs_object.create(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 546, in create
    self._ldap_pre_ready()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1613, in _ldap_pre_ready
    self.alloc.append(('uid', univention.admin.allocators.request(self.lo, self.position, 'uid', value=self['username'])))
  File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 195, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type])
  File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 173, in acquireUnique
    univention.admin.locking.lock(lo, position, type, value, scope=scope)
  File "/usr/lib/pymodules/python2.7/univention/admin/locking.py", line 100, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=schein,dc=me'.
This seems to happen if the dns-slave object already existed on the master.
Okay, the dns-slave object was not created on the master. But the s4 reject comes up after the upgrade:

univention-s4connector-list-rejected

UCS rejected

S4 rejected

1: S4 DN: CN=dns-slave,CN=Users,DC=schein,DC=me
   UCS DN: <not found>
   last synced USN: 138427

------------------------------------------------

After running the 98univention-samba4-dns script to fix the missing entry on the master I've got more rejects.

univention-s4connector-list-rejected

UCS rejected

1: UCS DN: uid=dns-slave,cn=users,dc=schein,dc=me
   S4 DN: cn=dns-slave,cn=users,DC=schein,DC=me
   Filename: /var/lib/univention-connector/s4/1561377839.863336

2: UCS DN: uid=dns-slave,cn=users,dc=schein,dc=me
   S4 DN: cn=dns-slave,cn=users,DC=schein,DC=me
   Filename: /var/lib/univention-connector/s4/1561377840.325360

S4 rejected

1: S4 DN: CN=dns-slave,CN=Users,DC=schein,DC=me
   UCS DN: uid=dns-slave,cn=users,dc=schein,dc=me
   last synced USN: 138427

And additionally the system diagnostic on the slave shows:

CRITICAL : Check kerberos authenticated DNS updates
Errors occured while running kinit or nsupdate
kinit for principal dns-ucsdc with keytab /var/lib/samba/private/dns.keytab failed.

The password was now incorrect and I had to fix it with

samba-tool user setpassword --newpassword="$(ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=dns-$(hostname) secret | sed -ne 's/^secret: //p')" --filter=samaccountname=dns-$(hostname)
The traceback, after univention-run-join-scripts --force --run-scripts 98univention-samba4-dns:

24.06.2019 14:04:55.156 LDAP (PROCESS): sync from ucs: [ user] [ add] CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 14:04:55.161 LDAP (PROCESS): Unable to sync CN=dns-slave,CN=Users,DC=schein,DC=me (GUID: 650b482b-becc-46f4-96de-a4dd67e4d28a). The object is currently locked.
24.06.2019 14:04:55.163 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1561377840.325360
24.06.2019 14:04:55.166 LDAP (PROCESS): sync from ucs: [ user] [ modify] CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 14:04:55.170 LDAP (PROCESS): Unable to sync CN=dns-slave,CN=Users,DC=schein,DC=me (GUID: 650b482b-becc-46f4-96de-a4dd67e4d28a). The object is currently locked.
24.06.2019 14:04:55.171 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 14:04:55.176 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=dns-slave,cn=users,dc=schein,dc=me
24.06.2019 14:04:55.400 LDAP (ERROR ): failed in post_con_modify_functions
24.06.2019 14:04:55.408 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1577, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/password.py", line 829, in password_sync_s4_to_ucs
    s4connector.lo.lo.modify(ucs_object['dn'], modlist)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 693, in modify
    self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 753, in modify_ext_s
    rtype, rdata, rmsgid, resp_ctrls = lo_ref.modify_ext_s(dn, ml, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 987, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 931, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
INSUFFICIENT_ACCESS: {'desc': 'Insufficient access'}
24.06.2019 14:05:50.989 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1561377839.863336
24.06.2019 14:05:50.993 LDAP (PROCESS): sync from ucs: [ user] [ add] cn=dns-slave,cn=users,DC=schein,DC=me
24.06.2019 14:05:50.997 LDAP (PROCESS): Unable to sync cn=dns-slave,cn=users,DC=schein,DC=me (GUID: 650b482b-becc-46f4-96de-a4dd67e4d28a). The object is currently locked.
24.06.2019 14:05:50.999 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1561377840.325360
24.06.2019 14:05:51.003 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=dns-slave,cn=users,DC=schein,DC=me
24.06.2019 14:05:51.007 LDAP (PROCESS): Unable to sync cn=dns-slave,cn=users,DC=schein,DC=me (GUID: 650b482b-becc-46f4-96de-a4dd67e4d28a). The object is currently locked.
24.06.2019 14:05:51.016 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 14:05:51.020 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=dns-slave,cn=users,dc=schein,dc=me
24.06.2019 14:05:51.070 LDAP (WARNING): __set_values: The attributes for lastname have not been removed as it represents a mandatory attribute
24.06.2019 14:05:51.379 LDAP (ERROR ): Unknown Exception during sync_to_ucs
24.06.2019 14:05:51.380 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1565, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1316, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1396, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 642, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1312, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 891, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
Happened again
After the update to UCS@school 4.4-7 the reject is now back on 3 servers.

Nicht synchronisierte S4 Objekte: S4 DN: CN=dns-schulucs1,CN=Users,DC=bsp-schule,DC=net, UCS DN: nicht gefunden
Nicht synchronisierte S4 Objekte: S4 DN: CN=dns-schulucs2,CN=Users,DC=bsp-schule,DC=net, UCS DN: nicht gefunden
Nicht synchronisierte S4 Objekte: S4 DN: CN=dns-schulucs3,CN=Users,DC=bsp-schule,DC=net, UCS DN: nicht gefunden
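
For triaging connector logs like the ones quoted in this report, the following added example (not part of the bug report and not Univention code) groups the logged failures by the DN being synced. It assumes the line layout visible in the excerpts above; the function name `summarize` and the shortened sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Timestamped connector log line: "24.06.2019 08:12:53.247 LDAP (ERROR ): message"
LINE = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3} LDAP \((\w+)\s*\): (.*)$")
# "sync to ucs: [ user] [ add] <dn>" names the object being processed
SYNC = re.compile(r"sync (?:to|from) ucs:\s*\[\s*\w+\]\s*\[\s*\w+\]\s*(.+)")
LOCKED = re.compile(r"Unable to sync (.+?) \(GUID: [0-9a-f-]+\)\. The object is currently locked\.")

def summarize(log_text):
    """Map each DN (lower-cased) to the failures logged while it was processed."""
    failures = defaultdict(list)
    current_dn = None
    tail = None  # continuation lines of an open traceback, None if none is open

    def close_traceback():
        nonlocal tail
        if tail:
            # last continuation line is "ExceptionName: detail" or a bare name
            failures[current_dn].append(tail[-1].split(":", 1)[0].strip())
        tail = None

    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:  # untimestamped line: part of a traceback, if one is open
            if tail is not None and raw.strip():
                tail.append(raw.strip())
            continue
        close_traceback()  # a new timestamped line ends any open traceback
        level, msg = m.groups()
        if (s := SYNC.search(msg)):
            current_dn = s.group(1).strip().lower()
        elif (lk := LOCKED.search(msg)):
            failures[lk.group(1).lower()].append("locked")
        elif level == "ERROR" and msg.startswith("Traceback"):
            tail = []
    close_traceback()
    return dict(failures)

# Constructed sample: lines taken from the report, traceback frames shortened.
SAMPLE = """\
24.06.2019 08:12:52.839 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=dns-slave,CN=Users,dc=schein,dc=me
24.06.2019 08:12:53.247 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/admin/locking.py", line 100, in lock
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=schein,dc=me'.
24.06.2019 14:04:55.156 LDAP (PROCESS): sync from ucs: [ user] [ add] CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 14:04:55.161 LDAP (PROCESS): Unable to sync CN=dns-slave,CN=Users,DC=schein,DC=me (GUID: 650b482b-becc-46f4-96de-a4dd67e4d28a). The object is currently locked.
"""

if __name__ == "__main__":
    for dn, errs in summarize(SAMPLE).items():
        print(dn, errs)
```
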