Univention Bugzilla – Bug 49736
Expired user account causes S4-Connector reject on the school slaves
Last modified: 2019-12-05 10:17:31 CET
Environment:
UCSschool multimaster
UCS: 4.3-4 errata529
ucsschool=4.3 v8

Reproduced in my test environment with
UCS: 4.4-0 errata0
ucsschool=4.4 v2

How to reproduce:
Add a global user. When the user is replicated to all school slaves, just set account expiry date to a previous date, so the account is deactivated.

Now all school slaves get the following reject for the user:

21.06.2019 19:12:24,832 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=cschein,CN=Users,DC=schein,DC=me
21.06.2019 19:12:24,838 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=cschein,cn=users,dc=schein,dc=me
21.06.2019 19:12:24,856 LDAP (ERROR ): Unknown Exception during sync_to_ucs
21.06.2019 19:12:24,856 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1565, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1316, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1674, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 635, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1283, in _modify
    self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 823, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
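Added example (not part of the bug report and not Univention code): a Python helper that pairs each "Resync rejected dn" line in S4-Connector log output, in the layout quoted above, with the exception name and innermost frame of the traceback that follows it. The function name, the regular expressions and the second DN in the sample (a resync that succeeds) are assumptions made for illustration.

```python
import re

# Constructed sample: log lines quoted in the report (traceback shortened)
# plus one made-up resync that succeeds, so there is a negative case.
SAMPLE_LOG = '''\
21.06.2019 19:12:24,832 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=cschein,CN=Users,DC=schein,DC=me
21.06.2019 19:12:24,838 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=cschein,cn=users,dc=schein,dc=me
21.06.2019 19:12:24,856 LDAP (ERROR ): Unknown Exception during sync_to_ucs
21.06.2019 19:12:24,856 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1565, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 823, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
21.06.2019 19:12:25,101 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=example,CN=Users,DC=example,DC=test
21.06.2019 19:12:25,140 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=example,cn=users,dc=example,dc=test
'''

# Timestamped record header; milliseconds may follow "," or "." (both occur above).
RECORD = re.compile(r'^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}[.,]\d{3}) LDAP\s*\((\w+)\s*\): ?(.*)$')
FRAME = re.compile(r'^\s*File "([^"]+)", line (\d+), in (\S+)')
RESYNC = 'Resync rejected dn: '

def failed_resyncs(text):
    """Return one dict per resync attempt that ended in a traceback."""
    failures, current, in_tb = [], None, False
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            stamp, level, msg = m.groups()
            in_tb = level == 'ERROR' and msg.startswith('Traceback')
            if RESYNC in msg:
                current = {'dn': msg.split(RESYNC, 1)[1], 'time': stamp,
                           'exception': None, 'frame': None}
            elif in_tb and current is not None and current not in failures:
                failures.append(current)
        elif in_tb and current is not None and line.strip():
            f = FRAME.match(line)
            if f:  # keep overwriting: the last frame is the innermost one
                current['frame'] = '%s:%s in %s' % f.groups()
            elif not line.startswith(' '):
                # Unindented continuation line is the final "ExceptionName[: msg]"
                current['exception'] = line.split(':', 1)[0].strip()
    return failures

if __name__ == '__main__':
    for item in failed_resyncs(SAMPLE_LOG):
        print(item)
```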
Created attachment 10096
Debuglevel4
To be sure: is this reproducible for any global user in any UCS@school installation?
(In reply to Ingo Steuwer from comment #2)
> To be sure: is this reproducible for any global user in any UCS@school
> installation?

If I can reproduce it in my test environment, I think this is an issue for all school customers.
How many different types of global users do we have?
(In reply to Christina Scheinig from comment #3)
> (In reply to Ingo Steuwer from comment #2)
> > To be sure: is this reproducible for any global user in any UCS@school
> > installation?
>
> If I can reproduce it in my test environment, I think this is an issue for
> all school customers.

Do you have Samba 4 and the S4 connector installed on the DC Master? If not, does it work if you install it on the DC Master?
I have new insights here.
I installed samba4 and the connector on my master in my test environment, but the reject didn't dissolve.
So I removed the reject and changed the description on the object to retrigger the synchronisation. The object gets rejected again.

Getting a UMC notification:
-----------------
The following empty properties were set to default values in the form. These values will be applied when saving.
Account - Deactivation - Account is deactivated: false
-----------------

I realized that the account is not deactivated at all, just expired.
Deactivating the account removes the reject immediately (with samba4 on the master).
Setting the account back to expired, the reject occurs again with the following attributes to change:

07.10.2019 12:16:02.864 LDAP (INFO ): The following attributes have been changed: ['whenChanged', 'userAccountControl', 'uSNChanged']
Maybe related to/caused by Bug #46067.