Bug 28907 - S4 Connector reject Constraint violation - PrimaryKerberos num_old_keys > num_keys
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 3.0
Other Linux
: P5 normal
: UCS 3.1
Assigned To: Arvid Requate
Felix Botner
: interim-3
Depends on: 28906
Reported: 2012-10-24 18:45 CEST by Arvid Requate
Modified: 2020-02-24 18:11 CET

Description Arvid Requate univentionstaff 2012-10-24 18:45:29 CEST
The patch for Bug #28906 must be carried over to UCS 3.1.


+++ This bug was initially created as a clone of Bug #28906 +++

After taking over a Windows 2008 AD server via univention-ad-takeover,
the password of one of the migrated users was changed via UDM. Afterwards
a reject occurred in the S4 Connector:

============================================================
24.10.2012 15:32:07,371 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 751, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old))):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/__init__.py", line 2282, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/password.py", line 540, in password_sync_ucs_to_s4
    s4connector.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), modlist, serverctrls=[ ctrl_bypass_password_hash ])
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 295, in modify_ext_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: Constraint violation - PrimaryKerberos num_old_keys > num_keys at ../source4/dsdb/samdb/ldb_modules/password_hash.c:376', 'desc': 'Constraint violation'}
============================================================

The cause is the same as in Bug 24779, namely that

  "W2k8 DCs, when communicating with W2k3 DCs, write the NT hash into the
  supplementalCredentials attribute as a dummy value."

In the S4 -> UCS direction, such a key (with keytype -140L) is ignored by the
change made for Bug 24779. In the reverse direction, however, this key has so
far still moved on into the "old_keys", and then the new key array has one
entry fewer than the old one, which Samba4 answers with the traceback.
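
The count mismatch described above, modelled as an added Python example that is not part of the original report or of the S4 Connector code. The Key tuple, the function names and the sample keys are constructed; dropping the keytype -140 entry from old_keys is an assumed guard, since the report does not show the actual patch.

```python
# Added illustration: all names and sample data are constructed assumptions.
from collections import namedtuple

DUMMY_KEYTYPE = -140  # keytype of the dummy NT-hash entry named in the report
Key = namedtuple("Key", "keytype value")


class ConstraintViolation(Exception):
    """Stands in for the LDAP CONSTRAINT_VIOLATION returned by Samba 4."""


def check_primary_kerberos(keys, old_keys):
    # Models only the count check quoted in the traceback.
    if len(old_keys) > len(keys):
        raise ConstraintViolation("PrimaryKerberos num_old_keys > num_keys")
    return len(keys), len(old_keys)


def rotate_keys(new_ucs_keys, previous_s4_keys, drop_dummy):
    """Build (keys, old_keys) for a UCS -> S4 password sync.

    The keys previously stored in S4 become old_keys. With drop_dummy the
    -140 entry is filtered out first, as the S4 -> UCS direction already does.
    """
    old_keys = list(previous_s4_keys)
    if drop_dummy:
        old_keys = [k for k in old_keys if k.keytype != DUMMY_KEYTYPE]
    return list(new_ucs_keys), old_keys


# Constructed sample: keys held in S4 after the takeover, dummy entry included.
S4_BEFORE = [Key(3, b"des-md5-old"), Key(1, b"des-crc-old"),
             Key(DUMMY_KEYTYPE, b"nt-hash-dummy")]
# Constructed sample: keys UCS generates for the new password (no dummy entry).
UCS_NEW = [Key(3, b"des-md5-new"), Key(1, b"des-crc-new")]


def demo():
    """Return the check result without and with the dummy-key filter."""
    results = {}
    for drop in (False, True):
        keys, old_keys = rotate_keys(UCS_NEW, S4_BEFORE, drop_dummy=drop)
        try:
            results[drop] = check_primary_kerberos(keys, old_keys)
        except ConstraintViolation as exc:
            results[drop] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```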
Comment 1 Arvid Requate univentionstaff 2012-10-24 20:43:47 CEST
Fixed.
Comment 2 Felix Botner univentionstaff 2012-11-15 15:49:25 CET
OK, I could not find any more problems.
Comment 3 Stefan Gohmann univentionstaff 2012-12-12 21:09:34 CET
UCS 3.1-0 has been released: 
 http://forum.univention.de/viewtopic.php?f=54&t=2125

If this error occurs again, please use "Clone This Bug".