Bug 34880 - Bad DSA objectGUID <guid> for sid <UDM sid> - expected sid <samba sid>
Status: RESOLVED WONTFIX
Product: UCS@school
Classification: Unclassified
Component: Samba 4
Version: UCS@school 3.2 R2
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2014-05-20 20:14 CEST by Arvid Requate
Modified: 2019-02-05 21:49 CET

Description Arvid Requate univentionstaff 2014-05-20 20:14:49 CEST
During the tests for Bug #32187 we observed a situation where a second Samba4 DC joined into a UCS@school Samba4 Slave PDC could not access the PDC for DRS replication (samba-tool drs showrepl on the new DC showed this). The PDC showed the following messages in log.samba:

========================================================================
[2014/05/20 12:14:44.435918,  0, pid=22531] ../source4/dsdb/common/util.c:4276(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4276: Bad DSA objectGUID ce84764e-9468-4735-8989-0b668a6329c0 for sid S-1-5-21-3208242057-1788187455-3372601454-5018 - expected sid S-1-5-21-3208242057-1788187455-3372601454-1104
[2014/05/20 12:14:44.436056,  0, pid=22531] ../source4/rpc_server/drsuapi/updaterefs.c:274(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:274: Refusing DsReplicaUpdateRefs for sid S-1-5-21-3208242057-1788187455-3372601454-5018 with GUID ce84764e-9468-4735-8989-0b668a6329c0
========================================================================

There are two SIDs here: the -1104 one is the "temporary" SID that the PDC Samba4 assigned to the new DC during join. The -5018 one is the SID from UDM, which was synchronized to Samba4 by the S4 Connector.

I tracked the issue down to the serverReference attribute, which still stored the "temporary" SID in a thing called "extended DN". The ucs-school-join-secondary-samba4 script created for Bug #32187 shows an example workaround which might be useful in case this happens again, e.g. on Samba4 DCs in the central school department.
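
A log triage sketch for the two messages quoted in the description, added here as an example and not part of the original report or of Univention's tooling: it pulls the GUID, the presented SID and the expected SID out of log.samba records and flags whether the replication request was then refused. The function and field names are hypothetical; the sample input is the log excerpt from the description.

```python
import re
from collections import namedtuple

# The two log.samba records quoted in the description above, verbatim.
SAMPLE_LOG = """\
[2014/05/20 12:14:44.435918,  0, pid=22531] ../source4/dsdb/common/util.c:4276(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4276: Bad DSA objectGUID ce84764e-9468-4735-8989-0b668a6329c0 for sid S-1-5-21-3208242057-1788187455-3372601454-5018 - expected sid S-1-5-21-3208242057-1788187455-3372601454-1104
[2014/05/20 12:14:44.436056,  0, pid=22531] ../source4/rpc_server/drsuapi/updaterefs.c:274(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:274: Refusing DsReplicaUpdateRefs for sid S-1-5-21-3208242057-1788187455-3372601454-5018 with GUID ce84764e-9468-4735-8989-0b668a6329c0
"""

HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+, pid=\d+\]")
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
SID = r"S-1-5-21(?:-\d+){4}"
BAD = re.compile(rf"Bad DSA objectGUID (?P<guid>{GUID}) for sid (?P<got>{SID}) - expected sid (?P<want>{SID})")
REFUSED = re.compile(rf"Refusing DsReplicaUpdateRefs for sid (?P<got>{SID}) with GUID (?P<guid>{GUID})")
Finding = namedtuple("Finding", "timestamp guid presented_sid expected_sid same_domain refused")

def split_sid(sid):
    """Return (domain SID, RID) for a domain-relative SID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def find_sid_mismatches(log_text):
    """Pair each 'Bad DSA objectGUID' record with a refusal for the same GUID and SID."""
    timestamp, bad, refused = None, [], set()
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:  # record header line: remember its timestamp for the message that follows
            timestamp = header["ts"]
            continue
        m = BAD.search(line)
        if m:
            bad.append((timestamp, m["guid"].lower(), m["got"], m["want"]))
            continue
        m = REFUSED.search(line)
        if m:
            refused.add((m["guid"].lower(), m["got"]))
    # same_domain is True when the two SIDs differ only in their RID.
    return [Finding(ts, guid, got, want, split_sid(got)[0] == split_sid(want)[0], (guid, got) in refused)
            for ts, guid, got, want in bad]

if __name__ == "__main__":
    for finding in find_sid_mismatches(SAMPLE_LOG):
        print(finding)
```

A finding with `same_domain` true and differing RIDs matches the situation described here, where one DC account is known under two SIDs of the same domain.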
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2019-02-05 21:49:35 CET
This issue has been filed against UCS@school 3. The maintenance with
bug and security fixes for the last UCS@school version for UCS 3.x 
(→ UCS@school 3.2) ended on Dec 31, 2016.

Customers still on UCS 3.x are encouraged to update to UCS 4.3 (or later). 
Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug"
or simply reopen the issue. In this case please provide detailed information on
how this issue is affecting you.