Bug 36831 - Rejects on school slave after installing distributed UCS@school env
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-3-errata
Assigned To: Stefan Gohmann
Felix Botner
: 37834 (view as bug list)
Reported: 2014-11-18 17:57 CET by Stefan Gohmann
Modified: 2016-09-14 15:38 CEST (History)


connector-s4.log with debug level set to 4, same system as Bug 37834 (4.15 MB, text/x-log)
2015-02-19 14:44 CET, Michael Grandjean

Description Stefan Gohmann univentionstaff 2014-11-18 17:57:50 CET
I've several rejects after the update to UCS@school 4.0 on a school slave if Samba 4 is not installed on the master:

S4 rejected

    1:    S4 DN: CN=Domain Users,CN=Groups,DC=deadlock43,DC=intranet
         UCS DN: cn=domain users,cn=groups,dc=deadlock43,dc=intranet
    2:    S4 DN: CN=Domain Admins,CN=Groups,DC=deadlock43,DC=intranet
         UCS DN: cn=domain admins,cn=groups,dc=deadlock43,dc=intranet
    3:    S4 DN: CN=System,DC=deadlock43,DC=intranet
         UCS DN: cn=system,dc=deadlock43,dc=intranet
    4:    S4 DN: DC=deadlock43,DC=intranet
         UCS DN: dc=deadlock43,dc=intranet
    5:    S4 DN: OU=Domain Controllers,DC=deadlock43,DC=intranet
         UCS DN: ou=domain controllers,dc=deadlock43,dc=intranet
    6:    S4 DN: CN=Group Policy Creator Owners,CN=Groups,DC=deadlock43,DC=intranet
         UCS DN: cn=group policy creator owners,cn=groups,dc=deadlock43,dc=intranet
    7:    S4 DN: CN=Administrator,CN=Users,DC=deadlock43,DC=intranet
         UCS DN: uid=administrator,cn=users,dc=deadlock43,dc=intranet
    8:    S4 DN: CN=Domain Guests,CN=Groups,DC=deadlock43,DC=intranet
         UCS DN: cn=domain guests,cn=groups,dc=deadlock43,dc=intranet

root@slave432:~# univention-ldapsearch 'cn=domain guests' -LLL description ; univention-s4search 'cn=domain guests' description
dn: cn=Domain Guests,cn=groups,dc=deadlock43,dc=intranet

WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
# record 1
dn: CN=Domain Guests,CN=Groups,DC=deadlock43,DC=intranet
description: All domain guests
Comment 1 Stefan Gohmann univentionstaff 2014-11-18 18:58:13 CET
This was already the case before updating to UCS 4.
Comment 2 Arvid Requate univentionstaff 2015-02-18 14:44:11 CET
*** Bug 37834 has been marked as a duplicate of this bug. ***
Comment 3 Michael Grandjean univentionstaff 2015-02-19 14:44:07 CET
Created attachment 6704 [details]
connector-s4.log with debug level set to 4, same system as  Bug 37834

I reverted my system of Bug 37834 to an older snapshot and set connector/debug/level=4 before installing UCS@school. I was then able to reproduce the rejects by just installing UCS@school with Samba 4. I attached the connector-s4.log.
Comment 4 Arvid Requate univentionstaff 2015-02-20 11:39:09 CET
Ok, thanks, that should give a pretty clear idea what things need to be written with Admin credentials during join.

To avoid pre-seeding all this nitty gritty detail, we could "simply" initialize the S4-Connector during join with Admin credentials. But that would require implementing a mechanism in the S4-Connector to drop the initialization-Credentials after it has initialized, to continue normal operations with host credentials. For this we would in turn need to find a way to recognize at which point the initial sync is done (not too easy, USN tracking..). Just brainstorming..
Comment 5 Felix Botner univentionstaff 2016-06-09 10:59:49 CEST
again with 4.1-2 and school 4.1R2

UCS Master + school (no univention-samba4!)
UCS Slave + school with univention-samba4/connector

After installing school on the slave the connector complains about the following rejects:

S4 rejected

    1:    S4 DN: OU=Domain Controllers,DC=w2k12,DC=test
         UCS DN: ou=domain controllers,dc=w2k12,dc=test
    2:    S4 DN: CN=System,DC=w2k12,DC=test
         UCS DN: cn=system,dc=w2k12,dc=test
    3:    S4 DN: CN=Administrator,CN=Users,DC=w2k12,DC=test
         UCS DN: uid=administrator,cn=users,dc=w2k12,dc=test
    4:    S4 DN: DC=w2k12,DC=test
         UCS DN: dc=w2k12,dc=test

All rejects are caused by a permission problem:

09.06.2016 10:54:04,126 LDAP        (PROCESS): sync to ucs:   [  container_dc] [    modify] dc=w2k12,dc=test
09.06.2016 10:54:04,151 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
09.06.2016 10:54:04,151 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1438, in sync_to_ucs
    result = self.property[property_type].ucs_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dc.py", line 180, in con2ucs
    s4connector.lo.modify(dn, ml)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 420, in modify
    raise univention.admin.uexceptions.permissionDenied

We should either
 * ignore those objects on school slaves in the connector
 * or change the LDAP ACLs for school slave

But rejects are not good ...
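
Added example, not part of the original comment and not the S4 connector's own code: a triage pass over connector-s4.log that separates sync_to_ucs failures ending in permissionDenied (the ACL-caused rejects shown above) from failures with any other cause, so the former cannot hide the latter. The log layout is assumed from the excerpt above, and it is assumed that a traceback directly follows the "sync to ucs" line it belongs to; the function name and the second and third sample entries are constructed.

```python
import re

# Sample log: first entry shortened from the excerpt above, the rest constructed.
SAMPLE_LOG = """\
09.06.2016 10:54:04,126 LDAP        (PROCESS): sync to ucs:   [  container_dc] [    modify] dc=w2k12,dc=test
09.06.2016 10:54:04,151 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
09.06.2016 10:54:04,151 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 420, in modify
    raise univention.admin.uexceptions.permissionDenied
09.06.2016 10:54:05,010 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=example group,cn=groups,dc=w2k12,dc=test
09.06.2016 10:54:06,200 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=example,cn=users,dc=w2k12,dc=test
09.06.2016 10:54:06,230 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
09.06.2016 10:54:06,230 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1438, in sync_to_ucs
    result = self.property[property_type].ucs_sync_function(self, property_type, object)
ValueError: constructed non-ACL failure
"""

# "sync to ucs:   [  container_dc] [    modify] dc=w2k12,dc=test"
SYNC_RE = re.compile(r"\(PROCESS\): sync to ucs:\s+\[\s*(\S+)\]\s+\[\s*(\S+)\]\s+(.+)$")
ERROR_RE = re.compile(r"\(ERROR\s*\): Unknown Exception during sync_to_ucs")


def triage_sync_failures(log_text):
    """Return (acl_rejects, other_failures), each a list of
    (object_type, operation, dn) tuples in log order."""
    events = []
    for line in log_text.splitlines():
        match = SYNC_RE.search(line)
        if match:
            obj_type, operation, dn = match.groups()
            events.append({"op": (obj_type, operation, dn.strip()),
                           "failed": False, "denied": False})
        elif events:
            last = events[-1]
            if ERROR_RE.search(line):
                last["failed"] = True
            elif last["failed"] and "permissionDenied" in line:
                # Traceback ends in uexceptions.permissionDenied: LDAP ACL reject.
                last["denied"] = True
    acl = [e["op"] for e in events if e["failed"] and e["denied"]]
    other = [e["op"] for e in events if e["failed"] and not e["denied"]]
    return acl, other


if __name__ == "__main__":
    acl_rejects, other_failures = triage_sync_failures(SAMPLE_LOG)
    print("ACL rejects:   ", acl_rejects)
    print("Other failures:", other_failures)
```

Entries in the second list are the ones that need individual investigation; a sync that logged no error appears in neither list.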
Comment 6 Jens Thorp-Hansen univentionstaff 2016-07-22 10:51:23 CEST

Here too, same as above. It is cosmetic, but may mask other problems: if we recommend resolving these "legit" rejects or ignoring them, other problems may rear their heads in the future with causes that are ignored in these earlier states.

rejects are not good.
Comment 7 Florian Best univentionstaff 2016-07-22 11:03:00 CEST
This hit me some weeks ago, too.
Comment 8 Stefan Gohmann univentionstaff 2016-08-15 07:20:57 CEST
We already create several groups in the 96univention-samba4slavepdc.inst join script. We should do these changes there as well.
Comment 9 Stefan Gohmann univentionstaff 2016-08-19 16:30:49 CEST
YAML: r71761

Fix: r71760

* Update some default settings in the LDAP directory to prevent
  rejects if no S4 connector is installed on the DC master
  (Bug #36831)

Waiting for Jenkins test results.
Comment 10 Stefan Gohmann univentionstaff 2016-08-22 16:57:32 CEST
(In reply to Stefan Gohmann from comment #9)
> YAML: r71761
> Fix: r71760
> * Update some default settings in the LDAP directory to prevent
>   rejects if no S4 connector is installed on the DC master
>   (Bug #36831)
> Waiting for Jenkins test results.

Some more updates: r71768 + r71770 + r71780

We've decided to increase the join script version so the rejects will be removed after running the join scripts.

I've also merged these changes to UCS 4.2.
Comment 11 Janek Walkenhorst univentionstaff 2016-08-29 18:36:02 CEST
Rebuild package for Bug #36831, #41167 due to buildsystem error


Comment 12 Felix Botner univentionstaff 2016-09-12 13:56:21 CEST
OK - merged to 4.2
OK - no rejects on slave - no samba4 on master
OK - no rejects on slave - samba4 on master
OK - rejects are gone after upgrade/univention-run-join-scripts on slave
OK - yaml
Comment 13 Janek Walkenhorst univentionstaff 2016-09-14 15:38:55 CEST