Bug 37834 - S4 Connector Rejects on newly installed DC Slave
Status: RESOLVED DUPLICATE of bug 36831
Product: UCS@school
Classification: Unclassified
Component: Samba 4 - Slave PDC
UCS@school 4.0
Other Linux
P5 normal
Assigned To: Samba maintainers
Reported: 2015-02-18 12:23 CET by Michael Grandjean
Modified: 2015-02-18 14:44 CET (History)
Description Michael Grandjean univentionstaff 2015-02-18 12:23:55 CET
I just installed a new UCS@school multi-server-environment:
- DC Master - UCS 4.0-1 - UCS@school 4.0 v1
- DC Backup - UCS 4.0-1 - UCS@school 4.0 v1
- DC Slave  - UCS 4.0-1 - UCS@school 4.0 v1 - Samba 4

Right after the UCS@school-Rejoin of the School-Slave, I found these S4-Connector-Rejects:

> root@dcschool:~# univention-s4connector-list-rejected 
> 
> UCS rejected
> 
> S4 rejected
>     1:    S4 DN: CN=System,DC=schulen,DC=local
>          UCS DN: cn=system,dc=schulen,dc=local
>     2:    S4 DN: CN=Group Policy Creator Owners,CN=Groups,DC=schulen,DC=local
>          UCS DN: cn=group policy creator owners,cn=groups,dc=schulen,dc=local
>     3:    S4 DN: CN=Domain Admins,CN=Groups,DC=schulen,DC=local
>          UCS DN: cn=domain admins,cn=groups,dc=schulen,dc=local
>     4:    S4 DN: CN=Administrator,CN=Users,DC=schulen,DC=local
>          UCS DN: uid=administrator,cn=users,dc=schulen,dc=local
>     5:    S4 DN: CN=Domain Users,CN=Groups,DC=schulen,DC=local
>          UCS DN: cn=domain users,cn=groups,dc=schulen,dc=local
>     6:    S4 DN: CN=Domain Guests,CN=Groups,DC=schulen,DC=local
>          UCS DN: cn=domain guests,cn=groups,dc=schulen,dc=local
> 
>         last synced USN: 3891

This is accompanied by tracebacks like this in connector-s4.log:

> 18.02.2015 12:18:41,768 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Domain Guests,CN=Groups,DC=schulen,DC=local
> 18.02.2015 12:18:41,778 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=domain guests,cn=groups,dc=schulen,dc=local
> 18.02.2015 12:18:41,825 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
> 18.02.2015 12:18:41,825 LDAP        (ERROR  ): Traceback (most recent call last):
>   File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1439, in sync_to_ucs
>     result = self.modify_in_ucs(property_type, object, module, position)
>   File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1216, in modify_in_ucs
>     return ucs_object.modify() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
>   File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 364, in modify
>     return self._modify(modify_childs,ignore_license=ignore_license)
>   File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 959, in _modify
>     self.lo.modify(self.dn, ml, ignore_license=ignore_license)
>   File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 420, in modify
>     raise univention.admin.uexceptions.permissionDenied
> permissionDenied

These rejects are legitimate, because the UCS@school Samba4 DC Slave tries to modify objects outside of its own OU (which it is not allowed to do).
I just wonder why these modifications happen. At this point no Windows Clients were joined and no Group Policies created.
Comment 1 Arvid Requate univentionstaff 2015-02-18 14:44:11 CET

*** This bug has been marked as a duplicate of bug 36831 ***
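
A triage sketch for the rejects described in the report, added here as an example and not part of the original bug or of Univention's tooling: it pairs each `sync to ucs` operation in connector-s4.log with the exception that ends its traceback and reports whether a `permissionDenied` write targeted a DN outside the slave's own OU. The OU `ou=school1,dc=schulen,dc=local`, the first sample log line and all function names are assumptions made for the example.

```python
import re

SYNC_RE = re.compile(r"sync to ucs:\s+\[\s*(\w+)\]\s+\[\s*(\w+)\]\s+(.+)$")
TS_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4} ")

def dn_parts(dn):
    # Naive split: assumes no escaped commas inside RDN values.
    return [p.strip().lower() for p in dn.split(",")]

def is_under(dn, base):
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[-len(b):] == b

def denied_writes(log_text, own_ou):
    """Return (dn, object_type, operation, outside_own_ou) for every
    sync-to-UCS operation whose traceback ends in permissionDenied."""
    hits, current, in_tb = [], None, False
    for line in log_text.splitlines():
        m = SYNC_RE.search(line)
        if m:
            current, in_tb = (m.group(3).strip(), m.group(1), m.group(2)), False
        elif "Traceback (most recent call last):" in line:
            in_tb = True
        elif in_tb and line.strip() and not line[0].isspace() and not TS_RE.match(line):
            # First unindented, untimestamped line after the frames is the exception.
            if current and line.strip().split(":")[0] == "permissionDenied":
                hits.append(current + (not is_under(current[0], own_ou),))
            current, in_tb = None, False
    return hits

# Assumption: the slave's school OU; the report does not name it.
OWN_OU = "ou=school1,dc=schulen,dc=local"
# First line is constructed (a sync with no error); the rest is copied from
# the report, with the traceback frames shortened to the last one.
SAMPLE_LOG = """\
18.02.2015 12:18:40,100 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=anna,cn=users,ou=school1,dc=schulen,dc=local
18.02.2015 12:18:41,768 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Domain Guests,CN=Groups,DC=schulen,DC=local
18.02.2015 12:18:41,778 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=domain guests,cn=groups,dc=schulen,dc=local
18.02.2015 12:18:41,825 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
18.02.2015 12:18:41,825 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 420, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
"""

if __name__ == "__main__":
    for dn, otype, op, outside in denied_writes(SAMPLE_LOG, OWN_OU):
        where = "outside" if outside else "INSIDE (unexpected)"
        print("%s %s denied, %s %s: %s" % (otype, op, where, OWN_OU, dn))
```

A denied write that lands inside the slave's own OU would point at an ACL or join problem rather than the expected OU restriction.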