Bug 41417 - S4 Connector: Tracebacks (unique index violation on objectSid) for BUILTIN objects
Status: RESOLVED WONTFIX
Product: UCS@school
Classification: Unclassified
Component: Samba 4
Version: UCS@school 4.1 R2
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Depends on: 29000 29486 32767 32768
Reported: 2016-06-02 10:33 CEST by Michael Grandjean
Modified: 2019-02-05 21:43 CET
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.011

Attachments
connector-s4.log (238.69 KB, text/x-log)
2016-06-02 10:33 CEST, Michael Grandjean
Description Michael Grandjean univentionstaff 2016-06-02 10:33:39 CEST
Created attachment 7713
connector-s4.log

1. installed UCS 4.1-0 as Master
2. updated to UCS 4.1-2 errata 185
3. installed UCS@school for multi-server environments
4. installed "Active Directory compatible domaincontroller" App
5. S4 Connector has the following tracebacks:


UCS rejected

    1:   UCS DN: cn=Enterprise Domain Controllers,cn=groups,dc=example,dc=org
          S4 DN: cn=enterprise domain controllers,cn=groups,DC=example,DC=org
         Filename: /var/lib/univention-connector/s4/1464854994.564544

    2:   UCS DN: cn=Interactive,cn=Builtin,dc=example,dc=org
          S4 DN: cn=interactive,cn=builtin,DC=example,DC=org
         Filename: /var/lib/univention-connector/s4/1464855005.955398

    3:   UCS DN: cn=IUSR,cn=Builtin,dc=example,dc=org
          S4 DN: cn=iusr,cn=builtin,DC=example,DC=org
         Filename: /var/lib/univention-connector/s4/1464855011.873150

    4:   UCS DN: cn=Enterprise Domain Controllers,cn=groups,dc=example,dc=org
          S4 DN: cn=enterprise domain controllers,cn=groups,DC=example,DC=org
         Filename: /var/lib/univention-connector/s4/1464855028.031333

    5:   UCS DN: cn=Interactive,cn=Builtin,dc=example,dc=org
          S4 DN: cn=interactive,cn=builtin,DC=example,DC=org
         Filename: /var/lib/univention-connector/s4/1464855028.045915

    6:   UCS DN: cn=IUSR,cn=Builtin,dc=example,dc=org
          S4 DN: cn=iusr,cn=builtin,DC=example,DC=org
         Filename: /var/lib/univention-connector/s4/1464855028.053535


S4 rejected


        last synced USN: 3859


Complete log is attached (initially with default connector/debug/level=2, later with connector/debug/level=4)
Comment 1 Arvid Requate univentionstaff 2016-06-02 11:48:32 CEST
Example cn=Enterprise Domain Controllers:

In Samba/AD that's here:
 * CN=S-1-5-9,CN=ForeignSecurityPrincipals,$samba4_ldap_base

In OpenLDAP it has

sambaSID: S-1-5-9
univentionObjectFlag: hidden
univentionGroupType: -2147483643
sambaGroupType: 5

Without further digging I don't recall how the S4-Connector normally handles this case.

Maybe the issue reported here is due to the order of installation (step 3 and 4)?
I assume that no UCS@school Slave PDCs had been installed at this point.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2019-02-05 21:43:48 CET
This issue has been filed against UCS@school 4.1 (R2). The maintenance with
bug and security fixes for UCS@school 4.1 (R2) ended on 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3 (or later). 
Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug"
or simply reopen the issue. In this case please provide detailed information on
how this issue is affecting you.