Univention Bugzilla – Bug 41906
UCS@school: Allow re-creation of deleted user object with same objectSid in Samba/AD
Last modified: 2018-04-14 14:15:49 CEST
We should add a test case for this issue.
+++ This bug was initially created as a clone of Bug #41864 +++
UCS@school 4.1 R2 allows users to get replicated into multiple schools
(Bug 40870, Bug 41115, Bug 41118), but the S4-Connector on the School-DCs fails to re-create a user object in Samba/AD that has been removed before.
When a user object is deleted in Samba/AD, a stripped down version of it is kept in the "CN=Deleted Objects" container. In UCS@school, due to selective replication, user objects can get deleted and recreated (see Bug 41756) easily just by moving them or by changing the "schools" property in UDM (affecting the ucsschoolSchool attribute in OpenLDAP).
In this case the OpenLDAP user objects don't only keep their OpenLDAP entryUUID but also their sambaSID. In UCS@school the S4-Connector forces Samba/AD to accept the OpenLDAP sambaSID (UCR: connector/s4/mapping/sid_to_s4=yes). Since the Deleted Object still holds that SID in it's objectSid attribute, the S4-Connector will get an exception from Samba/AD (ldap.ALREADY_EXISTS exception: "Failed to re-index objectSid" due to "unique index violation on objectSid").
Reducing tombstoneLifetime to the minimum of 1 day is not enough for production use.
The attached patch proposal (plus patch for Bug 41756) may fix the issue.