Bug 41906 - UCS@school: Allow re-creation of deleted user object with same objectSid in Samba/AD
UCS@school: Allow re-creation of deleted user object with same objectSid in S...
Status: NEW
Product: UCS Test
Classification: Unclassified
Component: S4 Connector
Other Linux
: P2 major (vote)
: ---
Assigned To: Samba maintainers
Depends on: 32263 41756 41864
  Show dependency treegraph
Reported: 2016-08-03 16:05 CEST by Stefan Gohmann
Modified: 2018-04-14 14:15 CEST (History)
6 users (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted after Product Owner Review:
Ticket number:
Bug group (optional): External feedback, Release Goal, Troubleshooting
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2016-08-03 16:05:45 CEST
We should add a test case for this issue.

+++ This bug was initially created as a clone of Bug #41864 +++

UCS@school 4.1 R2 allows users to get replicated into multiple schools 
(Bug 40870, Bug 41115, Bug 41118), but the S4-Connector on the School-DCs fails to re-create a user object in Samba/AD that has been removed before.

When a user object is deleted in Samba/AD, a stripped down version of it is kept in the "CN=Deleted Objects" container. In UCS@school, due to selective replication, user objects can get deleted and recreated (see Bug 41756) easily just by moving them or by changing the "schools" property in UDM (affecting the ucsschoolSchool attribute in OpenLDAP).

In this case the OpenLDAP user objects don't only keep their OpenLDAP entryUUID but also their sambaSID. In UCS@school the S4-Connector forces Samba/AD to accept the OpenLDAP sambaSID (UCR: connector/s4/mapping/sid_to_s4=yes). Since the Deleted Object still holds that SID in it's objectSid attribute, the S4-Connector will get an exception from Samba/AD (ldap.ALREADY_EXISTS exception: "Failed to re-index objectSid" due to "unique index violation on objectSid").

Reducing tombstoneLifetime to the minimum of 1 day is not enough for production use.

The attached patch proposal (plus patch for Bug 41756) may fix the issue.