Univention Bugzilla – Bug 42393
S4 Connector: DNS zone synchronization fails if ldap/base and samba4/ldap/base are different
Last modified: 2018-12-17 21:43:32 CET
Example:

root@ucs-7811:~# ucr search --brief ldap/base
connector/s4/ldap/base: DC=STUFF,DC=FOO,DC=BAR
ldap/base: dc=foo,dc=bar
samba4/ldap/base: DC=STUFF,DC=FOO,DC=BAR

produces:

14.09.2016 11:38:46,786 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1473845580.846386
14.09.2016 11:38:46,806 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 802, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2380, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1377, in ucs2con
    s4_zone_create_wrapper(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 776, in s4_zone_create_wrapper
    result = s4_zone_create(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 678, in s4_zone_create
    __create_s4_forward_zone(s4connector, zone_dn)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 455, in __create_s4_forward_zone
    s4connector.lo_s4.lo.add_s(zone_dn, al)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 202, in add_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 465, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 469, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: objectclass: Cannot add dc=6.200.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,dc=stuff,DC=stuff,DC=foo,DC=bar, parent does not exist!', 'desc': 'No such object'}

It is unclear whether that only happens on zone-add or also on zone-modify.
The behaviour happened in Ticket#2016091321000211 (4.1-0 140) and in a newly installed 4.1-0 0)
The behaviour may happen in every environment that has similar settings!
Still true for 4.1-3 E268 and seems to happen with zone-add of the reverse zone.

Workaround: add the zone manually, example:

root@ucs-5593:~# samba-tool dns zonecreate SERVER 6.200.10.in-addr.arpa -UAdministrator%PASSWORD
Ticket#2016091321000211
Increases in severity as mentioned in the attached ticket. The resulting rejects obscure possible real problems. The customer cannot implement the workaround.
DC synchronisation is not working either
I think I fixed the samba4/ldap/base mapping issue but I'm not exactly sure how to reproduce this cleanly. I've just abused my plain UCS 4.1 installation (w/o Samba):

ucr set kerberos/realm="SUB.$(ucr get kerberos/realm)"
univention-install univention-s4-connector

After that I'm still left with rejects in the _msdcs sub-zone of my UCS "$domain". E.g.

====================================================
root@master:~# host gc._msdcs.ar41i2.qa
Host gc._msdcs.ar41i2.qa not found: 3(NXDOMAIN)
====================================================

but the relevant sub-domain gets synchronized:

====================================================
root@master:~# host gc._msdcs.sub.ar41i2.qa
gc._msdcs.sub.ar41i2.qa has address 10.200.8.40
====================================================

I'm not sure if this is a real life case though. If it is, that would be a bit harder to fix, because usually the _msdcs zone is always present in Samba and the code is not prepared for the case where it is only present in OpenLDAP. In that case we would have to add special treatment for that zone, because we would have to instruct the S4-Connector to create that zone (only) in ForestDnsZones. I'm leaving this for QA to decide if handling this is required too. As far as I understand the Ticket that's not the point.

Also, Comment 4 says

> DC synchronisation is not working either

but I can see no evidence in the connector-s4.log attached to the Ticket, so I have no clue what to fix. I'd say this should go into a separate Bug with proper evidence.

Merged to and built for UCS 4.2.
Advisory: univention-s4-connector.yaml
You can simply reproduce it. Just install UCS with a domain, for example foo.bar.com, and use dc=bar,dc=com as LDAP base in the UCS installer.

On my test system it looks like this:

root@ucs-3620:~# ucr search --brief ldap/base
connector/s4/ldap/base: DC=FOO,DC=DEADLOCK33,DC=INTRANET
ldap/base: dc=deadlock33,dc=intranet
samba4/ldap/base: DC=FOO,DC=DEADLOCK33,DC=INTRANET
root@ucs-3620:~#

After the installation I had the following rejects:

root@ucs-3620:~# univention-s4connector-list-rejected

UCS rejected

1: UCS DN: zoneName=201.10.in-addr.arpa,cn=dns,dc=deadlock33,dc=intranet
   S4 DN: <not found>
   Filename: /var/lib/univention-connector/s4/1481703305.685577
2: UCS DN: relativeDomainName=1.33,zoneName=201.10.in-addr.arpa,cn=dns,dc=deadlock33,dc=intranet
   S4 DN: <not found>
   Filename: /var/lib/univention-connector/s4/1481703305.823988
3: UCS DN: cn=ucs-3620,cn=dc,cn=computers,dc=deadlock33,dc=intranet
   S4 DN: <not found>
   Filename: /var/lib/univention-connector/s4/1481703431.012150
4: UCS DN: cn=ucs-3620,cn=dc,cn=computers,dc=deadlock33,dc=intranet
   S4 DN: <not found>
   Filename: /var/lib/univention-connector/s4/1481703531.734460
5: UCS DN: cn=ucs-3620,cn=dc,cn=computers,dc=deadlock33,dc=intranet
   S4 DN: <not found>
   Filename: /var/lib/univention-connector/s4/1481703554.416650

S4 rejected

1: S4 DN: CN=UCS-3620,OU=Domain Controllers,DC=foo,DC=deadlock33,DC=intranet
   UCS DN: <not found>

last synced USN: 3813
root@ucs-3620:~#

The log file looked like this:

14.12.2016 09:21:31,469 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1481703305.685577
14.12.2016 09:21:31,473 LDAP (PROCESS): sync from ucs: [ dns] [ add] DC=@,dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,dc=foo,DC=foo,DC=deadlock33,DC=intranet
14.12.2016 09:21:31,489 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1481703305.685577
14.12.2016 09:21:31,490 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 842, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2363, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1568, in ucs2con
    s4_zone_create_wrapper(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 843, in s4_zone_create_wrapper
    result = s4_zone_create(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 741, in s4_zone_create
    __create_s4_forward_zone(s4connector, zone_dn)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 473, in __create_s4_forward_zone
    s4connector.lo_s4.lo.add_s(zone_dn, al)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 202, in add_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 465, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 469, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: objectclass: Cannot add dc=201.10.in-addr.arpa,cn=microsoftdns,dc=domaindnszones,dc=foo,DC=foo,DC=deadlock33,DC=intranet, parent does not exist!', 'desc': 'No such object'}
14.12.2016 09:21:31,490 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1481703305.823988
14.12.2016 09:21:31,499 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1481703305.823988
14.12.2016 09:21:31,499 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 986, in resync_rejected_ucs
    if self.__sync_file_from_ucs(filename, append_error=' rejected'):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 838, in __sync_file_from_ucs
    object = self._object_mapping(key, object, 'ucs')
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1763, in _object_mapping
    object = function(self, object, dn_mapping_stored, isUCSobject=(object_type == 'ucs'))
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 268, in dns_dn_mapping
    show_deleted=False)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 1116, in __search_s4
    rtype, rdata, rmsgid, serverctrls = self.lo_s4.lo.result3(msgid)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: No such Base DN: DC=201.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=FOO,DC=DEADLOCK33,DC=INTRANET', 'desc': 'No such object'}
14.12.2016 09:21:31,500 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1481703431.012150
14.12.2016 09:21:31,506 LDAP (PROCESS): sync from ucs: [ dc] [ modify] CN=UCS-3620,ou=domain controllers,dc=foo,DC=foo,DC=deadlock33,DC=intranet
14.12.2016 09:21:31,513 LDAP (ERROR ): sync_from_ucs: traceback during add object: CN=UCS-3620,ou=domain controllers,dc=foo,DC=foo,DC=deadlock33,DC=intranet
14.12.2016 09:21:31,513 LDAP (ERROR ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'computer']), ('userAccountControl', ['532480']), (u'cn', [u'ucs-3620']), ('operatingSystemVersion', [u'4.1-4']), ('sAMAccountName', [u'ucs-3620$']), ('operatingSystem', [u'Univention Corporate Server'])]
14.12.2016 09:21:31,518 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1481703431.012150
14.12.2016 09:21:31,518 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 842, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2402, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls) # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 187, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: objectclass: Cannot add CN=UCS-3620,ou=domain controllers,dc=foo,DC=foo,DC=deadlock33,DC=intranet, parent does not exist!', 'desc': 'No such object'}

After installing the new S4 connector version, everything seems to work.
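The refused DNs in the rejects above (the zone in the first comment, and both the zone and the domain controller object in this one) share one shape: the leading RDN of samba4/ldap/base appears twice directly in front of the base (`...,dc=foo,DC=foo,DC=deadlock33,DC=intranet`), whereas the search that follows uses the well-formed `DC=201.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=FOO,DC=DEADLOCK33,DC=INTRANET`. The Python below is an added illustration of the mapping at issue, not the S4 connector's own code: it maps a UCS zone DN to its Samba DomainDnsZones DN by RDN components, taking ldap/base and samba4/ldap/base as separate inputs, and it recognises a "Cannot add ..., parent does not exist!" reject whose DN carries duplicated base RDNs, so that rejects of this kind can be picked out of connector-s4.log without guessing. All function names are mine; the sample values are constructed from the UCR output and log lines in this comment; it assumes DNs without escaped commas, which holds for every DN on this page.

```python
# Added illustration for Bug 42393; NOT the S4 connector's own code.
# Assumes DNs without escaped commas (true for every DN quoted on this page)
# and splits on ',' and '=' instead of using a full RFC 4514 parser.
import re

# Constructed sample values, copied from the UCR output and the rejects above.
UCS_BASE = "dc=deadlock33,dc=intranet"            # ldap/base
S4_BASE = "DC=FOO,DC=DEADLOCK33,DC=INTRANET"      # samba4/ldap/base
UCS_ZONE_DN = "zoneName=201.10.in-addr.arpa,cn=dns,dc=deadlock33,dc=intranet"
REJECT_INFO = ("00002030: objectclass: Cannot add dc=201.10.in-addr.arpa,"
               "cn=microsoftdns,dc=domaindnszones,dc=foo,DC=foo,DC=deadlock33,"
               "DC=intranet, parent does not exist!")

_CANNOT_ADD = re.compile(r"Cannot add (?P<dn>.+?), parent does not exist!")


def split_dn(dn):
    """Split 'a=b,c=d' into [('a', 'b'), ('c', 'd')]."""
    return [tuple(rdn.split("=", 1)) for rdn in dn.split(",")]


def _fold(parts):
    """Case-fold RDNs for comparison (DN components match case-insensitively)."""
    return [(a.strip().lower(), v.strip().lower()) for a, v in parts]


def strip_base(dn, base):
    """Return the RDNs of dn below base, in original spelling; raise if dn is not under base."""
    parts, base_parts = split_dn(dn), split_dn(base)
    n = len(base_parts)
    if len(parts) <= n or _fold(parts[-n:]) != _fold(base_parts):
        raise ValueError("%s is not below %s" % (dn, base))
    return parts[:-n]


def ucs_zone_to_s4_dn(ucs_zone_dn, ucs_base, s4_base):
    """Map zoneName=<zone>,cn=dns,<ucs_base> to
    DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,<s4_base>.
    The two bases are separate inputs because ldap/base and samba4/ldap/base
    may differ, which is the setup this bug is about."""
    rel = strip_base(ucs_zone_dn, ucs_base)
    if _fold(rel)[1:] != [("cn", "dns")] or rel[0][0].lower() != "zonename":
        raise ValueError("not a UCS DNS zone DN: %s" % ucs_zone_dn)
    return "DC=%s,CN=MicrosoftDNS,DC=DomainDnsZones,%s" % (rel[0][1], s4_base)


def duplicated_base_rdns(dn, s4_base):
    """Return the leading RDNs of s4_base that are repeated directly in front of
    the base inside dn (the ',dc=foo,DC=foo,DC=deadlock33,DC=intranet' shape in
    the rejects above), or [] when dn ends cleanly in the base."""
    parts, base = _fold(split_dn(dn)), _fold(split_dn(s4_base))
    n = len(base)
    if len(parts) < n or parts[-n:] != base:
        return []
    head = parts[:-n]
    for k in range(min(len(head), n), 0, -1):   # longest repeated prefix first
        if head[-k:] == base[:k]:
            return ["%s=%s" % rdn for rdn in head[-k:]]
    return []


def check_reject_info(info, s4_base):
    """From the 'info' text of a NO_SUCH_OBJECT reject, return (refused DN,
    duplicated base RDNs); (None, []) if the text is not a 'Cannot add' error."""
    m = _CANNOT_ADD.search(info)
    if not m:
        return None, []
    dn = m.group("dn")
    return dn, duplicated_base_rdns(dn, s4_base)


if __name__ == "__main__":
    print(ucs_zone_to_s4_dn(UCS_ZONE_DN, UCS_BASE, S4_BASE))
    dn, dup = check_reject_info(REJECT_INFO, S4_BASE)
    print("refused DN: %s" % dn)
    print("duplicated base RDNs: %s" % (dup or "none"))
```

Run stand-alone, the script prints the well-formed zone DN from the "No such Base DN" search above and then reports `dc=foo` as the duplicated RDN in the refused add. The detector works on the `'info'` text alone, so it can be applied to each `NO_SUCH_OBJECT` line of connector-s4.log together with the local `samba4/ldap/base` value to separate rejects of this shape from rejects with a genuinely missing parent.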
Tests: OK, see Comment #6.
YAML: OK
Code review: OK
UCS 4.2 merge: OK
<http://errata.software-univention.de/ucs/4.1/365.html>