Univention Bugzilla – Bug 42468
member-mode: Traceback with "security Group - Domain Local"
Last modified: 2016-12-14 13:23:57 CET
Ticket#2016092121000456 Customer has groups that were created (around 2012) with type "Security Group - Domain Local". In a later UCS-Release all groups are created with type "Security Group - Global". The AD-Connector seem to cannot handle "Security Group - Domain Local" and throws a traceback: 21.09.2016 13:33:16,477 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=STUFF,CN=groups,OU=Verwaltung,DC=FOO,DC=BAR,DC=DE 21.09.2016 13:33:16,482 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=STUFF,cn=groups,ou=verwaltung,o=BAR,c=DE 21.09.2016 13:33:16,485 LDAP (ERROR ): Unknown Exception during sync_to_ucs 21.09.2016 13:33:16,485 LDAP (ERROR ): Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1297, in sync_to_ucs result = self.modify_in_ucs(property_type, object, module, position) File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1145, in modify_in_ucs return ucs_object.modify() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 307, in modify return self._modify(modify_childs,ignore_license=ignore_license) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 748, in _modify self._ldap_pre_modify() File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 496, in _ldap_pre_modify self.check_ad_group_type_change() File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 969, in check_ad_group_type_change raise univention.admin.uexceptions.adGroupTypeChangeGlobalToDomainLocal adGroupTypeChangeGlobalToDomainLocal Workaround: Change the type to "Security Group - Global" via an intermediate step by using "Security Group - Universal" - But: "Security Group - Domain Local" is in windows explizitly used.
Additional: the AD-Connector produces logfiles en masse because the rejects are not resolved. Because of the windows group type „Domain Local“ the customer is not able to automate and use the workaround recursive.
I guess http://sdb.univention.de/1238 has to be followed.
(In reply to Stefan Gohmann from comment #2) > I guess http://sdb.univention.de/1238 has to be followed. If not, please re-open with more information.