Bug 42468 - member-mode: Traceback with "security Group - Domain Local"
member-mode: Traceback with "security Group - Domain Local"
Status: RESOLVED WORKSFORME
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.1
Other Linux
: P5 normal (vote)
: ---
Assigned To: Connector maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-09-22 10:34 CEST by Jens Thorp-Hansen
Modified: 2016-12-14 13:23 CET (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016092121000456
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jens Thorp-Hansen univentionstaff 2016-09-22 10:34:56 CEST
Ticket#2016092121000456

Customer has groups that were created (around 2012) with type "Security Group - Domain Local". In a later UCS-Release all groups are created with type "Security Group - Global". 

The AD-Connector seem to cannot handle "Security Group - Domain Local" and throws a traceback:

21.09.2016 13:33:16,477 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=STUFF,CN=groups,OU=Verwaltung,DC=FOO,DC=BAR,DC=DE
21.09.2016 13:33:16,482 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=STUFF,cn=groups,ou=verwaltung,o=BAR,c=DE
21.09.2016 13:33:16,485 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
21.09.2016 13:33:16,485 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1297, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1145, in modify_in_ucs
    return ucs_object.modify() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 307, in modify
    return self._modify(modify_childs,ignore_license=ignore_license)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 748, in _modify
    self._ldap_pre_modify()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 496, in _ldap_pre_modify
    self.check_ad_group_type_change()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 969, in check_ad_group_type_change
    raise univention.admin.uexceptions.adGroupTypeChangeGlobalToDomainLocal
adGroupTypeChangeGlobalToDomainLocal
 

Workaround: Change the type to "Security Group - Global" via an intermediate step by using "Security Group - Universal" - But: "Security Group - Domain Local" is in windows explizitly used.
Comment 1 Jens Thorp-Hansen univentionstaff 2016-09-22 11:09:55 CEST
Additional: the AD-Connector produces logfiles en masse because the rejects are not resolved. Because of the windows group type „Domain Local“ the customer is not able to automate and use the workaround recursive.
Comment 2 Stefan Gohmann univentionstaff 2016-09-28 10:09:31 CEST
I guess http://sdb.univention.de/1238 has to be followed.
Comment 3 Stefan Gohmann univentionstaff 2016-12-14 13:23:57 CET
(In reply to Stefan Gohmann from comment #2)
> I guess http://sdb.univention.de/1238 has to be followed.

If not, please re-open with more information.