Bug 43722 - Connector mistakenly removes dns forward zone
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.4
Platform: Other Linux
Priority/Severity: P5 normal
Assigned To: Samba maintainers
Depends on: 43715
Blocks:
Reported: 2017-03-06 10:25 CET by Felix Botner
Modified: 2022-03-15 09:39 CET (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017030221000492
Bug group (optional):
Max CVSS v3 score:

Description Felix Botner univentionstaff 2017-03-06 10:25:49 CET
We had a situation where the connector removed the following object from samba
 
dc=@,dc=_msdcs.w2k12.test,cn=microsoftdns,dc=forestdnszones,DC=w2k12,DC=test

It is not clear what caused this, but it can easily be reproduced by adding and removing a forward zone with the name "_msdcs.$DOMAIN".

-> udm dns/forward_zone create \
        --position "cn=dns,$(ucr get ldap/base)" \
        --set zone="_msdcs.$(ucr get domainname)" \
        --set nameserver="$(hostname -f)." \
        --set zonettl="1" \
        --set a=10.200.7.150 \
        --set contact="root@$(ucr get domainname)."
-> udm dns/forward_zone remove \
        --dn "zoneName=_msdcs.w2k12.test,cn=dns,dc=w2k12,dc=test"

03.03.2017 15:50:23,833 LDAP        (PROCESS): sync from ucs: [           dns] [    delete] dc=@,dc=_msdcs.w2k12.test,cn=microsoftdns,dc=forestdnszones,DC=w2k12,DC=test
03.03.2017 15:50:23,857 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1488552619.884444
03.03.2017 15:50:23,883 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 843, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2615, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1571, in ucs2con
    s4_zone_delete(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 869, in s4_zone_delete
    res = s4connector.lo_s4.lo.delete_s(zone_dn)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 295, in delete_s
    return self.delete_ext_s(dn,None,None)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 288, in delete_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NOT_ALLOWED_ON_NONLEAF: {'info': '00002015: subtree_delete: Unable to delete a non-leaf node (it has 10 children)!', 'desc': 'Operation not allowed on non-leaf'}

Now the DC=@ object in dc=forestdnszones,DC=w2k12,DC=test is gone and DNS is completely broken. Furthermore, there is no easy way to repair this. We had to get the object from the backup and add it to the samba database.

(1) It would be nice if check_essential_samba4_dns_records not only checks but also repairs such situations.

(2) The connector should not delete dc=@,dc=_msdcs.w2k12.test,...,dc=forestdnszones,... if a new UDM dns forward zone "_msdcs.$(ucr get domainname)" is created/removed.
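A defender-side scanner for the connector log lines quoted above, added here as an example that is not part of the connector or of this report: it parses the "sync from ucs ... [dns] [delete]" lines and flags a deletion of the DC=@ root record of the ForestDnsZones _msdcs.<domain> zone, the exact object that went missing in this bug. The log-line regex and the DN layout (DC=@, DC=<zone>, CN=MicrosoftDNS, DC=<partition>, ...) are assumptions taken from the lines quoted in this report.

```python
import re
from typing import List, Optional, Tuple

# Format of the S4 connector "sync from ucs" log lines quoted in this bug
# (assumed from those lines): timestamp, "LDAP (PROCESS):", sync key, action, DN.
SYNC_RE = re.compile(
    r"^\S+ \S+ LDAP\s+\(PROCESS\): sync from ucs: "
    r"\[\s*(?P<key>\w+)\] \[\s*(?P<action>\w+)\] (?P<dn>.+)$"
)

# Sample input: the two delete lines quoted in this report, embedded so the
# scanner runs offline.
LOG_LINES = [
    "03.03.2017 15:50:23,833 LDAP        (PROCESS): sync from ucs: [           dns] [    delete] dc=@,dc=_msdcs.w2k12.test,cn=microsoftdns,dc=forestdnszones,DC=w2k12,DC=test",
    "12.05.2019 02:00:25,131 LDAP        (PROCESS): sync from ucs: [           dns] [    delete] DC=@,DC=30.20.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=school,DC=dev",
]

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, attribute names lower-cased.
    The DNS DNs here contain no escaped commas, so a plain split suffices."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def classify_dns_delete(line: str, domainname: str) -> Optional[str]:
    """None: not a DNS delete. 'essential-msdcs': the DC=@ root record of
    _msdcs.<domain> in ForestDnsZones (the object lost in this bug).
    'zone-root': the DC=@ record of another zone. 'record': any other object."""
    m = SYNC_RE.match(line)
    if not m or m.group("key") != "dns" or m.group("action") != "delete":
        return None
    pairs = split_dn(m.group("dn"))
    if pairs[0] != ("dc", "@"):
        return "record"
    # Assumed layout: DC=@, DC=<zone>, CN=MicrosoftDNS, DC=<partition>, <domain DCs>
    zone = pairs[1][1].lower() if len(pairs) > 1 else ""
    partition = pairs[3][1].lower() if len(pairs) > 3 else ""
    if zone == "_msdcs." + domainname.lower() and partition == "forestdnszones":
        return "essential-msdcs"
    return "zone-root"

def find_essential_deletes(lines: List[str], domainname: str) -> List[str]:
    """DNs of every essential _msdcs root-record deletion found in the log."""
    return [SYNC_RE.match(l).group("dn") for l in lines
            if classify_dns_delete(l, domainname) == "essential-msdcs"]
```

Running find_essential_deletes over a connector log right after a rejected sync gives the DNs that need restoring from backup, which is what this report had to do by hand.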
Comment 1 Stefan Gohmann univentionstaff 2019-01-03 07:19:01 CET
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Comment 2 Florian Best univentionstaff 2019-05-15 13:20:06 CEST
UCS 4.4-0:
12.05.2019 02:00:25,127 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1557071186.432998
12.05.2019 02:00:25,131 LDAP        (PROCESS): sync from ucs: [           dns] [    delete] DC=@,DC=30.20.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=school,DC=dev
12.05.2019 02:00:25,143 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1557071186.432998
12.05.2019 02:00:25,144 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 910, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2761, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/dns.py", line 1635, in ucs2con
    s4_zone_delete(s4connector, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/dns.py", line 884, in s4_zone_delete
    res = s4connector.lo_s4.lo.delete_s(zone_dn)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 333, in delete_s
    return self.delete_ext_s(dn,None,None)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 326, in delete_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NOT_ALLOWED_ON_NONLEAF: {'info': '00002015: subtree_delete: Unable to delete a non-leaf node (it has 1 children)!', 'desc': 'Operation not allowed on non-leaf'}
Comment 3 Arvid Requate univentionstaff 2019-05-15 18:54:38 CEST
Re: Comment 2

> UCS 4.4-0:

Where did this occur?
Comment 4 Florian Best univentionstaff 2019-05-16 09:10:33 CEST
(In reply to Arvid Requate from comment #3)
> Re: Comment 2
> 
> > UCS 4.4-0:
> 
> Where did this occur?

On my dev-machine, where I ran ucs-test.