Bug 44289 - Traceback after re-initializing the s4-connector
Traceback after re-initializing the s4-connector
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-4-errata
Assigned To: Arvid Requate
Felix Botner
:
Depends on: 43368 44517
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-04 16:35 CEST by Arvid Requate
Modified: 2017-07-05 13:32 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-04-04 16:35:44 CEST
We also need to fix this in UCS 4.2


+++ This bug was initially created as a clone of Bug #43368 +++

In my test environment I happened to reinitialized the s4-connector and as a result I came across the following traceback in my s4-connector.log

-------------------------------------------------------------------------------
11.11.2016 08:25:24,389 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1478847638.880242
11.11.2016 08:25:24,394 LDAP        (PROCESS): sync from ucs: [         group] [       add] cn=Printer-Admins,cn=groups,DC=acheron,DC=mail
11.11.2016 08:25:24,481 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1478847638.880242
11.11.2016 08:25:24,482 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 843, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2414, in sync_from_ucs
    objectSid = decode_sid(objectSid_attr_value)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 517, in decode_sid
    sid += "%d" % ord(value[0])
TypeError: 'NoneType' object has no attribute '__getitem__'

11.11.2016 08:25:24,483 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Print Operators,CN=Builtin,DC=acheron,DC=mail
11.11.2016 08:25:24,492 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=Printer-Admins,cn=groups,dc=acheron,dc=mail
11.11.2016 08:25:24,493 LDAP        (PROCESS): Unable to sync cn=Printer-Admins,cn=groups,dc=acheron,dc=mail (UUID: 150065a0-3ab0-1036-889b-9dfaca459e67). The object is currently locked.

-----------------------------------------------------------------------------
Comment 1 Arvid Requate univentionstaff 2017-04-13 11:58:24 CEST
I've flipped the target of Bug 43368 and Bug 44289.

So also need to backport this to UCS 4.1.
Comment 2 Arvid Requate univentionstaff 2017-04-18 12:13:08 CEST
Package rebuilt with backported patch.

Advisory: univention-s4-connector.yaml
Comment 3 Felix Botner univentionstaff 2017-05-02 17:02:29 CEST
the search filter seems to be broken

 samaccount_dn_mapping: search in s4 for (&(objectclass=group)(samaccountname=Printer-Admins)(samaccountname=Print Operators))
02.05.2017 17:00:47,935 LDAP        (INFO   ): samaccount_dn_mapping: newdn: cn=Printer-Admins,cn=groups,dc=w2k12,dc=test
02.05.2017 17:00:47,935 LDAP        (INFO   ): samaccount_dn_mapping: newdn for key dn:
02.05.2017 17:00:47,935 LDAP        (INFO   ): samaccount_dn_mapping: olddn: cn=Printer-Admins,cn=groups,dc=w2k12,dc=test
02.05.2017 17:00:47,936 LDAP        (INFO   ): samaccount_dn_mapping: newdn: cn=Printer-Admins,cn=groups,dc=w2k12,dc=test
02.05.2017 17:00:47,936 LDAP        (INFO   ): samaccount_dn_mapping: check newdn for key olddn:
02.05.2017 17:00:47,937 LDAP        (INFO   ): _ignore_object: Do not ignore cn=Printer-Admins,cn=groups,DC=w2k12,DC=test
02.05.2017 17:00:47,939 LDAP        (INFO   ): __sync_file_from_ucs: finished mapping
02.05.2017 17:00:47,939 LDAP        (INFO   ): sync_from_ucs: sync object: cn=Printer-Admins,cn=groups,DC=w2k12,DC=test
02.05.2017 17:00:47,939 LDAP        (PROCESS): sync from ucs: [         group] [       add] cn=Printer-Admins,cn=groups,DC=w2k12,DC=test
...
02.05.2017 17:00:47,952 LDAP        (PROCESS): sync_from_ucs: error during add, searching for conflicting deleted object in S4
02.05.2017 17:00:47,953 LDAP        (INFO   ): sync_from_ucs: search filter: (&(sAMAccountName=Print Operators)(objectSid=S-1-5-32-550)(isDeleted=TRUE))
02.05.2017 17:00:47,954 LDAP        (PROCESS): sync_from_ucs: no conflicting deleted object found

search for (samaccountname=Printer-Admins) OR (samaccountname=Print Operators)
Comment 4 Arvid Requate univentionstaff 2017-05-02 17:56:39 CEST
Search filter adjusted, package rebuilt and advisory updated.
Comment 5 Stefan Gohmann univentionstaff 2017-05-03 07:38:52 CEST
I'm not sure if this bug or Bug #44291 is the root cause but the S4 connector tests fail since April 18th.

See 
 http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-4/job/AutotestJoin/SambaVersion=s4connector,Systemrolle=master/168/

-----------------------------------------------------------------------
02.05.2017 18:06:58,613 LDAP        (PROCESS): sync from ucs: [         group] [       add] cn=denied rodc password replication group,cn=groups,DC=autotest091c,DC=local
02.05.2017 18:06:58,684 LDAP        (PROCESS): sync from ucs: [         group] [    modify] cn=denied rodc password replication group,cn=groups,DC=autotest091c,DC=local
02.05.2017 18:06:58,748 LDAP        (PROCESS): sync from ucs: [         group] [       add] cn=administrators,cn=builtin,DC=autotest091c,DC=local
02.05.2017 18:06:58,749 LDAP        (PROCESS): Unable to sync cn=administrators,cn=builtin,DC=autotest091c,DC=local (GUID: 161b30e8-cafa-4bb6-9482-775aa4ff8943). The object is currently locked.
02.05.2017 18:07:28,784 MAIN        (------ ): DEBUG_INIT
02.05.2017 18:07:28,889 LDAP        (PROCESS): Building internal group membership cache
02.05.2017 18:07:28,892 LDAP        (PROCESS): Internal group membership cache was created
02.05.2017 18:07:29,329 LDAP        (PROCESS): sync from ucs: [         group] [       add] cn=administrators,cn=builtin,DC=autotest091c,DC=local
02.05.2017 18:07:29,330 LDAP        (PROCESS): Unable to sync cn=administrators,cn=builtin,DC=autotest091c,DC=local (GUID: 161b30e8-cafa-4bb6-9482-775aa4ff8943). The object is currently locked.
02.05.2017 18:07:59,368 MAIN        (------ ): DEBUG_INIT
-----------------------------------------------------------------------
Comment 6 Arvid Requate univentionstaff 2017-05-11 18:21:52 CEST
The current tests look good.
Comment 7 Felix Botner univentionstaff 2017-05-12 12:54:47 CEST
OK - univention-s4-connector
OK - latest jenkins connector tests
OK - YAML
Comment 8 Janek Walkenhorst univentionstaff 2017-07-05 13:32:18 CEST
<http://errata.software-univention.de/ucs/4.1/439.html>