Univention Bugzilla – Bug 46649
S4-Connector sync to ucs: reject for CN=dns container
Last modified: 2020-02-03 16:37:16 CET
Created attachment 9468 [details]
connector-s4.log from UCS@school Samba/AD Slave PDC

A new installation of a UCS@school 4.3-0 Multischool Samba/AD Slave PDC (Master without Samba/AD) shows this reject:

==========================================================================
13.03.2018 16:04:10,141 LDAP (PROCESS): sync to ucs: [ container] [ modify] cn=dns,dc=ar430rc1s,dc=school
13.03.2018 16:04:10,351 LDAP (ERROR ): Unknown Exception during sync_to_ucs
13.03.2018 16:04:10,352 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1588, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1365, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 526, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1074, in _modify
    self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 500, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
==========================================================================
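Added example, not part of the original report or of Univention's code: a small triage script that pairs each failed "sync to ucs" entry in connector-s4.log with the exception that ends its traceback, so recurring rejects such as the one above can be grouped by DN. The sample log is constructed from the excerpt in this report; the function names and the assumption about the traceback layout are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the connector-s4.log layout quoted in this report;
# the second entry (uid=demo) is made up to show a sync that did not fail.
SAMPLE_LOG = '''\
13.03.2018 16:04:10,141 LDAP (PROCESS): sync to ucs: [ container] [ modify] cn=dns,dc=ar430rc1s,dc=school
13.03.2018 16:04:10,351 LDAP (ERROR ): Unknown Exception during sync_to_ucs
13.03.2018 16:04:10,352 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 500, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
13.03.2018 16:05:00,000 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=demo,dc=example,dc=test
'''

STAMP = r"(?P<time>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3}) LDAP\s+\([A-Z ]+\): "
SYNC = re.compile(STAMP + r"sync to ucs:\s*\[\s*(?P<type>[^\]]+?)\s*\]"
                          r"\s*\[\s*(?P<op>[^\]]+?)\s*\]\s*(?P<dn>.+)$")
FAILED = re.compile(STAMP + r"Unknown Exception during sync_to_ucs")
STAMPED = re.compile(STAMP)

def find_failed_syncs(text):
    """Return one dict per sync_to_ucs failure: time, type, op, dn, exception."""
    failures, current, awaiting_exc = [], None, False
    for line in text.splitlines():
        sync = SYNC.match(line)
        if sync:                       # remember which object is being synced
            current, awaiting_exc = sync.groupdict(), False
        elif FAILED.match(line) and current:
            failures.append(dict(current, exception=None))
            awaiting_exc = True
        elif (awaiting_exc and line.strip() and not line[0].isspace()
              and not STAMPED.match(line)):
            # Assumption: the traceback ends with an unindented, unstamped
            # line naming the exception, as in a standard Python traceback.
            failures[-1]["exception"] = line.strip().split(":")[0]
            awaiting_exc = False
    return failures

def summarize(failures):
    """Count failures per (dn, exception) so recurring rejects stand out."""
    return Counter((f["dn"], f["exception"]) for f in failures)

if __name__ == "__main__":
    for (dn, exc), count in summarize(find_failed_syncs(SAMPLE_LOG)).items():
        print(f"{count}x {exc}: {dn}")
```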
Created attachment 9469 [details] connector-s4.log reject at debug level 4
Happens here too every time a school DC is joined to the domain. 4.3-1 errata229.
It was also a reason for troubleshooting in ticket #2018092621000891
Happened again, may we fix this to reduce troubleshooting? It could be something worse, something really changed, and then you debug and demand more debug and then you realize nothing really changed. There is no real problem here, but the slave is not allowed to write "nothing". You have a reject, and this is shown in the diagnostic tool. Oh, something might be wrong, I'll open a support ticket...
Happened again on a newly installed school slave
UCS: 4.3-4 errata526 ucsschool=4.3 v8

The customer was quite concerned whether this might cause major DNS problems.
The S4 connector tries to add the objectClass top to the dns container. The modlist line:

mod dn=cn=dns,$LDAP_BASE ml=[('objectClass', ['organizationalRole', 'univentionObject'], ['top', 'organizationalRole', 'univentionObject'])]
The objectClass "top" is now added to the container cn=dns,$LDAP_BASE, when the UCS LDAP is initially provisioned. Existing systems are not modified.

[4.4-2] 386653bb12 Bug #46649: add objectClass "top" to container cn=dns,$LDAP_BASE
[4.4-2] 9809007d76 Bug #46649: advisory univention-ldap (15.0.0-25)

The test 00_checks/01_univention_system_check should now not fail anymore on the slave in "Install U@S 4.4 Multiserver (00_checks_only)":
http://jenkins.knut.univention.de:8080/job/UCSschool-4.4/job/Install%20Multiserver%2000_checks_only/231/Config=s4,StartConfig=no-samba,TestGroup=base1/testReport/junit/00_checks/01_univention_system_check/slave2151/
OK - the problem with cn=dns is gone. The errors in "00_checks/01_univention_system_check" in http://jenkins.knut.univention.de:8080/job/UCSschool-4.4/job/Install%20Multiserver%2000_checks_only/lastBuild/#showFailuresLink are not related.
OK - univention-ldap
OK - yaml
<http://errata.software-univention.de/ucs/4.4/301.html>