Bug 46649 - S4-Connector sync to ucs: reject for CN=dns container
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.4
Other Linux
: P5 normal (vote)
: UCS 4.4-2-errata
Assigned To: Daniel Tröder
Felix Botner
:
Depends on:
Blocks: 50268 50769
Reported: 2018-03-13 21:26 CET by Arvid Requate
Modified: 2020-02-03 16:37 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018092621000891, 2018092621000891, 2018110921000346, 2019060621000511
Bug group (optional):
Max CVSS v3 score:


Attachments
connector-s4.log from UCS@school Samba/AD Slave PDC (128.32 KB, text/x-log)
2018-03-13 21:26 CET, Arvid Requate
connector-s4.log reject at debug level 4 (32.00 KB, text/x-log)
2018-03-13 21:52 CET, Arvid Requate

Description Arvid Requate univentionstaff 2018-03-13 21:26:19 CET
Created attachment 9468 [details]
connector-s4.log  from UCS@school Samba/AD Slave PDC

A new installation of a UCS@school 4.3-0 Multischool Samba/AD Slave PDC (Master without Samba/AD) shows this reject:

==========================================================================
13.03.2018 16:04:10,141 LDAP        (PROCESS): sync to ucs:   [     container] [    modify] cn=dns,dc=ar430rc1s,dc=school
13.03.2018 16:04:10,351 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
13.03.2018 16:04:10,352 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1588, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1365, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 526, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1074, in _modify
    self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 500, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
==========================================================================
Comment 1 Arvid Requate univentionstaff 2018-03-13 21:52:45 CET
Created attachment 9469 [details]
connector-s4.log   reject at debug level 4
Comment 2 Markus Dählmann 2018-09-17 17:20:31 CEST
Happens here too every time a school DC is joined to the domain. 4.3-1 errata229.
Comment 3 Christina Scheinig univentionstaff 2018-10-05 10:54:41 CEST
It was also a reason for troubleshooting in ticket #2018092621000891
Comment 4 Christina Scheinig univentionstaff 2019-01-16 15:41:44 CET
Happened again, may we fix this to reduce troubleshooting?

It could be something worse, something really changed, and then you debug and demand more debug and then you realize nothing really changed. There is no real problem here, but the slave is not allowed to write "nothing". 

You have a reject, and this is shown in the diagnostic tool. 

Oh, something might be wrong, I'll open a support ticket...
Comment 5 Christina Scheinig univentionstaff 2019-06-11 14:12:15 CEST
Happened again on a newly installed school slave
UCS: 4.3-4 errata526 ucsschool=4.3 v8

The customer was quite concerned about whether this might cause major DNS problems.
Comment 6 Stefan Gohmann univentionstaff 2019-07-23 16:43:52 CEST
The S4 connector tries to add the objectClass top to the dns container. The modlist line:

mod dn=cn=dns,$LDAP_BASE ml=[('objectClass', ['organizationalRole', 'univentionObject'], ['top', 'organizationalRole', 'univentionObject'])]
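
Added example (not part of the bug thread and not Univention's code): a small triage script for the reject shown in the description and the modlist quoted in comment 6. It pairs each "sync to ucs" line with the exception that ends its traceback and reports whether the rejected write would only add "top"; the function names and the abridged sample log are constructed for illustration.

```python
import ast
import re

# Constructed sample: abridged from the traceback in the bug description.
SAMPLE_LOG = """\
13.03.2018 16:04:10,141 LDAP        (PROCESS): sync to ucs:   [     container] [    modify] cn=dns,dc=ar430rc1s,dc=school
13.03.2018 16:04:10,351 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
13.03.2018 16:04:10,352 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 500, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
"""
# Modlist line as quoted in comment 6.
SAMPLE_MODLIST = ("mod dn=cn=dns,$LDAP_BASE ml=[('objectClass', "
                  "['organizationalRole', 'univentionObject'], "
                  "['top', 'organizationalRole', 'univentionObject'])]")

SYNC_RE = re.compile(r"^(\S+ \S+) LDAP\s+\(PROCESS\): sync to ucs:"
                     r"\s+\[\s*([^\]\s]+)\] \[\s*([^\]\s]+)\] (.+)$")
STAMPED_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4} ")

def find_rejects(log_text):
    """Pair each 'sync to ucs' line with the exception ending its traceback."""
    rejects, current, in_tb, last = [], None, False, None
    # The sentinel is a timestamped line that flushes a traceback at end of file.
    for line in log_text.splitlines() + ["01.01.1970 end"]:
        if STAMPED_RE.match(line):
            if in_tb and current and last:
                rejects.append(dict(current, error=last.strip()))
                current = None
            in_tb, last = "Traceback (most recent call last)" in line, None
            m = SYNC_RE.match(line)
            if m:
                current = dict(zip(("time", "type", "op", "dn"), m.groups()))
        elif in_tb and line.strip():
            last = line  # the final unstamped line names the exception
    return rejects

def objectclass_delta(modlist_line):
    """Return (added, removed) objectClass values from a logged modlist."""
    for attr, old, new in ast.literal_eval(modlist_line.split(" ml=", 1)[1]):
        if attr.lower() == "objectclass":
            return sorted(set(new) - set(old)), sorted(set(old) - set(new))
    return [], []

def only_adds_top(modlist_line):
    """True when the write changes nothing except adding objectClass 'top'."""
    return objectclass_delta(modlist_line) == (["top"], [])
```
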
Comment 7 Daniel Tröder univentionstaff 2019-09-26 11:01:43 CEST
The objectClass "top" is now added to the container cn=dns,$LDAP_BASE, when the UCS LDAP is initially provisioned.
Existing systems are not modified.

[4.4-2] 386653bb12 Bug #46649: add objectClass "top" to container cn=dns,$LDAP_BASE
[4.4-2] 9809007d76 Bug #46649: advisory

univention-ldap (15.0.0-25)

The test 00_checks/01_univention_system_check should now not fail anymore on the slave in "Install U@S 4.4 Multiserver (00_checks_only)":
http://jenkins.knut.univention.de:8080/job/UCSschool-4.4/job/Install%20Multiserver%2000_checks_only/231/Config=s4,StartConfig=no-samba,TestGroup=base1/testReport/junit/00_checks/01_univention_system_check/slave2151/
Comment 8 Daniel Tröder univentionstaff 2019-10-01 11:23:05 CEST
OK - the problem with cn=dns is gone.

The errors in "00_checks/01_univention_system_check" in http://jenkins.knut.univention.de:8080/job/UCSschool-4.4/job/Install%20Multiserver%2000_checks_only/lastBuild/#showFailuresLink
are not related.
Comment 9 Felix Botner univentionstaff 2019-10-07 10:46:21 CEST
OK - univention-ldap
OK - yaml
Comment 10 Erik Damrose univentionstaff 2019-10-09 14:21:17 CEST
<http://errata.software-univention.de/ucs/4.4/301.html>