Univention Bugzilla – Bug 47343
Avoid reject in sync_to_s4 when zone cannot be deleted due to child objects
Last modified: 2024-02-15 10:14:15 CET
Created attachment 9590 [details]
check_and_show_child_objects_before_zone_removal_fails.patch

Ticket#2018071021000262 reported a reject that occurred after deleting a DNS Zone via UMC. The attached patch should a) improve the logging, so that customer and support can see the child objects that are blocking the removal in Samba/AD and b) not partially remove the SOA record in Samba/AD when the zone container itself cannot be removed. In the current state the Samba/AD container is left without a SOA record, leaving trash in the Samba/AD.

===============================================================================
08.07.2018 06:25:07,404 LDAP (PROCESS): sync from ucs: [ dns] [ delete] DC=@,DC=some.zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ucsdom,DC=net
08.07.2018 06:25:07,406 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1529325131.369715
08.07.2018 06:25:07,407 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2727, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1585, in ucs2con
    s4_zone_delete(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 884, in s4_zone_delete
    res = s4connector.lo_s4.lo.delete_s(zone_dn)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 295, in delete_s
    return self.delete_ext_s(dn,None,None)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 288, in delete_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NOT_ALLOWED_ON_NONLEAF: {'info': '00002015: subtree_delete: Unable to delete a non-leaf node (it has 1 children)!', 'desc': 'Operation not allowed on non-leaf'}
===============================================================================
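The failure mode the comment above describes, as an added example (not code from univention-s4-connector or from the attached patch): the connector removes the zone's SOA record (the DC=@ object) first and then the zone container, and Samba/AD refuses the second delete with NOT_ALLOWED_ON_NONLEAF when other child objects are left, so the container survives without its SOA. The `FakeSamLdb` class is an assumed in-memory stand-in for the `lo_s4.lo` python-ldap object, mirroring only the two method shapes the traceback shows (`search_ext_s` and `delete_s`); `naive_zone_delete`, `blocking_children` and `safe_zone_delete` are hypothetical names. The guarded variant lists the blocking children and changes nothing when any exist, which is the behaviour the patch asks for.

```python
"""Added example, not code from the univention-s4-connector project."""
import logging

SCOPE_ONELEVEL = 1   # same numeric values as ldap.SCOPE_ONELEVEL / ldap.SCOPE_SUBTREE
SCOPE_SUBTREE = 2

log = logging.getLogger("s4connector.dns")


class NotAllowedOnNonleaf(Exception):
    """Stand-in for ldap.NOT_ALLOWED_ON_NONLEAF (Samba error 00002015)."""


def _is_under(dn, base):
    """True if dn lies strictly below base (case-insensitive DN suffix match)."""
    return dn.lower().endswith("," + base.lower())


def _parent(dn):
    """'DC=@,DC=zone,CN=MicrosoftDNS,...' -> 'DC=zone,CN=MicrosoftDNS,...'"""
    return dn.split(",", 1)[1]


class FakeSamLdb:
    """Assumed in-memory directory with the two calls the connector uses.

    Like Samba, delete_s() refuses to remove an entry that still has children.
    """

    def __init__(self, dns):
        self.entries = set(dns)

    def search_ext_s(self, base, scope, filterstr="objectClass=*", attrlist=None,
                     timeout=-1, sizelimit=0):
        out = []
        for dn in self.entries:
            if dn.lower() == base.lower():
                out.append((dn, {}))
            elif _is_under(dn, base) and (
                    scope == SCOPE_SUBTREE
                    or (scope == SCOPE_ONELEVEL and _parent(dn).lower() == base.lower())):
                out.append((dn, {}))
        return sorted(out, key=lambda e: e[0])

    def delete_s(self, dn):
        children = [d for d in self.entries if _is_under(d, dn)]
        if children:
            raise NotAllowedOnNonleaf(
                "00002015: subtree_delete: Unable to delete a non-leaf node "
                "(it has %d children)!" % len(children))
        self.entries.remove(dn)


def naive_zone_delete(lo, zone_dn):
    """The order the traceback shows: SOA record first, then the container."""
    lo.delete_s("DC=@," + zone_dn)
    lo.delete_s(zone_dn)          # raises when other children remain: SOA is already gone


def blocking_children(lo, zone_dn):
    """DNs below zone_dn other than the zone's own SOA record (DC=@)."""
    soa_dn = ("DC=@," + zone_dn).lower()
    res = lo.search_ext_s(zone_dn, SCOPE_SUBTREE, "objectClass=*", timeout=-1, sizelimit=0)
    return [dn for dn, _attrs in res if dn.lower() not in (zone_dn.lower(), soa_dn)]


def safe_zone_delete(lo, zone_dn):
    """Remove SOA and container only when nothing else would block the container.

    Returns True if the zone was removed, False (and nothing touched) otherwise.
    """
    left = blocking_children(lo, zone_dn)
    if left:
        log.error("remove zone container from S4 failed, there are sub-objects left")
        for dn in left:
            log.error(dn)
        return False
    lo.delete_s("DC=@," + zone_dn)
    lo.delete_s(zone_dn)
    return True


# Constructed sample data, mirroring the DNs quoted in this bug.
ZONE_DN = "DC=somezone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local"


def build_zone(extra_children=()):
    dns = [ZONE_DN, "DC=@," + ZONE_DN] + ["%s,%s" % (rdn, ZONE_DN) for rdn in extra_children]
    return FakeSamLdb(dns)


def demo_naive():
    """Old sequence against a zone with one leftover record: SOA lost, container kept."""
    lo = build_zone(["DC=somezone.test.local"])
    try:
        naive_zone_delete(lo, ZONE_DN)
    except NotAllowedOnNonleaf:
        pass
    return sorted(lo.entries)


def demo_safe():
    """Guarded sequence against the same zone: nothing removed, blockers logged."""
    lo = build_zone(["DC=somezone.test.local"])
    removed = safe_zone_delete(lo, ZONE_DN)
    return removed, sorted(lo.entries)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR, format="LDAP (ERROR ): %(message)s")
    print("after naive delete:", demo_naive())
    print("after safe delete:", demo_safe())
```

Running it prints the two error lines in the same shape as the connector-s4.log excerpt further down in this bug, and shows that with the guard the container, the SOA record and the blocking record are all still present, so the zone can be repaired or resynced rather than left half-deleted.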
Happened again and was reported via diagnostic module
I tested the patch in a customer environment. After fixing the for loop

    for result in s4connector.lo_s4.lo.search_ext_s(zone_dn, ldap.SCOPE_SUBTREE, 'objectClass=*', timeout=-1, sizelimit=0):

I got these messages in the connector-s4.log:

27.07.2018 06:26:30,343 LDAP (PROCESS): sync from ucs: [ dns] [ delete] DC=@,DC=somezone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local
27.07.2018 06:26:30,355 LDAP (ERROR ): remove zone container from S4 failed, there are sub-objects left
27.07.2018 06:26:30,355 LDAP (ERROR ): DC=somezone.test.local,DC=somezone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local

and the rejects are gone. Hope this is the expected behaviour.
> and the rejects are gone. Hope this is the expected behaviour.

No. I guess that the zone has not been deleted in Samba/AD because, as the log messages say, the following object is blocking the removal:

DC=somezone.test.local,DC=somezone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local

We should handle that in the context of the ticket.
I did not apply the patch. I deleted the zones manually, as it was done in ticket 2018081021000573:

    ldbdel -H /var/lib/samba/private/sam.ldb --cross-ncs -r 'DC=some.zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ucsdom,DC=net'
*** Bug 49878 has been marked as a duplicate of this bug. ***
(In reply to Florian Best from comment #5)
> *** Bug 49878 has been marked as a duplicate of this bug. ***

This happens around 158 times every night in our Jenkins tests: attachment 10121 [details] (s4connector.log)
Bug #43722 is probably also a duplicate of this bug!

> Now the DC=@ object in dc=forestdnszones,DC=w2k12,DC=test is gone and DNS is
> completely broken. Furthermore, there is no easy way to repair this. We had
> to get the object from the backup and add it to the samba database.
>
> (1) It would be nice if check_essential_samba4_dns_records not only checks
> but also repairs such situations.
>
> (2) The connector should not delete
> dc=@,dc=_msdcs.w2k12.test,...,dc=forestdnszones,... if a new UDM dns forward
> zone "_msdcs.$(ucr get domainname)" is created/removed.
Happened again in Ticket 2024021421000216. The DC=@ was deleted in samba4 DNS, but fortunately not all! So removing the existing rejects and resyncing the zone fixes the issue, because all underlying objects are still there.