Bug 47343 - Avoid reject in sync_to_s4 when zone cannot be deleted due to child objects
Status: NEW
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal (vote)
Target Milestone: ---
Assigned To: Samba maintainers
QA Contact: Samba maintainers
Duplicates: 49878 (view as bug list)
Depends on:
Blocks:
Reported: 2018-07-11 14:41 CEST by Arvid Requate
Modified: 2024-02-15 10:14 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018071021000262, 2018072621000796, 2018081621000464, 2018081021000573, 2024021421000216
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
check_and_show_child_objects_before_zone_removal_fails.patch (994 bytes, patch)
2018-07-11 14:41 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2018-07-11 14:41:10 CEST
Created attachment 9590 [details]
check_and_show_child_objects_before_zone_removal_fails.patch

Ticket#2018071021000262 reported a reject that occurred after deleting a DNS Zone via UMC. The attached patch should a) improve the logging, so that customer and support can see the child objects that are blocking the removal in Samba/AD and b) not partially remove the SOA record in Samba/AD when the zone container itself cannot be removed. In the current state the Samba/AD container is left without a SOA record, leaving trash in the Samba/AD.

===============================================================================
08.07.2018 06:25:07,404 LDAP        (PROCESS): sync from ucs: [           dns] [    delete] DC=@,DC=some.zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ucsdom,DC=net
08.07.2018 06:25:07,406 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1529325131.369715
08.07.2018 06:25:07,407 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2727, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1585, in ucs2con
    s4_zone_delete(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 884, in s4_zone_delete
    res = s4connector.lo_s4.lo.delete_s(zone_dn)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 295, in delete_s
    return self.delete_ext_s(dn,None,None)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 288, in delete_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NOT_ALLOWED_ON_NONLEAF: {'info': '00002015: subtree_delete: Unable to delete a non-leaf node (it has 1 children)!', 'desc': 'Operation not allowed on non-leaf'}
===============================================================================
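The failure mode in the description (the SOA record is gone, the container remains because Samba refuses to delete a non-leaf node) and the check the patch is meant to add can be modelled without a Samba installation. The block below is an added example, not the attached patch and not connector code: `FakeSamDb` stands in for `s4connector.lo_s4.lo`, the pre-patch ordering (remove `DC=@`, then the container) is an assumption drawn from the traceback, and the zone DN, the `DC=host` record and all function names are constructed for the illustration.

```python
"""Model of the partial-removal problem in s4_zone_delete and the child-object check."""
import logging

log = logging.getLogger("connector-s4")


class NotAllowedOnNonLeaf(Exception):
    """Stand-in for ldap.NOT_ALLOWED_ON_NONLEAF (Samba: 'Unable to delete a non-leaf node')."""


class NoSuchObject(Exception):
    """Stand-in for ldap.NO_SUCH_OBJECT."""


class FakeSamDb:
    """In-memory stand-in for the Samba/AD LDAP connection (constructed for this example).

    DNs match case-insensitively; 'children' means every entry below base_dn, because
    Samba rejects the delete as long as anything at all exists below the node.
    """

    def __init__(self, dns):
        self.entries = {dn.lower(): dn for dn in dns}

    def exists(self, dn):
        return dn.lower() in self.entries

    def children(self, base_dn):
        suffix = "," + base_dn.lower()
        return sorted(orig for key, orig in self.entries.items() if key.endswith(suffix))

    def delete_s(self, dn):
        """Like ldapobject.delete_s against Samba: non-leaf deletes are rejected."""
        if not self.exists(dn):
            raise NoSuchObject(dn)
        kids = self.children(dn)
        if kids:
            raise NotAllowedOnNonLeaf(
                "00002015: subtree_delete: Unable to delete a non-leaf node "
                "(it has %d children)!" % len(kids))
        del self.entries[dn.lower()]


def soa_record_dn(zone_dn):
    # The UDM forward zone maps to the DC=@ (SOA) record directly below the zone container.
    return "DC=@," + zone_dn


def s4_zone_delete_before(samdb, zone_dn):
    """Assumed pre-patch order: drop the SOA record, then the container.

    If the container still has other children the second delete raises, the sync
    is saved as rejected, and the SOA record is already gone (the 'trash' state).
    """
    samdb.delete_s(soa_record_dn(zone_dn))
    samdb.delete_s(zone_dn)


def s4_zone_delete_checked(samdb, zone_dn):
    """Look for blocking sub-objects first and touch nothing if any are found.

    Returns the DNs that block the removal; an empty list means the zone was removed.
    """
    soa_dn = soa_record_dn(zone_dn)
    blocking = [dn for dn in samdb.children(zone_dn) if dn.lower() != soa_dn.lower()]
    if blocking:
        log.error("remove zone container from S4 failed, there are sub-objects left")
        for dn in blocking:
            log.error(" %s", dn)
        return blocking
    if samdb.exists(soa_dn):
        samdb.delete_s(soa_dn)
    samdb.delete_s(zone_dn)
    return []


# Constructed sample directory: a zone, its SOA record and one leftover host record.
ZONE_DN = "DC=some.zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ucsdom,DC=net"
SAMPLE_ENTRIES = [
    ZONE_DN,
    "DC=@," + ZONE_DN,
    "DC=host," + ZONE_DN,  # hypothetical record that blocks the container removal
]


def run_before_patch():
    """Returns (raised, soa_still_there, container_still_there) for the old ordering."""
    db = FakeSamDb(SAMPLE_ENTRIES)
    try:
        s4_zone_delete_before(db, ZONE_DN)
        raised = False
    except NotAllowedOnNonLeaf:
        raised = True
    return raised, db.exists(soa_record_dn(ZONE_DN)), db.exists(ZONE_DN)


def run_with_check():
    """Returns (blocking DNs, soa_still_there) for the checked version on the same data."""
    db = FakeSamDb(SAMPLE_ENTRIES)
    blocking = s4_zone_delete_checked(db, ZONE_DN)
    return blocking, db.exists(soa_record_dn(ZONE_DN))


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("before patch:", run_before_patch())
    print("with check:  ", run_with_check())
```

The point of the checked variant is the ordering: the child search happens before either delete, so a blocked removal leaves Samba/AD exactly as it was and the log names the DNs an admin has to deal with. On a real system the same pre-check can be done by hand with `ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs -b '<zone DN>' -s one dn` before reaching for `ldbdel -r`.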
Comment 1 Christina Scheinig univentionstaff 2018-07-27 14:22:08 CEST
Happened again and was reported via diagnostic module
Comment 2 Christina Scheinig univentionstaff 2018-07-27 15:55:17 CEST
I tested the patch in a customer environment.
After fixing the for loop

for result in s4connector.lo_s4.lo.search_ext_s(zone_dn, ldap.SCOPE_SUBTREE, 'objectClass=*', timeout=-1, sizelimit=0):

I got these messages in the connector-s4.log:
27.07.2018 06:26:30,343 LDAP        (PROCESS): sync from ucs: [           dns] [    delete] DC=@,DC=somezone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local
27.07.2018 06:26:30,355 LDAP        (ERROR  ): remove zone container from S4 failed, there are sub-objects left
27.07.2018 06:26:30,355 LDAP        (ERROR  ):  DC=somezone.test.local,DC=somezone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local

and the rejects are gone. Hope this is the expected behaviour.
Comment 3 Arvid Requate univentionstaff 2018-07-31 19:12:33 CEST
> and the rejects are gone. Hope this is the expected behaviour.

No. I guess that the zone has not been deleted in Samba/AD because, as the log messages say the following object is blocking the removal:

DC=somezone.test.local,DC=somezone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local

We should handle that in the context of the ticket.
Comment 4 Christina Scheinig univentionstaff 2018-08-21 09:35:56 CEST
I did not apply the patch. I deleted the zones manually, as it was done in ticket 2018081021000573

ldbdel -H /var/lib/samba/private/sam.ldb --cross-ncs -r 'DC=some.zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ucsdom,DC=net'
Comment 5 Florian Best univentionstaff 2019-09-26 16:19:25 CEST
*** Bug 49878 has been marked as a duplicate of this bug. ***
Comment 6 Florian Best univentionstaff 2019-09-26 16:20:26 CEST
(In reply to Florian Best from comment #5)
> *** Bug 49878 has been marked as a duplicate of this bug. ***
This happens around 158 times every night in our Jenkins tests:
attachment 10121 [details] (s4connector.log)
Comment 7 Florian Best univentionstaff 2019-09-26 16:25:35 CEST
Bug #43722 is probably also a duplicate of this bug!

> Now the DC=@ object in dc=forestdnszones,DC=w2k12,DC=test is gone and DNS is
> completely broken. Furthermore, there is no easy way to repair this. We had
> to get the object from the backup and add it to the samba database.
> 
> (1) It would be nice if check_essential_samba4_dns_records not only checks
> but also repairs such situations.
> 
> (2) The connector should not delete
> dc=@,dc=_msdcs.w2k12.test,...,dc=forestdnszones,... if a new UDM dns forward
> zone "_msdcs.$(ucr get domainname)"  is created/removed.
Comment 8 Christina Scheinig univentionstaff 2024-02-15 10:14:15 CET
Happened again in Ticket 2024021421000216. The DC=@ was deleted in samba4 DNS, but fortunately not all!
So removing the existing rejects and resyncing the zone fixes the issue, because all underlying objects are still there.