Bug 47440 – UCS@school Slave: Temporary reject for join-slave and join-backup

Bug 47440 - UCS@school Slave: Temporary reject for join-slave and join-backup


Summary:	UCS@school Slave: Temporary reject for join-slave and join-backup

Status:	NEW

Product:	UCS@school
Classification:	Unclassified
Component:	Samba 4 - Slave PDC
Version:	UCS@school 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	Samba maintainers
QA Contact:

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2018-08-02 12:25 CEST by Jürn Brodersen
Modified:	2020-12-01 13:15 CET (History)
CC List:	5 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	2: Improvement: Would be a product improvement
Who will be affected by this bug?:	5: Will affect all installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.114
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2019011021000397
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jürn Brodersen

2018-08-02 12:25:50 CEST

This error seems to happen every time a school slave joins:
http://jenkins.knut.univention.de:8080/job/UCSschool-4.3/job/Install%20Multiserver/Config=s4,TestGroup=base1/ws/test/slave2032/connector-s4.log

'''
02.08.2018 00:32:14,537 LDAP        (PROCESS): sync from ucs: [          user] [       add] cn=join-slave,cn=users,DC=autotest203,DC=local
02.08.2018 00:32:14,547 LDAP        (WARNING): sync failed, saved as rejected
	/var/lib/univention-connector/s4/1533162059.650477
02.08.2018 00:32:14,548 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 898, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2533, in sync_from_ucs
    f(self, property_type, object, addlist, ctrls)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 128, in add_primary_group_to_addlist
    primary_group_sid = ldap_object_s4_group['objectSid'][0]
TypeError: 'NoneType' object has no attribute '__getitem__'
'''

This doesn't seem to actually break anything but having s4 rejects on a fresh system isn't really a nice thing.

Comment 1 Christian Völker

2019-01-24 09:01:18 CET

Is happening on customer site who has serious problems in joining school slaves. Dunno if related but for sure it does not simplify troubleshooting!
============================================================================

24.01.2019 05:09:45,792 LDAP        (PROCESS): sync from ucs: [          user] [       add] cn=USERNAME,cn=schueler,cn=users,ou=SCHOOL,DC=SCHOOL,DC=DE
24.01.2019 05:09:46,398 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1548299500.685835
24.01.2019 05:09:46,398 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 898, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2538, in sync_from_ucs
    f(self, property_type, object, addlist, ctrls)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 128, in add_primary_group_to_addlist
    primary_group_sid = ldap_object_s4_group['objectSid'][0]
TypeError: 'NoneType' object has no attribute '__getitem__'

Comment 2 Felix Botner

2019-02-11 13:46:20 CET

In UCS the the primary group of join-slave is created before the user (obviously), but this information (which object was created first) is lost during the connector initialization.

The connector gets the ADD for the user first and fails (as he can't get the RID of the primary group in samba). But this is a temporary reject and and soon as the group is created in samba, the user sync also works.

I see no easy "fix" (even though this is not really a problem).

We can't create the use before the group, or we loose the correct primary group for the user. We could somehow preserve the creation order in the connector listener, so that the group is synced first. But that would be a rather dramatic change for this kind of Non-problem.

I changed the user pain, this is not a setup problem, just an annoyance.

Comment 3 Florian Best

2020-08-21 09:34:47 CEST

Still with UCS 4.4-5:

LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 891, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2385, in sync_from_ucs
    f(self, property_type, object, addlist, ctrls)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 136, in add_primary_group_to_addlist
    primary_group_sid = ldap_object_s4_group['objectSid'][0]
TypeError: 'NoneType' object has no attribute '__getitem__'