Bug 49473 - S4connector Traceback due to permissionDenied: Can not modify lock time of
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: LDAP
UCS@school 5.0
Other Linux
P5 normal
Assigned To: UCS@school maintainers
Reported: 2019-05-14 16:31 CEST by Christian Völker
Modified: 2023-04-18 16:27 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.171
Enterprise Customer affected?: Yes
School Customer affected?: Yes
Ticket number: 2019031921001054, 2020021821000207, 2020032021000424, 2020111021000188, 2021062221000235, 2023040421000297


Description Christian Völker univentionstaff 2019-05-14 16:31:31 CEST
s4 connector stops working on a school-slave.
Might be some editing on the objects but unsure what has been done in detail.
However, connector-s4.log states:
=======================================================================0
30.04.2019 14:43:06,421 LDAP        (INFO   ): close debug
DEL:85e3916f-5c38-4501-b8b6-b8f6a3b4bd6c))
DEL:85e3916f-5c38-4501-b8b6-b8f6a3b4bd6c,zonename=domain.de,cn=dns,dc=domain,dc=de
DEL:85e3916f-5c38-4501-b8b6-b8f6a3b4bd6c,zonename=domain.de,cn=dns,dc=domain,dc=de
DEL:4c66cb3e-2fb6-4e9c-8b40-c6e618175056))
DEL:4c66cb3e-2fb6-4e9c-8b40-c6e618175056,zonename=4.10.in-addr.arpa,cn=dns,dc=domain,dc=de
DEL:4c66cb3e-2fb6-4e9c-8b40-c6e618175056,zonename=4.10.in-addr.arpa,cn=dns,dc=domain,dc=de
DEL:f8735e63-915b-4f20-8b53-52d95f02a878))
DEL:f8735e63-915b-4f20-8b53-52d95f02a878,zonename=domain.de,cn=dns,dc=domain,dc=de
DEL:f8735e63-915b-4f20-8b53-52d95f02a878,zonename=domain.de,cn=dns,dc=domain,dc=de
DEL:ae68a09c-1dc0-49c7-a61f-5cc17ae26710))
DEL:ae68a09c-1dc0-49c7-a61f-5cc17ae26710,zonename=4.10.in-addr.arpa,cn=dns,dc=domain,dc=de
DEL:ae68a09c-1dc0-49c7-a61f-5cc17ae26710,zonename=4.10.in-addr.arpa,cn=dns,dc=domain,dc=de
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1626, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1377, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1669, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 580, in modify
    self._ldap_pre_ready()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1894, in _ldap_pre_ready
    self.alloc.append(('mailPrimaryAddress', univention.admin.allocators.request(self.lo, self.position, 'mailPrimaryAddress', value=self['mailPrimaryAddress'])))
  File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 196, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type])
  File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 185, in acquireUnique
    univention.admin.locking.lock(lo, position, type, value, scope=scope)
  File "/usr/lib/pymodules/python2.7/univention/admin/locking.py", line 78, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=http-proxy-ucs-mscsmc@domain.de,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=domain,dc=de'.

  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1626, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1377, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1669, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 580, in modify
    self._ldap_pre_ready()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1894, in _ldap_pre_ready
    self.alloc.append(('mailPrimaryAddress', univention.admin.allocators.request(self.lo, self.position, 'mailPrimaryAddress', value=self['mailPrimaryAddress'])))
  File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 196, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type])
  File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 185, in acquireUnique
    univention.admin.locking.lock(lo, position, type, value, scope=scope)
  File "/usr/lib/pymodules/python2.7/univention/admin/locking.py", line 78, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=http-proxy-ucs-gsadbg@domain.de,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=domain,dc=de'.

  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1626, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1377, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1669, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 580, in modify
    self._ldap_pre_ready()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1894, in _ldap_pre_ready
    self.alloc.append(('mailPrimaryAddress', univention.admin.allocators.request(self.lo, self.position, 'mailPrimaryAddress', value=self['mailPrimaryAddress'])))
  File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 196, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type])
  File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 185, in acquireUnique
    univention.admin.locking.lock(lo, position, type, value, scope=scope)
  File "/usr/lib/pymodules/python2.7/univention/admin/locking.py", line 78, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=http-proxy-ucs-osgblz@domain.de,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=domain,dc=de'.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2019-05-28 15:13:36 CEST
It looks like someone added via the AD a mail address to the functional/internal user cn=http-proxy-.....@domain.de. The functional/internal user is required for the proxy squid. I do not see a reason/use case to add a mail address. That's why the LDAP ACLs gave no write permission.

Are there any further details known regarding the use case?
Comment 2 Christian Völker univentionstaff 2019-05-28 16:54:53 CEST
There has been no specific reason. Moreover, this has happened by accident and is not needed.

But I guess we should fix it somehow by creating a more readable output instead of a traceback.
Comment 3 Christian Völker univentionstaff 2020-02-18 15:48:47 CET
Happened on another customer on two servers:
I guess as workaround the objects can simply be removed on the master?

========================================================
18.02.2020 09:18:37.234 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1537, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1278, in add_in_ucs
    res = ucs_object.create(serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 555, in create
    self._ldap_pre_ready()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1637, in _ldap_pre_ready
    self.alloc.append(('uid', univention.admin.allocators.request(self.lo, self.position, 'uid', value=self['username'])))
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 195, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type])
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 173, in acquireUnique
    univention.admin.locking.lock(lo, position, type, value, scope=scope)
  File "/usr/lib/python2.7/dist-packages/univention/admin/locking.py", line 101, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=dns-ucsschool,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2020-02-19 21:31:37 CET
(In reply to Christian Völker from comment #3)
> I guess as workaround the objects can simply be removed on the master?

If the lock time is more than 5min in the past, the lock object is considered as expired and can be removed.
Comment 5 Christina Scheinig univentionstaff 2020-11-12 16:44:58 CET
Unfortunately you cannot see here if the object should be added or modified.
In my new case, the dns-hostname object should be added, but gets the permissionDenied: Can not modify lock time of u'cn=dns-hostname....
Comment 6 Christina Scheinig univentionstaff 2021-06-22 15:36:40 CEST
(In reply to Christian Völker from comment #3)
> Happened on another customer on two servers:
> I guess as workaround the objects can simply be removed on the master?
> 
> ========================================================
> 18.02.2020 09:18:37.234 LDAP        (ERROR  ): Traceback (most recent call
> last):
>   File
> "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line
> 1537, in sync_to_ucs
>     result = self.add_in_ucs(property_type, object, module, position)
>   File
> "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line
> 1278, in add_in_ucs
>     res = ucs_object.create(serverctrls=serverctrls, response=response)
>   File
> "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py",
> line 555, in create
>     self._ldap_pre_ready()
>   File
> "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py",
> line 1637, in _ldap_pre_ready
>     self.alloc.append(('uid', univention.admin.allocators.request(self.lo,
> self.position, 'uid', value=self['username'])))
>   File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py",
> line 195, in request
>     return acquireUnique(lo, position, type, value, _type2attr[type],
> scope=_type2scope[type])
>   File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py",
> line 173, in acquireUnique
>     univention.admin.locking.lock(lo, position, type, value, scope=scope)
>   File "/usr/lib/python2.7/dist-packages/univention/admin/locking.py", line
> 101, in lock
>     raise univention.admin.uexceptions.permissionDenied(_('Can not modify
> lock time of %r.') % (dn,))
> permissionDenied: Can not modify lock time of
> u'cn=dns-ucsschool,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.

Happened again, and there is no temporary object anymore, but the account is not created in LDAP.
Comment 7 Mirac Erdemiroglu univentionstaff 2023-04-18 16:27:43 CEST
Customer affected Ticket#2023040421000297

UCS: 5.0-3 errata642
Installed: cups=2.2.1 dhcp-server=12.0 radius=5.0 samba4=4.16 squid=3.5 ucsschool=5.0 v3 4.4/ucsschool-veyon-proxy=4.7.4.14-0
Upgradable:

samba4/role: DC
server/role: domaincontroller_slave
system/setup/boot/select/role: true

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 1456, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 1181, in add_in_ucs
    res = ucs_object.create(serverctrls=serverctrls, response=response)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1267, in _create
    al = self._ldap_addlist()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/computers/__base.py", line 137, in _ldap_addlist
    uidNum = self.request_lock('uidNumber')
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1704, in request_lock
    value = univention.admin.allocators.request(self.lo, self.position, name, value)
  File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 219, in request
    return acquireRange(lo, position, type, _type2attr[type], [{'first': 1000, 'last': 55000}, {'first': 65536, 'last': 1000000}], scope=_type2scope[type])
  File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 135, in acquireRange
    univention.admin.locking.lock(lo, position, atype, str(startID).encode('utf-8'), scope=scope)
  File "/usr/lib/python3/dist-packages/univention/admin/locking.py", line 102, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
univention.admin.uexceptions.permissionDenied: Permission denied: Can not modify lock time of 'cn=3930,cn=uidNumber,cn=temporary,cn=univention,dc=testschule,dc=intranet'
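
Added example, not part of the bug thread and not Univention's code: a small triage script that condenses the connector tracebacks quoted above into one record per blocked lock object, giving the connector operation from the `..._in_ucs` frame plus the lock type and value encoded in the DN under `cn=temporary,cn=univention`. The sample log is abbreviated from the tracebacks on this page; the function name `triage` and the record fields are hypothetical.

```python
import re

# Constructed sample: two tracebacks abbreviated from the ones quoted on this page.
SAMPLE_LOG = """\
18.02.2020 09:18:37.234 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1537, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/admin/locking.py", line 101, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=dns-ucsschool,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1626, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
permissionDenied: Can not modify lock time of u'cn=http-proxy-ucs-mscsmc@domain.de,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=domain,dc=de'.
"""

# Connector frame that names the operation (add_in_ucs / modify_in_ucs on this page).
OP_RE = re.compile(r"self\.(\w+)_in_ucs\(")
# Final exception line, in both the Python 2 and the Python 3 form shown above.
ERR_RE = re.compile(r"permissionDenied: (?:Permission denied: )?"
                    r"Can not modify lock time of u?'(?P<dn>[^']+)'")
# Lock DNs on this page: cn=<value>,cn=<lock type>,cn=temporary,cn=univention,<base>
LOCK_DN_RE = re.compile(r"^cn=(?P<value>.+?),cn=(?P<type>[^,]+),"
                        r"cn=temporary,cn=univention,(?P<base>.+)$")


def triage(log_text):
    """Return one dict per blocked lock DN, in order of first appearance."""
    findings, operation = {}, "unknown"
    for line in log_text.splitlines():
        op = OP_RE.search(line)
        if op:
            operation = op.group(1)  # kept until the exception line is reached
            continue
        err = ERR_RE.search(line)
        if not err:
            continue
        dn = err.group("dn")
        parts = LOCK_DN_RE.match(dn)
        entry = findings.setdefault(dn, {
            "lock_dn": dn, "operation": operation, "count": 0,
            "lock_type": parts.group("type") if parts else None,
            "value": parts.group("value") if parts else None,
        })
        entry["count"] += 1  # the same traceback can repeat in the log
        operation = "unknown"
    return list(findings.values())


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```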