Univention Bugzilla – Bug 49473
S4connector Traceback due to permissionDenied: Can not modify lock time of
Last modified: 2023-04-18 16:27:43 CEST
s4 connector stops working on a school-slave. Might be some editing on the objects but unsure what has been done in detail. However, connector-s4.log states: =======================================================================0 30.04.2019 14:43:06,421 LDAP (INFO ): close debug DEL:85e3916f-5c38-4501-b8b6-b8f6a3b4bd6c)) DEL:85e3916f-5c38-4501-b8b6-b8f6a3b4bd6c,zonename=domain.de,cn=dns,dc=domain,dc=de DEL:85e3916f-5c38-4501-b8b6-b8f6a3b4bd6c,zonename=domain.de,cn=dns,dc=domain,dc=de DEL:4c66cb3e-2fb6-4e9c-8b40-c6e618175056)) DEL:4c66cb3e-2fb6-4e9c-8b40-c6e618175056,zonename=4.10.in-addr.arpa,cn=dns,dc=domain,dc=de DEL:4c66cb3e-2fb6-4e9c-8b40-c6e618175056,zonename=4.10.in-addr.arpa,cn=dns,dc=domain,dc=de DEL:f8735e63-915b-4f20-8b53-52d95f02a878)) DEL:f8735e63-915b-4f20-8b53-52d95f02a878,zonename=domain.de,cn=dns,dc=domain,dc=de DEL:f8735e63-915b-4f20-8b53-52d95f02a878,zonename=domain.de,cn=dns,dc=domain,dc=de DEL:ae68a09c-1dc0-49c7-a61f-5cc17ae26710)) DEL:ae68a09c-1dc0-49c7-a61f-5cc17ae26710,zonename=4.10.in-addr.arpa,cn=dns,dc=domain,dc=de DEL:ae68a09c-1dc0-49c7-a61f-5cc17ae26710,zonename=4.10.in-addr.arpa,cn=dns,dc=domain,dc=de File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1626, in sync_to_ucs result = self.modify_in_ucs(property_type, object, module, position) File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1377, in modify_in_ucs res = ucs_object.modify(serverctrls=serverctrls, response=response) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1669, in modify return super(object, self).modify(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 580, in modify self._ldap_pre_ready() File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1894, in _ldap_pre_ready self.alloc.append(('mailPrimaryAddress', univention.admin.allocators.request(self.lo, self.position, 'mailPrimaryAddress', 
value=self['mailPrimaryAddress']))) File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 196, in request return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type]) File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 185, in acquireUnique univention.admin.locking.lock(lo, position, type, value, scope=scope) File "/usr/lib/pymodules/python2.7/univention/admin/locking.py", line 78, in lock raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,)) permissionDenied: Can not modify lock time of u'cn=http-proxy-ucs-mscsmc@domain.de,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=domain,dc=de'. File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1626, in sync_to_ucs result = self.modify_in_ucs(property_type, object, module, position) File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1377, in modify_in_ucs res = ucs_object.modify(serverctrls=serverctrls, response=response) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1669, in modify return super(object, self).modify(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 580, in modify self._ldap_pre_ready() File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1894, in _ldap_pre_ready self.alloc.append(('mailPrimaryAddress', univention.admin.allocators.request(self.lo, self.position, 'mailPrimaryAddress', value=self['mailPrimaryAddress']))) File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 196, in request return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type]) File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 185, in acquireUnique univention.admin.locking.lock(lo, position, type, value, scope=scope) File "/usr/lib/pymodules/python2.7/univention/admin/locking.py", line 78, 
in lock raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,)) permissionDenied: Can not modify lock time of u'cn=http-proxy-ucs-gsadbg@domain.de,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=domain,dc=de'. File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1626, in sync_to_ucs result = self.modify_in_ucs(property_type, object, module, position) File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1377, in modify_in_ucs res = ucs_object.modify(serverctrls=serverctrls, response=response) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1669, in modify return super(object, self).modify(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 580, in modify self._ldap_pre_ready() File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1894, in _ldap_pre_ready self.alloc.append(('mailPrimaryAddress', univention.admin.allocators.request(self.lo, self.position, 'mailPrimaryAddress', value=self['mailPrimaryAddress']))) File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 196, in request return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type]) File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 185, in acquireUnique univention.admin.locking.lock(lo, position, type, value, scope=scope) File "/usr/lib/pymodules/python2.7/univention/admin/locking.py", line 78, in lock raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,)) permissionDenied: Can not modify lock time of u'cn=http-proxy-ucs-osgblz@domain.de,cn=mailPrimaryAddress,cn=temporary,cn=univention,dc=domain,dc=de'.
It looks like someone used AD to add a mail address to the functional/internal user cn=http-proxy-.....@domain.de. This functional/internal user is required for the squid proxy. I do not see a reason or use case for giving it a mail address, which is why the LDAP ACLs gave no write permission. Are any further details known about the use case?
There was no specific reason; rather, this happened by accident and is not needed. But I guess we should fix it somehow by producing more readable output instead of a traceback.
Happened on another customer on two servers: I guess as workaround the objects can simply be removed on the master? ======================================================== 18.02.2020 09:18:37.234 LDAP (ERROR ): Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1537, in sync_to_ucs result = self.add_in_ucs(property_type, object, module, position) File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1278, in add_in_ucs res = ucs_object.create(serverctrls=serverctrls, response=response) File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 555, in create self._ldap_pre_ready() File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1637, in _ldap_pre_ready self.alloc.append(('uid', univention.admin.allocators.request(self.lo, self.position, 'uid', value=self['username']))) File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 195, in request return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type]) File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 173, in acquireUnique univention.admin.locking.lock(lo, position, type, value, scope=scope) File "/usr/lib/python2.7/dist-packages/univention/admin/locking.py", line 101, in lock raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,)) permissionDenied: Can not modify lock time of u'cn=dns-ucsschool,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
(In reply to Christian Völker from comment #3) > I guess as workaround the objects can simply be removed on the master? If the lock time is more than 5 min in the past, the lock object is considered expired and can be removed.
Unfortunately, you cannot see here whether the object should be added or modified. In my new case, the dns-hostname object should be added, but it gets the permissionDenied: Can not modify lock time of u'cn=dns-hostname....
(In reply to Christian Völker from comment #3) > Happened on another customer on two servers: > I guess as workaround the objects can simply be removed on the master? > > ======================================================== > 18.02.2020 09:18:37.234 LDAP (ERROR ): Traceback (most recent call > last): > File > "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line > 1537, in sync_to_ucs > result = self.add_in_ucs(property_type, object, module, position) > File > "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line > 1278, in add_in_ucs > res = ucs_object.create(serverctrls=serverctrls, response=response) > File > "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", > line 555, in create > self._ldap_pre_ready() > File > "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", > line 1637, in _ldap_pre_ready > self.alloc.append(('uid', univention.admin.allocators.request(self.lo, > self.position, 'uid', value=self['username']))) > File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", > line 195, in request > return acquireUnique(lo, position, type, value, _type2attr[type], > scope=_type2scope[type]) > File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", > line 173, in acquireUnique > univention.admin.locking.lock(lo, position, type, value, scope=scope) > File "/usr/lib/python2.7/dist-packages/univention/admin/locking.py", line > 101, in lock > raise univention.admin.uexceptions.permissionDenied(_('Can not modify > lock time of %r.') % (dn,)) > permissionDenied: Can not modify lock time of > u'cn=dns-ucsschool,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'. Happend again, and there is no temporary object anymore, but the account is not created in ldap.
Customer affected Ticket#2023040421000297 UCS: 5.0-3 errata642 Installed: cups=2.2.1 dhcp-server=12.0 radius=5.0 samba4=4.16 squid=3.5 ucsschool=5.0 v3 4.4/ucsschool-veyon-proxy=4.7.4.14-0 Upgradable: samba4/role: DC server/role: domaincontroller_slave system/setup/boot/select/role: true Traceback (most recent call last): File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 1456, in sync_to_ucs result = self.add_in_ucs(property_type, object, module, position) File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 1181, in add_in_ucs res = ucs_object.create(serverctrls=serverctrls, response=response) File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 557, in create dn = self._create(response=response, serverctrls=serverctrls) File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1267, in _create al = self._ldap_addlist() File "/usr/lib/python3/dist-packages/univention/admin/handlers/computers/__base.py", line 137, in _ldap_addlist uidNum = self.request_lock('uidNumber') File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1704, in request_lock value = univention.admin.allocators.request(self.lo, self.position, name, value) File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 219, in request return acquireRange(lo, position, type, _type2attr[type], [{'first': 1000, 'last': 55000}, {'first': 65536, 'last': 1000000}], scope=_type2scope[type]) File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 135, in acquireRange univention.admin.locking.lock(lo, position, atype, str(startID).encode('utf-8'), scope=scope) File "/usr/lib/python3/dist-packages/univention/admin/locking.py", line 102, in lock raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,)) univention.admin.uexceptions.permissionDenied: Permission denied: Can not modify lock time of 
'cn=3930,cn=uidNumber,cn=temporary,cn=univention,dc=testschule,dc=intranet'|