Bug 49708 - S4-Connector reject for dns-slave service account after upgrade to ucsschool 4.4 v2
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: Samba 4
Version: UCS@school 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2019-06-24 12:47 CEST by Christina Scheinig
Modified: 2020-11-10 10:36 CET
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020111021000188, 2019062121000483, 2019062121000367, 2019031921001054, 2019102821000355, 2020073121000316
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2019-06-24 12:47:58 CEST
After the upgrade to ucsschool 4.4 v2 and executing univention-run-join-scripts the following traceback is shown:

24.06.2019 08:12:52.831 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 08:12:52.839 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=dns-slave,CN=Users,dc=schein,dc=me
24.06.2019 08:12:52.910 LDAP        (WARNING): __set_values: The attributes for lastname have not been removed as it represents a mandatory attribute
24.06.2019 08:12:53.247 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
24.06.2019 08:12:53.247 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1547, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1295, in add_in_ucs
    res = ucs_object.create(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 546, in create
    self._ldap_pre_ready()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1613, in _ldap_pre_ready
    self.alloc.append(('uid', univention.admin.allocators.request(self.lo, self.position, 'uid', value=self['username'])))
  File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 195, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type])
  File "/usr/lib/pymodules/python2.7/univention/admin/allocators.py", line 173, in acquireUnique
    univention.admin.locking.lock(lo, position, type, value, scope=scope)
  File "/usr/lib/pymodules/python2.7/univention/admin/locking.py", line 100, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=schein,dc=me'.

This seems to happen if the dns-slave object already existed on the master.
Comment 2 Christina Scheinig univentionstaff 2019-06-24 15:20:14 CEST
Okay, the dns-slave object was not created on the master. But the S4 reject comes up after the upgrade:

univention-s4connector-list-rejected 

UCS rejected


S4 rejected

    1:    S4 DN: CN=dns-slave,CN=Users,DC=schein,DC=me
         UCS DN: <not found>

	last synced USN: 138427
------------------------------------------------
After running the 98univention-samba4-dns script to fix the missing entry on the master I've got more rejects.

univention-s4connector-list-rejected 

UCS rejected

    1:   UCS DN: uid=dns-slave,cn=users,dc=schein,dc=me
          S4 DN: cn=dns-slave,cn=users,DC=schein,DC=me
         Filename: /var/lib/univention-connector/s4/1561377839.863336

    2:   UCS DN: uid=dns-slave,cn=users,dc=schein,dc=me
          S4 DN: cn=dns-slave,cn=users,DC=schein,DC=me
         Filename: /var/lib/univention-connector/s4/1561377840.325360


S4 rejected


    1:    S4 DN: CN=dns-slave,CN=Users,DC=schein,DC=me
         UCS DN: uid=dns-slave,cn=users,dc=schein,dc=me

	last synced USN: 138427


Additionally, the system diagnostic on the slave shows:
CRITICAL : Check kerberos authenticated DNS updates
Errors occured while running kinit or nsupdate
kinit for principal dns-ucsdc with keytab /var/lib/samba/private/dns.keytab failed.

The password was now incorrect and I had to fix it with:

samba-tool user setpassword --newpassword="$(ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=dns-$(hostname) secret | sed -ne 's/^secret: //p')" --filter=samaccountname=dns-$(hostname)
Comment 3 Christina Scheinig univentionstaff 2019-06-24 15:55:50 CEST
The traceback after running
univention-run-join-scripts --force --run-scripts 98univention-samba4-dns

24.06.2019 14:04:55.156 LDAP        (PROCESS): sync from ucs: [          user] [       add] CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 14:04:55.161 LDAP        (PROCESS): Unable to sync CN=dns-slave,CN=Users,DC=schein,DC=me (GUID: 650b482b-becc-46f4-96de-a4dd67e4d28a). The object is currently locked.
24.06.2019 14:04:55.163 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1561377840.325360
24.06.2019 14:04:55.166 LDAP        (PROCESS): sync from ucs: [          user] [    modify] CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 14:04:55.170 LDAP        (PROCESS): Unable to sync CN=dns-slave,CN=Users,DC=schein,DC=me (GUID: 650b482b-becc-46f4-96de-a4dd67e4d28a). The object is currently locked.
24.06.2019 14:04:55.171 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 14:04:55.176 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=dns-slave,cn=users,dc=schein,dc=me
24.06.2019 14:04:55.400 LDAP        (ERROR  ): failed in post_con_modify_functions
24.06.2019 14:04:55.408 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1577, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/password.py", line 829, in password_sync_s4_to_ucs
    s4connector.lo.lo.modify(ucs_object['dn'], modlist)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 693, in modify
    self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 753, in modify_ext_s
    rtype, rdata, rmsgid, resp_ctrls = lo_ref.modify_ext_s(dn, ml, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 987, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 931, in _apply_method_s 
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
INSUFFICIENT_ACCESS: {'desc': 'Insufficient access'}

24.06.2019 14:05:50.989 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1561377839.863336
24.06.2019 14:05:50.993 LDAP        (PROCESS): sync from ucs: [          user] [       add] cn=dns-slave,cn=users,DC=schein,DC=me
24.06.2019 14:05:50.997 LDAP        (PROCESS): Unable to sync cn=dns-slave,cn=users,DC=schein,DC=me (GUID: 650b482b-becc-46f4-96de-a4dd67e4d28a). The object is currently locked.
24.06.2019 14:05:50.999 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1561377840.325360
24.06.2019 14:05:51.003 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=dns-slave,cn=users,DC=schein,DC=me
24.06.2019 14:05:51.007 LDAP        (PROCESS): Unable to sync cn=dns-slave,cn=users,DC=schein,DC=me (GUID: 650b482b-becc-46f4-96de-a4dd67e4d28a). The object is currently locked.
24.06.2019 14:05:51.016 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=dns-slave,CN=Users,DC=schein,DC=me
24.06.2019 14:05:51.020 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=dns-slave,cn=users,dc=schein,dc=me
24.06.2019 14:05:51.070 LDAP        (WARNING): __set_values: The attributes for lastname have not been removed as it represents a mandatory attribute
24.06.2019 14:05:51.379 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
24.06.2019 14:05:51.380 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1565, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1316, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1396, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 642, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1312, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 891, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
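
Added example, not part of the original report and not Univention code: a Python triage helper that pairs each "Resync rejected dn" line in the S4 connector log format quoted above with the exception that closes the following traceback, and lists the DNs rejected for access-control reasons (permissionDenied, INSUFFICIENT_ACCESS). The sample log is constructed (placeholder domain, shortened tracebacks), and attributing a traceback to the most recent resync line is an assumed heuristic.

```python
import re

# Constructed sample in the connector log format quoted in this report (placeholder domain).
SAMPLE_LOG = """\
24.06.2019 08:12:52.831 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=dns-slave,CN=Users,DC=example,DC=test
24.06.2019 08:12:53.247 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
24.06.2019 08:12:53.247 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/admin/locking.py", line 100, in lock
    raise univention.admin.uexceptions.permissionDenied
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=example,dc=test'.
24.06.2019 14:04:55.171 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=dns-slave,CN=Users,DC=example,DC=test
24.06.2019 14:04:55.400 LDAP        (ERROR  ): failed in post_con_modify_functions
24.06.2019 14:04:55.408 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
INSUFFICIENT_ACCESS: {'desc': 'Insufficient access'}
24.06.2019 14:05:51.016 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=dns-other,CN=Users,DC=example,DC=test
"""

STAMPED = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d+ \S+\s+\(\w+\s*\): (.*)$")
RESYNC = re.compile(r"Resync rejected dn: (.+)$")
EXC_LINE = re.compile(r"^([A-Za-z_][\w.]*)(?::|$)")
ACCESS_ERRORS = {"permissionDenied", "INSUFFICIENT_ACCESS"}  # both appear in the report

def failed_resyncs(text):
    """Return [(dn, exception name or None)] per resync attempt (heuristic pairing)."""
    results, dn, in_tb = [], None, False
    for line in text.splitlines():
        m = STAMPED.match(line)
        if m:
            r = RESYNC.search(m.group(1))
            if r:
                if dn is not None:
                    results.append((dn, None))  # earlier attempt logged no traceback
                dn, in_tb = r.group(1).strip(), False
            elif m.group(1).startswith("Traceback"):
                in_tb = True
        elif in_tb and dn is not None and not line[:1].isspace():
            e = EXC_LINE.match(line)  # unindented line that closes the traceback
            if e:
                results.append((dn, e.group(1)))
                dn, in_tb = None, False
    if dn is not None:
        results.append((dn, None))
    return results

def access_denied_dns(text):
    """DNs whose resync ended in an access-control error rather than a data conflict."""
    return sorted({dn for dn, exc in failed_resyncs(text) if exc in ACCESS_ERRORS})
```
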
Comment 4 Christina Scheinig univentionstaff 2020-08-05 11:19:42 CEST
Happened again
Comment 5 Christina Scheinig univentionstaff 2020-11-10 10:36:42 CET
After the update to UCS@school 4.4-7 the reject is now back on 3 servers.

Nicht synchronisierte S4 Objekte: S4 DN: CN=dns-schulucs1,CN=Users,DC=bsp-schule,DC=net, UCS DN: nicht gefunden
Nicht synchronisierte S4 Objekte: S4 DN: CN=dns-schulucs2,CN=Users,DC=bsp-schule,DC=net, UCS DN: nicht gefunden
Nicht synchronisierte S4 Objekte: S4 DN: CN=dns-schulucs3,CN=Users,DC=bsp-schule,DC=net, UCS DN: nicht gefunden