Univention Bugzilla – Bug 50349
schoolwizards/computers/query: KeyError: 'ucsschoolRole'
Last modified: 2021-02-05 12:41:17 CET
A customer gets this Traceback, if he opens computers (schools) just like Bug 49311 Interner Server-Fehler in "schoolwizards/computers/query (schoolwizards/computers)". Request: schoolwizards/computers/query (schoolwizards/computers) Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 260, in execute function.__func__(self, request, *args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 181, in _response return function(self, request) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolwizards/__init__.py", line 122, in _decorated ret = func(self, request, *a, **kw) File "/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py", line 145, in wrapper_func return func(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolwizards/__init__.py", line 330, in get_computers return self._get_all(computer_class, school, request.options.get('filter'), ldap_user_read) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolwizards/__init__.py", line 271, in _get_all objs.extend(klass.get_all(lo, school.name, filter_str=filter_str, easy_filter=True)) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py", line 818, in get_all ret.append(cls.from_udm_obj(udm_obj, school, lo)) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/computer.py", line 323, in from_udm_obj obj = super(SchoolComputer, cls).from_udm_obj(udm_obj, school, lo) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py", line 869, in from_udm_obj return klass.from_udm_obj(udm_obj, school, lo) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/computer.py", line 323, in from_udm_obj obj = super(SchoolComputer, cls).from_udm_obj(udm_obj, school, lo) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py", line 876, in from_udm_obj udm_value = udm_obj[attr.udm_name] File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 477, in __getitem__ elif key not in self.__no_default and self.descriptions[key].editable: KeyError: 'ucsschoolRole' The customer already has the Bugfix installed on his server: ------------------------------------ python-ucs-school: Installiert: 12.1.7A~4.4.0.201909041215 Installationskandidat: 12.1.7A~4.4.0.201909041215 Versionstabelle: *** 12.1.7A~4.4.0.201909041215 500 500 https://appcenter.software-univention.de/univention-repository/4.4/maintained/component ucsschool_20190723074557/all/ Packages 100 /var/lib/dpkg/status 12.1.5A~4.4.0.201908271804 500 500 https://appcenter.software-univention.de/univention-repository/4.4/maintained/component ucsschool_20190723074557/all/ Packages 12.1.4A~4.4.0.201907301859 500 500 https://appcenter.software-univention.de/univention-repository/4.4/maintained/component ucsschool_20190723074557/all/ Packages 12.1.2-1A~4.4.0.201907090931 500 500 https://appcenter.software-univention.de/univention-repository/4.4/maintained/component ucsschool_20190723074557/all/ Packages 11.0.2-6A~4.3.0.201904091600 500 500 https://appcenter.software-univention.de/univention-repository/4.3/maintained/component ucsschool_20190723074557/all/ Packages 11.0.2-5A~4.3.0.201902251246 500 500 https://appcenter.software-univention.de/univention-repository/4.3/maintained/component ucsschool_20190723074557/all/ Packages --------------------------------------- So I am not sure this is a regression. I tried to fix the school roles but got a traceback. /usr/share/ucs-school-import/scripts/fix_ucsschool_roles --dry-run ------------------------ Changing "ucsschoolRole" of 'cn=paedagogik,cn=dc,cn=server,cn=computers,ou=sun,dc=schein,dc=me' from ['dc_slave_edu:school:sun', 'win _computer:school:sun'] to ['dc_slave_edu:school:sun', 'dc_slave_edu:school:sun']. Traceback (most recent call last): File "/usr/share/ucs-school-import/scripts/fix_ucsschool_roles", line 92, in <module> lo.modify(dn, [('ucsschoolRole', old_roles, new_roles)]) File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 902, in modify raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg) univention.admin.uexceptions.ldapError: Type or value exists: ucsschoolRole: value #0 provided more than once ----------------------------------------- The traceback could be replaced with a readable error message? This script fixed the problem. /usr/share/ucs-school-import/scripts/fix_ucsschool_slaves --dry-run I am not sure why this situation could occure in the first place? Maybe tis is not a bug at all, but debugging the situation was quite difficult.
Reported again, Version: 4.4-2 errata298 (Blumenthal) - UCS@school 4.4 v2 Remark: auf Master über Schuladministration auf Kategorie Rechner gecklickt
Interner Server-Fehler in "computerroom/room/acquire". Request: computerroom/room/acquire Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 358, in __error_handling six.reraise(etype, exc, etraceback) File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 261, in execute function.__func__(self, request, *args, **kwargs) File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response return function(self, request) File "/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py", line 145, in wrapper_func return func(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/computerroom/__init__.py", line 392, in room_acquire self._italc.room = roomDN File "/usr/lib/pymodules/python2.7/univention/management/console/modules/computerroom/italc2.py", line 647, in room self._set(value) File "/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py", line 145, in wrapper_func return func(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/computerroom/italc2.py", line 709, in _set computers = list(computerroom.get_computers(lo)) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/group.py", line 288, in get_computers yield SchoolComputer.from_dn(host, self.school, ldap_connection) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py", line 935, in from_dn return cls.from_udm_obj(udm_obj, school, lo) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/computer.py", line 323, in from_udm_obj obj = super(SchoolComputer, cls).from_udm_obj(udm_obj, school, lo) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py", line 869, in from_udm_obj return klass.from_udm_obj(udm_obj, school, lo) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/computer.py", line 323, in from_udm_obj obj = super(SchoolComputer, cls).from_udm_obj(udm_obj, school, lo) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py", line 876, in from_udm_obj udm_value = udm_obj[attr.udm_name] File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 478, in __getitem__ elif key not in self.__no_default and self.descriptions[key].editable: KeyError: 'ucsschoolRole'
b) Modul Schuladministration/Computerräume verwalten: Interner Server-Fehler in "schoolrooms/computers". Request: schoolrooms/computers Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 358, in __error_handling six.reraise(etype, exc, etraceback) File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 261, in execute function.__func__(self, request, *args, **kwargs) File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response return function(self, request) File "/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py", line 145, in wrapper_func return func(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolrooms/__init__.py", line 66, in computers } for x in SchoolComputer.get_all(ldap_user_read, request.options['school'], pattern)] File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py", line 818, in get_all ret.append(cls.from_udm_obj(udm_obj, school, lo)) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/computer.py", line 323, in from_udm_obj obj = super(SchoolComputer, cls).from_udm_obj(udm_obj, school, lo) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py", line 869, in from_udm_obj return klass.from_udm_obj(udm_obj, school, lo) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/computer.py", line 323, in from_udm_obj obj = super(SchoolComputer, cls).from_udm_obj(udm_obj, school, lo) File "/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py", line 876, in from_udm_obj udm_value = udm_obj[attr.udm_name] File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 478, in __getitem__ elif key not in self.__no_default and self.descriptions[key].editable: KeyError: 'ucsschoolRole'
There is a problem with the OpenLDAP ACLs. The machine account can read the attribute "ucsschoolRole" on user and group objects, but a "normal" user cannot. (Rooms are technically groups.)
The tracebacks show a problem with the (School)Computer objects and not the SchoolRoom(groups) objects though
I checked a bit on one customers system and identified several computer objects in computer rooms that, for some reasons, do not have the objectClass ucsschoolComputer and thus do not have an ucsschoolRole. We still have to determine why this situation could occur
Okay we think that we found the reason of the entire problem. With the fix of Bug #49311 we changed the SchoolComputer.lookup function in a way that it only returns computer objects containing the objectClass ucsschoolComputer. The migration script migrate_ucsschool_roles retrieves all SchoolComputers of any given school by using SchoolComputer.get_all which in turn uses the lookup function. That means that after the mentioned fix the migration script stopped working properly since not all objects that needed modification were collected anymore. Thus we have to modify the migration script now to use an alternative way to fetch the objects.
Proposed fix is in oschwieg/4.4/50349 When all objects or computers-school is specified, all macos, windows and ipmanaged objects under the OU are fetched and the appropriate school roles are attached.
A customer, who already had removed the windows role from his school slaves, now ran in the same problem and the win_computer role is set again on the slaves. Where does this come from, that the roles are wrongly assigned again? ------------------------ Looking for affected domaincontroller_slave objects... Will modify: cn=slave1,cn=dc,cn=server,cn=computers,ou=sun,dc=school,dc=schein,dc=me Roles: {'new': ['dc_slave_edu:school:sun'], 'old': ['dc_slave_edu:school:sun', 'win_computer:school:sun']} ObjectClass: {'new': ['krb5KDCEntry', 'person', 'top', 'univentionHost', 'univentionDomainController', 'univentionObject', 'univentionNagiosHostClass', 'krb5Principal', 'shadowAccount', 'posixAccount', 'sambaSamAccount', 'univentionPolicyReference', 'univentionPortalComputer', 'ucsschoolServer'], 'old': ['krb5KDCEntry', 'person', 'ucsschoolComputer', 'top', 'univentionHost', 'univentionDomainController', 'univentionObject', 'univentionWindows', 'univentionNagiosHostClass', 'krb5Principal', 'shadowAccount', 'posixAccount', 'sambaSamAccount', 'univentionPolicyReference', 'univentionPortalComputer', 'ucsschoolServer']} DRY-RUN: skipping modification ------------------------- root@master:~# apt-cache policy python-ucs-school python-ucs-school: Installiert: 12.1.9A~4.4.0.201911031011 Installationskandidat: 12.1.9A~4.4.0.201911031011
(In reply to Christina Scheinig from comment #10) > A customer, who already had removed the windows role from his school slaves, > now ran in the same problem and the win_computer role is set again on the > slaves. > > Where does this come from, that the roles are wrongly assigned again? > > ------------------------ > Looking for affected domaincontroller_slave objects... > Will modify: > cn=slave1,cn=dc,cn=server,cn=computers,ou=sun,dc=school,dc=schein,dc=me > Roles: {'new': ['dc_slave_edu:school:sun'], 'old': > ['dc_slave_edu:school:sun', 'win_computer:school:sun']} > ObjectClass: {'new': ['krb5KDCEntry', 'person', 'top', 'univentionHost', > 'univentionDomainController', 'univentionObject', > 'univentionNagiosHostClass', 'krb5Principal', 'shadowAccount', > 'posixAccount', 'sambaSamAccount', 'univentionPolicyReference', > 'univentionPortalComputer', 'ucsschoolServer'], 'old': ['krb5KDCEntry', > 'person', 'ucsschoolComputer', 'top', 'univentionHost', > 'univentionDomainController', 'univentionObject', 'univentionWindows', > 'univentionNagiosHostClass', 'krb5Principal', 'shadowAccount', > 'posixAccount', 'sambaSamAccount', 'univentionPolicyReference', > 'univentionPortalComputer', 'ucsschoolServer']} > DRY-RUN: skipping modification > > ------------------------- > > root@master:~# apt-cache policy python-ucs-school > python-ucs-school: > Installiert: 12.1.9A~4.4.0.201911031011 > Installationskandidat: 12.1.9A~4.4.0.201911031011 This problem should be connected to some issues Sönke identified in the S4-Connector. He documented that in Bug #50280. Please put the infos/questions there since in this bug we want to fix the regression from the migration script.
Branchtest looks good: https://jenkins.knut.univention.de:8181/job/UCS%20Branch%20Test/240/testReport/90_ucsschool/ Removed objectClass and role -> Script works again I would suggest to narrow down the ldap search a little: [oschwieg/4.4/50349 0a425ee23] Bug #50349: Narrow down the ldapsearch But your version works just as well :) -> OK for merge onto 4.4
SDB Article: https://help.univention.com/t/keyerror-ucsschoolrole-in-computerroom-room-aquire-and-schoolwizards-computers-query/13718 I think the article should include the traceback (which I now fail to reproduce?). The article states that the migration script is called again on updated. Does the join script version need to be adjusted or did I miss something?
Package: ucs-school-import Version: 17.0.18A~4.4.0.201911271049 Branch: ucs_4.4-0 Scope: ucs-school-4.4 The migration script is *not run* automatically during the update A note was added to the changelog for 4.4v5 The SDB article now includes the tracebacks and explains how to run the script again.
Small wording changes: [4.4 fc22d40fd] Bug #50349: changelog/yaml wording I also changed the date format in the sdb article What I tested: win/mac/ip without ucsschoolrole -> OK win/mac/ip without objectClass and ucsschoolrole -> OK sdb article -> OK changelog/yaml -> OK -> Verified
Missed this one: [4.4 32abda11d] Bug #50349: fix debian/changelog syntax I don't think a rebuild is necessary.
UCS@school 4.4 v4 has been released (errata update to the release). https://docs.software-univention.de/changelog-ucsschool-4.4v4-de.html If this error occurs again, please clone this bug.
reported again Version: 4.4-4 errata579 (Blumenthal) - UCS@school 4.4 v5 Error: Interner Server-Fehler in "schoolwizards/computers/query (schoolwizards/computers)". Request: schoolwizards/computers/query (schoolwizards/computers) Traceback (most recent call last): File "%PY2.7%/univention/management/console/base.py", line 358, in __error_handling six.reraise(etype, exc, etraceback) File "%PY2.7%/univention/management/console/base.py", line 261, in execute function.__func__(self, request, *args, **kwargs) File "%PY2.7%/univention/management/console/modules/decorators.py", line 181, in _response return function(self, request) File "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py", line 123, in _decorated ret = func(self, request, *a, **kw) File "%PY2.7%/ucsschool/lib/school_umc_ldap_connection.py", line 123, in wrapper_func return func(*args, **kwargs) File "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py", line 331, in get_computers return self._get_all(computer_class, school, request.options.get('filter'), ldap_user_read) File "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py", line 272, in _get_all objs.extend(klass.get_all(lo, school.name, filter_str=filter_str, easy_filter=True)) File "%PY2.7%/ucsschool/lib/models/base.py", line 830, in get_all ret.append(cls.from_udm_obj(udm_obj, school, lo)) File "%PY2.7%/ucsschool/lib/models/computer.py", line 332, in from_udm_obj obj = super(SchoolComputer, cls).from_udm_obj(udm_obj, school, lo) File "%PY2.7%/ucsschool/lib/models/base.py", line 887, in from_udm_obj return klass.from_udm_obj(udm_obj, school, lo) File "%PY2.7%/ucsschool/lib/models/computer.py", line 332, in from_udm_obj obj = super(SchoolComputer, cls).from_udm_obj(udm_obj, school, lo) File "%PY2.7%/ucsschool/lib/models/base.py", line 894, in from_udm_obj udm_value = udm_obj[attr.udm_name] File "%PY2.7%/univention/admin/handlers/__init__.py", line 479, in __getitem__ elif key not in self.__no_default and self.descriptions[key].editable: KeyError: 'ucsschoolRole' Role: domaincontroller_master