Bug 51279 – Error replication new user class 'krb5KDCEntry' requires attribute 'krb5KeyVersionNumber'

Bug 51279 - Error replication new user class 'krb5KDCEntry' requires attribute 'krb5KeyVersionNumber'


Summary:	Error replication new user class 'krb5KDCEntry' requires attribute 'krb5KeyVe...

Status:	CLOSED FIXED

Product:	UCS@school
Classification:	Unclassified
Component:	LDAP
Version:	UCS@school 5.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS@school 5.0 v3
Assigned To:	Julia Bremer
QA Contact:	Felix Botner

URL:	https://git.knut.univention.de/univen...
Keywords:

Duplicates:	49668 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2020-05-12 10:51 CEST by Philipp Hahn
Modified:	2023-02-20 15:45 CET (History)
CC List:	9 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	6: Setup Problem: Issue for the setup process
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	5: Blocking further progress on the daily work
User Pain:	0.171
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2020112421000492
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Philipp Hahn

2020-05-12 10:51:25 CEST

07.01.20 16:26:19.249  LISTENER    ( ERROR   ) : replication: Object class violation; dn="uid=phahn2,dc=nstx,dc=ucs": object class violation while adding
07.01.20 16:26:19.249  LISTENER    ( ERROR   ) :        additional info: object class 'krb5KDCEntry' requires attribute 'krb5KeyVersionNumber'

Comment 1 Florian Best

2020-05-12 10:54:44 CEST

Was the user created via UDM or via S4-Connector, etc?

Comment 2 Florian Best

2020-05-12 10:55:28 CEST

Or are the problem LDAP ACL's which disallow reading the attributes when doing replication?

Comment 3 Philipp Hahn

2020-05-12 11:22:14 CEST

udm-cli without --position and selective replication in U@S

Comment 4 Arvid Requate

2020-05-12 18:49:33 CEST

Ok, from which kind of DC in a UCS@school domain is the message?
Is it a school slave or one of the servers in the central department?

Comment 5 Christina Scheinig

2020-11-26 09:26:10 CET

I found this error message on a central slave in a school environment.

24.11.20 13:22:34.761  LISTENER    ( ERROR   ) : replication: Object class violation; dn="uid=lara.croft,cn=users,ou=selfmade,dc=example,dc=int": object class violation while adding
24.11.20 13:22:34.761  LISTENER    ( ERROR   ) :     additional info: object class 'krb5KDCEntry' requires attribute 'krb5KeyVersionNumber'

The customer added an "ou" for this slave. Could this be the cause of this message.
As i recall, we had an similar issue in Bug 49668 caused by an additional ou in a school environment?

Comment 12 Siavash Sefid Rodi

2022-03-15 15:42:57 CET

How to reproduce: 

1. Create non-school ou

2. /etc/init.d/slapd restart &&  udm users/user create --set username=test --set lastname=test --set password=univention  --position ou=testOU,dc=mydomain,dc=intranet && udm users/user remove --dn=uid=test,ou=testOU,dc=mydomain,dc=intranet

3. Check  /var/log/univention/listener.log: 
  LISTENER    ( ERROR   ) : replication: Object class violation; dn="uid=test,ou=testOU,dc=mydomain,dc=intranet": object class violation while adding
  LISTENER    ( ERROR   ) :        additional info: object class 'krb5KDCEntry' requires attribute 'krb5KeyVersionNumber'

Comment 13 Siavash Sefid Rodi

2022-03-18 10:34:41 CET

*** Bug 49668 has been marked as a duplicate of this bug. ***

Comment 14 Julia Bremer

2022-05-09 15:24:52 CEST

Merge-request waiting for QA by the ucs@school team: 
https://git.knut.univention.de/univention/ucsschool/-/merge_requests/81

Comment 15 Julia Bremer

2022-06-01 15:39:30 CEST

Merged + built

Successful build
Package: ucs-school-ldap-acls-master
Version: 18.0.4A~5.0.0.202206011518
Branch: ucs_5.0-0
Scope: ucs-school-5.0

Package: ucs-test-ucsschool
Version: 7.3.46A~5.0.0.202206011537
Branch: ucs_5.0-0
Scope: ucs-school-5.0


616c3a4b290d | Bug #51279: Update YAML
048348510fd9 | Bug #51279: YAML + changelog
4f72c0451f96 | Bug #51279: Test access to password attributes of global users
ff6dc29ddd4a | Bug #51279: Increase joinscript version
1dfc74d8ea07 | Bug #51279: Give schoolservers rights to read password attributes of global users
c5462a94fc06 | fixup! Bug #51279: add docu hint
cdca4151a3f3 | Bug #51279: add docu hint

Comment 16 Felix Botner

2022-06-01 17:13:33 CEST

OK - yaml
OK - manual tests
OK - documentation

TODO - jenkins test

Comment 17 Felix Botner

2022-06-08 08:34:21 CEST

OK - jenkins tests

Comment 18 Julia Bremer

2023-02-20 15:45:58 CET

Has been released with ucs@school version 5.0v2