Bug 51679 - S4-Connector sync to ucs: reject for CN=PSPs and CN=Managed Service Accounts
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: Samba 4 - Slave PDC
UCS@school 4.4
Other Linux
: P5 normal
: ---
Assigned To: Samba maintainers
:
Depends on: 48084 48752 49034
Blocks: 50640
Reported: 2020-07-16 16:05 CEST by Christina Scheinig
Modified: 2020-07-16 16:15 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.051
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020062421000591
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Christina Scheinig univentionstaff 2020-07-16 16:05:15 CEST
+++ This bug was initially created as a clone of Bug #48752 +++

With the new Samba version of UCS 4.4 there are two new rejects on UCS@school Slave PDCs, if the Master doesn't have Samba/AD installed:

root@s44adm:~# univention-s4connector-list-rejected

UCS rejected


S4 rejected

    1:    S4 DN: CN=dns,DC=uni,DC=dtr
         UCS DN: cn=dns,dc=uni,dc=dtr
    2:    S4 DN: CN=Managed Service Accounts,DC=uni,DC=dtr
         UCS DN: <not found>
    3:    S4 DN: CN=PSPs,CN=System,DC=uni,DC=dtr
         UCS DN: <not found>

The first one is Bug #46649, but the other two containers are new.

On a customer school Slave this is still (or again) happening:

univention-app info
UCS: 4.4-4 errata589
Installed: cups=2.2.1 dhcp-server=12.0 radius=5.0 samba4=4.10 squid=3.5 ucsschool=4.4 v5
Upgradable: 
---------------

S4 rejected

    1:    S4 DN: CN=PSPs,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
    2:    S4 DN: CN=Managed Service Accounts,DC=anonym,DC=ized
         UCS DN: <not found>
    3:    S4 DN: CN=dns,DC=anonym,DC=ized
         UCS DN: cn=dns,dc=anonym,dc=ized

-------------------
16.07.2020 15:54:12.557 LDAP        (PROCESS): sync to ucs:   [     container] [       add] u'CN=PSPs,CN=System,dc=anonym,dc=ized'
16.07.20 15:54:12.837  ADMIN       ( ERROR   ) : Creating u'cn=PSPs,CN=System,dc=anonym,dc=ized' failed: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

16.07.2020 15:54:12.837 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
16.07.2020 15:54:12.838 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1537, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1278, in add_in_ucs
    res = ucs_object.create(serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1298, in _create
    six.reraise(exc[0], exc[1], exc[2])
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

16.07.2020 15:54:12.838 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Managed Service Accounts,DC=anonym,DC=ized
16.07.2020 15:54:12.842 LDAP        (PROCESS): sync to ucs:   [     container] [       add] u'CN=Managed Service Accounts,dc=anonym,dc=ized'
16.07.20 15:54:13.136  ADMIN       ( ERROR   ) : Creating u'cn=Managed Service Accounts,dc=anonym,dc=ized' failed: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

-------------------
How can this be solved? Is there a workaround? Can cn=PSPs be added manually?
Comment 1 Florian Best univentionstaff 2020-07-16 16:15:24 CEST
As a workaround, execute on the DC Master:

udm container/cn create --ignore_exists --set name='Managed Service Accounts' --set description='Default container for managed service accounts'
udm container/cn create --ignore_exists --set name='PSPs' --position "cn=System,$(ucr get ldap/base)"
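The workaround above hard-codes the two container names from this report. The following is an added example (not Univention's code and not part of the bug discussion) that derives the same `udm container/cn create` commands from the output of `univention-s4connector-list-rejected`, so that it also covers further rejected containers with the same symptom. It assumes the listing has the layout shown in the report (a numbered `S4 DN:` line followed by a `UCS DN:` line), that a reject whose UCS DN is `<not found>` and whose RDN is `CN=` is a plain container (the listing carries no objectClass, so the emitted commands should be checked before they are run on the DC Master), and it reuses the description Comment 1 sets for `Managed Service Accounts`. Rejects that already have a UCS DN (the `cn=dns` case, which is a different bug) are reported separately instead of being turned into commands.

```python
"""Turn the output of `univention-s4connector-list-rejected` into the
`udm container/cn create` commands of the Comment 1 workaround.

Added example, not Univention code.  Assumptions: the listing layout of
the bug report, and that a "<not found>" reject with a CN= RDN is a plain
container (verify before running the emitted commands on the DC Master).
"""
import re
import shlex

# Constructed sample, modelled on the listing in the bug report.
SAMPLE_LISTING = """\
UCS rejected


S4 rejected

    1:    S4 DN: CN=PSPs,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
    2:    S4 DN: CN=Managed Service Accounts,DC=anonym,DC=ized
         UCS DN: <not found>
    3:    S4 DN: CN=dns,DC=anonym,DC=ized
         UCS DN: cn=dns,dc=anonym,dc=ized
"""

# Descriptions for containers named on this page (Comment 1 sets one for
# "Managed Service Accounts"); any other container gets no description.
KNOWN_DESCRIPTIONS = {
    "managed service accounts": "Default container for managed service accounts",
}

_S4_DN = re.compile(r"^\s*\d+:\s+S4 DN:\s+(?P<s4>.+?)\s*$")
_UCS_DN = re.compile(r"^\s+UCS DN:\s+(?P<ucs>.+?)\s*$")


def parse_rejected(listing):
    """Return (s4_dn, ucs_dn) pairs from the 'S4 rejected' section only."""
    pairs, in_s4, pending = [], False, None
    for line in listing.splitlines():
        stripped = line.strip()
        if stripped == "S4 rejected":
            in_s4 = True
            continue
        if stripped == "UCS rejected":
            in_s4 = False
            continue
        if not in_s4:
            continue
        m = _S4_DN.match(line)
        if m:
            pending = m.group("s4")
            continue
        m = _UCS_DN.match(line)
        if m and pending is not None:
            pairs.append((pending, m.group("ucs")))
            pending = None
    return pairs


def split_dn(dn):
    """Split a DN into (attribute, value) pairs; attribute types lower-cased.

    Only the '\\,' escape is handled, which is enough for the DNs here.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.replace("\\,", ",").strip()))
    return rdns


def container_commands(listing):
    """Map missing S4 containers to `udm container/cn create` shell lines.

    Returns (commands, skipped): commands are meant for the DC Master;
    skipped holds rejects that already have a UCS DN or are not CN= objects.
    """
    commands, skipped = [], []
    for s4_dn, ucs_dn in parse_rejected(listing):
        rdns = split_dn(s4_dn)
        attr, name = rdns[0]
        if ucs_dn != "<not found>" or attr != "cn":
            skipped.append((s4_dn, ucs_dn))
            continue
        # UDM positions use the UCS form of the parent DN (lower-case types).
        position = ",".join("%s=%s" % (a, v.replace(",", "\\,")) for a, v in rdns[1:])
        cmd = ["udm", "container/cn", "create", "--ignore_exists",
               "--set", "name=%s" % name, "--position", position]
        desc = KNOWN_DESCRIPTIONS.get(name.lower())
        if desc:
            cmd += ["--set", "description=%s" % desc]
        commands.append(" ".join(shlex.quote(c) for c in cmd))
    return commands, skipped


if __name__ == "__main__":
    cmds, rest = container_commands(SAMPLE_LISTING)
    print("\n".join(cmds))
    for s4_dn, ucs_dn in rest:
        print("# skipped: %s (UCS DN: %s)" % (s4_dn, ucs_dn))
```

Feed it the real listing (`univention-s4connector-list-rejected | python3 this_script.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`) on the school Slave, review the printed commands, then run them on the DC Master as in Comment 1; the Slave itself cannot create the objects, which is what the `permissionDenied` traceback in the description shows.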