Bug 52401 - can not add new users with udm nor new users are synced from AD - uidNumber could not get locked
Status: RESOLVED WONTFIX
Alias: None
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
QA Contact: UCS maintainers
Reported: 2020-11-19 18:49 CET by stefan.bauer
Modified: 2025-02-05 09:24 CET

What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023


Description stefan.bauer 2020-11-19 18:49:42 CET
univention-app info
UCS: 4.4-6 errata803
Installed: adconnector=12.0 kopano-core=8.7.1.0-1 kopano-webapp=3.5.14.2539-2 samba-memberserver=4.7 z-push-kopano=2.4.5


root@kopano01:~# udm users/user create --set username=foobar8 --set password=univention12345... --set lastname=foo
E: Object exists: (nolock) The attribute 'uidNumber' could not get locked.

root@kopano01:~# univention-ldapsearch -LLL 'univentionLastUsedValue=*' univentionLastUsedValue
dn: cn=gidNumber,cn=temporary,cn=univention,dc=customer,dc=local
univentionLastUsedValue: 5179

dn: cn=uidNumber,cn=temporary,cn=univention,dc=customer,dc=local
univentionLastUsedValue: 1000001

root@kopano01:~# udm users/user create --set username=foobar8 --set password=univention12345... --set lastname=foo --set uidNumber=1000000
Object created: uid=foobar8,dc=customer,dc=local


Seems like the enumeration / selection of new UIDs is broken in some way.

console logs (incoming change via AD connector):

19.11.2020 18:47:30.899 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=max mustermann,CN=Users,DC=customer,DC=local
19.11.2020 18:47:30.905 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=max.mustermann,cn=users,dc=customer,dc=local
19.11.2020 18:47:30.930 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
19.11.2020 18:47:30.931 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1329, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1149, in add_in_ucs
    return bool(ucs_object.create())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1231, in _create
    self._ldap_pre_create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1584, in _ldap_pre_create
    self['uidNumber'] = univention.admin.allocators.request(self.lo, self.position, 'uidNumber')
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 194, in request
    return acquireRange(lo, position, type, _type2attr[type], [{'first': 1000, 'last': 55000}, {'first': 65536, 'last': 1000000}], scope=_type2scope[type])
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 158, in acquireRange
    raise univention.admin.uexceptions.noLock(_('The attribute %r could not get locked.') % (atype,))
noLock: The attribute 'uidNumber' could not get locked.
Comment 1 Florian Best univentionstaff 2020-11-19 18:59:39 CET
We are allocating only 1.000.000 uidNumbers. It seems this somehow was exceeded.
I guess you don't have that many users/groups?!

> dn: cn=uidNumber,cn=temporary,cn=univention,dc=customer,dc=local
> univentionLastUsedValue: 1000001
What caused changing it to this value? Our code? Your code? (A hacker?).

This may happen if you create a user with uidNumber=1000000 manually.
Do you have such a value? Maybe in Samba / AD?
Comment 2 Arvid Requate univentionstaff 2020-11-19 20:12:08 CET
FYI: The high value may be caused by an AD-Connector sync loop, e.g. if the sync of a user object from AD to UDM/OpenLDAP fails at the second stage e.g. due to a UDM hook. Then the object constantly would get created and deleted again. That should show up in the connector.log though.
Comment 3 Arvid Requate univentionstaff 2020-11-19 20:15:05 CET
Anyway, I think this is site specific and needs to be handled via support of help.univention.de. It doesn't look like a product bug. Although the message could be more informative.
Comment 4 stefan.bauer 2020-11-19 21:12:26 CET
Indeed I did not create a user manually. And indeed it was due to a sync problem/loop that increased the number.

We only have a bunch of users and just test UCS at the moment to see if it fits our needs.

Can the value be reset manually?
Comment 5 Florian Best univentionstaff 2020-11-19 21:33:42 CET
(In reply to stefan.bauer from comment #4)
> Can the value be reset manually?

Yes.
You can get the highest number in use by:
univention-ldapsearch -LLL '(&(objectClass=person)(uidNumber=*))' uidNumber | grep ^uidNumber: | sort | tail -1

Just set it to that value.
Comment 6 Philipp Hahn univentionstaff 2020-11-20 08:48:48 CET
(In reply to Florian Best from comment #5)
> (In reply to stefan.bauer from comment #4)
> univention-ldapsearch -LLL '(&(objectClass=person)(uidNumber=*))' uidNumber | grep ^uidNumber: | sort | tail -1


This is wrong as "11" < "2" when comparing numbers as strings; use `sort -k2n`.
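
Added example (not part of the original thread and not Univention code): the two pipelines from comments 5 and 6 run over a constructed LDIF sample, showing how the string sort picks the wrong "highest" uidNumber. The `next_candidate` helper is a hypothetical, simplified model that uses only the two ranges visible in the traceback; it is not the logic of `allocators.py`.

```shell
#!/bin/sh
# Constructed sample shaped like `univention-ldapsearch -LLL ... uidNumber` output.
sample_ldif() {
cat <<'EOF'
dn: uid=alice,cn=users,dc=example,dc=test
uidNumber: 2003

dn: uid=bob,cn=users,dc=example,dc=test
uidNumber: 11042

dn: uid=carol,cn=users,dc=example,dc=test
uidNumber: 999
EOF
}

# Pipeline from comment 5: plain sort compares the lines as strings.
highest_lexical() {
    grep '^uidNumber:' | LC_ALL=C sort | tail -1 | cut -d' ' -f2
}

# Pipeline with the fix from comment 6: numeric sort on the second field.
highest_numeric() {
    grep '^uidNumber:' | sort -k2n | tail -1 | cut -d' ' -f2
}

# Assumption: simplified model of the allocator, using only the two ranges
# visible in the traceback (1000-55000 and 65536-1000000). Prints the next
# number after $1 that lies inside a range; returns 1 when none is left.
next_candidate() {
    n=$(( $1 + 1 ))
    if [ "$n" -lt 1000 ]; then n=1000; fi
    if [ "$n" -gt 55000 ] && [ "$n" -lt 65536 ]; then n=65536; fi
    if [ "$n" -gt 1000000 ]; then return 1; fi
    echo "$n"
}

echo "lexical highest: $(sample_ldif | highest_lexical)"
echo "numeric highest: $(sample_ldif | highest_numeric)"
top=$(sample_ldif | highest_numeric)
echo "next after reset to $top: $(next_candidate "$top")"
next_candidate 1000001 || echo "1000001: no number left in either range"
```

On a real system the LDIF would come from the `univention-ldapsearch` command quoted above instead of `sample_ldif`.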
Comment 7 Erik Damrose univentionstaff 2020-11-20 09:56:02 CET
Based on bug 52373 I assume this is a win2008r2 AD.
Comment 8 stefan.bauer 2020-11-20 11:22:07 CET
Yes, it is 2008 r2.
Comment 9 Jan-Luca Kiok univentionstaff 2025-02-05 09:24:45 CET
This bug is in state "NEEDSMOREINFO", but no info has been supplied.

Furthermore, this issue has been filed against UCS 4.4.

UCS 4.4 is out of maintenance and components may have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer versions, please use "Clone this bug" or reopen this issue. In this case please provide information on how this issue is affecting you.