Bug 52401 - can not add new users with udm nor new users are synced from AD - uidNumber could not get locked
Status: NEEDMOREINFO
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2020-11-19 18:49 CET by stefan.bauer
Modified: 2021-09-06 12:44 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Description stefan.bauer 2020-11-19 18:49:42 CET
univention-app info
UCS: 4.4-6 errata803
Installed: adconnector=12.0 kopano-core=8.7.1.0-1 kopano-webapp=3.5.14.2539-2 samba-memberserver=4.7 z-push-kopano=2.4.5


root@kopano01:~# udm users/user create --set username=foobar8 --set password=univention12345... --set lastname=foo
E: Object exists: (nolock) The attribute 'uidNumber' could not get locked.

root@kopano01:~# univention-ldapsearch -LLL 'univentionLastUsedValue=*' univentionLastUsedValue
dn: cn=gidNumber,cn=temporary,cn=univention,dc=customer,dc=local
univentionLastUsedValue: 5179

dn: cn=uidNumber,cn=temporary,cn=univention,dc=customer,dc=local
univentionLastUsedValue: 1000001

root@kopano01:~# udm users/user create --set username=foobar8 --set password=univention12345... --set lastname=foo --set uidNumber=1000000
Object created: uid=foobar8,dc=customer,dc=local


Seems like the enumeration / selection of new UIDs is broken in some way.

console logs (incoming change via AD connector):

19.11.2020 18:47:30.899 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=max mustermann,CN=Users,DC=customer,DC=local
19.11.2020 18:47:30.905 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=max.mustermann,cn=users,dc=customer,dc=local
19.11.2020 18:47:30.930 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
19.11.2020 18:47:30.931 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1329, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1149, in add_in_ucs
    return bool(ucs_object.create())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1231, in _create
    self._ldap_pre_create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1584, in _ldap_pre_create
    self['uidNumber'] = univention.admin.allocators.request(self.lo, self.position, 'uidNumber')
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 194, in request
    return acquireRange(lo, position, type, _type2attr[type], [{'first': 1000, 'last': 55000}, {'first': 65536, 'last': 1000000}], scope=_type2scope[type])
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 158, in acquireRange
    raise univention.admin.uexceptions.noLock(_('The attribute %r could not get locked.') % (atype,))
noLock: The attribute 'uidNumber' could not get locked.
Comment 1 Florian Best univentionstaff 2020-11-19 18:59:39 CET
We are allocating only 1.000.000 uidNumbers. It seems this somehow was exceeded.
I guess you don't have that many users/groups?!

> dn: cn=uidNumber,cn=temporary,cn=univention,dc=customer,dc=local
> univentionLastUsedValue: 1000001
What caused changing it to this value? Our code? Your code? (A hacker?).

This may happen if you create a user with uidNumber=1000000 manually.
Do you have such a value? Maybe in Samba / AD?
Comment 2 Arvid Requate univentionstaff 2020-11-19 20:12:08 CET
FYI: The high value may be caused by an AD-Connector sync loop, e.g. if the sync of a user object from AD to UDM/OpenLDAP fails at the second stage e.g. due to a UDM hook. Then the object constantly would get created and deleted again. That should show up in the connector.log though.
Comment 3 Arvid Requate univentionstaff 2020-11-19 20:15:05 CET
Anyway, I think this is site specific and needs to be handled via support of help.univention.de. It doesn't look like a product bug. Although the message could be more informative.
Comment 4 stefan.bauer 2020-11-19 21:12:26 CET
Indeed I did not create a user manually. And indeed it was due to a sync problem/loop that increased the number.

We only have a bunch of users and just test UCS at the moment to see if it fits our needs.

Can the value be reset manually?
Comment 5 Florian Best univentionstaff 2020-11-19 21:33:42 CET
(In reply to stefan.bauer from comment #4)
> Can the value be reset manually?

Yes.
You can get the highest number in use by:
univention-ldapsearch -LLL '(&(objectClass=person)(uidNumber=*))' uidNumber | grep ^uidNumber: | sort | tail -1

Just set it to that value.
Comment 6 Philipp Hahn univentionstaff 2020-11-20 08:48:48 CET
(In reply to Florian Best from comment #5)
> (In reply to stefan.bauer from comment #4)
> univention-ldapsearch -LLL '(&(objectClass=person)(uidNumber=*))' uidNumber | grep ^uidNumber: | sort | tail -1


This is wrong as "11" < "2" when comparing numbers as strings; use `sort -k2n`.
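
Added example, not part of the original thread and not Univention code: it runs the pipeline from comment 5 and a numeric alternative over the same constructed LDIF, and checks a counter value against the allocator ranges shown in the traceback. The sample entries (dc=example,dc=test) and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; sample data is constructed, not taken from the reporter's system.

# Allocator ranges as they appear in the acquireRange() call in the traceback.
UID_RANGES="1000-55000 65536-1000000"

# Constructed LDIF in the shape `univention-ldapsearch -LLL ... uidNumber` prints.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,dc=example,dc=test
uidNumber: 2001

dn: uid=bob,cn=users,dc=example,dc=test
uidNumber: 11000

dn: uid=foobar8,dc=example,dc=test
uidNumber: 1000000
EOF
}

# The pipeline from comment 5: string sort, so "2001" ranks above "1000000".
highest_uid_lexical() {
    grep '^uidNumber:' | LC_ALL=C sort | tail -1 | cut -d' ' -f2
}

# Numeric maximum; ignores values that are not plain decimal integers.
highest_uid() {
    awk '$1 == "uidNumber:" && $2 ~ /^[0-9]+$/ && $2 + 0 > max { max = $2 + 0 }
         END { if (max > 0) print max }'
}

# Report whether a value (e.g. univentionLastUsedValue) lies in an allocator range.
range_state() {
    for r in $UID_RANGES; do
        if [ "$1" -ge "${r%-*}" ] && [ "$1" -le "${r#*-}" ]; then
            echo in-range; return 0
        fi
    done
    echo out-of-range
}

echo "lexical: $(sample_ldif | highest_uid_lexical)"
echo "numeric: $(sample_ldif | highest_uid)"
echo "counter 1000001: $(range_state 1000001)"
```

On this sample the string sort reports 2001 while the numeric maximum is 1000000, and the counter value 1000001 from the description lies outside both ranges.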
Comment 7 Erik Damrose univentionstaff 2020-11-20 09:56:02 CET
Based on bug 52373 I assume this is a win2008r2 AD
Comment 8 stefan.bauer 2020-11-20 11:22:07 CET
Yes, it is 2008 r2.