Bug 53061 – gidNumber not synced from UCS to Samba if user/group is created in Samba

Bug 53061 - gidNumber not synced from UCS to Samba if user/group is created in Samba


Summary:	gidNumber not synced from UCS to Samba if user/group is created in Samba

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	S4 Connector
Version:	UCS 5.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 5.0
Assigned To:	Arvid Requate
QA Contact:	Florian Best

URL:
Keywords:

Depends on:	52358
Blocks:
	Show dependency tree / graph

Reported:	2021-04-12 14:09 CEST by Felix Botner
Modified:	2021-06-22 15:02 CEST (History)
CC List:	3 users (show)

See Also:	50766 50593
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2021-04-12 14:09:58 CEST

UCS 5.0 primary with s4-connector/samba

-> samba-tool user create sam1 Univention.99
-> univention-s4search cn=sam1 gidNumber
# record 1
dn: CN=sam1,CN=Users,DC=five,DC=test

-> samba-tool group add samgrp1
-> univention-s4search cn=samgrp1 gidNumber
# record 1
dn: CN=samgrp1,CN=Users,DC=five,DC=test

This works with UCS 4.4

-> univention-s4search cn=sam1 gidNumber
# record 1
dn: CN=sam1,CN=Users,DC=four,DC=four
gidNumber: 5001

Comment 1 Florian Best

2021-04-13 12:14:00 CEST

git:6ef2304ad5fc925311787f81df2a52215c011323 Bug #50766 changed the sync_mode of gidNumber from sync to write.

Comment 2 Arvid Requate

2021-04-27 17:55:34 CEST

I think the "echo" sync from UCS/OpenLDAP back to Samba/AD is suppressed
by the PostRead Control usage introduced via Bug #52358. When i comment
out the self._remember_entryCSN_commited_by_connector lines then the gidNumber
sync starts to work again.

I guess we need to decide how we want to handle this. Damping replication echos
by using the PostRead LDAP control has its merits, but we need to conceicve a method
to still detect LDAP changes silently added by UDM to be able to sync them back.

I'm currently unsure if we still need the PostRead control to avoid the replication loop
we faced in Bug #52358, because I also adjusted the sort order of sync_to_ucs changes back
to the way it was in UCS 4.4. So one option would be to revert f773e67cec and watch the
Jenkins tests.

Comment 3 Florian Best

2021-04-28 21:36:13 CEST

OK, I reverted that commit in:

univention-s4-connector (14.0.7-2)
aeb58b115123 | Revert "Bug #52358: User LDAP post read control for all objects, not just msGPO."

The commit which fixed the usn search logic: 66511ba17890482f3721724e694ebf4fc3c932de

Comment 4 Arvid Requate

2021-04-29 11:35:57 CEST

a293005fd6 | Test case for gidNumber sync S4->OL
4709e5a79f | fixup

Package: ucs-test
Version: 10.0.5-10A~5.0.0.202104282308
Branch: ucs_5.0-0

Comment 5 Florian Best

2021-04-29 13:17:40 CEST

OK: test case reproduces the problem
OK: revert
OK: no changelog necessary, interim bug
TODO: a new bug to re-add the behavior and find a real solution has to be created

Comment 6 Florian Best

2021-05-25 15:58:37 CEST

UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".

Comment 7 Florian Best

2021-06-22 15:02:29 CEST

To re-add the post-read-control, UDM might should return the addlist/modlist(s), which was actually send to OpenLDAP and the S4-Connector would have to evaluate this.