Univention Bugzilla – Bug 54848
Exam Mode (silently) can not create exam users if SID calculation has offset
Last modified: 2023-06-07 10:20:04 CEST
This is a complicated problem; I absolutely do not know what the root cause is; but I will explain how to reproduce the problem. It happened in a customer environment and was not easy to debug. If you try to create a user that contains an actual invalid (idn is valid, but not in UCS! see bug #46753) mailaddress (maybe happen also with other invalid options) udm users/user create --position "cn=users,$(ucr get ldap/base)" --set username="Römmes" --set lastname="Römmes" --set password="password" --set mailPrimaryAddress=Römmes@reiherwaldschule.intranet the creation will fail. If you now directly (I think within 5 minutes lock timeout) create that user without the mailaddress the SID will no longer match the calculation uidNumber * 2 + 1000 it will be uidNumber * 2 + 1000 + 2 This offset will now transported to all following new user. UDM and UMC seems to have no problem with that but the exam mode will not be able to create the exam users any more. You will see this traceback on the master: 08.06.22 10:10:56.578 MODULE ( ERROR ) : create_exam_user:491 Creation of exam user account failed: Das Attribut 'sid' konnte nicht gesperrt werden. Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/schoolexam-master/__init__.py", line 340, in create_exam_user ldap_admin_write, ldap_position, uidNum File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 83, in requestUserSid return request(lo, position, 'sid', sid) File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 208, in request return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type]) File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 202, in acquireUnique raise univention.admin.uexceptions.noLock(_('The attribute %r could not get locked.') % (type,)) noLock: Das Attribut 'sid' konnte nicht gesperrt werden. 08.06.22 10:10:56.583 MODULE ( PROCESS ) : Interner Server-Fehler in "schoolexam-master/create-exam-user". I opened the bug against the exam module as here are two problems. First one why is the module not able to create the exam users; udm can do. The second problem is, that there was absolutely no hint given to the teacher that something went wrong. It may be possible (for me it looks like) that the root cause is the behavior of udm (failing create must from my point of view release the lock of SID) but please fix the silence to the teacher in such a case. Recreation: UCS@school env: UCS4.4-9 ucsschool v9 1) udm users/user create --position "cn=users,$(ucr get ldap/base)" --set username="Römmes" --set lastname="Römmes" --set password="password" --set mailPrimaryAddress=Römmes@reiherwaldschule.intranet 2) within less than a minute after step 1: udm users/user create --position "cn=users,$(ucr get ldap/base)" --set username="Römmes" --set lastname="Römmes" --set password="password" 3) Try to start an exam
The exam-mode has copied the code from udms function generate_user_sid with a few differences. On the first try of allocating the SID that is the uid * 2 + 1000, udm catches a bare except while the schoolexammode catches (ldap.LDAPError, univention.admin.uexceptions.ldapError) The code afterwards, which increments the SID until it get's a lock is therefore never reached, if the lock for the initially calculated SID fails. This patch was sufficient to successfully start an exam. --- a/ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py +++ b/ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py @@ -339,7 +339,7 @@ class Instance(SchoolBaseModule): userSid = univention.admin.allocators.requestUserSid( ldap_admin_write, ldap_position, uidNum ) - except (ldap.LDAPError, univention.admin.uexceptions.ldapError): + except (ldap.LDAPError, univention.admin.uexceptions.ldapError,univention.admin.uexceptions.noLock): pass if not userSid or userSid == "None": num = uidNum
Customer reported that the normal accounts of the students will not be activated again after finishing the exam. If you run into that situation, you can correct this with: univention-ldapsearch -LLL '(&(sambaUserWorkstations=$)(objectClass=ucsschoolStudent))' dn | grep ^dn: | sed 's/^dn: //' | while read -r DN; do udm users/user modify --dn "$DN" --set sambaUserWorkstations= ; done
QA - `udm users/user create --position "cn=users,$(ucr get ldap/base)" --set username="mytestuser1" --set lastname="Römmes" --set password="password"` - `udm users/user modify --dn="uid=mytestuser1,cn=users,dc=school,dc=test" --set sambaRID=(mytestuser1 sambaRID + 2)` - start exam Before patch - traceback occurs ``` Traceback (most recent call last): File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolexam-master/init.py", line 341, in create_exam_user ldap_admin_write, ldap_position, uidNum File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 90, in requestUserSid return request(lo, position, 'sid', sid) File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 220, in request return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type]) File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 209, in acquireUnique univention.admin.locking.lock(lo, position, type, value.encode('utf-8'), scope=scope) File "/usr/lib/python3/dist-packages/univention/admin/locking.py", line 118, in lock raise univention.admin.uexceptions.noLock(_('The attribute %r could not get locked.') % (type,)) univention.admin.uexceptions.noLock: Could not acquire lock: The attribute 'sid' could not get locked. ``` - exam-* accounts are not created After patch - traceback does not occur - exam-* accounts are created OK: advisory OK: Test (I could not find another setup like the comment above that would cause a false positive) Successful build Package: ucs-school-umc-exam Version: 10.0.9 Branch: ucs_5.0-0 Scope: ucs-school-5.0 Successful build Package: ucs-test-ucsschool Version: 7.3.135 Branch: ucs_5.0-0 Scope: ucs-school-5.0
Errata updates for UCS@school 5.0 v3 have been released. https://docs.software-univention.de/ucsschool-changelog/5.0v3/de/changelog.html If this error occurs again, please clone this bug.
(In reply to Carlos García-Mauriño from comment #12) > Errata updates for UCS@school 5.0 v3 have been released. > > https://docs.software-univention.de/ucsschool-changelog/5.0v3/de/changelog. > html > > If this error occurs again, please clone this bug. In wich errata number will that fixed?
(In reply to Mirac Erdemiroglu from comment #13) > (In reply to Carlos García-Mauriño from comment #12) > > Errata updates for UCS@school 5.0 v3 have been released. > > > > https://docs.software-univention.de/ucsschool-changelog/5.0v3/de/changelog. > > html > > > > If this error occurs again, please clone this bug. > > In wich errata number will that fixed? Hi Miraç, UCS@school does not use errata number as UCS does. The fix is available in UCS@school 5.0 v3: `ucs-school-umc-exam` version `10.0.9`. Just a regular package update is enough.