Bug 54848 - Exam Mode (silently) can not create exam users if SID calculation has offset
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Exam mode
UCS@school 5.0
Other Linux
: P5 normal with 2 votes (vote)
: UCS@school 5.0 v3-errata
Assigned To: Johannes Königer
Johannes Keiser
Reported: 2022-06-09 16:28 CEST by Dirk Schnick
Modified: 2023-06-07 10:20 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?: Yes
School Customer affected?: Yes
Ticket number: 2022060821000537, 2023032321000404


Description Dirk Schnick univentionstaff 2022-06-09 16:28:40 CEST
This is a complicated problem; I absolutely do not know what the root cause is; but I will explain how to reproduce the problem. It happened in a customer environment and was not easy to debug.

If you try to create a user that contains an actually invalid (IDN is valid, but not in UCS! see bug #46753) mail address (this may also happen with other invalid options)

udm users/user create --position "cn=users,$(ucr get ldap/base)" --set username="Römmes" --set lastname="Römmes" --set password="password" --set mailPrimaryAddress=Römmes@reiherwaldschule.intranet

the creation will fail. If you now directly (I think within the 5 minute lock timeout) create that user without the mail address, the SID will no longer match the calculation uidNumber * 2 + 1000; it will be uidNumber * 2 + 1000 + 2.

This offset will now be transported to all following new users. UDM and UMC seem to have no problem with that, but the exam mode will not be able to create the exam users any more. You will see this traceback on the master:

08.06.22 10:10:56.578  MODULE      ( ERROR   ) : create_exam_user:491  Creation of exam user account failed: Das Attribut 'sid' konnte nicht gesperrt werden.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/schoolexam-master/__init__.py", line 340, in create_exam_user
    ldap_admin_write, ldap_position, uidNum
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 83, in requestUserSid
    return request(lo, position, 'sid', sid)
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 208, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type])
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 202, in acquireUnique
    raise univention.admin.uexceptions.noLock(_('The attribute %r could not get locked.') % (type,))
noLock: Das Attribut 'sid' konnte nicht gesperrt werden.
08.06.22 10:10:56.583  MODULE      ( PROCESS ) : Interner Server-Fehler in "schoolexam-master/create-exam-user".


I opened the bug against the exam module as there are two problems here. The first one: why is the module not able to create the exam users? udm can do it.
The second problem is that there was absolutely no hint given to the teacher that something went wrong.

It may be possible (to me it looks like it) that the root cause is the behavior of udm (a failing create must, from my point of view, release the lock on the SID), but please fix the silence to the teacher in such a case.


Recreation:
UCS@school env: UCS4.4-9 ucsschool v9

1) udm users/user create --position "cn=users,$(ucr get ldap/base)" --set username="Römmes" --set lastname="Römmes" --set password="password" --set mailPrimaryAddress=Römmes@reiherwaldschule.intranet
2) within less than a minute after step 1: 
udm users/user create --position "cn=users,$(ucr get ldap/base)" --set username="Römmes" --set lastname="Römmes" --set password="password" 
3) Try to start an exam
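
A check for the offset described above, as an added example that is not part of the original report: it reads LDIF such as `univention-ldapsearch -LLL` prints and lists accounts whose SID RID differs from `uidNumber * 2 + 1000`. The attribute names `uidNumber` and `sambaSID`, unwrapped LDIF lines and the sample entries are assumptions; the sample is constructed.

```python
import re

# Constructed sample LDIF (made-up domain SID and accounts), in the shape
# an LDAP search for uid, uidNumber and sambaSID would return.
SAMPLE_LDIF = """\
dn: uid=anna,cn=users,dc=school,dc=test
uid: anna
uidNumber: 2001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5002

dn: uid=ben,cn=users,dc=school,dc=test
uid: ben
uidNumber: 2002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5006

dn: uid=cleo,cn=users,dc=school,dc=test
uid: cleo
uidNumber: 2003
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5008
"""


def parse_entries(ldif):
    """Split unwrapped LDIF into dicts of single-valued attributes."""
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                # "dn:: <base64>" keeps its encoded value under the key "dn"
                entry[key.rstrip(":")] = value
        yield entry


def rid_offsets(ldif):
    """Return (dn, uidNumber, rid, offset) where RID != uidNumber * 2 + 1000."""
    findings = []
    for entry in parse_entries(ldif):
        if "uidNumber" not in entry or "sambaSID" not in entry:
            continue  # no POSIX id or no SID, nothing to compare
        uid_number = int(entry["uidNumber"])
        rid = int(entry["sambaSID"].rsplit("-", 1)[1])
        offset = rid - (uid_number * 2 + 1000)
        if offset:
            findings.append((entry.get("dn"), uid_number, rid, offset))
    return findings
```

On the constructed sample the first account matches the formula and the two created after it both carry the offset of 2.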
Comment 2 Julia Bremer univentionstaff 2022-06-10 09:35:52 CEST
The exam mode has copied the code from udm's function generate_user_sid
with a few differences. 

On the first try of allocating the SID, that is, uid * 2 + 1000,
udm catches a bare except while the schoolexammode catches (ldap.LDAPError, univention.admin.uexceptions.ldapError)

The code afterwards, which increments the SID until it gets a lock, is therefore never reached if the lock for the initially calculated SID fails.


This patch was sufficient to successfully start an exam. 

--- a/ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py
+++ b/ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py
@@ -339,7 +339,7 @@ class Instance(SchoolBaseModule):
                     userSid = univention.admin.allocators.requestUserSid(
                         ldap_admin_write, ldap_position, uidNum
                     )
-                except (ldap.LDAPError, univention.admin.uexceptions.ldapError):
+                except (ldap.LDAPError, univention.admin.uexceptions.ldapError,univention.admin.uexceptions.noLock):
                     pass
             if not userSid or userSid == "None":
                 num = uidNum
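
Review bot: The widened `except` on the changed line still ends in `pass`, so a failed lock on the initially calculated SID is swallowed without any log entry before the fallback under `if not userSid or userSid == "None":` takes over. Consider logging the caught exception together with `uidNum` at that point, so that a SID sequence running with an offset is visible in the log on the master instead of being silently worked around. Style: there is no space after the comma before `univention.admin.uexceptions.noLock`, and the tuple is now long enough to be wrapped over several lines.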
Comment 3 Dirk Schnick univentionstaff 2022-06-10 10:23:10 CEST
Customer reported that the normal accounts of the students will not be activated again after finishing the exam. If you run into that situation, you can correct this with:
  
univention-ldapsearch -LLL '(&(sambaUserWorkstations=$)(objectClass=ucsschoolStudent))' dn | grep ^dn: | sed 's/^dn: //' | while read -r DN; do udm users/user modify --dn "$DN" --set sambaUserWorkstations= ; done
Comment 10 Johannes Keiser univentionstaff 2023-05-26 12:44:21 CEST
QA

- `udm users/user create --position "cn=users,$(ucr get ldap/base)" --set username="mytestuser1" --set lastname="Römmes" --set password="password"`

- `udm users/user modify --dn="uid=mytestuser1,cn=users,dc=school,dc=test" --set sambaRID=(mytestuser1 sambaRID + 2)`

- start exam

Before patch

- traceback occurs
```
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolexam-master/__init__.py", line 341, in create_exam_user
	ldap_admin_write, ldap_position, uidNum
  File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 90, in requestUserSid
	return request(lo, position, 'sid', sid)
  File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 220, in request
	return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type])
  File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 209, in acquireUnique
	univention.admin.locking.lock(lo, position, type, value.encode('utf-8'), scope=scope)
  File "/usr/lib/python3/dist-packages/univention/admin/locking.py", line 118, in lock
	raise univention.admin.uexceptions.noLock(_('The attribute %r could not get locked.') % (type,))
univention.admin.uexceptions.noLock: Could not acquire lock: The attribute 'sid' could not get locked.
```

- exam-* accounts are not created

After patch
- traceback does not occur
- exam-* accounts are created

OK: advisory

OK: Test (I could not find another setup like the comment above that would cause a false positive)

Successful build
Package: ucs-school-umc-exam
Version: 10.0.9
Branch: ucs_5.0-0
Scope: ucs-school-5.0

Successful build
Package: ucs-test-ucsschool
Version: 7.3.135
Branch: ucs_5.0-0
Scope: ucs-school-5.0
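
The before/after behaviour checked in this QA comment, as an added example that is not UCS@school code: a simplified model of the first SID request plus the increment fallback, run once with the pre-patch exception tuple and once with `noLock` included. All names (`DirectoryError`, `NoLock`, `request_user_sid`, `allocate`) and the in-memory set of taken RIDs are hypothetical stand-ins, and the fallback loop is an assumption based on the description in comment 2.

```python
class DirectoryError(Exception):
    """Stand-in for ldap.LDAPError / uexceptions.ldapError."""


class NoLock(Exception):
    """Stand-in for uexceptions.noLock; deliberately not a DirectoryError."""


def rid_for(num):
    return num * 2 + 1000  # formula from the bug description


def request_user_sid(taken_rids, num):
    """Hypothetical allocator: reserve the RID or raise NoLock if it is taken."""
    rid = rid_for(num)
    if rid in taken_rids:
        raise NoLock("The attribute 'sid' could not get locked.")
    taken_rids.add(rid)
    return rid


def allocate(taken_rids, uid_num, first_try_catches):
    """Try the calculated RID first, then increment until a lock succeeds."""
    rid = None
    try:
        rid = request_user_sid(taken_rids, uid_num)
    except first_try_catches:
        pass  # fall through to the increment loop below
    num = uid_num
    while rid is None:
        num += 1
        try:
            rid = request_user_sid(taken_rids, num)
        except NoLock:
            continue  # that RID is taken as well, keep incrementing
    return rid


BEFORE = (DirectoryError,)        # pre-patch: NoLock escapes the first try
AFTER = (DirectoryError, NoLock)  # patched: NoLock reaches the fallback


def demo(uid_num=2001):
    taken = {rid_for(uid_num)}    # constructed: calculated RID already in use
    try:
        before = allocate(set(taken), uid_num, BEFORE)
    except NoLock as exc:
        before = "noLock: %s" % exc
    return before, allocate(set(taken), uid_num, AFTER)
```

With the calculated RID 5002 already taken, the pre-patch tuple lets the exception escape, while the patched tuple reaches the loop and returns 5004, the same offset of 2 that the report describes.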
Comment 12 Carlos García-Mauriño univentionstaff 2023-06-07 09:54:42 CEST
Errata updates for UCS@school 5.0 v3 have been released.

https://docs.software-univention.de/ucsschool-changelog/5.0v3/de/changelog.html

If this error occurs again, please clone this bug.
Comment 13 Mirac Erdemiroglu univentionstaff 2023-06-07 10:06:03 CEST
(In reply to Carlos García-Mauriño from comment #12)
> Errata updates for UCS@school 5.0 v3 have been released.
> 
> https://docs.software-univention.de/ucsschool-changelog/5.0v3/de/changelog.html
> 
> If this error occurs again, please clone this bug.

In which errata number will that be fixed?
Comment 14 Carlos García-Mauriño univentionstaff 2023-06-07 10:20:04 CEST
(In reply to Mirac Erdemiroglu from comment #13)
> (In reply to Carlos García-Mauriño from comment #12)
> > Errata updates for UCS@school 5.0 v3 have been released.
> > 
> > https://docs.software-univention.de/ucsschool-changelog/5.0v3/de/changelog.html
> > 
> > If this error occurs again, please clone this bug.
> 
> In which errata number will that be fixed?

Hi Miraç,

UCS@school does not use errata numbers as UCS does. The fix is available in UCS@school 5.0 v3: `ucs-school-umc-exam` version `10.0.9`. Just a regular package update is enough.