Univention Bugzilla – Full Text Bug Listing
Summary: | Unable to delete computer object in AD due to child objects | ||
---|---|---|---|
Product: | UCS | Reporter: | Sönke Schwardt-Krummrich <schwardt> |
Component: | S4 Connector | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | ||
Priority: | P5 | CC: | alexander.wotschke, gohmann, meybohm, michelsmidt, najjar, petersen, scheinig, stephan.hendl, thorp-hansen |
Version: | UCS 4.0 | ||
Target Milestone: | UCS 4.2-0-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=31090 https://forge.univention.org/bugzilla/show_bug.cgi?id=45311 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.137 | Enterprise Customer affected?: | Yes |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | 2015070921000814, 2015071421000439, 2015120721000451, 2016011321000155, 2017031721000311 | Bug group (optional): | |
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 45311 |
Description
Sönke Schwardt-Krummrich
2014-01-09 13:37:24 CET
Also seen at [Ticket#2015070921000814]: If one installs a Windows terminalserver there will also be an object CN=TermServLicensing created as subobject of the terminalserver. Once one wants to delete the terminalserver itself via UMC there will be a reject created since the subobject cannot be deleted (AFAIK the LDAP doesn't know anything about this subobject).

```
09.07.2015 14:24:50,11 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1435824301.685845
09.07.2015 14:24:50,26 LDAP (PROCESS): sync from ucs: [windowscomputer] [ delete] CN=w2k8termp,OU=223,OU=windowsserver,DC=local,DC=de
09.07.2015 14:24:50,746 LDAP (WARNING): delete subobject: CN=TermServLicensing,CN=w2k8termp,OU=223,OU=windowsserver,DC=local,DC=de
09.07.2015 14:24:50,764 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1435824301.685845
09.07.2015 14:24:50,765 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 801, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2536, in sync_from_ucs
    self.delete_in_s4( object, property_type )
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2590, in delete_in_s4
    if not self.sync_from_ucs(key, subobject, object_mapping['dn']):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2243, in sync_from_ucs
    if self.property[property_type].sync_mode in ['read', 'none']:
KeyError: None
```

Happened again at 2015071421000439 - bumped version to 4.0, adjusted TM

You have to remove all Subobjects (also happened for hyper-v metaobjects for example), then the connector removes the machine object.

Happened again at 2015120721000451.
UCS-Version 4.1

Happened again at Ticket#2016011321000155 after update to 4.1

*** Bug 31090 has been marked as a duplicate of this bug. ***

(In reply to Stefan Gohmann from comment #5)
> *** Bug 31090 has been marked as a duplicate of this bug. ***

See Bug #31090 for a similar case.

I've adjusted the delete_in_s4 method to support removal of unmapped sub-objects. Before this the DNs of those objects needed to be whitelisted (Bug #26210) in a "con_subtree_delete_objects" mapping attribute. I've removed that now, too.

Advisory: univention-s4-connector.

(In reply to Arvid Requate from comment #7)
> I've adjusted the delete_in_s4 method to support removal of unmapped
> sub-objects.
> Before this the DNs of those objects needed to be whitelisted (Bug #26210)
> in a "con_subtree_delete_objects" mapping attribute. I've removed that now,
> too.

Wouldn't it be better to use the con_subtree_delete_objects and allow to add values via UCR? This could be logged and the Administrator can expand the UCR variable and we should add some of the objects which are part of the tickets.

Otherwise it could result in a deletion of a complete AD tree for example if a rename fails or the Listener gives wrong values due to a cache problem.

Ok, googling for these kinds of UCS tracebacks I find these RDNs:

```
CN=winhost1-HP Officejet 6700 (Netzwe0023004711
CN=TermServLicensing
CN=Windows Virtual Machine
CN=RouterIdentity
CN={3cefcc1a-6c7a-4f56-b7c3-951849cdb5f8}
```

* The first probably is of objectClass=printQueue, added by clicking on "List in the Directory", see https://blogs.technet.microsoft.com/askperf/2009/05/05/printing-and-active-directory/
* The next three are of objectClass=serviceConnectionPoint (SCP), see https://msdn.microsoft.com/en-us/library/windows/desktop/ms677638(v=vs.85).aspx . There are other SCPs, like "CN=IASIdentity" and there are also objects of class "serviceAdministrationPoint", so maybe we should allow removal of the parent class "connectionPoint" to catch all of those types.
* Another frequent sub-object could be "CN=NTFRS Subscriptions", which has objectclass=nTFRSMember.

Ok, I've reverted my changes and implemented the filter based approach.

Advisory: univention-s4-connector.yaml

con_subtree_delete_objects is set for 'dc' objects, we probably want this for 'windowscomputer' too

OK - connector deletes unknown subobjects of objectclass 'objectClass=rIDSet', 'objectClass=connectionPoint' or 'objectclass=nTFRSMember' for dc and windowscomputer objects

OK - connector does not delete other unknown subobjects

OK - univention-s4-connector.yaml
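
The filter-based approach the thread settles on, sketched as an added example (this is not code from univention-s4-connector): unknown children are removed with the computer object only when their objectClass matches the three classes named in the QA notes. The function and constant names are hypothetical, the entries are constructed from the DNs quoted above, and refusing the whole delete when any child falls outside the filter is this example's assumption.

```python
# Added example, not univention-s4-connector code; all names are hypothetical.

# Object classes named in the thread's QA notes, lower-cased for comparison.
DELETABLE_CLASSES = {"ridset", "connectionpoint", "ntfrsmember"}
# Parent object types the QA notes say the filter applies to.
FILTERED_PARENT_TYPES = {"dc", "windowscomputer"}


def depth(dn):
    """Number of RDNs; simplified, assumes no escaped commas in the DN."""
    return dn.count(",") + 1


def plan_subtree_delete(parent_type, parent_dn, children):
    """children: list of (dn, [objectClass values]) found below parent_dn.

    Returns (allowed, delete_order, blockers). One child outside the filter
    blocks the whole delete, so a wrong parent DN (failed rename, stale
    listener cache) cannot take an arbitrary subtree with it.
    """
    suffix = "," + parent_dn.lower()
    blockers = []
    for dn, classes in children:
        in_subtree = dn.lower().endswith(suffix)
        matches = bool(DELETABLE_CLASSES & {c.lower() for c in classes})
        if (parent_type not in FILTERED_PARENT_TYPES
                or not in_subtree or not matches):
            blockers.append(dn)
    if blockers:
        return False, [], blockers
    # Deepest entries first, parent last: AD refuses to delete a non-leaf.
    order = sorted((dn for dn, _ in children), key=depth, reverse=True)
    return True, order + [parent_dn], []


# Constructed sample entries modelled on the DNs quoted in the thread.
PARENT = "CN=w2k8termp,OU=223,OU=windowsserver,DC=local,DC=de"
SCP = ("CN=TermServLicensing," + PARENT,
       ["top", "leaf", "connectionPoint", "serviceConnectionPoint"])
OTHER = ("CN=Stuff," + PARENT, ["top", "container"])  # constructed non-match

if __name__ == "__main__":
    print(plan_subtree_delete("windowscomputer", PARENT, [SCP]))
    print(plan_subtree_delete("windowscomputer", PARENT, [SCP, OTHER]))
```

The blockers list is what an administrator would want in the connector log before deciding whether to widen the filter.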