Bug 42115

Summary: DRS replication blocks on re-created deleted objects
Product: UCS
Reporter: Arvid Requate <requate>
Component: S4 Connector
Assignee: Arvid Requate <requate>
Status: CLOSED DUPLICATE
QA Contact: Stefan Gohmann <gohmann>
Severity: major
Priority: P1
CC: gohmann, grandjean, schwardt
Version: UCS 4.1
Target Milestone: UCS 4.1-4
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=42120
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won't like this once they notice it
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016082321000589
Bug group (optional): Error handling, Troubleshooting
Max CVSS v3 score:
Bug Depends on: 42624
Bug Blocks:

Description Arvid Requate univentionstaff 2016-08-24 19:38:16 CEST
During analysis of Ticket#2016082321000589 we saw replication issues (for deleted objects) that are probably caused by the changes for Bug #41864.

On the DRS-replicating Samba/AD DCs showrepl showed WERR_BAD_NET_RESP for INCOMING changes on the domain partition of the UCS DC Master (S4-Connector).

log.samba on the DRS-replicating Samba/AD DC shows messages like these:

===============================================================================
[2016/08/24 17:30:23.627065,  0, pid=3924] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectGUID in cn=username\0ADEL:96833c07-835e-4853-a2e5-2635b03957c5\0ACNF:96833c07-835e-4853-a2e5-2635b03957c5,CN=Deleted Objects,DC=ucsschool,DC=local - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectGUID in cn=username\0ADEL:96833c07-835e-4853-a2e5-2635b03957c5\0ACNF:96833c07-835e-4853-a2e5-2635b03957c5,CN=Deleted Objects,DC=ucsschool,DC=local: Entry already exists
===============================================================================

It looks like the changes for Bug #41864 cause the accounts to be re-created with the same objectSid but a different objectGuid and in the end that causes DRS-replication to block. Maybe it's also due to three or more Samba AD/DCs replicating.
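A small log check, added here as an illustration and not part of the bug report or of the Samba/UCS code: it groups log.samba output into records and flags the "unique index violation on objectGUID" signature quoted above, pulling the tombstone GUIDs and the partition out of the DN so the blocked partition can be identified quickly. The record layout and regular expressions follow the one line quoted in the report; the second sample record, the default log path and all function and class names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log.samba excerpt. Record 1 reproduces the failure
# quoted in the report; record 2 is a made-up, harmless record for contrast.
SAMPLE_LOG = r"""[2016/08/24 17:30:23.627065,  0, pid=3924] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
  Failed to apply records: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectGUID in cn=username\0ADEL:96833c07-835e-4853-a2e5-2635b03957c5\0ACNF:96833c07-835e-4853-a2e5-2635b03957c5,CN=Deleted Objects,DC=ucsschool,DC=local - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectGUID in cn=username\0ADEL:96833c07-835e-4853-a2e5-2635b03957c5\0ACNF:96833c07-835e-4853-a2e5-2635b03957c5,CN=Deleted Objects,DC=ucsschool,DC=local: Entry already exists
[2016/08/24 17:30:24.100000,  3, pid=3924] ../source4/example/placeholder.c:1(placeholder_function)
  constructed informational record, not a failure
"""

# Samba log header: "[timestamp, level, pid=N] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),"
    r"\s*pid=(?P<pid>\d+)\]\s*(?P<loc>\S+)"
)
VIOLATION_RE = re.compile(
    r"unique index violation on (?P<attr>\w+) in (?P<dn>.+?): Entry already exists"
)
# A tombstone DN carries the original GUID after "\0ADEL:" and, when a
# naming conflict was recorded, a second GUID after "\0ACNF:".
DEL_GUID_RE = re.compile(r"\\0ADEL:([0-9a-fA-F-]{36})")
CNF_GUID_RE = re.compile(r"\\0ACNF:([0-9a-fA-F-]{36})")


@dataclass
class LogRecord:
    timestamp: str
    level: int
    pid: int
    location: str
    message: str


@dataclass
class IndexViolation:
    timestamp: str
    location: str
    attribute: str
    dn: str
    partition: str
    deleted_guid: Optional[str]
    conflict_guid: Optional[str]
    in_deleted_objects: bool


def parse_records(text: str) -> List[LogRecord]:
    """Group log lines into records: a header line plus the indented
    continuation lines that follow it."""
    records: List[LogRecord] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append(LogRecord(m["ts"], int(m["level"]), int(m["pid"]), m["loc"], ""))
        elif records and line.strip():
            rec = records[-1]
            rec.message = (rec.message + " " + line.strip()).strip()
    return records


def find_index_violations(records: List[LogRecord]) -> List[IndexViolation]:
    """Return every record carrying the unique-index failure signature,
    with the DN decomposed for triage."""
    found: List[IndexViolation] = []
    for rec in records:
        m = VIOLATION_RE.search(rec.message)
        if not m:
            continue
        dn = m["dn"]
        d = DEL_GUID_RE.search(dn)
        c = CNF_GUID_RE.search(dn)
        found.append(IndexViolation(
            timestamp=rec.timestamp,
            location=rec.location,
            attribute=m["attr"],
            dn=dn,
            partition=",".join(re.findall(r"DC=[^,]+", dn)),
            deleted_guid=d.group(1).lower() if d else None,
            conflict_guid=c.group(1).lower() if c else None,
            in_deleted_objects="cn=deleted objects" in dn.lower(),
        ))
    return found


def summarize(violations: List[IndexViolation]) -> List[str]:
    """One line per hit, suitable for an alert or a ticket note."""
    return [
        f"{v.timestamp} {v.partition}: {v.attribute} index violation on tombstone "
        f"{v.deleted_guid} (conflict {v.conflict_guid}) in "
        f"{'Deleted Objects' if v.in_deleted_objects else 'live tree'}"
        for v in violations
    ]


if __name__ == "__main__":
    import sys
    # Assumed usage: python3 check_drs_log.py /var/log/samba/log.samba
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in summarize(find_index_violations(parse_records(text))):
        print(line)
```

Run against a real log.samba from the DC that reports WERR_BAD_NET_RESP; a hit in the Deleted Objects container with a matching DEL and CNF GUID is the pattern the report describes, and the partition field tells you which naming context is stuck without having to read the full DN.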
Comment 1 Arvid Requate univentionstaff 2016-10-31 14:22:22 CET
See Bug 41864 Comment 7, we need to fix this.
Comment 2 Arvid Requate univentionstaff 2016-11-03 20:49:34 CET
Ok, the patch for Bug 42120 removes the ill-advised mechanism of object re-creation implemented for Bug 41864 that caused this problem.

I had another look at the sibling Bug 41756, which allows the sync_from_ucs to happen for objects whose entryUUID has been marked as deleted in UCS but reappears. In UCS@school that can happen when a student account is moved from one school to another via UMC and then back again. This change is ok.

Even though Bug 35345 is still open and allows objects deleted and then re-created in Samba/AD to get synchronized back into OpenLDAP: They will get a different entryUUID there and the change of Bug 41756 doesn't apply and cannot cause any change in behavior, e.g. in standard UCS.

*** This bug has been marked as a duplicate of bug 42120 ***
Comment 3 Stefan Gohmann univentionstaff 2016-11-07 15:18:51 CET
OK
Comment 4 Stefan Gohmann univentionstaff 2016-11-08 13:26:36 CET
UCS 4.1-4 has been released:
 https://docs.software-univention.de/release-notes-4.1-4-en.html
 https://docs.software-univention.de/release-notes-4.1-4-de.html

If this error occurs again, please use "Clone This Bug".