Univention Bugzilla – Full Text Bug Listing

| Summary: | Traceback with cross-school users after being removed from a school | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Sönke Schwardt-Krummrich <schwardt> |
| Component: | S4 Connector | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
| Severity: | normal | | |
| Priority: | P5 | CC: | botner, gohmann, heidelberger, markus.daehlmann, petersen, requate, scheinig |
| Version: | UCS 4.3 | | |
| Target Milestone: | UCS 4.3-0-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=46470 | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
| Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
| User Pain: | 0.171 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | Yes | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2018031621000473 | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | 25709 | | |
| Bug Blocks: | 46692, 46971, 47104, 47636 | | |
| Attachments: | skip_object_memberships_sync_to_ucs_if_group_syncmode_write.patch | | |
Description
Sönke Schwardt-Krummrich
2018-03-16 13:22:00 CET
I cannot reproduce it, neither in UCS 4.2-3 nor UCS 4.3-0, trying three different approaches of removal of the teacher account from "school2":

A) Remove school2 from ucsschoolSchool and the user from the groups in one step via UMC
B) First remove school2 from ucsschoolSchool via UMC, save. Then remove user from the groups in separate step, save.
C) First remove user from groups via UMC, save. Then school2 from ucsschoolSchool in separate step, save.

No success. It would be very interesting to know, if the user object already had been removed in Samba/AD at that point, but Samba failed to also remove the group membership. That's the only scenario I can currently think of. If we cannot get more information we might have to add some debugging code which runs s4search on the problematic member object.

Anyway, fact is, that Samba cannot remove the group membership. Maybe a samba-tool dbcheck would be required to fix this. We probably cannot fix that in the S4-Connector "group_members_sync_from_ucs". But what we should do, is to avoid synchronizing the group memberships back, especially since we have connector/s4/mapping/group/syncmode=write ! Currently I can think of two ways to do this:

1) *If* the user object is already removed in Samba/AD, then why are group memberships synchronized back? Maybe we could skip that.
2) The mapping still calls "object_memberships_sync_to_ucs" even though the group syncmode is "write". We sh/could remove that call in this configuration. See attached patch sketch.

Created attachment 9484
skip_object_memberships_sync_to_ucs_if_group_syncmode_write.patch
Switching to "NEW" → otherwise the bug would not show up in several reporting tools 3e9db0b31a | skip object_memberships_sync_to_ucs if group syncmode is write 0d1a2affb4 | Advisory --- mirror/ftp/4.3/unmaintained/component/4.3-0-errata/source/univention-s4-connector_12.0.2-10A~4.3.0.201804161312.dsc +++ apt/ucs_4.3-0-errata4.3-0/source/univention-s4-connector_12.0.2-11A~4.3.0.201804261933.dsc @@ -1,6 +1,11 @@ -12.0.2-10A~4.3.0.201804161312 [Mon, 16 Apr 2018 13:12:03 +0200] Univention builddaemon <buildd@univention.de>: +12.0.2-11A~4.3.0.201804261933 [Thu, 26 Apr 2018 19:33:53 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +12.0.2-11 [Thu, 26 Apr 2018 19:27:48 +0200] Arvid Requate <requate@univention.de>: + + * Bug #46682: skip object_memberships_sync_to_ucs + if group syncmode is write 12.0.2-10 [Mon, 16 Apr 2018 13:10:35 +0200] Felix Botner <botner@univention.de>: *** Bug 33466 has been marked as a duplicate of this bug. *** QA for Bug 46971 showed that my initial patch was not effective. *** Bug 47104 has been marked as a duplicate of this bug. *** Commits cherrypicked from 4.2-4: 147232dc33^..035dbabe63 and 7b9fef72c9. Two patch hunks ignored from commit 92f8e177e9 because the target code has been removed in 4.3-0 (due to commit 01447fb6ce for Bug #47013) 774394cabe | Advisory package version 0af5140b73 | Changelog & Advisory cef3856cf9 | Fix code comment d7ad96f5f5 | Fix traceback b8be095cfc | Code cleanup: Improve readability 1005980bc4 | Code cleanup: Improve readability OK - univention-s4-connector OK - yaml |
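Review bot: The changelog entry added for 12.0.2-11 in the `@@ -1,6 +1,11 @@` hunk says only "if group syncmode is write" and does not name the setting it refers to. Spelling out `connector/s4/mapping/group/syncmode=write`, as the discussion above does, would let an administrator reading the changelog tell whether their configuration is affected by the skipped `object_memberships_sync_to_ucs` call.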