Univention Bugzilla – Full Text Bug Listing
Summary: | UCS@school: Allow re-creation of deleted group object with same objectSid in Samba/AD | ||
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | S4 Connector | Assignee: | Julia Bremer <bremer> |
Status: | CLOSED FIXED | QA Contact: | Florian Best <best> |
Severity: | major | ||
Priority: | P2 | CC: | best, bremer, gohmann, heidelberger, markus.daehlmann, requate, scheinig, schwardt, thorp-hansen |
Version: | UCS 4.4 | Flags: | requate: Patch_Available+ |
Target Milestone: | UCS 4.4-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=50108 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.114 | Enterprise Customer affected?: | |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Yes | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | 2019031921001054, 2019101821000598, 2019102321001078 | Bug group (optional): | Release Goal, Troubleshooting |
Max CVSS v3 score: | |||
Attachments: | allow-recreation-of-samba-deleted-object-v2.patch |
Description
Arvid Requate
2019-07-04 13:53:59 CEST
Created attachment 10104
allow-recreation-of-samba-deleted-object-v2.patch
The same reject also occurs for groups on a school slave. I have heard this was implemented for users (because of the cross-school users) in the first place. I will try the patch on a school slave too. The traceback seems to be the same.

This is the reject on a school slave
-------------------------------
23.07.2019 13:53:35.287 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1562662385.677988
23.07.2019 13:53:35.289 LDAP (PROCESS): __sync_file_from_ucs: Object with entryUUID e23403c4-3666-1039-9cfe-4df289a4a00d has been removed before but became visible again.
23.07.2019 13:53:35.290 LDAP (INFO ): __sync_file_from_ucs: object was modified
23.07.2019 13:53:35.292 LDAP (INFO ): _ignore_object: Do not ignore cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,dc=schein,dc=me
23.07.2019 13:53:35.292 LDAP (INFO ): _object_mapping: map with key group and type ucs
23.07.2019 13:53:35.293 LDAP (INFO ): _dn_type ucs
23.07.2019 13:53:35.294 LDAP (INFO ): samaccount_dn_mapping: check newdn for key dn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.297 LDAP (INFO ): samaccount_dn_mapping: premapped S4 object not found
23.07.2019 13:53:35.297 LDAP (INFO ): samaccount_dn_mapping: got an UCS-Object
23.07.2019 13:53:35.297 LDAP (INFO ): samaccount_dn_mapping: search in s4 for (&(objectclass=group)(samaccountname=sun-2a))
23.07.2019 13:53:35.299 LDAP (INFO ): samaccount_dn_mapping: newdn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.299 LDAP (INFO ): samaccount_dn_mapping: newdn for key dn:
23.07.2019 13:53:35.299 LDAP (INFO ): samaccount_dn_mapping: olddn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.300 LDAP (INFO ): samaccount_dn_mapping: newdn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.300 LDAP (INFO ): samaccount_dn_mapping: check newdn for key olddn: None
23.07.2019 13:53:35.300 LDAP (INFO ): sid_to_s4_mapping
23.07.2019 13:53:35.302 LDAP (INFO ): _ignore_object: Do not ignore cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,dc=schein,dc=me
23.07.2019 13:53:35.303 LDAP (INFO ): __sync_file_from_ucs: finished mapping
23.07.2019 13:53:35.303 LDAP (INFO ): sync_from_ucs: sync object: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.303 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.305 LDAP (INFO ): sync_from_ucs: add object: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.306 LDAP (INFO ): sync_from_ucs: lock UCS entryUUID: e23403c4-3666-1039-9cfe-4df289a4a00d
23.07.2019 13:53:35.306 LDAP (INFO ): LockingDB: Execute SQL command: 'INSERT INTO UCS_LOCK(uuid) VALUES(?);', '('e23403c4-3666-1039-9cfe-4df289a4a00d',)'
23.07.2019 13:53:35.312 LDAP (INFO ): groupType: -2147483646
23.07.2019 13:53:35.312 LDAP (INFO ): to add: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.312 LDAP (ALL ): sync_from_ucs: addlist: [('objectClass', ['top', 'group']), ('objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x84!\xaa\x92\xb0\xeb^\x1a\x18.\x99^\xa9\x80\x00\x00']), ('sAMAccountName', [u'sun-2a'])]
23.07.2019 13:53:35.334 LDAP (ERROR ): sync_from_ucs: traceback during add object: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.335 LDAP (ERROR ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'group']), ('objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x84!\xaa\x92\xb0\xeb^\x1a\x18.\x99^\xa9\x80\x00\x00']), ('sAMAccountName', [u'sun-2a'])]
23.07.2019 13:53:35.340 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1562662385.677988
23.07.2019 13:53:35.341 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 910, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2559, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls)  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: ../../ldb_key_value/ldb_kv_index.c:2506: Failed to re-index objectSid in CN=sun-2a,CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,DC=me - ../../ldb_key_value/ldb_kv_index.c:2351: unique index violation on objectSid in CN=sun-2a,CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,DC=me', 'desc': 'Constraint violation'}

Manual tombstone reanimation worked, btw.

I applied the patch on the master, and it worked. 30 rejects gone, thank you. I set the ticket to waiting for Errata and the bug to waiting for support. The customer cannot update further Erratas without this issue fixed.

Happens in another school environment.

(In reply to Christina Scheinig from comment #5)
> The customer cannot update further Erratas without this issue fixed.

Why not?

(In reply to Sönke Schwardt-Krummrich from comment #7)
> (In reply to Christina Scheinig from comment #5)
> > The customer cannot update further Erratas without this issue fixed.
>
> Why not?

"cannot update" → this is an effort issue, not a technical issue.
→ the customer has a lot of systems and has to patch all systems again if the S4 connector has been altered via an errata update.

Next school customer with patch applied in the environment.

Successful build
Package: univention-s4-connector
Version: 13.0.2-58A~4.4.0.201911211556
Branch: ucs_4.4-0
Scope: errata4.4-2
User: jbremer

efe7866667 Bug #49792: yaml
5d0d2ea6f3 Bug #49792: Changelog
dc487e6d60 Bug #49792: Allow recreation of samba deleted object

Built with the attached patch.

Reproducible:
# udm groups/group create --set name=foogroup2 --set sambaRID=12529
WARNING: The object is not going to be created underneath of its default containers.
Object created: cn=foogroup2,l=school,l=dev
# udm groups/group remove --dn cn=foogroup2,l=school,l=dev
Object removed: cn=foogroup2,l=school,l=dev
# udm groups/group create --set name=foogroup2 --set sambaRID=12529
WARNING: The object is not going to be created underneath of its default containers.
Object created: cn=foogroup2,l=school,l=dev

I wondered if the patch can cause a recursion error/dead loop
* for ldap.CONSTRAINT_VIOLATION errors which are not "unique index violation on objectSid"
* because ldap.CONSTRAINT_VIOLATION is caught in sync_from_ucs() and in that except block sync_from_ucs() is called again.
But it seems the check "no conflicting deleted object found" prevents this.

18.10.2019 16:31:37.003 LDAP (PROCESS): sync_from_ucs: error during add, searching for conflicting deleted object in S4
18.10.2019 16:31:37.003 LDAP (INFO ): sync_from_ucs: search filter: (&(sAMAccountName=foogroup6)(objectSid=S-1-5-21-2678360992-1148200938-341953966-12531)(isDeleted=TRUE))
18.10.2019 16:31:37.003 LDAP (PROCESS): sync_from_ucs: no conflicting deleted object found
18.10.2019 16:31:37.005 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1571409057.399389
18.10.2019 16:31:37.005 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 891, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2408, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls)  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: samldb: samAccountName has 2 values, should be single-valued!', 'desc': 'Constraint violation'}

OK: groups with same sambaRID and same name as a removed group get restored again.
It still raises CONSTRAINT_VIOLATION if only the SID is taken but the name changed.
OK: YAML
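To make the failure mode and the retry concrete, the following is an added example in Python 3; it is not part of this bug, the attached patch, or the S4 connector's own code. It decodes the binary objectSid quoted in the rejected addlist above into its S-1-5-21-... text form, builds the tombstone search filter in the shape the patched connector logs, and walks through the QA reproducer (create, delete, re-create with the same name and RID, then re-create with a different name but the same RID) against a small in-memory stand-in for sam.ldb. FakeSamDB, add_or_reanimate and recreate_scenario are hypothetical names invented for this demonstration; the unique objectSid index, tombstones and reanimation are modelled, not taken from Samba or the connector.

```python
import struct

# Constructed sample input: the raw objectSid from the rejected addlist
# quoted in this bug (cn=sun-2a), written as a Python 3 bytes literal.
SAMPLE_SID = (b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00'
              b'\x84!\xaa\x92\xb0\xeb^\x1a\x18.\x99^\xa9\x80\x00\x00')


def sid_bytes_to_string(sid):
    """Decode a binary objectSid into S-<rev>-<authority>-<sub>...-<RID>.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian
    sub-authorities; the last sub-authority is the RID.
    """
    if len(sid) < 8:
        raise ValueError('SID shorter than its fixed header')
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError('SID length does not match sub-authority count')
    authority = int.from_bytes(sid[2:8], 'big')
    subs = struct.unpack('<%dI' % count, sid[8:])
    return 'S-%d-%d-%s' % (revision, authority, '-'.join(str(s) for s in subs))


def ldap_escape(value):
    """RFC 4515 escaping so a sAMAccountName cannot rewrite the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def tombstone_filter(samaccountname, sid_string):
    """Filter for a deleted object that still holds both name and SID,
    in the shape the patched connector logs."""
    return '(&(sAMAccountName=%s)(objectSid=%s)(isDeleted=TRUE))' % (
        ldap_escape(samaccountname), sid_string)


class ConstraintViolation(Exception):
    """Stand-in for ldap.CONSTRAINT_VIOLATION."""


class FakeSamDB:
    """Hypothetical in-memory stand-in for sam.ldb: objectSid is a unique
    index, and a deleted object stays behind as a tombstone (isDeleted)."""

    def __init__(self):
        self.objects = {}  # dn -> attribute dict

    def add(self, dn, attrs):
        for other in self.objects.values():
            if other['objectSid'] == attrs['objectSid']:
                raise ConstraintViolation(
                    'unique index violation on objectSid in %s' % dn)
        self.objects[dn] = dict(attrs, isDeleted=False)

    def delete(self, dn):
        self.objects[dn]['isDeleted'] = True

    def find_tombstones(self, samaccountname, sid):
        return [dn for dn, o in self.objects.items()
                if o['isDeleted'] and o['sAMAccountName'] == samaccountname
                and o['objectSid'] == sid]

    def reanimate(self, dn, attrs):
        self.objects[dn] = dict(attrs, isDeleted=False)


def add_or_reanimate(db, dn, attrs):
    """Retry policy modelled on the log lines above: try the add; on a
    constraint violation look for a tombstone with the same sAMAccountName
    and objectSid, reanimate it and stop. With no matching tombstone the
    error is re-raised (the reject path), so there is no re-entry loop.
    Returns (outcome, filter_used)."""
    try:
        db.add(dn, attrs)
        return 'added', None
    except ConstraintViolation:
        flt = tombstone_filter(attrs['sAMAccountName'],
                               sid_bytes_to_string(attrs['objectSid']))
        matches = db.find_tombstones(attrs['sAMAccountName'], attrs['objectSid'])
        if not matches:
            raise  # "no conflicting deleted object found"
        db.reanimate(matches[0], attrs)
        return 'reanimated', flt


def recreate_scenario():
    """Run the reproducer from QA against the fake directory and return the
    three outcomes plus the filter used for the successful reanimation."""
    db = FakeSamDB()
    dn = 'cn=foogroup2,l=school,l=dev'
    attrs = {'sAMAccountName': 'foogroup2', 'objectSid': SAMPLE_SID}
    first, _ = add_or_reanimate(db, dn, attrs)          # plain add
    db.delete(dn)
    second, flt = add_or_reanimate(db, dn, attrs)       # same name + SID
    db.delete(dn)
    renamed = {'sAMAccountName': 'foogroup7', 'objectSid': SAMPLE_SID}
    try:
        third, _ = add_or_reanimate(db, 'cn=foogroup7,l=school,l=dev', renamed)
    except ConstraintViolation:
        third = 'rejected'                              # same SID, new name
    return first, second, third, flt


if __name__ == '__main__':
    print(sid_bytes_to_string(SAMPLE_SID))
    print(recreate_scenario())
```

The third step of recreate_scenario is the caveat noted in QA: the filter requires both sAMAccountName and objectSid to match, so a group re-created under a new name with an already-used RID finds no tombstone and is still saved as a reject. The same "no matching tombstone, re-raise" branch is what keeps an unrelated CONSTRAINT_VIOLATION (such as the two-valued samAccountName in the second log) from looping through the retry.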