Univention Bugzilla – Full Text Bug Listing

| Summary: | The transport connection is now disconnected | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Christina Scheinig <scheinig> |
| Component: | AD Connector | Assignee: | Felix Botner <botner> |
| Status: | CLOSED FIXED | QA Contact: | Julia Bremer <bremer> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, botner, bremer, castens, gohmann, gulden, requate, steuwer, stoeckigt, voelker |
| Version: | UCS 4.4 | | |
| Target Milestone: | UCS 4.4-6-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
| Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
| User Pain: | 0.143 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2020061621000436 | Bug group (optional): | Large environments |
| Max CVSS v3 score: | | | |
| Bug Depends on: | 45127 | | |
| Bug Blocks: | 52432, 48266 | | |
| Attachments: | reconnect_set_password_in_ad.patch | | |
Description
Christina Scheinig
2020-06-16 11:33:15 CEST
OK, took me a while to understand this, the old bug description confused me.

To be sure:

- this happens with an up to date Windows Server (not the 2008 mentioned in the cloned bug reported in 2017)
- the traceback at the end of the bug report is the current one, occurring with UCS 4.4 and Windows Server 2016
- the affected customer is an @school environment (therefore I change the flags from enterprise to school)
- the issue happens after every restart / downtime of the AD DC

Maybe this has been introduced with the new password retrieval mechanism that can get the Kerberos hashes?

(In reply to Ingo Steuwer from comment #1)
> OK, took me a while to understand this, the old bug description confused me.
>
> To be sure:
>
> - this happens with an up to date Windows Server (not the 2008 mentioned in
> the cloned bug reported in 2017)
>
> - the traceback at the end of the bug report is the current one, occurring
> with UCS 4.4 and Windows Server 2016
>
> - the affected customer is an @school environment (therefore I change the
> flags from enterprise to school)
>
> - the issue happens after every restart / downtime of the AD DC

The issue occurs after some time, maybe after an import of school users, but that is a guess. I am waiting for a reply of the customer for this question.

So after some time, the customer gets a lot of rejects after importing students and teachers. These rejects cause the teachers to get deactivated accounts. Resolving these rejects with restarting the ad-connector, because the message "NTSTATUSError: (3221225996, 'The transport connection is now disconnected.')" occurs in the log, also solves the deactivation of the users.

Created attachment 10395
reconnect_set_password_in_ad.patch

The attached custom patch was applied in the customer environment on the 2nd of June to fix a similar/related support issue at that time, but for some reason it's not applied in the file any longer on the customer system.
Judging from the timestamp it looks like the file has been overwritten by https://errata.software-univention.de/ucs/4.4/554.html , maybe. Anyway, the attached patch may be an improvement for the AD-Connector.

(In reply to Arvid Requate from comment #5)
> Created attachment 10395
> reconnect_set_password_in_ad.patch

Just a superficial look:
Why do the reconnection on "Exception" and not only on "NTSTATUSError" ?

Applied patch

Package: univention-ad-connector
Version: 13.0.0-52A~4.4.0.202009291828
Branch: ucs_4.4-0
Scope: errata4.4-6

changed file:
services/univention-ad-connector/modules/univention/connector/ad/password.py

commits (4.4-6):
7ad8faf09a67ceeff9965ce8eecece7bc9053672 (changes and changelog)
b7a6d30b3ebf49909621ebbe40ba4698976cc200 (yaml)

see jenkins ad connector tests

29.09.2020 23:13:14.726 LDAP (WARNING): sync failed, saved as rejected
29.09.2020 23:13:14.744 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 803, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, object_old))):
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 2640, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/password.py", line 408, in password_sync_ucs
    res = set_password_in_ad(connector, object['attributes']['sAMAccountName'][0], pwd, reconnect=True)
TypeError: set_password_in_ad() got an unexpected keyword argument 'reconnect'

(In reply to Felix Botner from comment #9)
> see jenkins ad connector tests
>
> 29.09.2020 23:13:14.726 LDAP (WARNING): sync failed, saved as rejected
> 29.09.2020 23:13:14.744 LDAP (WARNING): Traceback (most recent call
> last):
> File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py",
> line 803, in __sync_file_from_ucs
> or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn,
> old_dn, object_old))):
> File
> "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line
> 2640, in sync_from_ucs
> f(self, property_type, object)
> File
> "/usr/lib/python2.7/dist-packages/univention/connector/ad/password.py", line
> 408, in password_sync_ucs
> res = set_password_in_ad(connector,
> object['attributes']['sAMAccountName'][0], pwd, reconnect=True)
> TypeError: set_password_in_ad() got an unexpected keyword argument
> 'reconnect'

I think this part is missing

-def set_password_in_ad(connector, samaccountname, pwd):
+def set_password_in_ad(connector, samaccountname, pwd, reconnect=False):

please fix and restart the ad connector test.

fix + new build:

Package: univention-ad-connector
Version: 13.0.0-53A~4.4.0.202009301026
Branch: ucs_4.4-0
Scope: errata4.4-6

commits (4.4-6)
e056eb354aa661b4529cc14565749360cb366140 (fix and changelog version update)
cd4cffe46b04224cb97fad75cf374cd2266e4d5d (yaml update)

FAIL - yaml, i don't like this message (but i don't have a better one, maybe something like "the initialization of the service for password changes has been fixed??)
TODO - jenkins Tests (wait)
OK - univention-ad-connector (manual tests)

TODO - yaml
TODO - merge to 5.0
OK - Jenkins tests

revised yaml file:
commit (4.4-6):
d07788d09895e9c92667685a7dfbb99f62d463a9

created merge request:
https://git.knut.univention.de/univention/ucs/-/merge_requests

OK

Why is nobody answering the question in comment #7?

(In reply to Florian Best from comment #7)
> (In reply to Arvid Requate from comment #5)
> > Created attachment 10395
> > reconnect_set_password_in_ad.patch
>
> Just a superficial look:
> Why do the reconnection on "Exception" and not only on "NTSTATUSError" ?
sorry, totally forgot that, i will speak to christian on Monday, depends on if we can make that change (NTSTATUSError instead of Exception) in the current sprint

b62a5e990ecd0bfe6fb89a459a1f6ee38cbcea78 - univention-ad-connector
ae3595feda62f42ed948c31a58b0540aaa365e8d - yaml

Package install: OK
Code review: OK
Password change still works: OK
Exception handling fixed: OK
Merge request updated: OK
Yaml: OK

Verified
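
Review bot: the "+def set_password_in_ad(connector, samaccountname, pwd, reconnect=False):" line quoted in the thread adds a keyword that changes failure handling but carries no documentation; a docstring should say what reconnect does and why it defaults to False. The traceback in the thread shows password_sync_ucs already passing reconnect=True, so the signature and its caller need to ship in the same build, and a unit test that calls the function with the keyword would have caught the TypeError before the Jenkins run.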
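
The question from comment #7 (reconnect on any Exception or only on NTSTATUSError), worked through as an added example that is not code from univention-ad-connector: a retry-once wrapper keyed on status 3221225996 (0xC000020C) from the log. The NTSTATUSError class here is a stand-in for Samba's exception, and FlakySession, set_password_with_reconnect and outcome are hypothetical names with constructed sample inputs.

```python
# Added illustration, not code from univention-ad-connector.
STATUS_CONNECTION_DISCONNECTED = 0xC000020C  # 3221225996, the code in the log
STATUS_ACCESS_DENIED = 0xC0000022  # an NTSTATUS failure a reconnect cannot fix

class NTSTATUSError(Exception):
    """Stand-in for Samba's NTSTATUSError; args are (status_code, message)."""


class FlakySession:
    """Hypothetical AD session whose first call can fail in a chosen way."""

    def __init__(self, first_error=None):
        self.first_error = first_error
        self.connects = 0
        self.connect()

    def connect(self):
        self.connects += 1

    def set_password(self, account, nt_hash):
        if self.first_error is not None:
            err, self.first_error = self.first_error, None
            raise err
        return "set:" + account


def set_password_with_reconnect(session, account, nt_hash):
    """Retry exactly once, and only when the transport was dropped."""
    try:
        return session.set_password(account, nt_hash)
    except NTSTATUSError as exc:
        if exc.args[0] != STATUS_CONNECTION_DISCONNECTED:
            raise  # other NTSTATUS codes are real failures, not stale handles
        session.connect()  # handle went stale (e.g. DC restart): rebuild it
        return session.set_password(account, nt_hash)


def outcome(first_error):
    """Return (result or exception class name, number of connects made)."""
    session = FlakySession(first_error)
    try:
        # Account name and all-zero hash are constructed sample values.
        result = set_password_with_reconnect(session, "teacher1", b"\x00" * 16)
    except Exception as exc:
        result = type(exc).__name__
    return result, session.connects


if __name__ == "__main__":
    print(outcome(NTSTATUSError(STATUS_CONNECTION_DISCONNECTED, "disconnected")))
```

With the narrow handler, a programming error such as the TypeError seen in the Jenkins run propagates immediately instead of triggering a reconnect and a second failing call.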