Univention Bugzilla – Bug 34184
dnsZones/Nodes not synced to UCS after univention-ad-takeover (w2k8R2)
Last modified: 2016-10-11 09:50:09 CEST
UCS 3.1 and a w2k8R2. I created some DNS reverse zones and PTR records in the windows ad. Then the ad-takeover was started. But after the ad-takeover none of my reverse zones/ptr records exist in the UCS ldap. There are several problems.

(a) wrong position for dns objects

The ad created the dns objects in CN=MicrosoftDNS,DC=DomainDnsZones,$base but the connector dns con_default_dn and position_mapping is configured to CN=MicrosoftDNS,CN=System,$base

(b) connector standard search does not follow referrals

I changed the dns con_default_dn and position_mapping but still the connector does not find the dns objects. The problem seems to be that the connector does not search across NC boundaries and the DomainDnsZones subtree seems to be on a different "partition".

-> univention-s4search dn| grep DomainDnsZone
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
ref: ldap://test.fb/DC=DomainDnsZones,DC=test,DC=fb

-> univention-s4search --cross-ncs dn| grep DomainDnsZone
...
dn: DC=199,DC=9.200.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
dn: DC=_ldap._tcp.pdc._msdcs,DC=test.fb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
dn: DC=@,DC=9.200.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
dn: DC=7.200.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
dn: DC=_msdcs,DC=test.fb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
dn: DC=three,DC=test.fb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
dn: DC=@,DC=3.200.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
dn: DC=_kerberos-adm._tcp,DC=test.fb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC
...

After changing the base dn to "DC=DomainDnsZones,DC=test,DC=fb" in "__search_s4 (s4connector/s4/__init__.py)" the objects were successfully synced.

(c) several rejected objects

I managed to get the connector to sync the objects below "DC=DomainDnsZones,DC=test,DC=fb". Reverse zones and ptr records were successfully synced.
But there are now a couple of rejected objects.

-> univention-s4connector-list-rejected
UCS rejected

S4 rejected
 1: S4 DN: DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
 2: S4 DN: DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
 3: S4 DN: DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
 4: S4 DN: DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
 5: S4 DN: DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
 6: S4 DN: DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
 7: S4 DN: DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
 8: S4 DN: DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
 9: S4 DN: DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
10: S4 DN: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
11: S4 DN: DC=_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones,DC=test.fb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
12: S4 DN: DC=_ldap._tcp.DomainDnsZones,DC=test.fb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>
13: S4 DN: DC=DomainDnsZones,DC=test,DC=fb
    UCS DN: <not found>

(c1)

24.02.2014 12:58:03,776 LDAP (PROCESS): sync to ucs: [ dns] [ add] DC=i.root-servers.net,dc=rootdnsservers,cn=dns,dc=test,dc=fb
24.02.2014 12:58:03,778 LDAP (ERROR ): Unknown Exception during sync_to_ucs
24.02.2014 12:58:03,779 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 1292, in sync_to_ucs
    result = self.property[property_type].ucs_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/dns.py", line 946, in con2ucs
    ucs_host_record_create(s4connector, object)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/dns.py", line 464, in ucs_host_record_create
    newRecord= univention.admin.handlers.dns.host_record.object(None, s4connector.lo, position, dn=None, superordinate=superordinate, attributes=[], update_zone=False)
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/dns/host_record.py", line 156, in __init__
    raise univention.admin.uexceptions.insufficientInformation, _( 'superordinate object not present' )
insufficientInformation: superordinate object not present

(c2)

24.02.2014 12:58:03,826 LDAP (PROCESS): sync to ucs: Resync rejected dn: DC=DomainDnsZones,DC=test,DC=fb
24.02.2014 12:58:03,829 LDAP (PROCESS): sync to ucs: [ container_dc] [ add] DC=DomainDnsZones,dc=test,dc=fb
24.02.2014 12:58:03,829 LDAP (ERROR ): Unknown Exception during sync_to_ucs
24.02.2014 12:58:03,830 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 1292, in sync_to_ucs
    result = self.property[property_type].ucs_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/dc.py", line 131, in con2ucs
    sambadomainnameObject = univention.admin.handlers.settings.sambadomain.lookup(None, s4connector.lo, 'sambaSID=%s' % object['attributes'].get('objectSid', [])[0])
IndexError: list index out of range

(c3)

24.02.2014 12:58:03,820 LDAP (PROCESS): sync to ucs: Resync rejected dn: DC=_ldap._tcp.DomainDnsZones,DC=test.fb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=fb
24.02.2014 12:58:03,823 LDAP (PROCESS): sync to ucs: [ dns] [ add] DC=_ldap._tcp.DomainDnsZones,dc=test.fb,cn=dns,dc=test,dc=fb
24.02.2014 12:58:03,825 LDAP (ERROR ): Unknown Exception during sync_to_ucs
24.02.2014 12:58:03,825 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 1292, in sync_to_ucs
    result = self.property[property_type].ucs_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/dns.py", line 964, in con2ucs
    ucs_srv_record_create(s4connector, object)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/dns.py", line 667, in ucs_srv_record_create
    newRecord.create()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 333, in create
    return self._create()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 654, in _create
    self._ldap_pre_create()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/dns/srv_record.py", line 148, in _ldap_pre_create
    self.dn='%s=%s,%s' % (mapping.mapName('name'), mapping.mapValue('name', self['name']), self.position.getDn())
  File "/usr/lib/pymodules/python2.6/univention/admin/mapping.py", line 149, in mapValue
    res=self._map[map_name][1](value)
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/dns/srv_record.py", line 108, in mapName
    return '_{0}._{1}'.format( *old[ : 2 ] )
IndexError: tuple index out of range

See http://forum.univention.de/viewtopic.php?f=48&t=3103&p=10934 for a possible patch for (c3).
Reported again at 2014050821006709
(In reply to Felix Botner from comment #0)
> (c3)
>
> 24.02.2014 12:58:03,820 LDAP (PROCESS): sync to ucs: Resync rejected
> dn:
> DC=_ldap._tcp.DomainDnsZones,DC=test.fb,CN=MicrosoftDNS,DC=DomainDnsZones,
> DC=test,DC=fb
> 24.02.2014 12:58:03,823 LDAP (PROCESS): sync to ucs: [
> dns] [ add]
> DC=_ldap._tcp.DomainDnsZones,dc=test.fb,cn=dns,dc=test,dc=fb
> 24.02.2014 12:58:03,825 LDAP (ERROR ): Unknown Exception during
> sync_to_ucs
> 24.02.2014 12:58:03,825 LDAP (ERROR ): Traceback (most recent call
> last):
> File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py",
> line 1292, in sync_to_ucs
> result = self.property[property_type].ucs_sync_function(self,
> property_type, object)
> File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/dns.py", line
> 964, in con2ucs
> ucs_srv_record_create(s4connector, object)
> File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/dns.py", line
> 667, in ucs_srv_record_create
> newRecord.create()
> File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py",
> line 333, in create
> return self._create()
> File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py",
> line 654, in _create
> self._ldap_pre_create()
> File
> "/usr/lib/pymodules/python2.6/univention/admin/handlers/dns/srv_record.py",
> line 148, in _ldap_pre_create
> self.dn='%s=%s,%s' % (mapping.mapName('name'), mapping.mapValue('name',
> self['name']), self.position.getDn())
> File "/usr/lib/pymodules/python2.6/univention/admin/mapping.py", line 149,
> in mapValue
> res=self._map[map_name][1](value)
> File
> "/usr/lib/pymodules/python2.6/univention/admin/handlers/dns/srv_record.py",
> line 108, in mapName
> return '_{0}._{1}'.format( *old[ : 2 ] )
> IndexError: tuple index out of range
>
> See http://forum.univention.de/viewtopic.php?f=48&t=3103&p=10934 for a
> possible patch for (c3).

I've split this to Bug #35780
Let's focus this Bug report on point (a) here and split off the other parts.

After AD-Takeover the migrated DNS-records are simply not found by UCS named and S4-Connector because in modern AD versions they are located in separate partitions of the Samba/AD directory service (e.g. DC=DomainDnsZones). This understandably causes unnecessary irritation for customers and partners. The records are migrated to Samba4 but UCS doesn't consider them.

Either we modify the S4-Connector to synchronize the DC=DomainDNSZones and DC=ForestDnsZones partitions if nothing is found below CN=MicrosoftDNS and modify AD-Takeover to clean up any records in that legacy location, or we do a workaround first and adjust the AD takeover to copy the migrated AD-zones to the location where the S4-Connector (and named/dlz_bind9 and samba-tool) expect them.
Created attachment 6610 [details]
sync_domaindnszones.patch

The attached patch adds support for synchronization of DNS objects located in the DC=DomainDNSZones partition. I attach it here first as there are other errata bugs in the QA-pipeline currently.

The patch avoids these points:

> (a) wrong position for dns objects
> (c) several rejected objects

During package update, the new UCR variable connector/s4/mapping/dns/position gets set to 'legacy'. If it is not set to legacy, the connector will additionally look for objects located in the DC=DomainDNSZones partition.

> (b) connector standard search does not follow referrals

The patch doesn't change this point. On the contrary, it adds an LDAP control to instruct the Samba LDAP server to not even suggest them in LDAP results. We skip them anyway and this simplifies result filtering.
Created attachment 7046 [details]
support_dns_partitions.patch

This is a new patch version which uses a dn_mapping_function instead of the static position_mapping. This is required because Active Directory has three possible locations for DNS zones (see https://support.microsoft.com/en-us/kb/867464 ). We may define where we write new DNS zones by default but we need to be "liberal in what we accept".
* I also needed to relax the UDM syntax for dns/forward_zone in univention-directory-manager-modules to allow a forward zone named "_msdcs.<domainname>". SVN r62606
* univention-management-console-module-adtakeover also needed adjustment. SVN r62607
About the adjustment for univention-management-console-module-adtakeover:
* The UCR variable connector/s4/mapping/dns/position gets unset during takeover before starting the S4 Connector (after the join)
* relativeDomainName=*._msdcs records (host, alias and srv) existing in UDM are removed before starting the S4 Connector. Otherwise the user ends up with a mess of redundant records in UDM.

Merged to ucs-4-1-0 : svn r62634

Advisory: 2015-08-03-univention-s4-connector.yaml
Advisory: 2015-08-04-univention-management-console-module-adtakeover.yaml
Advisory: 2015-07-17-univention-directory-manager-modules.yaml
Please also note Bug #39081, which we might want to fix at some later point. And then there is Bug #39080 also, but that's pretty unrelated.
Postponed to errata4.0-3. Reason: Additional care needs to be taken for backwards-compatibility with existing UCS DCs, especially those that use univention-dnsedit to create _msdcs records in the univention-samba4 Joinscript.

SVN changes reverted in errata4.0-2, package rebuilt with new version number:
* univention-s4-connector_9.0.16-40.571.201508061242_all.deb

Advisory adjusted.
I've disabled the test cases because they are unstable:

52_s4connector/175sync_create_dns_aaaa_record
52_s4connector/175sync_create_dns_a_record

Please re-enable them if the issue has been fixed.

svn r62773 - 62775

*** BEGIN *** ['/usr/bin/python', '175sync_create_dns_a_record'] ***
*** 52_s4connector/175sync_create_dns_a_record *** Univention-s4-connector dns a record syncronisation ***
*** START TIME: 2015-08-07 00:28:42 ***
========== create DNS zone in UDM ==========
Creating dns/forward_zone object with {'a': '192.34.199.247', 'nameserver': 'master091.AutoTest091.local', 'zone': 'wczdffcliv.t5acgvl86z'}
Waiting for replication: OK: replication complete (nid=15276 lid=15276)
Done: replication complete.
Testing Ldap object : A Record Success
Waiting 30 seconds for sync...
Waiting for replication: OK: replication complete (nid=15276 lid=15276)
Done: replication complete.
Waiting for postrun
Dig Output :
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> wczdffcliv.t5acgvl86z A +noall +answer
;; global options: +cmd
wczdffcliv.t5acgvl86z. 900 IN A 192.34.199.247
OK: DNS synced
Testing Ldap object : A Record Success
========== modify address in Samba ==========
Host master091.AutoTest091.local not found: 3(NXDOMAIN)
Host master091.AutoTest091.local not found: 3(NXDOMAIN)
master091.AutoTest091.local has address 10.210.0.41
server master091.AutoTest091.local
zone wczdffcliv.t5acgvl86z.
;
debug yes
;
update delete wczdffcliv.t5acgvl86z. A
update add wczdffcliv.t5acgvl86z. 1200 IN A 63.95.132.243
;
show
send
quit
Waiting 30 seconds for sync...
Dig Output :
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> wczdffcliv.t5acgvl86z A +noall +answer
;; global options: +cmd
wczdffcliv.t5acgvl86z. 1200 IN A 192.34.199.247
wczdffcliv.t5acgvl86z. 1200 IN A 63.95.132.243
OK: DNS synced
Testing Ldap object : A Record Failed
Verification of Ldap object failed:
DN: zoneName=wczdffcliv.t5acgvl86z,dc=AutoTest091,dc=local
aRecord: ['192.34.199.247'], missing: '63.95.132.243'
Cleanup after exception: <type 'exceptions.SystemExit'> 1
Performing UCSTestUDM cleanup...
UCSTestUDM cleanup done
*** END TIME: 2015-08-07 00:30:27 ***
*** TEST DURATION (H:MM:SS.ms): 0:01:44.711698 ***
*** END *** 1 ***

*** BEGIN *** ['/usr/bin/python', '175sync_create_dns_aaaa_record'] ***
*** 52_s4connector/175sync_create_dns_aaaa_record *** Univention-s4-connector dns aaaa record syncronisation ***
*** START TIME: 2015-08-07 00:30:27 ***
========== create DNS zone in UDM ==========
Creating dns/forward_zone object with {'a': '2fc1:4d7f:49d9:6e5f:e495:cb7b:d98d:c2ed', 'nameserver': 'master091.AutoTest091.local', 'zone': '2fg08crgpz.nzr2ygqf7q'}
Waiting for replication: OK: replication complete (nid=15278 lid=15278)
Done: replication complete.
Testing Ldap object : AAAA Record Success
Waiting 30 seconds for sync...
Waiting for replication: OK: replication complete (nid=15278 lid=15278)
Done: replication complete.
Waiting for postrun
2fc1:4d7f:49d9:6e5f:e495:cb7b:d98d:c2ed
Dig Output :
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> 2fg08crgpz.nzr2ygqf7q AAAA +noall +answer
;; global options: +cmd
2fg08crgpz.nzr2ygqf7q. 900 IN AAAA 2fc1:4d7f:49d9:6e5f:e495:cb7b:d98d:c2ed
OK: DNS synced
Testing Ldap object : AAAA Record Success
========== modify address in Samba ==========
Host master091.AutoTest091.local not found: 3(NXDOMAIN)
Host master091.AutoTest091.local not found: 3(NXDOMAIN)
master091.AutoTest091.local has address 10.210.0.41
server master091.AutoTest091.local
zone 2fg08crgpz.nzr2ygqf7q.
;
debug yes
;
update delete 2fg08crgpz.nzr2ygqf7q. AAAA
update add 2fg08crgpz.nzr2ygqf7q. 1200 IN AAAA deb1:d59a:bbcd:760c:79d5:a303:50c0:2329
;
show
send
quit
Waiting 30 seconds for sync...
deb1:d59a:bbcd:760c:79d5:a303:50c0:2329
Dig Output :
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> 2fg08crgpz.nzr2ygqf7q AAAA +noall +answer
;; global options: +cmd
2fg08crgpz.nzr2ygqf7q. 1200 IN AAAA deb1:d59a:bbcd:760c:79d5:a303:50c0:2329
OK: DNS synced
Testing Ldap object : AAAA Record Failed
Verification of Ldap object failed:
DN: zoneName=2fg08crgpz.nzr2ygqf7q,dc=AutoTest091,dc=local
aAAARecord: ['2fc1:4d7f:49d9:6e5f:e495:cb7b:d98d:c2ed'], missing: 'deb1:d59a:bbcd:760c:79d5:a303:50c0:2329'
Cleanup after exception: <type 'exceptions.SystemExit'> 1
Performing UCSTestUDM cleanup...
UCSTestUDM cleanup done
*** END TIME: 2015-08-07 00:31:52 ***
*** TEST DURATION (H:MM:SS.ms): 0:01:24.849265 ***
*** END *** 1 ***
Created attachment 7104 [details]
Case Matrix for Installation / Update / AD-Takeover

Yes, the new and adjusted test cases only work with the new errata update. Before my adjustments *none* of the DNS tests checked the Samba4->UDM sync. Now, these two do and without the fix for Bug #39040 they fail:

52_s4connector/175sync_create_dns_aaaa_record
52_s4connector/175sync_create_dns_a_record

There are two new test cases:

52_s4connector/175sync_create_dns_msdcs_record_con2ucs
52_s4connector/175sync_create_dns_msdcs_record_ucs2con

These test cases are relevant, because the _msdcs.dom.ucs records are stored in a separate sub-domain in post-W2k3. And to make things even more fun, this zone is stored in DC=ForestDnsZones instead of DC=DomainDnsZones. The adjustments for this Bug take care of that and ensure that nothing changes on the UDM/OpenLDAP side, where the _msdcs records are stored directly in the dom.ucs Zone.

The attached case matrix shows the possible scenarios of this errata update. I'll mark this as fixed now to get feedback from QA. There are many aspects and some corner cases to the DNS S4-Connector sync; I can only hope to have covered the relevant ones.

Advisory: 2015-08-03-univention-s4-connector.yaml
Another advisory: 2015-08-04-univention-management-console-module-adtakeover.yaml

The 2015-07-17-univention-directory-manager-modules.yaml is not relevant any more; the patch is not required.
Can you have a look at tests/51_samba4/55dns_update. The test case has been failing on all S4 systems for a few days:

http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-3/job/Autotest%20MultiEnv/14/SambaVersion=s4,Systemrolle=backup/testReport/51_samba4/55dns_update/test/
http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-3/job/Autotest%20MultiEnv/14/SambaVersion=s4,Systemrolle=master/testReport/51_samba4/55dns_update/test/
http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-3/job/Autotest%20MultiEnv/14/SambaVersion=s4,Systemrolle=slave/testReport/51_samba4/55dns_update/test/

*** BEGIN *** ['/bin/bash', '55dns_update'] ***
*** 51_samba4/55dns_update *** Checks dnsupdate operations with dns-$hostname ***
*** START TIME: 2015-08-15 20:51:11 ***
error 2015-08-15 20:51:12 new IPv4 address not registered: 10.199.92.161
error 2015-08-15 20:51:12 **************** Test failed above this line (110) ****************
*** END TIME: 2015-08-15 20:51:12 ***
*** TEST DURATION (H:MM:SS.ms): 0:00:01.405285 ***
*** END *** 110 ***
The following test case has also been failing on an S4 slave since the same time.

http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-3/job/Autotest%20MultiEnv/14/SambaVersion=s4,Systemrolle=slave/testReport/51_samba4/56evaluate_windows_gpo/test/

*** BEGIN *** ['/usr/bin/python', '56evaluate_windows_gpo'] ***
*** 51_samba4/56evaluate_windows_gpo *** Test if GPOs created on a native Windows Server work with S4 ***
*** START TIME: 2015-08-15 20:44:57 ***
Looking for 'IP-0AD2A189' host ip address:
### FAIL ### Could not determine the Host IP from DNS record ###
### Removing GPOs created for the test: test_user_gpo_h6jn
An Error occured while removing GPO remotely: NameError("global name 'Win' is not defined",)
Removing GPOs created for the test: test_machine_gpo_ovkh
An Error occured while removing GPO remotely: NameError("global name 'Win' is not defined",)
Removing 'ucs_test_gpo_user_u5xl' user:
ERROR(exception): Failed to remove user "ucs_test_gpo_user_u5xl" - Unable to find user "ucs_test_gpo_user_u5xl"
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 266, in run
    samdb.deleteuser(username)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 479, in deleteuser
    raise Exception('Unable to find user "%s"' % username)
*** END TIME: 2015-08-15 20:44:59 ***
*** TEST DURATION (H:MM:SS.ms): 0:00:02.117631 ***
*** END *** 1 ***
I adjusted 51_samba4/55dns_update to use dig instead of searching for objects in Samba4 LDB.

51_samba4.56evaluate_windows_gpo.test didn't fail in my installation, closing for now.
There is a reject that occurs e.g. when 51_samba4/45dns_tests is run a second time on the same DC Master:

===================================================================
UCS rejected

  1: UCS DN: relativeDomainName=alias1,zoneName=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
     S4 DN: dc=alias1,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
     Filename: /var/lib/univention-connector/s4/1443624354.616956

  2: UCS DN: relativeDomainName=_45dnstest_srv_record._tcp.foobar,zoneName=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
     S4 DN: dc=_45dnstest_srv_record._tcp.foobar,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
     Filename: /var/lib/univention-connector/s4/1443624354.698535

S4 rejected

last synced USN: 4061
===================================================================

This is the corresponding connector-s4.log from UCS 4.1-0 MS1 at connector/debug/level=3:

===================================================================
30.09.2015 16:45:54,906 LDAP (INFO ): _ignore_object: Do not ignore relativeDomainName=alias1,zoneName=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:45:54,906 LDAP (INFO ): __sync_file_from_ucs: object was added: relativeDomainName=alias1,zoneName=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:45:54,906 LDAP (INFO ): _ignore_object: Do not ignore relativeDomainName=alias1,zoneName=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:45:54,907 LDAP (INFO ): _object_mapping: map with key dns and type ucs
30.09.2015 16:45:54,907 LDAP (INFO ): _dn_type ucs
30.09.2015 16:45:54,907 LDAP (INFO ): dns_dn_mapping: check newdn for key 'dn'
30.09.2015 16:45:54,908 LDAP (INFO ): dns_dn_mapping: premapped S4 object not found
30.09.2015 16:45:54,908 LDAP (INFO ): dns_dn_mapping: dn: dc=alias1,dc=ar41d1.qa,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,908 LDAP (INFO ): dns_dn_mapping: got an UCS-Object
30.09.2015 16:45:54,908 LDAP (INFO ): dns_dn_mapping: get dns_dn_mapping for target zone dc=ar41d1.qa,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,908 LDAP (INFO ): dns_dn_mapping: check newdn for key 'dn'
30.09.2015 16:45:54,908 LDAP (INFO ): get_object: got object: DC=ar41d1.qa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,908 LDAP (INFO ): dns_dn_mapping: premapped S4 object: DC=ar41d1.qa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,909 LDAP (INFO ): dns_dn_mapping: check newdn for key 'olddn'
30.09.2015 16:45:54,909 LDAP (INFO ): dns_dn_mapping: search in S4 base cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,909 LDAP (INFO ): Search S4 with filter: (&(objectClass=dnsNode)(dc=alias1))
30.09.2015 16:45:54,910 LDAP (INFO ): dns_dn_mapping: target object not found
30.09.2015 16:45:54,910 LDAP (INFO ): dns_dn_mapping: mapping for key 'dn':
30.09.2015 16:45:54,910 LDAP (INFO ): dns_dn_mapping: source DN: dc=alias1,dc=ar41d1.qa,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,910 LDAP (INFO ): dns_dn_mapping: mapped DN: DC=alias1,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,910 LDAP (INFO ): dns_dn_mapping: check newdn for key 'olddn'
30.09.2015 16:45:54,911 LDAP (INFO ): _ignore_object: Do not ignore DC=alias1,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,911 LDAP (INFO ): __sync_file_from_ucs: finished mapping
30.09.2015 16:45:54,911 LDAP (INFO ): sync_from_ucs: sync object: DC=alias1,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,911 LDAP (PROCESS): sync from ucs: [ dns] [ add] DC=alias1,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,911 LDAP (INFO ): sync_from_ucs: add object: DC=alias1,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,912 LDAP (INFO ): sync_from_ucs: lock UCS entryUUID: b2890dea-fbcd-1034-82d5-751587d7add5
30.09.2015 16:45:54,912 LDAP (INFO ): LockingDB: Execute SQL command: 'INSERT INTO UCS_LOCK(uuid) VALUES(?);', '('b2890dea-fbcd-1034-82d5-751587d7add5',)'
30.09.2015 16:45:54,913 LDAP (INFO ): dns ucs2con: Object (DC=alias1,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa) is of type alias
30.09.2015 16:45:54,914 LDAP (INFO ): __create_s4_dns_node: dn: DC=alias1,cn=microsoftdns,dc=domaindnszones,DC=ar41d1,DC=qa
30.09.2015 16:45:54,914 LDAP (INFO ): __create_s4_dns_node: al: [('objectClass', ['top', 'dnsNode']), ('dc', ['alias1']), ('dnsRecord', ['\x16\x00\x05\x00\x05\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x00\x00\x00\x00\x14\x03\x08master60\x06ar41d1\x02qa\x00'])]
30.09.2015 16:45:54,916 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1443624354.616956
30.09.2015 16:45:54,919 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 802, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2363, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1360, in ucs2con
    s4_cname_create(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1024, in s4_cname_create
    dnsNodeDn=s4_dns_node_base_create(s4connector, object, dnsRecords)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 809, in s4_dns_node_base_create
    __create_s4_dns_node(s4connector, dnsNodeDn, relativeDomainNames, dnsRecords)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 459, in __create_s4_dns_node
    s4connector.lo_s4.lo.add_s(dnsNodeDn, al)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 202, in add_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 465, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 469, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NAMING_VIOLATION: {'info': '00002037: structural objectClass dnsNode is not a valid child class for CN=MicrosoftDNS,DC=DomainDnsZones,DC=ar41d1,DC=qa', 'desc': 'Naming violation'}
===================================================================

I guess that this is somehow caused by the delete operation of the previous test run. These are the relevant messages of that previous delete:

===================================================================
30.09.2015 16:42:53,525 LDAP (INFO ): _ignore_object: Do not ignore dc=alias1,DC=ar41d1.qa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ar41d1,DC=qa
30.09.2015 16:42:53,525 LDAP (INFO ): _object_mapping: map with key dns and type con
30.09.2015 16:42:53,525 LDAP (INFO ): _dn_type con
30.09.2015 16:42:53,526 LDAP (INFO ): dns_dn_mapping: check newdn for key 'dn'
30.09.2015 16:42:53,526 LDAP (INFO ): dns_dn_mapping: premapped UCS object not found
30.09.2015 16:42:53,526 LDAP (INFO ): dns_dn_mapping: dn: relativedomainname=alias1,zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,526 LDAP (INFO ): dns_dn_mapping: got an S4-Object
30.09.2015 16:42:53,527 LDAP (INFO ): dns_dn_mapping: get dns_dn_mapping for zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,527 LDAP (INFO ): dns_dn_mapping: check newdn for key 'dn'
30.09.2015 16:42:53,527 LDAP (INFO ): dns_dn_mapping: premapped UCS object: zoneName=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,527 LDAP (INFO ): dns_dn_mapping: check newdn for key 'olddn'
30.09.2015 16:42:53,527 LDAP (INFO ): dns_dn_mapping: UCS filter: (&(objectClass=dNSZone)(relativeDomainName=alias1 DEL:22a0fa1e-50f8-4363-b6dc-f9224301a021))
30.09.2015 16:42:53,528 LDAP (INFO ): dns_dn_mapping: UCS base: zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,528 LDAP (INFO ): dns_dn_mapping: mapping for key 'dn':
30.09.2015 16:42:53,528 LDAP (INFO ): dns_dn_mapping: source DN: relativedomainname=alias1,zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,528 LDAP (INFO ): dns_dn_mapping: mapped DN: relativeDomainName=alias1 DEL:22a0fa1e-50f8-4363-b6dc-f9224301a021,zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,528 LDAP (INFO ): dns_dn_mapping: check newdn for key 'olddn'
30.09.2015 16:42:53,529 LDAP (INFO ): _ignore_object: Do not ignore relativeDomainName=alias1 DEL:22a0fa1e-50f8-4363-b6dc-f9224301a021,zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,529 LDAP (INFO ): get_ucs_object: object not found: relativeDomainName=alias1 DEL:22a0fa1e-50f8-4363-b6dc-f9224301a021,zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,529 LDAP (PROCESS): sync to ucs: [ dns] [ delete] relativeDomainName=alias1 DEL:22a0fa1e-50f8-4363-b6dc-f9224301a021,zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,530 LDAP (INFO ): sync_to_ucs: set position to zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,530 LDAP (INFO ): The following attributes have been changed: []
30.09.2015 16:42:53,530 LDAP (INFO ): dns con2ucs: Object (relativeDomainName=alias1 DEL:22a0fa1e-50f8-4363-b6dc-f9224301a021,zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa): {'dn': u'relativeDomainName=alias1\nDEL:22a0fa1e-50f8-4363-b6dc-f9224301a021,zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa', 'attributes': {'distinguishedName': [u'dc=alias1\\0ADEL:22a0fa1e-50f8-4363-b6dc-f9224301a021,CN=Deleted Objects,DC=DomainDnsZones,DC=ar41d1,DC=qa'], 'name': [u'alias1\nDEL:22a0fa1e-50f8-4363-b6dc-f9224301a021'], 'objectClass': [u'top', u'dnsNode'], 'isRecycled': [u'TRUE'], 'objectGUID': [u'\x1e\xfa\xa0"\xf8PcC\xb6\xdc\xf9"C\x01\xa0!'], 'dc': [u'alias1\nDEL:22a0fa1e-50f8-4363-b6dc-f9224301a021'], 'whenChanged': [u'20150930144251.0Z'], 'lastKnownParent': [u'DC=ar41d1.qa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ar41d1,DC=qa'], 'whenCreated': [u'20150930144250.0Z'], 'uSNCreated': [u'3819'], 'uSNChanged': [u'3832'], 'instanceType': [u'4'], 'isDeleted': [u'TRUE']}, 'deleted_dn': u'dc=alias1\\0ADEL:22a0fa1e-50f8-4363-b6dc-f9224301a021,CN=Deleted Objects,DC=DomainDnsZones,DC=ar41d1,DC=qa', 'modtype': 'delete', 'changed_attributes': []}
30.09.2015 16:42:53,530 LDAP (INFO ): dns con2ucs: Ignore unkown dns object: relativeDomainName=alias1 DEL:22a0fa1e-50f8-4363-b6dc-f9224301a021,zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
30.09.2015 16:42:53,530 LDAP (INFO ): sync_to_ucs: unlock S4 guid: 22a0fa1e-50f8-4363-b6dc-f9224301a021
30.09.2015 16:42:53,530 LDAP (INFO ): LockingDB: Execute SQL command: 'DELETE FROM S4_LOCK WHERE guid = ?;', '('22a0fa1e-50f8-4363-b6dc-f9224301a021',)'
30.09.2015 16:42:53,530 LDAP (INFO ): Return result for DN (relativeDomainName=alias1 DEL:22a0fa1e-50f8-4363-b6dc-f9224301a021,zonename=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa)
30.09.2015 16:42:53,534 LDAP (INFO ): __dn_from_deleted_object: get DN from lastKnownParent (DC=ar41d1.qa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ar41d1,DC=qa) and rdn (dc=_45dnstest_srv_record._tcp.foobar)
30.09.2015 16:42:53,534 LDAP (INFO ): object_from_element: DN of removed object: dc=_45dnstest_srv_record._tcp.foobar,DC=ar41d1.qa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ar41d1,DC=qa
======================================================================
Ok, the latest package version built in errata4.0-3 had not been built in ucs4.1-0. What incredible luck that this test case 51_samba4/45dns_test didn't use random DNS names but static ones!!

There was another, possibly independent strangeness in the connector-s4.log: a certain kind of DNS-related Samba4 DN is truncated:

========================================================
30.09.2015 16:42:53,667 LDAP (INFO ): _ignore_object: Do not ignore DC=@,DC=_msdcs.ar41d1.qa,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ar41d1,DC=qa
30.09.2015 16:42:53,667 LDAP (INFO ): _object_mapping: map with key dns and type con
30.09.2015 16:42:53,667 LDAP (INFO ): _dn_type con
30.09.2015 16:42:53,667 LDAP (INFO ): dns_dn_mapping: check newdn for key 'dn'
30.09.2015 16:42:53,668 LDAP (INFO ): dns_dn_mapping: not premapped (in first instance)
30.09.2015 16:42:53,668 LDAP (INFO ): dns_dn_mapping: dn: DC=@,DC=_msdcs.ar41d1.qa,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ar41d1,DC=qa
30.09.2015 16:42:53,668 LDAP (INFO ): dns_dn_mapping: got an S4-Object
30.09.2015 16:42:53,668 LDAP (INFO ): dns_dn_mapping: get dns_dn_mapping for DC=_msdcs.ar41d1.qa,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ar41d1,DC=qa
30.09.2015 16:42:53,668 LDAP (INFO ): dns_dn_mapping: check newdn for key 'dn'
30.09.2015 16:42:53,668 LDAP (INFO ): dns_dn_mapping: not premapped (in first instance)
30.09.2015 16:42:53,668 LDAP (INFO ): dns_dn_mapping: dn: DC=ar41d1.qa,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ar41d1
30.09.2015 16:42:53,668 LDAP (INFO ): dns_dn_mapping: got an S4-Object
30.09.2015 16:42:53,669 LDAP (INFO ): dns_dn_mapping: UCS filter: (&(objectClass=dNSZone)(zoneName=ar41d1.qa))
30.09.2015 16:42:53,669 LDAP (INFO ): dns_dn_mapping: UCS base: dc=ar41d1,dc=qa
30.09.2015 16:42:53,670 LDAP (INFO ): dns_dn_mapping: newdn is ucsdn
30.09.2015 16:42:53,670 LDAP (INFO ): dns_dn_mapping: mapping for key 'dn':
30.09.2015 16:42:53,670 LDAP (INFO ): dns_dn_mapping: source DN: DC=ar41d1.qa,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ar41d1
30.09.2015 16:42:53,670 LDAP (INFO ): dns_dn_mapping: mapped DN: zoneName=ar41d1.qa,cn=dns,dc=ar41d1,dc=qa
=========================================================

This is caused by univention.s4connector.s4.explode_unicode_dn:

>>> import univention.s4connector.s4
>>> univention.s4connector.s4.explode_unicode_dn('DC=abc,DC=def')
['DC=abc']

s4connector.s4.explode_unicode_dn is as old as univention-ad-connector. I fixed this for the purpose of this bug by using:

>>> import univention.uldap
>>> univention.uldap.explodeDn('DC=abc,DC=def')
['DC=abc', 'DC=def']

I now added this explode_unicode_dn workaround in errata4.0-3, rebuilt the univention-s4-connector package in that scope and updated the advisory. Then I cherrypicked the package into ucs_4.1-0 and rebuilt the package there as well. After fixing these issues, the repeated test runs fine in ucs_4.1-0.
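As an added example (not code from the bug report or from univention), an RFC 4514 DN splitter that keeps every component, exercised on the DN shapes quoted in the log above, including the escaped deleted-object RDN `dc=alias1\0ADEL:<guid>`; the names `explode_dn`, `parent_dn` and `unescape_dn_value` are chosen here and are not connector functions.

```python
# Added example: a DN splitter that must not truncate multi-component DNs.
import string


def explode_dn(dn):
    # Split a DN into RDNs on unescaped commas. A backslash protects the next
    # character, so '\,' and AD's '\0A' (newline in deleted-object RDNs such as
    # 'dc=alias1\0ADEL:<guid>') stay inside their RDN; quoted values do too.
    parts, current, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep escape + escaped char together
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ',' and not in_quotes:
            parts.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append(''.join(current).strip())
    return [p for p in parts if p]


def parent_dn(dn):
    # The connector maps a DNS node via its zone (parent DN); dropping a
    # component here is exactly the truncation shown in the log above.
    return ','.join(explode_dn(dn)[1:])


def unescape_dn_value(value):
    # Decode '\XX' hex pairs (single byte) and '\c' escapes in an RDN value,
    # e.g. 'alias1\0ADEL:<guid>' -> 'alias1\nDEL:<guid>' as the log shows.
    out, i = [], 0
    while i < len(value):
        hexpair = value[i + 1:i + 3]
        if value[i] == '\\' and len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
            out.append(chr(int(hexpair, 16)))
            i += 3
        elif value[i] == '\\' and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)
```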
*** Bug 39512 has been marked as a duplicate of this bug. ***
A reverse zone object created in s4 becomes a "univentionObjectType: dns/forward_zone" in UDM/ldap!
Fixed.
OK - dns sync after AD Takeover/new installation (new con base CN=MicrosoftDNS,DC=DomainDnsZones)
OK - update does not change mapping dns con_default_dn
OK - YAML
OK - merged to 4.1
<http://errata.software-univention.de/ucs/4.0/344.html>
<http://errata.software-univention.de/ucs/4.0/343.html>
*** Bug 27808 has been marked as a duplicate of this bug. ***