Bug 42998 – Groups with windowscomputers are not synchronized

Bug 42998 - Groups with windowscomputers are not synchronized


Summary:	Groups with windowscomputers are not synchronized

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	AD Connector
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.1-4-errata
Assigned To:	Felix Botner
QA Contact:	Stefan Gohmann

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2016-11-18 16:00 CET by Christina Scheinig
Modified:	2016-12-14 12:36 CET (History)
CC List:	6 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.057
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2016111621000201
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christina Scheinig

2016-11-18 16:00:04 CET

Environment Windows Server AD english version, UCS in membermode (4.1-4) → Read mode
Previous environment was installed with samba4 and the customer migrated to Microsoft based active directory.

The following tracebacks occured in /var/log/univention/connector.log
[...]
18.11.2016 15:12:56,640 LDP        (PROCESS): sync to ucs: Resync rejected dn: CN=Domain Computers,CN=Groups,DC=beispiel,DC=test,DC=de
18.11.2016 15:12:56,696 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=domain computers,cn=groups,o=beispiel,c=de
18.11.2016 15:13:02,922 LDAP        (ERROR  ): failed in post_con_modify_functions
18.11.2016 15:13:02,923 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1309, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 167, in group_members_sync_to_ucs
    return connector.group_members_sync_to_ucs(key, object)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1927, in group_members_sync_to_ucs
    del_members[k].append(member_dn)
KeyError: 'windowscomputer'

18.11.2016 15:13:02,948 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=cverw,CN=groups,OU=Verwaltung,DC=beispiel,DC=test,DC=de
18.11.2016 15:13:02,984 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=cverw,cn=groups,ou=verwaltung,o=beispiel,c=de
18.11.2016 15:13:03,352 LDAP        (ERROR  ): failed in post_con_modify_functions
18.11.2016 15:13:03,353 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1309, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 167, in group_members_sync_to_ucs
    return connector.group_members_sync_to_ucs(key, object)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1927, in group_members_sync_to_ucs
    del_members[k].append(member_dn)
KeyError: 'windowscomputer'

[...]

customer related search results of the groups are attached at the ticket#2016111621000201

Comment 1 Florian Best

2016-11-18 16:12:55 CET

The comment before the line which raises the exception says:

if self.modules[k].identify(member_dn, ucs_object['attributes']):
# identify if DN is a user or a group (will be ignored it is a host)

→ seems this is not true.

Comment 2 Stefan Gohmann

2016-11-18 16:19:55 CET

(In reply to Florian Best from comment #1)
> The comment before the line which raises the exception says:
> 
> if self.modules[k].identify(member_dn, ucs_object['attributes']):
> # identify if DN is a user or a group (will be ignored it is a host)
> 
> → seems this is not true.

Yes, the problem with comments... :)

I guess it was true before we started to synchronize windows clients: r51407

+     * Allow synchronisation of Windows clients (Bug #34091)

Comment 3 Stephan Hendl 2016-11-28 15:48:32 CET

Are there any new results available?

Comment 4 Stefan Gohmann

2016-12-06 16:18:14 CET

(In reply to Stephan Hendl from comment #3)
> Are there any new results available?

Not yet. Sorry. But I'll tag it as Erratum.

Comment 5 Felix Botner

2016-12-12 15:45:12 CET

* univention-ad-connector
  * added "windowscomputer" support to group_members_sync_to_ucs
  * 4.1-4 r75207
  * 4.2-0 r75208

* ucs-test
  * added 108sync_windowscomputer_groupmembership_ad_to_ucs
  * 4.1-4 r75212
  * 4.2-0 r75213

started ad jenkins tests

Comment 6 Felix Botner

2016-12-13 09:54:22 CET

these test failed now

 55_adconnector.156sync_ad_user_group_membership.test	
 55_adconnector.163sync_ad_remove_capital_user_from_group.test
 55_adconnector.256read_ad_user_group_membership.test

user is removed from group in ad, but not in ucs.


group_members_sync_to_ucs: ucs_members: ['uid=user1,cn=users,dc=w2k12,dc=test']
group_members_sync_to_ucs: ucs_members_from_ad: {'unknown': [], 'group': [], 'user': [], 'windowscomputer': []}
group_members_sync_to_ucs: uid=user1,cn=users,dc=w2k12,dc=test was found in group member ucs cache of cn=group1,cn=groups,dc=w2k12,dc=test
 _ignore_object: Do not ignore uid=user1,cn=users,dc=w2k12,dc=test
_ignore_object: Do not ignore uid=user1,cn=users,dc=w2k12,dc=test
_ignore_object: ignore object because of match_filter
group_members_sync_to_ucs: members to add: {'unknown': [], 'group': [], 'user': [], 'windowscomputer': []}
group_members_sync_to_ucs: members to del: {'group': [], 'user': [], 'windowscomputer': []}

added wrong self._ignore_object in group_members_sync_to_ucs, fixed with

-if not self._ignore_object('user', ucs_object) and not self._ignore_object('group', ucs_object) and not self._ignore_object('windowscomputer', ucs_object):

+if not self._ignore_object('user', ucs_object) and not self._ignore_object('group', ucs_object):

restarted tests

Comment 7 Felix Botner

2016-12-14 09:12:54 CET

jenkins tests are OK now.

Comment 8 Stefan Gohmann

2016-12-14 12:08:38 CET

Tests: OK

Jenkins: OK

Code review: OK

UCS 4.2 merge: OK

YAML: OK

Comment 9 Janek Walkenhorst

2016-12-14 12:36:49 CET

<http://errata.software-univention.de/ucs/4.1/359.html>