Univention Bugzilla – Bug 43368
Traceback after re-initializing the s4-connector
Last modified: 2017-05-02 17:15:03 CEST
In my test environment I happened to reinitialize the s4-connector and as a result I came across the following traceback in my s4-connector.log

-------------------------------------------------------------------------------
11.11.2016 08:25:24,389 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1478847638.880242
11.11.2016 08:25:24,394 LDAP (PROCESS): sync from ucs: [ group] [ add] cn=Printer-Admins,cn=groups,DC=acheron,DC=mail
11.11.2016 08:25:24,481 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1478847638.880242
11.11.2016 08:25:24,482 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 843, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2414, in sync_from_ucs
    objectSid = decode_sid(objectSid_attr_value)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 517, in decode_sid
    sid += "%d" % ord(value[0])
TypeError: 'NoneType' object has no attribute '__getitem__'
11.11.2016 08:25:24,483 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=Print Operators,CN=Builtin,DC=acheron,DC=mail
11.11.2016 08:25:24,492 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=Printer-Admins,cn=groups,dc=acheron,dc=mail
11.11.2016 08:25:24,493 LDAP (PROCESS): Unable to sync cn=Printer-Admins,cn=groups,dc=acheron,dc=mail (UUID: 150065a0-3ab0-1036-889b-9dfaca459e67). The object is currently locked.
-----------------------------------------------------------------------------

I could reproduce it in another test environment. Both environments have in common that the cups-printserver is installed.

According to the mapping.py

[..]
    mapping_table = {
        'cn': [
            (u'Printer-Admins', u'Print Operators'),
        ]
    },
[..]

I found

--------------------------------------------------------------------------------
# univention-s4search cn='Print Operators'
# record 1
dn: CN=Print Operators,CN=Builtin,DC=acheron,DC=mail
objectClass: top
objectClass: group
cn: Print Operators
description: Members can administer domain printers
instanceType: 4
whenCreated: 20161109200716.0Z
uSNCreated: 3569
name: Print Operators
objectGUID: a3da13c3-9696-40e8-8cfa-5a40badc1e85
objectSid: S-1-5-32-550
adminCount: 1
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=acheron,DC=mail
isCriticalSystemObject: TRUE
sAMAccountName: Printer-Admins
whenChanged: 20161109201040.0Z
uSNChanged: 3735
distinguishedName: CN=Print Operators,CN=Builtin,DC=acheron,DC=mail
--------------------------------------------------------------------------------

and

--------------------------------------------------------------------------------
# Printer-Admins, groups, acheron.mail
dn: cn=Printer-Admins,cn=groups,dc=acheron,dc=mail
objectClass: top
objectClass: posixGroup
objectClass: univentionGroup
objectClass: sambaGroupMapping
objectClass: univentionObject
univentionObjectType: groups/group
univentionGroupType: -2147483643
cn: Printer-Admins
sambaSID: S-1-5-32-550
sambaGroupType: 5
gidNumber: 5016
description: Members can administer domain printers
--------------------------------------------------------------------------------
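The traceback in the report comes from indexing a missing objectSid value. As an added illustration (written for Python 3, not the connector's own `decode_sid`), the following decodes a binary SID and treats an empty search result or an absent attribute as "no SID" instead of raising `TypeError`; `sid_of_first_match` and the sample bytes are constructed for this example.

```python
import struct

# Constructed sample: binary form of the builtin SID S-1-5-32-550 shown in the report.
PRINT_OPERATORS_SID = bytes.fromhex("01020000000000052000000026020000")


def decode_sid(value):
    """Return the S-R-A-S1-... string for a binary SID, or None if it is absent."""
    if value is None:
        return None  # attribute missing: the caller decides what that means
    if len(value) < 8:
        raise ValueError("binary SID shorter than its 8-byte header")
    revision, count = value[0], value[1]
    if len(value) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(value[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, value[8:])  # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def sid_of_first_match(search_result):
    """Hypothetical caller: search_result is a list of (dn, attrs) tuples."""
    if not search_result:
        return None  # no object matched the filter, so there is no SID to decode
    _dn, attrs = search_result[0]
    values = attrs.get("objectSid") or [None]
    return decode_sid(values[0])


if __name__ == "__main__":
    found = [("CN=Print Operators,CN=Builtin,DC=acheron,DC=mail",
              {"objectSid": [PRINT_OPERATORS_SID]})]
    print(sid_of_first_match(found))
    print(sid_of_first_match([]))
```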
Can you also attach /var/lib/univention-connector/s4/1478847638.880242 ?
Created attachment 8356 [details] s4-connector.log
Created attachment 8421 [details] pickle file

I have the same problem on UCS 4.2 - the connector log is full of tracebacks.
Created attachment 8474 [details] reject file s4 rejects
I attached the file if that helps. I also have a lot of "Printer operators", however I do not have a file for that in /var/lib/univention-connector/s4

1: S4 DN: CN=Print Operators,CN=Builtin,DC=domain,DC=com
   UCS DN: <not found>
The S4 mapping for 'group' uses

dn_mapping_function=[ univention.s4connector.s4.group_dn_mapping ]

and this calls samaccountname_dn_mapping, which correctly applies the mapping_table in this case to construct the search filter:

(INFO ): samaccount_dn_mapping: search in s4 for (&(objectclass=group)(samaccountname=Print Operators))

The problem is that in this special case, the object's sAMAccountName has been created without considering the mapping function:

=========================================================================
root@ucs-5140:~# univention-s4search '(cn=Print Operators)'
# record 1
dn: CN=Print Operators,CN=Builtin,DC=acheron,DC=mail
objectClass: group
cn: Print Operators
sAMAccountName: Printer-Admins
=========================================================================

This special behavior only causes a traceback now due to the new code added for Bug 41864 / Bug 42120.

While this might actually be good for identity mapping (e.g. Bug 26693), the S4-Connector should consider this special case too.
Created attachment 8486 [details] bug43368.patch

Handle the special case of UCS cn="Printer-Admins":

* Add special case to univention.s4connector.s4.group_dn_mapping
* Fix fetching the SID in sync_from_ucs ALREADY_EXISTS handling
  (code introduced via Bug 41864 / Bug 42120)
(In reply to Arvid Requate from comment #7)
> Created attachment 8486 [details]
> bug43368.patch
>
> Handle the special case of UCS cn="Printer-Admins":
>
> * Add special case to univention.s4connector.s4.group_dn_mapping
> * Fix fetching the SID in sync_from_ucs ALREADY_EXISTS handling
> (code introduced via Bug 41864 / Bug 42120)

The patch is missing correct escaping of the LDAP filter.
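The escaping this review comment asks for, shown as an added example that is not the connector's code or the attached patch: attribute values are escaped per RFC 4515 before being placed into the two filter shapes that appear in the logs on this page. The helper names are hypothetical, and `MAPPING_TABLE` is constructed from the mapping.py excerpt in the report.

```python
# RFC 4515: these characters must be written as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed from the mapping.py excerpt quoted in the report.
MAPPING_TABLE = {"cn": [(u"Printer-Admins", u"Print Operators")]}


def escape_filter_value(value):
    """Escape one assertion value; python-ldap ships the equivalent
    ldap.filter.escape_filter_chars()."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def map_ucs_to_s4(attribute, ucs_value):
    """Translate a UCS value to its S4 counterpart if the table lists it."""
    for ucsval, conval in MAPPING_TABLE.get(attribute, []):
        if ucs_value == ucsval:
            return conval
    return ucs_value


def group_search_filter(ucs_cn):
    """Filter shape logged by samaccount_dn_mapping, value mapped then escaped."""
    s4_name = map_ucs_to_s4("cn", ucs_cn)
    return "(&(objectclass=group)(samaccountname=%s))" % escape_filter_value(s4_name)


def deleted_object_filter(samaccountname, sid):
    """Filter shape logged by the ALREADY_EXISTS handling in sync_from_ucs."""
    return "(&(sAMAccountName=%s)(objectSid=%s)(isDeleted=TRUE))" % (
        escape_filter_value(samaccountname),
        escape_filter_value(sid),
    )


if __name__ == "__main__":
    print(group_search_filter(u"Printer-Admins"))
    # Constructed group name containing filter metacharacters.
    print(group_search_filter(u"Ops (EU)*"))
    print(deleted_object_filter(u"Opérateurs d’impression", u"S-1-5-32-550"))
```

Without the escaping, the constructed name `Ops (EU)*` would change the structure of the filter rather than being matched literally.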
Fixed for UCS 4.2 along with Bug #44276. Advisory updated. I'll clone the Bug again for errata4.1-4
please remove modules/univention/s4connector/s4/__init__.py (Revision 78780) 
@@ -322,6 +322,8 @@ + if ucsval == "Printer-Admins": + continue

This breaks the sync of this group if a mapping_table entry exists for this group.

13.04.2017 14:46:25,927 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1492081790.892809
13.04.2017 14:46:25,929 LDAP (INFO ): _ignore_object: Do not ignore cn=Printer-Admins,cn=groups,dc=w2k12,dc=test
...
13.04.2017 14:46:25,931 LDAP (INFO ): samaccount_dn_mapping: check newdn for key dn:
13.04.2017 14:46:25,931 LDAP (INFO ): samaccount_dn_mapping: not premapped (in first instance)
13.04.2017 14:46:25,932 LDAP (INFO ): samaccount_dn_mapping: got an UCS-Object
13.04.2017 14:46:25,932 LDAP (INFO ): samaccount_dn_mapping: search in s4 for (&(objectclass=group)(samaccountname=Printer-Admins))
13.04.2017 14:46:25,932 LDAP (INFO ): samaccount_dn_mapping: newdn: cn=Printer-Admins,cn=groups,dc=w2k12,dc=test
13.04.2017 14:46:25,933 LDAP (INFO ): samaccount_dn_mapping: newdn for key dn:
13.04.2017 14:46:25,933 LDAP (INFO ): samaccount_dn_mapping: olddn: cn=Printer-Admins,cn=groups,dc=w2k12,dc=test
...
13.04.2017 14:46:25,935 LDAP (INFO ): sync_from_ucs: sync object: cn=Printer-Admins,cn=groups,DC=w2k12,DC=test
13.04.2017 14:46:25,936 LDAP (PROCESS): sync from ucs: [ group] [ add] cn=Printer-Admins,cn=groups,DC=w2k12,DC=test
13.04.2017 14:46:25,936 LDAP (INFO ): sync_from_ucs: add object: cn=Printer-Admins,cn=groups,DC=w2k12,DC=test
13.04.2017 14:46:25,937 LDAP (INFO ): sync_from_ucs: lock UCS entryUUID: c12beafe-2c86-1035-80f1-4d2f8263a280
13.04.2017 14:46:25,937 LDAP (INFO ): LockingDB: Execute SQL command: 'INSERT INTO UCS_LOCK(uuid) VALUES(?);', '('c12beafe-2c86-1035-80f1-4d2f8263a280',)'
13.04.2017 14:46:25,943 LDAP (INFO ): groupType: -2147483643
13.04.2017 14:46:25,943 LDAP (INFO ): sambaSID: S-1-5-32-550
13.04.2017 14:46:25,943 LDAP (INFO ): to add: cn=Printer-Admins,cn=groups,DC=w2k12,DC=test
13.04.2017 14:46:25,947 LDAP (PROCESS): sync_from_ucs: error during add, searching for conflicting deleted object in S4
13.04.2017 14:46:25,947 LDAP (INFO ): sync_from_ucs: search filter: (&(sAMAccountName=Opérateurs d’impression)(objectSid=S-1-5-32-550)(isDeleted=TRUE))
13.04.2017 14:46:25,948 LDAP (PROCESS): sync_from_ucs: no conflicting deleted object found
13.04.2017 14:46:25,953 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1492081790.892809
13.04.2017 14:46:25,954 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 843, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2516, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls) # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 187, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ALREADY_EXISTS: {'info': "00002071: samldb: samAccountName 'Op\\C3\\A9rateurs\\20d\\E2\\80\\99impression' already in use!", 'desc': 'Already exists'}
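Review bot: the added `if ucsval == "Printer-Admins": continue` at @@ -322 skips the mapping_table entry for this cn unconditionally and keys the special case on a hard-coded name. In the log above the search then runs with samaccountname=Printer-Admins, the connector goes on to add the group, and the add is rejected with ALREADY_EXISTS because the sAMAccountName of the existing object is already in use. Suggest dropping the name comparison, or applying it only when no mapping_table entry is configured for the value, and recognising the builtin group by its SID (S-1-5-32-550 in the log) rather than by a name. The two added lines also carry no comment explaining why this one cn is treated differently.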
I've adjusted the filter. See also Bug 42675#c1.
OK - re-initializing s4connector works, even with

dn: CN=Print Operators,CN=Builtin,DC=four,DC=two
cn: Print Operators
sAMAccountName: Printer-Admins

in samba
<http://errata.software-univention.de/ucs/4.2/2.html>