Univention Bugzilla – Bug 47025
AD Connector crash after MemoryError exception
Last modified: 2018-08-15 13:14:30 CEST
I just worked on a case where the AD Connector process repeatedly crashed. After some debugging we saw that a MemoryError exception was raised, apparently in ad.poll() -> __search_ad() -> encode_ad_resultlist() -> encode_ad_object()
Before that we saw a couple (>100) of connector.log messages like
    17.05.2018 12:00:22 LDAP ( WARN ) : encode_ad_object: encode attrib msPKIAccountCredentials failed, ignored!
We were able to fix the AD-Connector crashes by extending the list of non-utf8 attributes. This is the line we finally used:
    elif key in ['objectGUID', 'ipsecData', 'repsFrom', 'replUpToDateVector', 'userCertificate', 'dNSProperty', 'dnsRecord', 'securityIdentifier', 'mS-DS-CreatorSID', 'logonHours', 'mSMQSites', 'mSMQSignKey', 'currentLocation', 'dSASignature', 'linkTrackSecret', 'mSMQDigests', 'mSMQEncryptKey', 'mSMQSignCertificates', 'may', 'sIDHistory', 'msExchMailboxSecurityDescriptor', 'msExchMailboxGuid', 'msExchMasterAccountSid', 'replicationSignature', 'repsTo', 'msRTCSIP-UserRoutingGroupId', 'msPKIRoamingTimeStamp', 'msDFS-GenerationGUIDv2', 'msDFS-LinkSecurityDescriptorv2', 'msDFS-LinkIdentityGUIDv2', 'msDFS-NamespaceIdentityGUIDv2', 'msDFS-TargetListv2', 'msPKIAccountCredentials', 'msPKIDPAPIMasterKeys']:
in univention-ad-connector/modules/univention/connector/ad/__init__.py.
From a quick glance at Bug #9674 I think pKTGuid should be added too.
I saw some more encode errors in a customer environment (UCS 4.3-0):
    30.05.2018 17:14:20,973 LDAP (WARNING): encode_ad_object: encode attrib msExchBlockedSendersHash failed, ignored!
    30.05.2018 17:14:20,991 LDAP (WARNING): encode_ad_object: encode attrib msExchSafeSendersHash failed, ignored!
Two more:
    05.06.2018 11:47:01,415 LDAP (WARNING): encode_ad_object: encode attrib msExchSafeRecipientsHash failed, ignored!
    05.06.2018 11:47:01,416 LDAP (WARNING): encode_ad_object: encode attrib msExchDisabledArchiveGUID failed, ignored!
The list of binary attributes simply needs to be brought up to date. It would be nice to have if it could be extended via UCR,
- please set the bug to resolved if you think you are done
- remove the tab after the +ATTRIBUTE_LIST line
- make ATTRIBUTE_LIST configurable with ucr
always create/update univention-ad-connector.yaml (source package name.yaml) after building a package, so that we do not accidentally release an untested package
Created attachment 9615 find_binary_samba_ad_schema_attributes.sh
With the attached script I've scanned the Samba/AD schema (Samba 4.7.5) and looked up the attributeSyntax of the attributes listed above. Then I've searched for all attributes that also have one of those attributeSyntax. I found this list of AD attribute syntaxes but I can't quite make sense of that: https://msdn.microsoft.com/en-us/library/cc223177.aspx
I'll attach the output of my script.
Created attachment 9616 find_binary_samba_ad_schema_attributes.log
ok, compared your list against a w2k12 binary attribute list
-> ldbsearch --paged -H ldap://WIN-M1LHUHEJFSI.w2k12.test -U Administrator%Univention.99 --cross-ncs '(|(attributeSyntax=2.5.5.15)(attributeSyntax=2.5.5.10)(attributeSyntax=2.5.5.17)(attributeSyntax=2.5.5.7))' lDAPDisplayName | sed -ne 's|lDAPDisplayName: ||p' | sort
found these additional attributes in w2k12
+msAuthz-CentralAccessPolicyID
+msDNS-DNSKEYRecords
+msDNS-SigningKeyDescriptors
+msDNS-SigningKeys
+msDS-AllowedToActOnBehalfOfOtherIdentity
+msDS-GenerationId
+msDS-GroupMSAMembership
+msDS-ManagedPassword
+msDS-ManagedPasswordId
+msDS-ManagedPasswordPreviousId
+msDS-TransformationRulesCompiled
+msImaging-ThumbprintHash
+msKds-KDFParam
+msKds-RootKeyData
+msKds-SecretAgreementParam
+msSPP-ConfigLicense
+msSPP-CSVLKSkuId
+msSPP-IssuanceLicense
+msSPP-KMSIds
+msSPP-OnlineLicense
+msSPP-PhoneLicense
+msTPM-SrkPubThumbprint
+netbootDUID
so your list and these attributes is the new connector binary attributes list
Looks like resolved-fixed.
List complete, code review ok, advisory too. The new UCR variable (family) "con.*/ad/binary_attributes" allows extending the list of binary attributes.
<http://errata.software-univention.de/ucs/4.3/168.html>
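Added example, not part of the bug report or of Univention's code: a triage script for the connector.log warnings quoted in the comments above. It extracts the attribute names that failed to encode and reports those not yet on a binary attribute list. KNOWN_BINARY is a shortened copy of the list from the first comment, and the function names and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# Matches both warning layouts quoted in this report:
#   "... LDAP ( WARN ) : encode_ad_object: encode attrib X failed, ignored!"
#   "... LDAP (WARNING): encode_ad_object: encode attrib X failed, ignored!"
ENCODE_FAIL = re.compile(
    r"LDAP\s*\(\s*WARN(?:ING)?\s*\)\s*:\s*encode_ad_object: "
    r"encode attrib (?P<attr>[\w-]+) failed, ignored!"
)

# A few names from the extended list in the first comment (shortened here).
KNOWN_BINARY = {
    "objectGUID", "userCertificate", "sIDHistory",
    "msPKIAccountCredentials", "msPKIDPAPIMasterKeys",
}

# Warnings quoted in the comments above, plus one constructed unrelated line.
SAMPLE_LOG = [
    "17.05.2018 12:00:22 LDAP ( WARN ) : encode_ad_object: encode attrib msPKIAccountCredentials failed, ignored!",
    "30.05.2018 17:14:20,973 LDAP (WARNING): encode_ad_object: encode attrib msExchBlockedSendersHash failed, ignored!",
    "30.05.2018 17:14:20,991 LDAP (WARNING): encode_ad_object: encode attrib msExchSafeSendersHash failed, ignored!",
    "05.06.2018 11:47:01,415 LDAP (WARNING): encode_ad_object: encode attrib msExchSafeRecipientsHash failed, ignored!",
    "05.06.2018 11:47:01,416 LDAP (WARNING): encode_ad_object: encode attrib msExchDisabledArchiveGUID failed, ignored!",
    "05.06.2018 11:47:02,000 LDAP (INFO): constructed line without an encode failure",
]

def failed_attributes(log_lines):
    """Count encode failures per attribute name."""
    counts = Counter()
    for line in log_lines:
        match = ENCODE_FAIL.search(line)
        if match:
            counts[match.group("attr")] += 1
    return counts

def missing_from_binary_list(log_lines, known=KNOWN_BINARY):
    """Failed attributes that are not on the binary list yet.

    Exact-case comparison, like the `key in [...]` test quoted in the report.
    """
    return sorted(a for a in failed_attributes(log_lines) if a not in known)

if __name__ == "__main__":
    for attr in missing_from_binary_list(SAMPLE_LOG):
        print(attr)
```

Running it against a real connector.log (for example by passing `open(path)` as `log_lines`) gives the candidate names to check against the schema's attributeSyntax before adding them to the binary list.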