Bug 49792 - UCS@school: Allow re-creation of deleted group object with same objectSid in Samba/AD
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.4
Hardware: Other Linux
Importance: P2 major
Target Milestone: UCS 4.4-2-errata
Assigned To: Julia Bremer
QA Contact: Florian Best
Depends on:
Blocks:
Reported: 2019-07-04 13:53 CEST by Arvid Requate
Modified: 2019-11-27 14:20 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019031921001054, 2019101821000598, 2019102321001078
Bug group (optional): Release Goal, Troubleshooting
Max CVSS v3 score:
requate: Patch_Available+


Attachments
allow-recreation-of-samba-deleted-object-v2.patch (945 bytes, patch)
2019-07-04 13:54 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2019-07-04 13:53:59 CEST
In Ticket#: 2019031921001054 the S4-Connector on the UCS@School *Master* failed to re-create a group object in Samba/AD that had been removed before. It's still under investigation how this situation came about in the customer domain, but there is a lesson to be learned for the improvement of the S4-Connector:

For Bug #41864 we added support for the "tombstone reanimation" method to the S4-Connector, but that code wasn't triggered in this case, because the exception thrown by Samba/AD during the LDAP ADD was a different one. It was not ldap.ALREADY_EXISTS in this case but ldap.CONSTRAINT_VIOLATION instead. No clue why, maybe the exception is different for a group?

The attached patch fixed this.
Comment 1 Arvid Requate univentionstaff 2019-07-04 13:54:18 CEST
Created attachment 10104 [details]
allow-recreation-of-samba-deleted-object-v2.patch
Comment 2 Christina Scheinig univentionstaff 2019-07-24 15:32:45 CEST
The same reject also occurs for groups on a school slave.
I have heard this was implemented for users (because of the cross-school users) in the first place.

I will try the patch on a school slave too. The traceback seems to be the same.

This is the reject on a school slave
-------------------------------
23.07.2019 13:53:35.287 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1562662385.677988
23.07.2019 13:53:35.289 LDAP        (PROCESS): __sync_file_from_ucs: Object with entryUUID e23403c4-3666-1039-9cfe-4df289a4a00d has been removed before but became visible again.
23.07.2019 13:53:35.290 LDAP        (INFO   ): __sync_file_from_ucs: object was modified
23.07.2019 13:53:35.292 LDAP        (INFO   ): _ignore_object: Do not ignore cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,dc=schein,dc=me
23.07.2019 13:53:35.292 LDAP        (INFO   ): _object_mapping: map with key group and type ucs
23.07.2019 13:53:35.293 LDAP        (INFO   ): _dn_type ucs
23.07.2019 13:53:35.294 LDAP        (INFO   ): samaccount_dn_mapping: check newdn for key dn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.297 LDAP        (INFO   ): samaccount_dn_mapping: premapped S4 object not found
23.07.2019 13:53:35.297 LDAP        (INFO   ): samaccount_dn_mapping: got an UCS-Object
23.07.2019 13:53:35.297 LDAP        (INFO   ): samaccount_dn_mapping: search in s4 for (&(objectclass=group)(samaccountname=sun-2a))
23.07.2019 13:53:35.299 LDAP        (INFO   ): samaccount_dn_mapping: newdn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.299 LDAP        (INFO   ): samaccount_dn_mapping: newdn for key dn:
23.07.2019 13:53:35.299 LDAP        (INFO   ): samaccount_dn_mapping: olddn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.300 LDAP        (INFO   ): samaccount_dn_mapping: newdn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.300 LDAP        (INFO   ): samaccount_dn_mapping: check newdn for key olddn: None
23.07.2019 13:53:35.300 LDAP        (INFO   ): sid_to_s4_mapping
23.07.2019 13:53:35.302 LDAP        (INFO   ): _ignore_object: Do not ignore cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,dc=schein,dc=me
23.07.2019 13:53:35.303 LDAP        (INFO   ): __sync_file_from_ucs: finished mapping
23.07.2019 13:53:35.303 LDAP        (INFO   ): sync_from_ucs: sync object: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.303 LDAP        (PROCESS): sync from ucs: [         group] [    modify] cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.305 LDAP        (INFO   ): sync_from_ucs: add object: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.306 LDAP        (INFO   ): sync_from_ucs: lock UCS entryUUID: e23403c4-3666-1039-9cfe-4df289a4a00d
23.07.2019 13:53:35.306 LDAP        (INFO   ): LockingDB: Execute SQL command: 'INSERT INTO UCS_LOCK(uuid) VALUES(?);', '('e23403c4-3666-1039-9cfe-4df289a4a00d',)'
23.07.2019 13:53:35.312 LDAP        (INFO   ): groupType: -2147483646
23.07.2019 13:53:35.312 LDAP        (INFO   ): to add: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.312 LDAP        (ALL    ): sync_from_ucs: addlist: [('objectClass', ['top', 'group']), ('objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x84!\xaa\x92\xb0\xeb^\x1a\x18.\x99^\xa9\x80\x00\x00']), ('sAMAccountName', [u'sun-2a'])]
23.07.2019 13:53:35.334 LDAP        (ERROR  ): sync_from_ucs: traceback during add object: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.335 LDAP        (ERROR  ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'group']), ('objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x84!\xaa\x92\xb0\xeb^\x1a\x18.\x99^\xa9\x80\x00\x00']), ('sAMAccountName', [u'sun-2a'])]
23.07.2019 13:53:35.340 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1562662385.677988
23.07.2019 13:53:35.341 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 910, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2559, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls)  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: ../../ldb_key_value/ldb_kv_index.c:2506: Failed to re-index objectSid in CN=sun-2a,CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,DC=me - ../../ldb_key_value/ldb_kv_index.c:2351: unique index violation on objectSid in CN=sun-2a,CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,DC=me', 'desc': 'Constraint violation'}
Comment 3 Christina Scheinig univentionstaff 2019-07-24 15:33:22 CEST
manual tombstone reanimation worked btw.
Comment 4 Christina Scheinig univentionstaff 2019-07-25 10:26:17 CEST
I applied the patch on the master, and it worked. 30 rejects gone, thank you.
Comment 5 Christina Scheinig univentionstaff 2019-08-16 12:40:54 CEST
I set the ticket to waiting for Errata and the bug to waiting for support. The customer cannot update further Erratas without this Issue fixed.
Comment 6 Christina Scheinig univentionstaff 2019-10-21 14:50:04 CEST
Happens in another school environment
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2019-10-22 10:28:17 CEST
(In reply to Christina Scheinig from comment #5)
> The customer cannot update further Erratas without this Issue fixed.

Why not?
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2019-10-22 10:44:35 CEST
(In reply to Sönke Schwardt-Krummrich from comment #7)
> (In reply to Christina Scheinig from comment #5)
> > The customer cannot update further Erratas without this Issue fixed.
> 
> Why not?

"cannot update" → this is an effort issue not a technical issue.
→ the customer has a lot of systems and has to patch all systems again if the S4 
  connector has been altered via an errata update.
Comment 9 Christina Scheinig univentionstaff 2019-10-28 12:57:00 CET
Next school customer with patch applied in the environment
Comment 10 Julia Bremer univentionstaff 2019-11-21 16:05:35 CET
Successful build
Package: univention-s4-connector
Version: 13.0.2-58A~4.4.0.201911211556
Branch: ucs_4.4-0
Scope: errata4.4-2
User: jbremer


efe7866667 Bug #49792: yaml
5d0d2ea6f3 Bug #49792: Changelog
dc487e6d60 Bug #49792: Allow recreation of samba deleted object


built with the attached patch.
Comment 11 Florian Best univentionstaff 2019-11-21 17:19:00 CET
Reproducible:

# udm groups/group create --set name=foogroup2 --set sambaRID=12529
WARNING: The object is not going to be created underneath of its default containers.
Object created: cn=foogroup2,l=school,l=dev
# udm groups/group remove --dn cn=foogroup2,l=school,l=dev
Object removed: cn=foogroup2,l=school,l=dev
# udm groups/group create --set name=foogroup2 --set sambaRID=12529
WARNING: The object is not going to be created underneath of its default containers.
Object created: cn=foogroup2,l=school,l=dev
Comment 12 Florian Best univentionstaff 2019-11-21 17:49:37 CET
I wondered if the patch can cause a recursion error/dead loop
* for ldap.CONSTRAINT_VIOLATION errors which are not "unique index violation on objectSid"
* because ldap.CONSTRAINT_VIOLATION is caught in sync_from_ucs() and in that except block sync_from_ucs() is called again.
But it seems the check "no conflicting deleted object found" prevents this.

18.10.2019 16:31:37.003 LDAP        (PROCESS): sync_from_ucs: error during add, searching for conflicting deleted object in S4
18.10.2019 16:31:37.003 LDAP        (INFO   ): sync_from_ucs: search filter: (&(sAMAccountName=foogroup6)(objectSid=S-1-5-21-2678360992-1148200938-341953966-12531)(isDeleted=TRUE))
18.10.2019 16:31:37.003 LDAP        (PROCESS): sync_from_ucs: no conflicting deleted object found
18.10.2019 16:31:37.005 LDAP        (WARNING): sync failed, saved as rejected            
        /var/lib/univention-connector/s4/1571409057.399389                               
18.10.2019 16:31:37.005 LDAP        (WARNING): Traceback (most recent call last):        
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 891, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2408, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls)  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s     
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3       
    resp_ctrl_classes=resp_ctrl_classes                                                  
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4       
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: samldb: samAccountName has 2 values, should be single-valued!', 'desc': 'Constraint violation'}
Comment 13 Florian Best univentionstaff 2019-11-22 09:29:28 CET
OK: groups with same sambaRID and same name as a removed group get restored again.
It still raises CONSTRAINT_VIOLATION if only the SID is taken but the name changed.
OK: YAML
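The two points raised in comments 12 and 13 (the retry after CONSTRAINT_VIOLATION must not loop, and a tombstone only counts as a conflict when both sAMAccountName and objectSid match) can be illustrated with the values from the logs above. This is an added example, not code from the connector: it decodes the binary objectSid from the addlist into the S-1-... form used in the search filter, builds that filter, and shows the retry decision against a constructed tombstone list standing in for the Samba/AD search.

```python
import struct
from typing import List, Optional, Tuple

# objectSid bytes exactly as they appear in the addlist of the school-slave log above
SUN_2A_SID_RAW = (b"\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00"
                  b"\x84!\xaa\x92\xb0\xeb^\x1a\x18.\x99^\xa9\x80\x00\x00")


def sid_bytes_to_str(raw: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then count little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_rid(sid: str) -> int:
    """The last sub-authority is the RID (sambaRID on the UCS side)."""
    return int(sid.rsplit("-", 1)[1])


def conflict_filter(sam_account_name: str, sid: str) -> str:
    """The deleted-object search the connector runs after a failed add (see comment 12)."""
    return "(&(sAMAccountName=%s)(objectSid=%s)(isDeleted=TRUE))" % (sam_account_name, sid)


def find_conflicting_deleted(sam: str, sid: str,
                             tombstones: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Constructed stand-in for the isDeleted=TRUE search: both attributes must match."""
    for entry in tombstones:
        if entry == (sam, sid):
            return entry
    return None


def should_retry_add(sam: str, sid_raw: bytes,
                     tombstones: List[Tuple[str, str]], already_retried: bool) -> bool:
    """Retry the add only once, and only when a matching tombstone exists; otherwise the
    connector keeps the CONSTRAINT_VIOLATION and writes a reject instead of looping."""
    if already_retried:
        return False
    return find_conflicting_deleted(sam, sid_bytes_to_str(sid_raw), tombstones) is not None


# Constructed tombstone list: the deleted sun-2a group from the log above.
TOMBSTONES = [("sun-2a", sid_bytes_to_str(SUN_2A_SID_RAW))]
```

With the name changed but the SID reused (comment 13), `should_retry_add` returns False, which is the case that still ends in a reject.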
Comment 14 Arvid Requate univentionstaff 2019-11-27 14:20:06 CET
<http://errata.software-univention.de/ucs/4.4/379.html>