Univention Bugzilla – Bug 49792
UCS@school: Allow re-creation of deleted group object with same objectSid in Samba/AD
Last modified: 2019-11-27 14:20:06 CET
In Ticket#: 2019031921001054 the S4-Connector on the UCS@School *Master* failed to re-create a group object in Samba/AD that had been removed before. It's still under investigation how this situation came about in the customer domain, but there is a lesson to be learned for the improvement of the S4-Connector: for Bug #41864 we added support for the "tombstone reanimation" method to the S4-Connector, but that code wasn't triggered in this case, because the exception thrown by Samba/AD during the LDAP ADD was a different one. It was not ldap.ALREADY_EXISTS in this case but ldap.CONSTRAINT_VIOLATION instead. No clue why, maybe the exception is different for a group? The attached patch fixed this.
Created attachment 10104 [details] allow-recreation-of-samba-deleted-object-v2.patch
The same reject also occurs for groups on a school slave. I have heard this was implemented for users (because of the cross-school users) in the first place. I will try the patch on a school slave too. The traceback seems to be the same.

This is the reject on a school slave
-------------------------------
23.07.2019 13:53:35.287 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1562662385.677988
23.07.2019 13:53:35.289 LDAP (PROCESS): __sync_file_from_ucs: Object with entryUUID e23403c4-3666-1039-9cfe-4df289a4a00d has been removed before but became visible again.
23.07.2019 13:53:35.290 LDAP (INFO ): __sync_file_from_ucs: object was modified
23.07.2019 13:53:35.292 LDAP (INFO ): _ignore_object: Do not ignore cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,dc=schein,dc=me
23.07.2019 13:53:35.292 LDAP (INFO ): _object_mapping: map with key group and type ucs
23.07.2019 13:53:35.293 LDAP (INFO ): _dn_type ucs
23.07.2019 13:53:35.294 LDAP (INFO ): samaccount_dn_mapping: check newdn for key dn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.297 LDAP (INFO ): samaccount_dn_mapping: premapped S4 object not found
23.07.2019 13:53:35.297 LDAP (INFO ): samaccount_dn_mapping: got an UCS-Object
23.07.2019 13:53:35.297 LDAP (INFO ): samaccount_dn_mapping: search in s4 for (&(objectclass=group)(samaccountname=sun-2a))
23.07.2019 13:53:35.299 LDAP (INFO ): samaccount_dn_mapping: newdn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.299 LDAP (INFO ): samaccount_dn_mapping: newdn for key dn:
23.07.2019 13:53:35.299 LDAP (INFO ): samaccount_dn_mapping: olddn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.300 LDAP (INFO ): samaccount_dn_mapping: newdn: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.300 LDAP (INFO ): samaccount_dn_mapping: check newdn for key olddn: None
23.07.2019 13:53:35.300 LDAP (INFO ): sid_to_s4_mapping
23.07.2019 13:53:35.302 LDAP (INFO ): _ignore_object: Do not ignore cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,dc=schein,dc=me
23.07.2019 13:53:35.303 LDAP (INFO ): __sync_file_from_ucs: finished mapping
23.07.2019 13:53:35.303 LDAP (INFO ): sync_from_ucs: sync object: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.303 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.305 LDAP (INFO ): sync_from_ucs: add object: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.306 LDAP (INFO ): sync_from_ucs: lock UCS entryUUID: e23403c4-3666-1039-9cfe-4df289a4a00d
23.07.2019 13:53:35.306 LDAP (INFO ): LockingDB: Execute SQL command: 'INSERT INTO UCS_LOCK(uuid) VALUES(?);', '('e23403c4-3666-1039-9cfe-4df289a4a00d',)'
23.07.2019 13:53:35.312 LDAP (INFO ): groupType: -2147483646
23.07.2019 13:53:35.312 LDAP (INFO ): to add: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.312 LDAP (ALL ): sync_from_ucs: addlist: [('objectClass', ['top', 'group']), ('objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x84!\xaa\x92\xb0\xeb^\x1a\x18.\x99^\xa9\x80\x00\x00']), ('sAMAccountName', [u'sun-2a'])]
23.07.2019 13:53:35.334 LDAP (ERROR ): sync_from_ucs: traceback during add object: cn=sun-2a,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=me
23.07.2019 13:53:35.335 LDAP (ERROR ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'group']), ('objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x84!\xaa\x92\xb0\xeb^\x1a\x18.\x99^\xa9\x80\x00\x00']), ('sAMAccountName', [u'sun-2a'])]
23.07.2019 13:53:35.340 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1562662385.677988
23.07.2019 13:53:35.341 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 910, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2559, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls)  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: ../../ldb_key_value/ldb_kv_index.c:2506: Failed to re-index objectSid in CN=sun-2a,CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,DC=me - ../../ldb_key_value/ldb_kv_index.c:2351: unique index violation on objectSid in CN=sun-2a,CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,DC=me', 'desc': 'Constraint violation'}
Manual tombstone reanimation worked, btw.
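The objectSid in the addlist above is the raw binary SID, which makes it awkward to compare with the sambaRID handed to udm or with the textual SID that a tombstone search filter carries. The following Python is an added example (not Univention or Samba code): it decodes exactly that byte string, encodes it back, splits off the RID, and builds the `(&(sAMAccountName=...)(objectSid=...)(isDeleted=TRUE))` filter in the form the connector logs. The function names and the filter-escaping helper are this example's own; the SID wire layout (revision, sub-authority count, 48-bit big-endian authority, little-endian 32-bit sub-authorities) is the standard one.

```python
"""Decode/encode the binary objectSid from the S4-Connector addlist."""
import struct

# The objectSid value from the addlist in the traceback above, copied as bytes.
SID_FROM_ADDLIST = (b"\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00"
                    b"\x84!\xaa\x92\xb0\xeb^\x1a\x18.\x99^\xa9\x80\x00\x00")


def sid_bytes_to_string(blob):
    """Binary SID -> 'S-1-5-21-...' form; rejects truncated or malformed blobs."""
    if len(blob) < 8:
        raise ValueError("SID header truncated: %d bytes" % len(blob))
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count %d does not fit %d bytes" % (count, len(blob)))
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit identifier authority
    sub_authorities = struct.unpack("<%dI" % count, blob[8:])  # little-endian uint32s
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in sub_authorities)


def sid_string_to_bytes(sid):
    """'S-1-5-21-...' form -> binary SID; the inverse of sid_bytes_to_string."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    sub_authorities = [int(p) for p in parts[3:]]
    if revision != 1 or len(sub_authorities) > 15 or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % sid)
    return (bytes([revision, len(sub_authorities)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(sub_authorities), *sub_authorities))


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain SID, RID); the RID is what UDM calls sambaRID."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed into an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def conflict_filter(sam_account_name, sid_blob):
    """The tombstone search filter in the form the connector logs, built from the
    binary objectSid (Samba accepts the textual SID form in filters)."""
    return "(&(sAMAccountName=%s)(objectSid=%s)(isDeleted=TRUE))" % (
        escape_filter_value(sam_account_name), sid_bytes_to_string(sid_blob))


if __name__ == "__main__":
    text = sid_bytes_to_string(SID_FROM_ADDLIST)
    print(text, split_sid(text)[1])
    print(conflict_filter("sun-2a", SID_FROM_ADDLIST))
```

Running it shows that the blob in the rejected addlist carries RID 32937, which is the number to compare against the sambaRID of the UCS group when checking whether a re-creation really reuses the old SID.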
I applied the patch on the master, and it worked. 30 rejects gone, thank you.
I set the ticket to waiting for Errata and the bug to waiting for support. The customer cannot update further Erratas without this Issue fixed.
Happens in an other school environment
(In reply to Christina Scheinig from comment #5)
> The customer cannot update further Erratas without this Issue fixed.

Why not?
(In reply to Sönke Schwardt-Krummrich from comment #7)
> (In reply to Christina Scheinig from comment #5)
> > The customer cannot update further Erratas without this Issue fixed.
>
> Why not?

"cannot update" → this is an effort issue, not a technical issue.
→ the customer has a lot of systems and has to patch all systems again if the S4 connector has been altered via an errata update.
Next school customer with patch applied in the environment
Successful build
Package: univention-s4-connector
Version: 13.0.2-58A~4.4.0.201911211556
Branch: ucs_4.4-0
Scope: errata4.4-2
User: jbremer

efe7866667 Bug #49792: yaml
5d0d2ea6f3 Bug #49792: Changelog
dc487e6d60 Bug #49792: Allow recreation of samba deleted object

built with the attached patch.
Reproducible:

# udm groups/group create --set name=foogroup2 --set sambaRID=12529
WARNING: The object is not going to be created underneath of its default containers.
Object created: cn=foogroup2,l=school,l=dev
# udm groups/group remove --dn cn=foogroup2,l=school,l=dev
Object removed: cn=foogroup2,l=school,l=dev
# udm groups/group create --set name=foogroup2 --set sambaRID=12529
WARNING: The object is not going to be created underneath of its default containers.
Object created: cn=foogroup2,l=school,l=dev
I wondered if the patch can cause a recursion error/dead loop
* for ldap.CONSTRAINT_VIOLATION errors which are not "unique index violation on objectSid"
* because ldap.CONSTRAINT_VIOLATION is caught in sync_from_ucs() and in that except block sync_from_ucs() is called again.

But it seems the check "no conflicting deleted object found" prevents this.

18.10.2019 16:31:37.003 LDAP (PROCESS): sync_from_ucs: error during add, searching for conflicting deleted object in S4
18.10.2019 16:31:37.003 LDAP (INFO ): sync_from_ucs: search filter: (&(sAMAccountName=foogroup6)(objectSid=S-1-5-21-2678360992-1148200938-341953966-12531)(isDeleted=TRUE))
18.10.2019 16:31:37.003 LDAP (PROCESS): sync_from_ucs: no conflicting deleted object found
18.10.2019 16:31:37.005 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1571409057.399389
18.10.2019 16:31:37.005 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 891, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2408, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls)  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: samldb: samAccountName has 2 values, should be single-valued!', 'desc': 'Constraint violation'}
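To make the control flow behind that concern concrete, here is an added Python model of the add-then-reanimate retry. It is not the S4-Connector's code: FakeSambaDirectory is a small in-memory stand-in for Samba/AD, the two exception classes only borrow the names of ldap.ALREADY_EXISTS and ldap.CONSTRAINT_VIOLATION so the file runs without python-ldap, and the DNs and SIDs are constructed. It shows the tombstone search matching for a same-name, same-SID re-creation, and the original exception being re-raised after a single ADD when nothing matches, so neither a changed name nor an unrelated constraint violation (such as the two-valued sAMAccountName in the traceback above) re-enters the add.

```python
"""Model of the S4-Connector's add-with-tombstone-reanimation retry (added example)."""


class AlreadyExists(Exception):
    """Stand-in for ldap.ALREADY_EXISTS; defined here so the example runs without python-ldap."""


class ConstraintViolation(Exception):
    """Stand-in for ldap.CONSTRAINT_VIOLATION."""


DELETED_CONTAINER = "CN=Deleted Objects,DC=example,DC=test"   # constructed base DN


class FakeSambaDirectory:
    """Entries keyed by DN. A removed entry survives as a tombstone with isDeleted=TRUE
    and its objectSid intact, which is why a later ADD with the same SID hits the
    unique objectSid index rather than ALREADY_EXISTS."""

    def __init__(self):
        self.entries = {}       # DN -> attribute dict
        self.add_calls = 0      # number of ADD operations, to show there is no retry loop

    def add(self, dn, attrs):
        self.add_calls += 1
        if dn in self.entries:
            raise AlreadyExists({"desc": "Already exists"})
        if len(attrs["sAMAccountName"]) != 1:   # samldb single-value check
            raise ConstraintViolation({"info": "samldb: samAccountName has %d values, should be "
                                       "single-valued!" % len(attrs["sAMAccountName"]),
                                       "desc": "Constraint violation"})
        for other in self.entries.values():      # unique objectSid index, tombstones included
            if other["objectSid"] == attrs["objectSid"]:
                raise ConstraintViolation({"info": "unique index violation on objectSid in %s" % dn,
                                           "desc": "Constraint violation"})
        self.entries[dn] = dict(attrs)

    def delete(self, dn):
        entry = self.entries.pop(dn)
        entry["isDeleted"] = True
        self.entries["CN=%s\\0ADEL,%s" % (entry["sAMAccountName"][0], DELETED_CONTAINER)] = entry

    def search_deleted(self, sam_account_name, object_sid):
        """(&(sAMAccountName=...)(objectSid=...)(isDeleted=TRUE)) over the fake store."""
        for dn, entry in self.entries.items():
            if (entry.get("isDeleted") and entry["objectSid"] == object_sid
                    and entry["sAMAccountName"] == [sam_account_name]):
                return dn
        return None

    def reanimate(self, tombstone_dn, new_dn, attrs):
        """Tombstone reanimation: clear isDeleted, move back, re-apply the attributes."""
        entry = self.entries.pop(tombstone_dn)
        del entry["isDeleted"]
        entry.update(attrs)
        self.entries[new_dn] = entry


def sync_add(directory, dn, attrs, log):
    """ADD dn; on ALREADY_EXISTS or CONSTRAINT_VIOLATION look for a tombstone with the
    same sAMAccountName and objectSid and reanimate it. Without a match the original
    exception is re-raised: no second ADD, so another kind of constraint violation
    cannot loop."""
    try:
        directory.add(dn, attrs)
        return "added"
    except (AlreadyExists, ConstraintViolation):
        log.append("error during add, searching for conflicting deleted object in S4")
        tombstone = directory.search_deleted(attrs["sAMAccountName"][0], attrs["objectSid"])
        if tombstone is None:
            log.append("no conflicting deleted object found")
            raise
        log.append("reanimating %s" % tombstone)
        directory.reanimate(tombstone, dn, attrs)
        return "reanimated"


def try_sync_add(directory, dn, attrs, log):
    """sync_add, but return the server's error text instead of raising."""
    try:
        return sync_add(directory, dn, attrs, log)
    except (AlreadyExists, ConstraintViolation) as exc:
        return exc.args[0].get("info", exc.args[0]["desc"])


def demo():
    """Same name + same SID is reanimated; same SID + new name is rejected once."""
    directory, log = FakeSambaDirectory(), []
    dn = "CN=foogroup2,OU=school,DC=example,DC=test"
    attrs = {"objectClass": ["top", "group"],
             "objectSid": "S-1-5-21-1-2-3-12529",        # constructed SID, RID 12529
             "sAMAccountName": ["foogroup2"]}
    first = try_sync_add(directory, dn, attrs, log)
    directory.delete(dn)
    second = try_sync_add(directory, dn, attrs, log)
    directory.delete(dn)
    renamed = dict(attrs, sAMAccountName=["foogroup2-renamed"])
    third = try_sync_add(directory, "CN=foogroup2-renamed,OU=school,DC=example,DC=test", renamed, log)
    return first, second, third, directory.add_calls, log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The guard that matters is the `tombstone is None` branch: it turns every non-matching error, the renamed group and the malformed two-valued sAMAccountName alike, into a plain re-raise after exactly one ADD, which is the behaviour the log above shows.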
OK: groups with the same sambaRID and the same name as a removed group get restored again.
It still raises CONSTRAINT_VIOLATION if only the SID is taken but the name changed.
OK: YAML
<http://errata.software-univention.de/ucs/4.4/379.html>