CN=Domain Computers in s4 connector rejects


#1

We have been having rejects for a long time on our main domain controller. We did not know whether it was safe to remove them, so we kept them, not knowing what else we could do. We have a total of 11 now; new ones seem to appear from time to time.

A few days ago one more reject appeared, this time on both the main domain controller and a backup, and here is the output:

S4 rejected
 S4 DN: CN=Domain Computers,CN=Groups,DC=office,DC=com
 UCS DN: cn=domain computers,cn=groups,dc=office,dc=com

Is it anything critical?


#2

Maybe this article helps to debug this issue:

And you have to check the error messages in your /var/log/univention/connector-s4.log


#3

Yes, that is the article I was referring to all the time to remove rejects. However, would it be safe to remove the actual “Domain Computers” object, which contains all the computers in LDAP?


#4

It is best not to simply remove the reject, but to analyze once what the error is. What traceback is there in the logfile?


#5

Thank you for helping me out and directing me in debugging the problem.
I ran two commands:

univention-ldapsearch -b "CN=Domain Computers,CN=Groups,DC=office,DC=com"
univention-s4search -b "CN=Domain Computers,CN=Groups,DC=office,DC=com"

I think the output of both commands is correct, however I noticed one record in each of them.
from univention-ldapsearch:
uniqueMember: uid=payroll.server,cn=users,dc=office,dc=com
from univention-s4search:
member: CN=payroll.server,CN=Users,DC=office,DC=com

And that is the only computer listed in the output. I was expecting more. Is that not how it is in a Windows domain?

We do have a PAYROLLSERVER machine in our environment. Someone who added it into the domain might have tried adding it with the “name.server” name. However, this computer does not appear in the univention-s4connector-list-rejected output.


#6

To add to my previous post, this is the relevant traceback:

# numResponses: 2
14.03.2019 12:03:10,241 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Domain Computers,CN=Groups,DC=office,DC=com
14.03.2019 12:03:10,251 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=domain computers,cn=groups,dc=office,dc=com
14.03.2019 12:03:10,927 LDAP        (ERROR  ): failed in post_con_modify_functions
14.03.2019 12:03:10,927 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1638, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 87, in group_members_sync_to_ucs
    return s4connector.group_members_sync_to_ucs(key, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2115, in group_members_sync_to_ucs
    ucs_admin_object.fast_member_add(uniqueMember_add, memberUid_add)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 453, in fast_member_add
    return self.lo.modify(self.dn, ml)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 828, in modify
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Type or value exists: memberUid: value #0 provided more than once
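
The traceback above ends in the directory refusing a modify because the same memberUid value was submitted twice. The following script is an added example (not code from the thread or from the Univention connector) that parses a group entry as printed by univention-ldapsearch and reports duplicate memberUid/uniqueMember values, and builds an add list that cannot trigger that error. The LDIF sample is constructed; the case-insensitive comparison is an assumption made here, and the script runs under Python 2.7 or 3.

```python
"""Check a group entry (LDIF text) for duplicate member attribute values.

Added example, not part of the original post or of the Univention code base.
It parses LDIF as printed by univention-ldapsearch and reports duplicate
memberUid / uniqueMember values, the condition behind
"Type or value exists: memberUid: value #0 provided more than once".
"""
from collections import defaultdict

# Constructed sample modelled on the DN from the thread; the repeated
# memberUid lines are deliberate so the checker has something to find.
SAMPLE_LDIF = """\
dn: cn=domain computers,cn=groups,dc=office,dc=com
objectClass: univentionGroup
objectClass: posixGroup
cn: domain computers
uniqueMember: uid=payroll.server,cn=users,dc=office,dc=com
uniqueMember: uid=payrollserver$,cn=computers,dc=office,dc=com
memberUid: payroll.server
memberUid: payrollserver$
memberUid: Payroll.Server
memberUid: payrollserver$
"""

MEMBER_ATTRS = ("memberUid", "uniqueMember")


def parse_ldif(text):
    """Parse a single-entry LDIF into {attr: [values]}.

    Folds continuation lines (leading space) and skips '#' comment lines
    such as '# numResponses: 2'.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        if not line or line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip()].append(value.strip())
    return dict(entry)


def find_duplicates(entry, attrs=MEMBER_ATTRS):
    """Return {attr: {normalized_value: [original values]}} for values seen
    more than once. Comparison is case-insensitive (assumption)."""
    dupes = {}
    for attr in attrs:
        seen = defaultdict(list)
        for value in entry.get(attr, []):
            seen[value.lower()].append(value)
        found = dict((k, v) for k, v in seen.items() if len(v) > 1)
        if found:
            dupes[attr] = found
    return dupes


def safe_add_list(existing, candidates):
    """Return candidate values not already present (case-insensitively),
    each at most once, so a modify built from them cannot produce
    'value provided more than once'."""
    present = set(v.lower() for v in existing)
    result = []
    for candidate in candidates:
        key = candidate.lower()
        if key not in present:
            present.add(key)
            result.append(candidate)
    return result


if __name__ == "__main__":
    group = parse_ldif(SAMPLE_LDIF)
    for attr, found in find_duplicates(group).items():
        for values in found.values():
            print("%s: duplicate values %r" % (attr, values))
    print(safe_add_list(group["memberUid"], ["payroll.server", "newhost$", "NEWHOST$"]))
```

Run it against the real output of `univention-ldapsearch -b "<group dn>"` piped into a file to see whether the group already carries duplicate member values before resyncing the reject.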

#7

Just a quick update. I figured out something. As I used to manage Windows AD in another company, if I remember this correctly, in MS Windows AD there is a group “Domain Computers”; however, in Univention there is a different group for that. Seeing this group in the errors and having only one wrong “payroll.server” record in it freaked me out.

I removed payroll.server from this group in the LDAP directory via the web UI. We will see how events unfold now.