CN=Domain Computers in s4 connectior rejects

Roman · March 4, 2019, 12:06pm

We have been having rejects for a long time on our main domain controller. We do not know whether it was safe to remove them so we kept them, not knowing what else can we do. We have total of 11 now, new seem to appear from time to time.

Few days ago one more reject appeared, this time on both: main domain controller and a backup, and here is the output:

S4 rejected
 S4 DN: CN=Domain Computers,CN=Groups,DC=office,DC=com
 UCS DN: cn=domain computers,cn=groups,dc=office,dc=com

Is it anything critical?

scheinig · March 14, 2019, 9:56am

Maybe this articel helps, to debug this issue:

And you have to check the errormessages in your /var/log/univention/connector-s4.log

Roman · March 14, 2019, 10:10am

Yes, that article I was referring to all the time to remove rejects. However, would it be safe to remove actual “Domain Computers” object which contains all the computers in LDAP?

scheinig · March 14, 2019, 11:11am

It is best not to simply remove the reject, but to analyze once what the error is. What traceback is there in the logfile?

Roman · March 14, 2019, 11:55am

Thank you for helping me out and directing me in debugging the problem.
I ran two commands

univention-ldapsearch -b "CN=Domain Computers,CN=Groups,DC=office,DC=com"
univention-s4search -b "CN=Domain Computers,CN=Groups,DC=office,DC=com"

I think the output of both commands is correct, however I noticed one record in each of them.
from univention-ldapsearch:
uniqueMember: uid=payroll.server,cn=users,dc=office,dc=com
from univention-s4search:
member: CN=payroll.server,CN=Users,DC=office,DC=com

And that is the only computer listed in the output. I was expecting more? Is it not how it is in Windows domain?

We do have PAYROLLSERVER machine in our environment. Someone who added it into domain might have tried adding it with “name.server” name. However this computer does not appear in univention-s4connector-list-rejected output.

Roman · March 14, 2019, 12:05pm

To my previous post, this is relevant traceback

# numResponses: 2
14.03.2019 12:03:10,241 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Domain Computers,CN=Groups,DC=office,DC=com
14.03.2019 12:03:10,251 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=domain computers,cn=groups,dc=office,dc=com
14.03.2019 12:03:10,927 LDAP        (ERROR  ): failed in post_con_modify_functions
14.03.2019 12:03:10,927 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1638, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 87, in group_members_sync_to_ucs
    return s4connector.group_members_sync_to_ucs(key, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2115, in group_members_sync_to_ucs
    ucs_admin_object.fast_member_add(uniqueMember_add, memberUid_add)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 453, in fast_member_add
    return self.lo.modify(self.dn, ml)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 828, in modify
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Type or value exists: memberUid: value #0 provided more than once

Roman · March 14, 2019, 12:28pm

Just a quick update. I figured out something. As I used to manage Windows AD in other company, if I remember this correctly, in MS Windows AD there is a group “Domain Computers”, however in Univention, there is different group for that. Seeing this group in errors and having only one wrong “payroll.server” record in it, freaked me out.

I removed payroll.server from this group in LDAP directroy via web ui. Will see how events will unfold now.