Computer is not synchronized due to Object class violation

It might happen that a computer object is not synchronized from Samba 4 / Active Directrory to OpenLDAP. Thus, the client does not work completely for example the GPO could not be evaluated by the client or the computer lost its trust relationship.

This can have different causes. The log file /var/log/univention/connector-s4.log should be checked.

File “/usr/lib/python2.6/dist-packages/ldap/”, line 426, in result2
res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
File “/usr/lib/python2.6/dist-packages/ldap/”, line 432, in result3
ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
File “/usr/lib/python2.6/dist-packages/ldap/”, line 96, in _ldap_call
result = func(*args,**kwargs)
OBJECT_CLASS_VIOLATION: {‘info’: “attribute ‘shadowLastChange’ not allowed”, ‘desc’: ‘Object class violation’}

If the traceback above is listed for the computer object, please download the script, execute the script and insert the username and a password of a Domain Admin account, for example:

python ./kerberize_from_samba4
Username: Administrator

Afterwards, the Kerberos attributes are copied from the Samba 4 / Active Directory the corresponding objects OpenLDAP computer accounts and the synchronization will be continue.