How to deal with s4-connector rejects


S4-Connector Rejects

Rejects

You can use the following command to have a look at the current S4-Connector replication status:

univention-s4connector-list-rejected

If you see rejected objects in the output it is recommended to have a look at the relevant log files to determine the reason for the reject. The relevant log file is /var/log/univention/connector-s4.log.

UCS rejected refers to object modifications that have been detected in UCS/OpenLDAP and could not be synchronized to the Samba/AD directory service. S4 rejected on the other hand refers to object modifications that have been detected in Samba/AD and could not be synchronized to the UCS/OpenLDAP directory service.

In most cases you will find a corresponding traceback, which you can pass on to your support contact if in doubt.
If the reason shown is not obvious (or not accurate), it can help to compare the rejected object in Samba 4 and LDAP. You can use the following commands:

univention-ldapsearch -b "objectdn"
univention-s4search -b "objectdn"

for example:

# User
univention-ldapsearch -b "uid=administrator,cn=users,dc=domain,dc=de"
univention-s4search -b "cn=administrator,cn=users,dc=domain,dc=de"

# DNS
univention-ldapsearch -b "relativeDomainName=_ldap._tcp,zoneName=domain.de,cn=dns,dc=domain,dc=de"
univention-s4search -b "dc=_ldap._tcp.DomainDnsZones,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de" --cross-ncs
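
One way to make the comparison less error-prone, as an added example (not part of the original article or of Univention's tooling): parse the LDIF printed by both search commands and report only the attributes that differ. The attribute mapping and the sample entries are assumptions constructed for illustration.

```python
import base64

# Assumed mapping of UCS/OpenLDAP attribute names to their Samba/AD counterparts
# (illustrative, not taken from the connector); extend it per object type.
ATTR_MAP = {"uid": "sAMAccountName", "sn": "sn", "givenName": "givenName",
            "mail": "mail", "description": "description"}

def parse_ldif(text):
    """Parse the first LDIF entry into {lowercased attribute: set of values}."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):            # folded continuation line
            if lines and not in_comment:
                lines[-1] += raw[1:]
        elif raw.startswith("#"):
            in_comment = True
        elif not raw:                      # blank line ends the entry
            if lines:
                break
            in_comment = False
        else:
            lines.append(raw)
            in_comment = False
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # "attr:: <base64>" encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), set()).add(value.strip())
    return entry

def compare(ucs_ldif, s4_ldif, attr_map=ATTR_MAP):
    """Return {ucs_attr: (ucs_values, s4_values)} for mapped attributes that differ."""
    ucs, s4 = parse_ldif(ucs_ldif), parse_ldif(s4_ldif)
    diffs = {}
    for ucs_attr, s4_attr in attr_map.items():
        a, b = ucs.get(ucs_attr.lower(), set()), s4.get(s4_attr.lower(), set())
        if a != b:
            diffs[ucs_attr] = (sorted(a), sorted(b))
    return diffs

# Constructed sample LDIF (not real command output).
UCS_SAMPLE = ("# constructed\ndn: uid=Administrator,cn=users,dc=domain,dc=de\n"
              "uid: Administrator\ndescription: Domain\n  admin\nmail: admin@domain.de\n")
S4_SAMPLE = ("# record 1\ndn: CN=Administrator,CN=Users,DC=domain,DC=de\n"
             "sAMAccountName: Administrator\n"
             "description:: " + base64.b64encode(b"Domain admin").decode() + "\n")

if __name__ == "__main__":
    print(compare(UCS_SAMPLE, S4_SAMPLE) or "mapped attributes are equal")
```

On a real system, pass the captured output of the two search commands to `compare()` instead of the constructed samples. Values are compared exactly, including case.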

If the objects are equal and you are sure about this, the reject may already be resolved. This can happen if discrepancies are resolved outside of the connector. In these cases the rejects can be removed. This could also be the case if you removed unwanted objects with ldbdel, for example.
Rejects are stored in an SQLite database, so they have to be removed from that database. There are helper tools for this task, for example:

Remove S4 reject:

root@master:~# /usr/share/univention-s4-connector/remove_s4_rejected.py \
                              CN=Administrator,CN=Users,DC=domain,DC=de

Remove UCS/LDAP reject:

root@master:~# /usr/share/univention-s4-connector/remove_ucs_rejected.py \
                              uid=Administrator,cn=users,dc=domain,dc=de

You can also try to sync changes from one directory service to the other, for example by triggering a resync of a Samba/AD object to OpenLDAP.

Trigger S4 resync:

root@master:~# /usr/share/univention-s4-connector/resync_object_from_s4.py --filter cn=Administrator
resync triggered for CN=Administrator,CN=Users,DC=domain,DC=de
Estimated sync in 50 seconds.

Trigger UCS resync:

root@master:~# /usr/share/univention-s4-connector/resync_object_from_ucs.py --filter uid=Administrator
resync triggered for uid=Administrator,cn=users,dc=domain,dc=de

Afterwards, check the replication status again:

univention-s4connector-list-rejected