How to deal with s4-connector rejects

S4-Connector Rejects


You can use the following command to have a look at the current S4-Connector replication status:


If you see rejected objects in the output, check the relevant log file to determine the reason for the reject. The relevant log file is /var/log/univention/connector-s4.log.

"UCS rejected" refers to object modifications that were detected in UCS/OpenLDAP and could not be synchronized to the Samba/AD directory service. "S4 rejected", on the other hand, refers to object modifications that were detected in Samba/AD and could not be synchronized to the UCS/OpenLDAP directory service.

In most cases you will find a corresponding traceback, which you can hand over to your support contact if in doubt.
If the reported reason is not obvious (or not accurate), it can be helpful to compare the rejected object in Samba 4 and LDAP. You can use the following commands:

univention-ldapsearch -b "objectdn"
univention-s4search -b "objectdn"

For example:

# User
univention-ldapsearch -b "uid=administrator,cn=users,dc=domain,dc=de"
univention-s4search -b "cn=administrator,cn=users,dc=domain,dc=de"

univention-ldapsearch -b "relativeDomainName=_ldap_tcp,,cn=dns,dc=domain,dc=de"
univention-s4search -b "dc=_ldap._tcp.DomainDnsZones,,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de" --cross-ncs
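
One way to compare the two outputs attribute by attribute, as an added example (not part of the original article or of UCS): a Python helper that parses the LDIF printed by both commands, including folded lines and base64 values, and reports mapped attributes whose values differ. The attribute pairs in ATTR_MAP and the sample outputs are assumptions constructed for illustration.

```python
import base64

# Assumed pairs (OpenLDAP -> Samba/AD) for illustration; not the connector's full mapping.
ATTR_MAP = {"uid": "sAMAccountName", "sn": "sn", "givenName": "givenName",
            "description": "description", "displayName": "displayName"}


def parse_ldif(text):
    """Parse LDIF of one entry into {lowercased attribute: set of values}."""
    lines = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank lines, comments and result trailers
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(name.lower(), set()).add(value)
    return entry


def compare(ucs_ldif, s4_ldif, attr_map=ATTR_MAP):
    """Return {ucs_attr: (ucs_values, s4_values)} for mapped attributes that differ."""
    ucs, s4 = parse_ldif(ucs_ldif), parse_ldif(s4_ldif)
    diffs = {}
    for ucs_attr, s4_attr in attr_map.items():
        left = ucs.get(ucs_attr.lower(), set())
        right = s4.get(s4_attr.lower(), set())
        if left != right:
            diffs[ucs_attr] = (sorted(left), sorted(right))
    return diffs


# Constructed sample output, not taken from a real system.
UCS_SAMPLE = ("dn: uid=administrator,cn=users,dc=domain,dc=de\n"
              "uid: Administrator\nsn: Administrator\n"
              "description:: QnVpbHQtaW4gYWNjb3VudA==\n")
S4_SAMPLE = ("# record 1\ndn: CN=Administrator,CN=Users,DC=domain,DC=de\n"
             "sAMAccountName: Administrator\nsn: Admin\n"
             "description: Built-in\n  account\n")
if __name__ == "__main__":
    print(compare(UCS_SAMPLE, S4_SAMPLE))
```

An empty result only means the mapped attributes match; attributes outside the mapping are not compared.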

If the objects are equal and you are sure about this, the reject may already be resolved. This can happen if discrepancies were resolved outside of the connector. In these cases the rejects can be removed. This can also be the case if, for example, you removed unwanted objects with ldbdel.
Rejects are stored in an SQLite database, so they have to be removed from that database. There are helper tools for this task, for example:

Remove S4 reject:

root@master:~# /usr/share/univention-s4-connector/ \

Remove UCS/LDAP reject:

root@master:~# /usr/share/univention-s4-connector/ \

You can also try to sync changes from one directory service to the other, for example by triggering a resync of a Samba/AD object to OpenLDAP.

Trigger S4 resync:

root@master:~# /usr/share/univention-s4-connector/ --filter cn=Administrator
resync triggered for CN=Administrator,CN=Users,DC=domain,DC=de
Estimated sync in 50 seconds.

Trigger UCS resync:

root@master:~# /usr/share/univention-s4-connector/ --filter uid=Administrator
resync triggered for uid=Administrator,cn=users,dc=domain,dc=de

If you cannot resolve the rejects this way, check this article.
