System: UCS: 5.0-9 errata1200
Problem: New user does not log in on client OS (Linux Ubuntu/Mint or Windows 10/11)
When a new user named “ad345” is created, a warning immediately appears in System - System Diagnostic - Warning: S4 Connector
Found 1 UCS rejects and 0 S4 rejects.
See [Univention Support Database - How to deal with s4-connector rejects](https://help.univention.com/t/how-to-deal-with-s4-connector-rejects/33) for more information.
UCS rejected:
UCS DN: uid=ad345,cn=users,dc=kt,dc=local, S4 DN: not found, Filename: /var/lib/univention-connector/s4/1738420976.206446
```
root@ucs1:~# univention-s4connector-list-rejected
UCS rejected
1: UCS DN: uid=ad345,cn=users,dc=kt,dc=local
S4 DN: <not found>
Filename: /var/lib/univention-connector/s4/1738420976.206446
S4 rejected
last synced USN: 3758415
```
```
root@ucs1:~# univention-ldapsearch -b "uid=ad345,cn=users,dc=kt,dc=local"
# extended LDIF
#
# LDAPv3
# base <uid=ad345,cn=users,dc=kt,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# ad345, users, kt.local
dn: uid=ad345,cn=users,dc=kt,dc=local
krb5MaxLife: 86400
krb5MaxRenew: 604800
uid: ad345
uidNumber: 2116
sn: ad345
gecos: ad345
displayName: ad345
homeDirectory: /home/ad345
loginShell: /bin/bash
cn: ad345
krb5PrincipalName: ad345@KT.LOCAL
krb5KDCFlags: 126
userPassword:: blah-blah
krb5Key:: blah-blah
krb5Key:: blah-blah
krb5Key:: blah-blah
krb5Key:: blah-blah
krb5Key:: blah-blah
krb5Key:: blah-blah
krb5Key:: blah-blah
krb5KeyVersionNumber: 1
pwhistory:: blah-blah
sambaNTPassword: blah-blah
shadowLastChange: 20120
sambaPwdLastSet: 1738419853
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
sambaAcctFlags: [U ]
objectClass: univentionPWHistory
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: univentionObject
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: krb5Principal
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: automount
objectClass: univentionMail
objectClass: sambaSamAccount
sambaSID: S-1-4-2116
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-4224285416-2759168370-409101215-513
univentionObjectType: users/user
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
```
```
root@ucs1:~# univention-s4search -b "cn=ad345,cn=users,dc=kt,dc=local"
search error - LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:968> <>
```
```
cat /var/log/univention/connector-s4.log
22.02.2025 12:57:05.103 LDAP (PROCESS): sync UCS > AD: Resync rejected file: /var/lib/univention-connector/s4/1738420976.206446
22.02.2025 12:57:05.106 LDAP (PROCESS): sync UCS > AD: [ user] [ add] 'cn=ad345,cn=users,DC=kt,DC=local'
22.02.2025 12:57:05.112 LDAP (PROCESS): sync_from_ucs: error during add, searching for conflicting deleted object in S4
22.02.2025 12:57:05.113 LDAP (PROCESS): sync_from_ucs: no conflicting deleted object found
22.02.2025 12:57:05.115 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1738420976.206446
22.02.2025 12:57:05.115 LDAP (WARNING): Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 828, in __sync_file_from_ucs
if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new):
File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 2070, in sync_from_ucs
self.lo_s4.lo.add_ext_s(object['dn'], addlist, serverctrls=ctrls)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 414, in add_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
raise exc_value
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.CONSTRAINT_VIOLATION: {'desc': 'Constraint violation', 'info': '0000202F: ../../lib/ldb/ldb_key_value/ldb_kv_index.c:3065: Failed to re-index objectSid in CN=ad345,CN=Users,DC=kt,DC=local - ../../lib/ldb/ldb_key_value/ldb_kv_index.c:2910: unique index violation on objectSid in CN=ad345,CN=Users,DC=kt,DC=local'}
```
If you remove the UCS/LDAP reject, as described in the error instructions, the warning disappears. But the user still cannot log in to the client OS. The result is the same when executing a UCS resync.

Tell me, what could be the problem, and what other logs should be shown to localize the problem as accurately as possible? I could not find the log that describes the creation of a new user to see possible errors.
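
A triage helper for `connector-s4.log`, added here as an example and not part of the original post or of Univention's tooling: it pairs each failed `sync UCS > AD` operation with its reject file, the LDAP exception class, and the attribute named in a unique index violation. The function name `summarize_rejects` is hypothetical, and the sample input is constructed by abridging the log lines quoted above.

```python
import re

# Constructed sample: abridged from the connector-s4.log excerpt in the post
# (traceback frames dropped, the long 'info' string shortened with "...").
SAMPLE_LOG = """\
22.02.2025 12:57:05.103 LDAP (PROCESS): sync UCS > AD: Resync rejected file: /var/lib/univention-connector/s4/1738420976.206446
22.02.2025 12:57:05.106 LDAP (PROCESS): sync UCS > AD: [ user] [ add] 'cn=ad345,cn=users,DC=kt,DC=local'
22.02.2025 12:57:05.112 LDAP (PROCESS): sync_from_ucs: error during add, searching for conflicting deleted object in S4
22.02.2025 12:57:05.115 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1738420976.206446
22.02.2025 12:57:05.115 LDAP (WARNING): Traceback (most recent call last):
ldap.CONSTRAINT_VIOLATION: {'desc': 'Constraint violation', 'info': '0000202F: ... unique index violation on objectSid in CN=ad345,CN=Users,DC=kt,DC=local'}
"""

SYNC_RE = re.compile(r"sync UCS > AD: \[\s*(\w+)\] \[\s*(\w+)\] '([^']+)'")
REJECT_RE = re.compile(r"^(/var/lib/univention-connector/s4/\S+)$")
ERROR_RE = re.compile(r"^ldap\.(\w+): (.*)$")
INDEX_RE = re.compile(r"unique index violation on (\w+) in ")


def summarize_rejects(log_text):
    """Return one dict per UCS > AD sync that ended in an ldap.* exception."""
    results, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SYNC_RE.search(line)
        if m:  # start of a new sync attempt: object type, operation, target DN
            current = {"type": m.group(1), "op": m.group(2), "dn": m.group(3),
                       "reject_file": None, "error": None, "index_attr": None}
            continue
        if current is None:
            continue
        m = REJECT_RE.match(line)
        if m:  # bare path printed after "sync failed, saved as rejected"
            current["reject_file"] = m.group(1)
            continue
        m = ERROR_RE.match(line)
        if m:  # final traceback line: exception class plus server 'info'
            current["error"] = m.group(1)
            idx = INDEX_RE.search(m.group(2))
            current["index_attr"] = idx.group(1) if idx else None
            results.append(current)
            current = None
    return results


if __name__ == "__main__":
    for r in summarize_rejects(SAMPLE_LOG):
        print(r["op"], r["dn"], r["error"], r["index_attr"], r["reject_file"])
```
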