Problem: AD Connector rejects for Windows clients

Problem:

The AD Connector writes rejects for Windows clients, for example:

2026-01-09T11:09:38.064976+01:00    ERROR [         -] sync_from_ucs: traceback during add object: cn=cat-nk01-04,ou=computer,ou=managedclients,DC=schein,DC=me
2026-01-09T11:09:38.065143+01:00    ERROR [         -] sync_from_ucs: traceback due to addlist: [('objectClass', [b'top', b'computer']), ('userAccountControl', [b'4096']), ('cn', [b'CAT-NK01-04']), ('description', [b'.']), ('operatingSystem', [b'Windows 11 Education']), ('operatingSystemVersion', [b'10.0 (26100)']), ('sAMAccountName', [b' CAT-NK01-04$'])]
2026-01-09T11:09:38.070825+01:00  WARNING [         -] sync failed, saved as rejected
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/__init__.py", line 803, in __sync_file_from_ucs
    if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, object_old):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 2153, in sync_from_ucs
    self.lo_ad.lo.add_ext_s(object['dn'], addlist, serverctrls=ctrls)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1009, in add_ext_s
    return self._apply_method_s(SimpleLDAPObject.add_ext_s,*args,**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 968, in _apply_method_s
    return func(self,*args,**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 222, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 543, in result3
    resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
                                                                           ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 553, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 128, in _ldap_call
    result = func(*args,**kwargs)
             ^^^^^^^^^^^^^^^^^^^^
ldap.ALREADY_EXISTS: {'msgtype': 105, 'msgid': 23, 'result': 68, 'desc': 'Already exists', 'ctrls': [], 'info': '00000524: UpdErr: DSID-031A11DA, problem 6005 (ENTRY_EXISTS), data 0\n'}

Solution:

Synchronizing Windows computer objects between the UCS and Microsoft AD domains serves no purpose (although we do it), because each client is joined to only one of the two domains.

In this case the reject occurs because the object in AD changed its position without the connector noticing, and therefore the mapping between the UCS object and the AD object in the SQLite database was not adjusted.

sqlite3 /etc/univention/connector/internal.sqlite 'select * from "DN Mapping UCS"' | grep -i cn=cat-nk01-04
cn=cat-nk01-04,ou=computer,ou=managedclients,dc=portal,dc=schein,dc=intranet|cn=cat-nk01-04,ou=raum-01,ou=cat,ou=wlan-notebooks,ou=schulgeraete,ou=managedclients,dc=schein,dc=me

To get this adjusted, and knowing that the clients are joined to AD, we can resync the object from AD to UCS:

/usr/share/univention-ad-connector/resync_object_from_ad.py 'CN=CAT-NK01-04,OU=raum-01,OU=cat,OU=WLAN-Notebooks,OU=schulgeraete,OU=managedclients,DC=schein,DC=me'
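
The log-and-mapping comparison done by hand above can be scripted for many rejects at once. The following is an added example, not part of the connector: it assumes the "DN Mapping UCS" table holds two-field rows (UCS DN, AD DN) as in the sqlite3 output above, and the demo table's column names and the function names are made up for illustration.

```python
import re
import sqlite3

# Constructed sample: two of the connector log lines quoted above.
SAMPLE_LOG = """\
2026-01-09T11:09:38.064976+01:00    ERROR [         -] sync_from_ucs: traceback during add object: cn=cat-nk01-04,ou=computer,ou=managedclients,DC=schein,DC=me
2026-01-09T11:09:38.070825+01:00  WARNING [         -] sync failed, saved as rejected
"""
# The mapping row shown in the sqlite3 output above (UCS DN, AD DN).
SAMPLE_ROW = (
    "cn=cat-nk01-04,ou=computer,ou=managedclients,dc=portal,dc=schein,dc=intranet",
    "cn=cat-nk01-04,ou=raum-01,ou=cat,ou=wlan-notebooks,ou=schulgeraete,ou=managedclients,dc=schein,dc=me",
)
ADD_FAILED = re.compile(r"sync_from_ucs: traceback during add object: (?P<dn>\S.*)$")

def norm_dn(dn):
    """Lower-case and trim every RDN (simplification: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def failed_add_dns(log_text):
    """AD DNs the connector failed to add, in log order, without duplicates."""
    hits = (ADD_FAILED.search(line) for line in log_text.splitlines())
    return list(dict.fromkeys(norm_dn(m.group("dn")) for m in hits if m))

def mapping_mismatches(conn, log_text):
    """Return (attempted AD DN, UCS DN, mapped AD DN) where the two AD DNs differ."""
    # SELECT * avoids depending on column names; rows are (UCS DN, AD DN) pairs.
    rows = conn.execute('SELECT * FROM "DN Mapping UCS"').fetchall()
    found = []
    for attempted in failed_add_dns(log_text):
        rdn = attempted.split(",", 1)[0]
        for ucs_dn, ad_dn in rows:
            same_rdn = norm_dn(ucs_dn).split(",", 1)[0] == rdn
            if same_rdn and norm_dn(ad_dn) != attempted:
                found.append((attempted, norm_dn(ucs_dn), norm_dn(ad_dn)))
    return found

def demo_db():
    """In-memory stand-in for internal.sqlite; the column names are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "DN Mapping UCS" (key TEXT, value TEXT)')
    conn.execute('INSERT INTO "DN Mapping UCS" VALUES (?, ?)', SAMPLE_ROW)
    return conn

if __name__ == "__main__":
    # Real system, read-only: sqlite3.connect(
    #   "file:/etc/univention/connector/internal.sqlite?mode=ro", uri=True)
    for attempted, ucs_dn, ad_dn in mapping_mismatches(demo_db(), SAMPLE_LOG):
        print(f"add failed at: {attempted}\n  UCS DN:       {ucs_dn}\n  mapped AD DN: {ad_dn}")
```

Each reported pair shows where the connector tried to create the object and which AD DN the mapping table records for the same client, which is the DN to pass to the resync script.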