Problem: AD rejects due to insufficient access of the sync user

Problem:

AD rejects due to insufficient access of the sync user.
A reject could look like this:

27.01.2022 15:32:58.219 LDAP        (PROCESS): sync from ucs: [         group] [    modify] cn=domain users,cn=users,DC=aha,DC=schein,DC=de
27.01.2022 15:32:58.219 LDAP        (INFO   ): get_object: got object: cn=domain users,cn=users,DC=aha,DC=schein,DC=de
27.01.2022 15:32:58.219 LDAP        (INFO   ): sync_from_ucs: add object: cn=domain users,cn=users,DC=aha,DC=schein,DC=de
27.01.2022 15:32:58.220 LDAP        (INFO   ): to add: cn=domain users,cn=users,DC=aha,DC=schein,DC=de
27.01.2022 15:32:58.220 LDAP        (ALL    ): sync_from_ucs: addlist: [('objectClass', ['top', 'group']), ('groupType', [u'-2147483646']), ('sAMAccountName', [u'Domain Users'])]
27.01.2022 15:32:58.235 LDAP        (WARNING): sync failed, saved as rejected
27.01.2022 15:32:58.236 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 823, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, object_old))):
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 2663, in sync_from_ucs
    self.lo_ad.lo.add_s(compatible_modstring(object['dn']), compatible_addlist(addlist))  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 210, in add_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 503, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 507, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ALREADY_EXISTS: {'info': '00000526: UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS), data 0\n', 'desc': 'Already exists'}

Investigation:

In the reject's traceback you can see that the Domain Users group should be modified:
27.01.2022 15:32:58.219 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=domain users,cn=users,DC=aha,DC=schein,DC=de

and therefore the group is to be added:
27.01.2022 15:32:58.220 LDAP (INFO ): to add: cn=domain users,cn=users,DC=aha,DC=schein,DC=de

but this is not possible, because:
ALREADY_EXISTS: {'info': '00000526: UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS), data 0\n', 'desc': 'Already exists'}

So let's read the AD the way the AD connector does:

root@ucs:~# ldbsearch -H ldap://adserver.windows.aha.schein.de --simple-bind-dn="$(ucr get connector/ad/ldap/binddn)" --password="$(</etc/univention/connector/ad/bindpw)" CN="Domain Users"

Yahtzee: the search returns nothing, but AD says the group exists. So the sync user is not allowed to read/see it.

Also, the objects below "CN=Users,DC=aha,DC=schein,DC=de" cannot be read. So maybe more checks could be done here.

Solution:

There is a modification to the “Domain Users” group, and this change is to be synced to AD. The sync user (ucr get connector/ad/ldap/binddn) looks in AD and does not get back a group with that name (because it is not allowed to read it). Therefore it wants to create the group again. AD then says: no, that's nonsense, I already have that group (already exists), and refuses the operation.

To synchronize passwords it is also necessary that the AD user is allowed to read the computer objects of the MS AD DCs and/or the serverReferenceBL object.
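The "more checks" suggested in the investigation, as an added example that is not part of the original post or of the UCS AD connector: it reads AD as the sync user, like the ldbsearch call above, and reports which of the objects the connector needs (the rejected group, the CN=Users container, the DC computer objects with their serverReferenceBL) are invisible to that user. It assumes the UCR variables connector/ad/ldap/host and connector/ad/ldap/base hold the AD server and base DN, and that it runs on the UCS host where ucr and ldbsearch exist.

```shell
#!/bin/bash
# Added example, not part of the original post or of the UCS AD connector.
# Reports which AD objects the connector's sync user cannot read, so that a
# reject like the one above (ALREADY_EXISTS on an add) can be caught early.
# Assumed UCR variable names: connector/ad/ldap/host, connector/ad/ldap/base.
set -u

BIND_DN="$(ucr get connector/ad/ldap/binddn 2>/dev/null || true)"
BIND_PW_FILE=/etc/univention/connector/ad/bindpw

# Count entries in ldbsearch output: every returned entry starts with "dn: ".
count_entries() {
    grep -c '^dn: ' || true
}

# Search AD as the sync user (base $1, filter $2) and print the entry count.
sync_user_count() {
    ldbsearch -H "ldap://$(ucr get connector/ad/ldap/host)" \
        --simple-bind-dn="$BIND_DN" --password="$(cat "$BIND_PW_FILE")" \
        -b "$1" -s sub "$2" dn serverReferenceBL 2>/dev/null | count_entries
}

# Print ok/MISSING depending on whether at least $3 entries are visible.
expect_visible() {
    local base="$1" filter="$2" minimum="$3" found
    found="$(sync_user_count "$base" "$filter")"
    if [ "${found:-0}" -ge "$minimum" ]; then
        echo "ok      $filter under $base ($found visible)"
    else
        echo "MISSING $filter under $base (sync user sees ${found:-0}, need >= $minimum)"
    fi
}

run_checks() {
    local base_dn
    base_dn="$(ucr get connector/ad/ldap/base)"
    # The group from the reject: if the sync user cannot see it, the connector
    # tries an add and AD answers ALREADY_EXISTS.
    expect_visible "CN=Users,$base_dn" '(sAMAccountName=Domain Users)' 1
    # The container and its children, which the post found unreadable too.
    expect_visible "CN=Users,$base_dn" '(objectClass=*)' 2
    # DC computer objects (primaryGroupID 516 = Domain Controllers), needed
    # for password synchronization.
    expect_visible "$base_dn" '(&(objectClass=computer)(primaryGroupID=516))' 1
}

# Run the checks only when invoked as `bash adsync-check.sh run`; otherwise
# the file only defines the functions so it can be sourced.
if [ "${1:-}" = "run" ]; then run_checks; fi
```

A MISSING line for the first check reproduces exactly the situation of the reject; fixing the read permissions of the bind DN on that object (or container) and resyncing the rejected object is the remedy.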
