Problem: AD-Rejcts due to insufficent access of the sync-user

Problem:

AD-Rejcts due to insufficent access of the sync-user.
A reject could look like this.

27.01.2022 15:32:58.219 LDAP        (PROCESS): sync from ucs: [         group] [    modify] cn=domain users,cn=users,DC=aha,DC=schein,DC=de
27.01.2022 15:32:58.219 LDAP        (INFO   ): get_object: got object: cn=domain users,cn=users,DC=aha,DC=schein,DC=de
27.01.2022 15:32:58.219 LDAP        (INFO   ): sync_from_ucs: add object: cn=domain users,cn=users,DC=aha,DC=schein,DC=de
27.01.2022 15:32:58.220 LDAP        (INFO   ): to add: cn=domain users,cn=users,DC=aha,DC=schein,DC=de
27.01.2022 15:32:58.220 LDAP        (ALL    ): sync_from_ucs: addlist: [('objectClass', ['top', 'group']), ('groupType', [u'-2147483646']), ('sAMAccountName', [u'Domain Users'])]
27.01.2022 15:32:58.235 LDAP        (WARNING): sync failed, saved as rejected
27.01.2022 15:32:58.236 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 823, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, object_old))):
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 2663, in sync_from_ucs
    self.lo_ad.lo.add_s(compatible_modstring(object['dn']), compatible_addlist(addlist))  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 210, in add_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 503, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 507, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ALREADY_EXISTS: {'info': '00000526: UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS), data 0\n', 'desc': 'Already exists'}

Investigation:

In the rejcts traceback you can see, that the domain users groups should be modified:
27.01.2022 15:32:58.219 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=domain users,cn=users,DC=aha,DC=schein,DC=de

And therefor the group should be added:
27.01.2022 15:32:58.220 LDAP (INFO ): to add: cn=domain users,cn=users,DC=aha,DC=schein,DC=de

but this is not possible, because:
ALREADY_EXISTS: {'info': '00000526: UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS), data 0\n', 'desc': 'Already exists'}

So lets read the AD, like the ad-connector does.

root@ucs:~# ldbsearch -H ldap://SNHDC01.snh.schulen-hannover.de --simple-bind-dn="$(ucr get connector/ad/ldap/binddn)" --password="$(</etc/univention/connector/ad/bindpw)" CN="Domain Users"

Yahtzee, the group is not there, but AD says it is. So the user is not allowed to read/see it.

Also, the objects below "CN=Users,DC=aha,DC=schein=de" cannot be read. So maybe more checks could be done here.

Solution:

There is a modification to the “Domain Users” group, this change is to be synced to AD. The sync user (ucr get connector/ad/ldap/binddn) looks in AD and does not get back a group with the name (because he is not allowed to read it). Therefore he wants to create it again. The AD then says, no that’s nonsense, I already have the group (already exists) and refuses the execution.

To syncronize passwords, it is also necessary, that the AD user is allowed to read, computerobject of the MS AD DCs, and/or the serverReferenceBL object.