Problem: Failed to re-index objectSid - another scenario

Problem:

(occurred in a UCS@school environment)

20.10.2019 06:27:12.944 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1534251946.710590
20.10.2019 06:27:12.981 LDAP        (PROCESS): sync from ucs: [         group] [    modify] cn=Computers,cn=groups,DC=schein,DC=me
20.10.2019 06:27:13.033 LDAP        (ERROR  ): sync_from_ucs: traceback during add object: cn=Computers,cn=groups,DC=schein,DC=me
20.10.2019 06:27:13.034 LDAP        (ERROR  ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'group']), ('objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xa9\xbeJ<\xb6W\x84%n\xd1PFO\x04\x00\x00']), ('groupType', [u'-2147483646']), ('sAMAccountName', [u'Computers'])]
20.10.2019 06:27:13.050 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1534251946.710590
20.10.2019 06:27:13.080 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 910, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2559, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls)  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: ../../ldb_key_value/ldb_kv_index.c:2506: Failed to re-index objectSid in CN=Computers,CN=Groups,DC=schein,DC=me - ../../ldb_key_value/ldb_kv_index.c:2351: unique index violation on objectSid in CN=Computers,CN=Groups,DC=schein,DC=me', 'desc': 'Constraint violation'}

We already have an article about this kind of traceback, but the fix described there (re-animating a deleted object) does not apply here: there is no deleted object holding the SID. Instead a live object in Samba owns the SID the rejected object needs.

Investigation:

  1. Find the conflicting SID. Take the DN of the rejected object and read its sambaSID from OpenLDAP:
    univention-ldapsearch -b cn=Computers,cn=groups,$(ucr get ldap/base) sambaSID
  2. Search for that SID in Samba to see which object holds it now:
    univention-s4search objectSid=S-1-5-21-2310927035-1632660085-1980360486-11015
  • In this case the SID was held by the dns-$(hostname) user. This user is created by the join script 98univention-samba4-dns.inst, which created it on the school slave. ldbdel writes directly into sam.ldb, so take a backup of /var/lib/samba/private before deleting it:
    ldbdel -H /var/lib/samba/private/sam.ldb CN=dns-slave-moon,CN=Users,DC=schein,DC=me

  • The deleted object lives on as a tombstone in the Deleted Objects container and still carries the objectSid, so you also have to delete the tombstone (empty the recycle bin). Find it and remove it with --relax:
    univention-s4search --cross-ncs --show-deleted cn='dns-slave-moon*'
    ldbdel -H /var/lib/samba/private/sam.ldb 'CN=dns-slave-moon\0ADEL:4c0df927-6afa-4c74-8426-07d81e212949,CN=Deleted Objects,DC=schein,DC=me' --relax

Note: If a different object holds the expected SID, first look for that object in OpenLDAP and check whether it exists there and which sambaSID it has there. If it exists in OpenLDAP, do not delete it in Samba: OpenLDAP is the authoritative side, so change the objectSid in Samba to the value OpenLDAP has instead.
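The two searches in the investigation can be shortcut: the objectSid in the "traceback due to addlist" log line is the binary form of the SID that clashed, so decoding it tells you directly which SID to look for with univention-s4search. The following Python 3 script is an added example, not code from the original article or from the UCS connector; it decodes and encodes SIDs and turns the decision rule from the note above into a function. The bytes literal is pasted from the log line above (a Python 2 repr is also a valid Python 3 bytes literal); the names TRACEBACK_SID, classify_conflict and the returned labels are my own. Note that the log excerpt and the SID searched for in step 2 come from different installations, so the decoded value does not equal S-1-5-21-2310927035-1632660085-1980360486-11015.

```python
"""Decode/encode Samba objectSid values and decide how to resolve an
objectSid unique-index conflict (added example, not UCS project code)."""
import struct

# objectSid bytes copied from the "traceback due to addlist" log line above.
TRACEBACK_SID = b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xa9\xbeJ<\xb6W\x84%n\xd1PFO\x04\x00\x00'


def sid_to_str(raw):
    """Binary SID (revision, sub-authority count, 48-bit big-endian authority,
    32-bit little-endian sub-authorities) -> 'S-1-5-21-...' string."""
    if len(raw) < 8:
        raise ValueError("SID too short: %d bytes" % len(raw))
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("length %d does not match %d sub-authorities" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def str_to_sid(sid):
    """'S-1-5-21-...' string -> binary SID, the form the ldb index compares."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid):
    """Split a domain SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def classify_conflict(rejected_sid, owner_sid, owner_in_openldap, owner_sid_in_openldap=None):
    """Decide the next step once the Samba owner of the SID is known.

    rejected_sid          sambaSID of the rejected object in OpenLDAP (step 1)
    owner_sid             objectSid of the object univention-s4search returned (step 2)
    owner_in_openldap     whether that owner object also exists in OpenLDAP
    owner_sid_in_openldap its sambaSID in OpenLDAP, if it exists there
    The labels returned here are this example's own naming.
    """
    # Compare the binary forms, so a differently written SID does not fool us.
    if str_to_sid(rejected_sid) != str_to_sid(owner_sid):
        return "no-conflict"          # a different SID: look for another cause
    if owner_in_openldap:
        # OpenLDAP is authoritative: never delete this object in Samba.
        if owner_sid_in_openldap and owner_sid_in_openldap != owner_sid:
            return "change-sid-in-samba"
        return "inspect-manually"     # same SID on both sides: not covered by this article
    # Samba-only object (here the dns-<host> user created by the join script):
    # delete it and its tombstone, then let the join script re-create it.
    return "delete-and-purge-tombstone"


if __name__ == "__main__":
    clashed = sid_to_str(TRACEBACK_SID)
    print("SID from the traceback:", clashed)
    print("domain SID / RID:", split_sid(clashed))
    # Feed it the SIDs you got from univention-ldapsearch and univention-s4search.
    print(classify_conflict(clashed, clashed, owner_in_openldap=False))
```

Run it on any machine with Python 3; it needs neither Samba nor the connector. Paste the sambaSID from step 1 and the objectSid from step 2 into classify_conflict, together with the result of the OpenLDAP lookup from the note, and it returns which branch of the procedure applies.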

Solution:

The rejected object cn=Computers should now be synced on the connector's next retry of the rejected file, because the SID is free. You can check the remaining rejects with univention-s4connector-list-rejected.

Now the dns-$(hostname) object is needed again, so it has to be re-created. The join script can do this for us:

univention-run-join-scripts --force --run-scripts 98univention-samba4-dns.inst