Problem:
(occurred in a UCS@school environment)
20.10.2019 06:27:12.944 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1534251946.710590
20.10.2019 06:27:12.981 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=Computers,cn=groups,DC=schein,DC=me
20.10.2019 06:27:13.033 LDAP (ERROR ): sync_from_ucs: traceback during add object: cn=Computers,cn=groups,DC=schein,DC=me
20.10.2019 06:27:13.034 LDAP (ERROR ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'group']), ('objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xa9\xbeJ<\xb6W\x84%n\xd1PFO\x04\x00\x00']), ('groupType', [u'-2147483646']), ('sAMAccountName', [u'Computers'])]
20.10.2019 06:27:13.050 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1534251946.710590
20.10.2019 06:27:13.080 LDAP (WARNING): Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 910, in __sync_file_from_ucs
if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2559, in sync_from_ucs
self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls) # FIXME encoding
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: ../../ldb_key_value/ldb_kv_index.c:2506: Failed to re-index objectSid in CN=Computers,CN=Groups,DC=schein,DC=me - ../../ldb_key_value/ldb_kv_index.c:2351: unique index violation on objectSid in CN=Computers,CN=Groups,DC=schein,DC=me', 'desc': 'Constraint violation'}
We already have an article about this kind of traceback,
but in this scenario we cannot re-animate anything: there is no deleted object.
Investigation:
- Finding the conflicting SID. Take the DN of the rejected object and look up its sambaSID in OpenLDAP:
univention-ldapsearch -b cn=computers,cn=groups,$(ucr get ldap/base) sambaSID
- Now search for that SID in Samba to find out which object owns it now:
univention-s4search objectSid=S-1-5-21-2310927035-1632660085-1980360486-11015
- In this case the SID was used by the dns-$(hostname) user. This user is generated by 98univention-samba4-dns.inst, which created the user on the school slave. Remove it from Samba:
ldbdel -H /var/lib/samba/private/sam.ldb CN=dns-slave-moon,CN=Users,DC=schein,DC=me
- You also have to delete the deleted object (empty the paperbin, i.e. the Deleted Objects container):
univention-s4search --cross-ncs --show-deleted cn='dns-slave-moon*'
ldbdel -H /var/lib/samba/private/sam.ldb 'CN=dns-slave-moon\0ADEL:4c0df927-6afa-4c74-8426-07d81e212949,CN=Deleted Objects,DC=schein,DC=me' --relax
Note: If another object holds the expected SID, first check whether that object also exists in OpenLDAP and whether it has a different SID there. If so, do not delete the object; its SID can be changed in Samba instead.
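The search in the second step needs the SID in its S-1-5-... string form, while the traceback above logs objectSid as a raw binary blob. The following script is an added example, not part of the original article or of the connector code; it decodes the blob from a logged addlist line and assumes the Python 2 repr format shown in the traceback.

```python
import ast
import struct

# Constructed sample: the addlist line from the traceback above, copied as the
# Python 2 repr the connector logs (objectSid is a binary blob shown as \x escapes).
ADDLIST_LOG = (
    r"[('objectClass', ['top', 'group']), ('objectSid', "
    r"['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xa9\xbeJ<\xb6W\x84%n\xd1PFO\x04\x00\x00']), "
    r"('groupType', [u'-2147483646']), ('sAMAccountName', [u'Computers'])]"
)


def sid_from_binary(blob: bytes) -> str:
    """Decode a binary SID (revision, sub-authority count, 48-bit big-endian
    authority, little-endian 32-bit sub-authorities) into S-1-5-... form."""
    if len(blob) < 8:
        raise ValueError("binary SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_binary(sid: str) -> bytes:
    """Inverse of sid_from_binary, for comparing against raw ldb values."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def objectsid_from_addlist(line: str) -> str:
    """Parse the logged addlist and return its objectSid as a string SID."""
    attrs = dict(ast.literal_eval(line))
    raw = attrs["objectSid"][0]
    # The Python 2 repr holds one byte per character; latin-1 maps them back 1:1.
    blob = raw.encode("latin-1") if isinstance(raw, str) else raw
    return sid_from_binary(blob)


if __name__ == "__main__":
    sid = objectsid_from_addlist(ADDLIST_LOG)
    print("univention-s4search objectSid=%s" % sid)
```

The blob in this particular traceback decodes to a SID other than the one searched in the investigation step, so run the conversion on the addlist line from your own log rather than reusing values from this page.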
Solution:
The rejected object cn=computers should now be re-indexed successfully, because the SID is free now.
The dns-$(hostname) object is still needed, so it has to be created again. The join script can do this for us:
univention-run-join-scripts --force --run-scripts 98univention-samba4-dns.inst