Problem: Failed to re-index objectSid - another scenario

Problem:

(occurred in a UCS@school environment)

20.10.2019 06:27:12.944 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1534251946.710590
20.10.2019 06:27:12.981 LDAP        (PROCESS): sync from ucs: [         group] [    modify] cn=Computers,cn=groups,DC=schein,DC=me
20.10.2019 06:27:13.033 LDAP        (ERROR  ): sync_from_ucs: traceback during add object: cn=Computers,cn=groups,DC=schein,DC=me
20.10.2019 06:27:13.034 LDAP        (ERROR  ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'group']), ('objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xa9\xbeJ<\xb6W\x84%n\xd1PFO\x04\x00\x00']), ('groupType', [u'-2147483646']), ('sAMAccountName', [u'Computers'])]
20.10.2019 06:27:13.050 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1534251946.710590
20.10.2019 06:27:13.080 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 910, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2559, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls)  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: ../../ldb_key_value/ldb_kv_index.c:2506: Failed to re-index objectSid in CN=Computers,CN=Groups,DC=schein,DC=me - ../../ldb_key_value/ldb_kv_index.c:2351: unique index violation on objectSid in CN=Computers,CN=Groups,DC=schein,DC=me', 'desc': 'Constraint violation'}

We already have an article about this kind of traceback, but in this scenario the object cannot be re-animated: there is no deleted object.

Investigation:

  1. Find the conflicting SID. Take the DN of the rejected object and look up its sambaSID in OpenLDAP:
     univention-ldapsearch -b cn=computers,cn=groups,$(ucr get ldap/base) sambaSID
  2. Search for that SID in Samba to see which object owns it now:
     univention-s4search objectSid=S-1-5-21-2310927035-1632660085-1980360486-11015
     In this case the SID was used by the dns-$(hostname) user. This user is created by the join script 98univention-samba4-dns.inst, which created it on the school slave.
  3. Delete the conflicting object:
     ldbdel -H /var/lib/samba/private/sam.ldb CN=dns-slave-moon,CN=Users,DC=schein,DC=me
  4. Delete the tombstone as well (empty the recycle bin); the deleted object still occupies the SID:
     univention-s4search --cross-ncs --show-deleted cn='dns-slave-moon*'
     ldbdel -H /var/lib/samba/private/sam.ldb 'CN=dns-slave-moon\0ADEL:4c0df927-6afa-4c74-8426-07d81e212949,CN=Deleted Objects,DC=schein,DC=me' --relax
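The traceback above shows the objectSid only as raw bytes in the addlist. The following added example (not part of the original article or of the connector code) decodes that value into the S-1-5-... form used by univention-s4search, so the SID from the traceback can be compared directly with the sambaSID found in step 1; the sample log line is copied from the traceback above.

```python
import ast
import re
import struct

# Constructed sample: the "traceback due to addlist" line from the connector log above.
# The objectSid value is a Python 2 repr, so the \xNN escapes are literal text here.
LOG_LINE = (
    r"20.10.2019 06:27:13.034 LDAP        (ERROR  ): sync_from_ucs: traceback due to addlist: "
    r"[('objectClass', ['top', 'group']), ('objectSid', "
    r"['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xa9\xbeJ<\xb6W\x84%n\xd1PFO\x04\x00\x00']), "
    r"('groupType', [u'-2147483646']), ('sAMAccountName', [u'Computers'])]"
)


def objectsid_from_addlist_line(line):
    """Return the raw objectSid bytes logged in a 'traceback due to addlist' line."""
    match = re.search(r"traceback due to addlist: (\[.*\])", line)
    if not match:
        raise ValueError("no addlist in log line")
    # literal_eval turns the Python 2 repr into a str whose code points are the
    # original byte values, so Latin-1 encoding recovers the bytes exactly.
    for attr, values in ast.literal_eval(match.group(1)):
        if attr.lower() == "objectsid":
            return values[0].encode("latin-1")
    raise ValueError("addlist has no objectSid")


def sid_bytes_to_string(raw):
    """Decode a binary SID: revision, sub-authority count, 48-bit BE authority, LE sub-authorities."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID: %r" % raw)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string, to check a sambaSID string against the logged bytes."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


if __name__ == "__main__":
    raw = objectsid_from_addlist_line(LOG_LINE)
    print(sid_bytes_to_string(raw))  # S-1-5-21-1011531433-629430198-1179701614-1103
```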

Solution:

The rejected object cn=Computers should now be synced (the connector retries rejected files), because the SID is free now.

Now the dns-$(hostname) object is needed again, so it has to be recreated. The join script can do this for us:

univention-run-join-scripts --force --run-scripts 98univention-samba4-dns.inst