Problem: Failed to re-index objectSid - non school

Problem:

Adding a user in a non-UCS@school environment may fail with “Failed to re-index objectSid” in the S4 connector log:

21.12.2020 15:15:44.228 LDAP        (PROCESS): sync from ucs: [          user] [       add] cn=cscheini,cn=users,DC=cc,DC=schein,DC=ig
21.12.2020 15:15:44.245 LDAP        (PROCESS): sync_from_ucs: error during add, searching for conflicting deleted object in S4
21.12.2020 15:15:44.246 LDAP        (PROCESS): sync_from_ucs: no conflicting deleted object found
21.12.2020 15:15:44.256 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1608543247.897682
21.12.2020 15:15:44.256 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 891, in __sync_file_from_ucs 
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2402, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls)  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: ../../ldb_key_value/ldb_kv_index.c:2506: Failed to re-index objectSid in CN=cscheini,CN=users,DC=cc,DC=schein,DC=ig - ../../ldb_key_value/ldb_kv_index.c:2351: unique index violation on objectSid in CN=cscheini,CN=users,DC=cc,DC=schein,DC=ig', 'desc': 'Constraint violation'}

Investigation:

The message indicates that the SID Samba wants to assign to the new object is already occupied by another user object.
To find out which one, check the ‘RID Set’ of the server:

ldbsearch -H /var/lib/samba/private/sam.ldb \
CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)" \
rIDAllocationPool rIDNextRID

dn: CN=RID Set,CN=MASTER,OU=Domain Controllers,DC=schein,DC=ig
rIDNextRID: 1161
The attribute rIDNextRID shows the last RID that was successfully handed out.
Now check whether this RID is in use (it should be) and whether the following RID is in use (it should not be).
Take the domain SID part of another user’s SID, or read it directly from the Samba domain object:

univention-ldapsearch -xLLL sambaDomainName=* sambaSID | sed -ne 's|sambaSID: ||p'
S-1-5-21-2438365080-1175145288-4246282840
univention-ldapsearch -LLL sambaSID=S-1-5-21-2438365080-1175145288-4246282840-1161 dn

dn: uid=b.baumann,cn=users,dc=schein,dc=ig    (in use, as expected)

univention-ldapsearch -LLL sambaSID=S-1-5-21-2438365080-1175145288-4246282840-1162 dn

dn: uid=l.croft,cn=users,dc=schein,dc=ig    (in use, but should be free)
The user l.croft already occupies the RID that Samba considers the next free one. This is the cause of the “constraint violation”.

Solution:

Edit the ‘RID Set’ in Samba so that rIDNextRID holds the last RID that is actually in use (1162 in this example):
ldbedit -H /var/lib/samba/private/sam.ldb CN="RID Set" -b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"

# editing 1 records
# record 1
dn: CN=RID Set,CN=MASTER,OU=Domain Controllers,DC=schein,DC=ig
objectClass: top
objectClass: rIDSet
cn: RID Set
instanceType: 4
whenCreated: 20190514144243.0Z
whenChanged: 20190514144243.0Z
uSNCreated: 3667
uSNChanged: 3667
showInAdvancedViewOnly: TRUE
name: RID Set
objectGUID: 993ec2b2-c611-4cb4-8924-781111a47832
rIDAllocationPool: 1100-1599
rIDPreviousAllocationPool: 1100-1599
rIDUsedPool: 0
objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=schein,DC=ig
rIDNextRID: 1162
distinguishedName: CN=RID Set,CN=MASTER,OU=Domain Controllers,DC=schein,DC=ig
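The manual check above (read rIDNextRID, derive the domain SID, probe the following RIDs in the UCS LDAP) can be scripted so that it also catches the case where several consecutive RIDs beyond rIDNextRID are already taken. The script below is an added example for this article, not a Univention or Samba tool. It only reports and prints a suggested `ldbmodify` LDIF; it never writes to sam.ldb itself. The function names, the `check_sample()` helper and the constructed sample LDIF (built from the values shown in the article) are assumptions made for this example; `main()` runs the real `ucr`, `ldbsearch` and `univention-ldapsearch` commands and therefore only works on a UCS DC.

```python
#!/usr/bin/env python3
"""Check whether Samba's RID Set lags behind the RIDs already in use.

Added example for the article above, not a Univention/Samba tool.
It reads rIDNextRID, probes rIDNextRID+1, +2, ... in the UCS LDAP and
reports every RID that is already taken. Nothing is written to sam.ldb.
"""
import subprocess


def parse_ldif(text):
    """Parse the plain LDIF printed by ldbsearch / univention-ldapsearch
    (no base64 values) into a list of {attribute: [values]} dicts."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):                 # ldbsearch adds "# record 1" etc.
            continue
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key:    # folded continuation line
            current[last_key][-1] += line[1:]
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def diagnose(domain, rid_next, lookup, max_probe=100):
    """Probe rid_next+1, rid_next+2, ... with lookup(sambaSID) -> dn or None.

    Samba allocates rid_next+1 next, so every occupied RID above rid_next is a
    conflict. Returns (value rIDNextRID should hold, [(rid, dn), ...]); the
    walk stops at the first free RID and after max_probe lookups."""
    conflicts = []
    for rid in range(rid_next + 1, rid_next + 1 + max_probe):
        dn = lookup("%s-%d" % (domain, rid))
        if dn is None:
            break                                # first free RID: Samba may use it
        conflicts.append((rid, dn))
    should_be = conflicts[-1][0] if conflicts else rid_next
    return should_be, conflicts


def fix_ldif(rid_set_dn, new_rid):
    """LDIF that raises rIDNextRID, for `ldbmodify -H /var/lib/samba/private/sam.ldb`
    (an alternative to editing the record interactively with ldbedit)."""
    return ("dn: %s\nchangetype: modify\nreplace: rIDNextRID\nrIDNextRID: %d\n"
            % (rid_set_dn, new_rid))


# Constructed sample data, reusing the values shown in the article above.
SAMPLE_RID_SET = """\
# record 1
dn: CN=RID Set,CN=MASTER,OU=Domain Controllers,DC=schein,DC=ig
rIDAllocationPool: 1100-1599
rIDNextRID: 1161

# returned 1 records
"""
SAMPLE_DOMAIN_SID = "S-1-5-21-2438365080-1175145288-4246282840"
SAMPLE_DIRECTORY = {                             # sambaSID -> dn, as univention-ldapsearch would answer
    SAMPLE_DOMAIN_SID + "-1161": "uid=b.baumann,cn=users,dc=schein,dc=ig",
    SAMPLE_DOMAIN_SID + "-1162": "uid=l.croft,cn=users,dc=schein,dc=ig",
}


def check_sample():
    """Offline run of the check against the constructed sample (hypothetical helper)."""
    rid_next = int(parse_ldif(SAMPLE_RID_SET)[0]["rIDNextRID"][0])   # 1161
    return diagnose(SAMPLE_DOMAIN_SID, rid_next, SAMPLE_DIRECTORY.get)


def ucs_lookup(samba_sid):
    """Resolve a sambaSID to its DN in the UCS LDAP (needs a UCS host)."""
    out = subprocess.check_output(
        ["univention-ldapsearch", "-LLL", "sambaSID=%s" % samba_sid, "dn"],
        universal_newlines=True)
    entries = parse_ldif(out)
    return entries[0]["dn"][0] if entries else None


def main():
    """Real check on a UCS DC; prints the conflicts and a suggested ldbmodify LDIF."""
    def ucr(key):
        return subprocess.check_output(["ucr", "get", key], universal_newlines=True).strip()
    base = "CN=%s,OU=Domain Controllers,%s" % (ucr("hostname"), ucr("ldap/base"))
    rid_set = parse_ldif(subprocess.check_output(
        ["ldbsearch", "-H", "/var/lib/samba/private/sam.ldb", "CN=RID Set",
         "-b", base, "rIDNextRID"], universal_newlines=True))[0]
    domain = parse_ldif(subprocess.check_output(
        ["univention-ldapsearch", "-xLLL", "sambaDomainName=*", "sambaSID"],
        universal_newlines=True))[0]["sambaSID"][0]
    rid_next = int(rid_set["rIDNextRID"][0])
    should_be, conflicts = diagnose(domain, rid_next, ucs_lookup)
    print("rIDNextRID=%d owner: %s" % (rid_next, ucs_lookup("%s-%d" % (domain, rid_next))))
    for rid, dn in conflicts:
        print("conflict: RID %d already used by %s" % (rid, dn))
    if conflicts:
        print("suggested fix, review before piping into ldbmodify -H /var/lib/samba/private/sam.ldb:")
        print(fix_ldif(rid_set["dn"][0], should_be))
    else:
        print("RID Set is consistent")


if __name__ == "__main__":
    main()
```

On the article's data `check_sample()` returns `(1162, [(1162, "uid=l.croft,cn=users,dc=schein,dc=ig")])`, i.e. rIDNextRID must be raised to 1162, which matches the record shown after the ldbedit above. Because the walk continues until the first free RID, the same logic also reports several consecutive occupied RIDs and suggests the highest one, and it stops after `max_probe` lookups so an inconsistent directory cannot make it loop forever.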