Problem:
The s4-connector on a school replica has a reject when synchronising the primary DC object into the ucsschool replica. (This reject may have been present for a long time.)
Failed to re-index objectSid
15.03.2026 00:00:05.129 LDAP (PROCESS): sync UCS > AD: [ dc] [ add] 'cn=UCS,ou=Domain Controllers,DC=EXAMPLE,DC=ORG'
15.03.2026 00:00:05.134 LDAP (PROCESS): sync_from_ucs: error during add, searching for conflicting deleted object in S4
15.03.2026 00:00:05.135 LDAP (PROCESS): sync_from_ucs: no conflicting deleted object found
15.03.2026 00:00:05.137 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1717684575.583122
15.03.2026 00:00:05.140 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 828, in __sync_file_from_ucs
    if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new):
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 2070, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(object['dn'], addlist, serverctrls=ctrls)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 414, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONSTRAINT_VIOLATION: {'desc': 'Constraint violation', 'info': '0000202F: ../../lib/ldb/ldb_key_value/ldb_kv_index.c:3065: Failed to re-index objectSid in CN=UCS,OU=Domain Controllers,DC=example,DC=org - ../../lib/ldb/ldb_key_value/ldb_kv_index.c:2910: unique index violation on objectSid in CN=UCS,OU=Domain Controllers,DC=example,DC=org'}
UCS rejected
1: UCS DN: cn=ucs,cn=dc,cn=computers,dc=example,dc=org
   S4 DN: <not found>
   Filename: /var/lib/univention-connector/s4/1492506428.710477
S4 rejected
last synced USN: 86693
Investigation:
The SIDs were valid domain SIDs, but the RIDs differed/conflicted on the Slaves:
UCS Master:
dn: cn=ucs-327,cn=dc,cn=server,cn=computers,ou=327,dc=example,dc=org
sambaSID: S-1-5-21-2422323242-444428286-1234123112-54538
objectSID: S-1-5-21-2422323242-444428286-1234123112-54538
dn: cn=ucs,cn=dc,cn=computers,dc=example,dc=org
sambaSID: S-1-5-21-2422323242-444428286-1234123112-1000
objectSid: S-1-5-21-2422323242-444428286-1234123112-1000
-> OK
UCS@school Slave:
dn: cn=ucs-327,cn=dc,cn=server,cn=computers,ou=327,dc=example,dc=org
sambaSID: S-1-5-21-2422323242-444428286-1234123112-54538
objectSid: S-1-5-21-2422323242-444428286-1234123112-1000
dn: cn=ucs,cn=dc,cn=computers,dc=example,dc=org
sambaSID: S-1-5-21-2422323242-444428286-1234123112-1000
objectSid: -> Object "ucs" not present in Samba/AD
-> Not OK
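The comparison above can be scripted. The following Python sketch is an added example, not part of the original article or of the UCS tooling: it assumes the sambaSID and objectSid values have already been collected into a listing in the form shown above, the function names are hypothetical, and the sample input is constructed from the replica listing on this page.

```python
import re

# A domain SID: S-1-5-21, three domain sub-authorities, then the RID.
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")

# Constructed sample: the replica listing from the investigation above.
REPLICA = """\
dn: cn=ucs-327,cn=dc,cn=server,cn=computers,ou=327,dc=example,dc=org
sambaSID: S-1-5-21-2422323242-444428286-1234123112-54538
objectSid: S-1-5-21-2422323242-444428286-1234123112-1000
dn: cn=ucs,cn=dc,cn=computers,dc=example,dc=org
sambaSID: S-1-5-21-2422323242-444428286-1234123112-1000
objectSid: -> Object "ucs" not present in Samba/AD
"""

def parse_entries(text):
    """Return {dn: {attribute_lowercase: value}} from 'attr: value' lines."""
    entries, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current[key] = value
    return entries

def find_sid_conflicts(entries):
    """Compare sambaSID (UCS LDAP) with objectSid (Samba/AD) per DN."""
    owner = {e["sambasid"]: dn for dn, e in entries.items() if "sambasid" in e}
    findings = []
    for dn, e in entries.items():
        want, have = e.get("sambasid"), e.get("objectsid", "")
        if not SID_RE.match(have):
            findings.append(("missing", dn, None))
        elif have != want:
            # The SID this object holds in Samba/AD belongs to another DN,
            # whose add is then rejected with a unique index violation.
            findings.append(("mismatch", dn, owner.get(have)))
    return findings

if __name__ == "__main__":
    for kind, dn, blocked in find_sid_conflicts(parse_entries(REPLICA)):
        print(kind, dn, "blocks:", blocked)
```

A "mismatch" finding names the object to resync; its third field is the DN whose add is blocked by the duplicate objectSid.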
Solution:
In this case it was sufficient to manually trigger a resync of the UCS@school Slave object on the ucsschool replica.
/usr/share/univention-s4-connector/resync_object_from_ucs.py cn=ucs-327,cn=dc,cn=server,cn=computers,ou=327,dc=example,dc=org
This corrected the RID of the UCS@school Slave in Samba/AD (objectSid). The S4 reject of the Master was then resolved automatically during the next resync interval for S4 rejects.