Problem:
You find the following kind of reject in univention-s4connector-list-rejected:
UCS rejected
1: UCS DN: cn=sun-Abg,cn=klassen,cn=schueler,cn=groups,ou=sun,dc=schein,dc=de
S4 DN: cn=sun-abg,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=ig
Filename: /var/lib/univention-connector/s4/1561549699.941943
and this traceback in /var/log/univention/connector-s4.log:
01.07.2019 09:39:01.754 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1561549699.941943
01.07.2019 09:39:01.755 LDAP (PROCESS): __sync_file_from_ucs: Object with entryUUID 0a494220-26f4-1039-9bfd-1b55c5be503f has been removed before but became visible again.
01.07.2019 09:39:01.759 LDAP (PROCESS): sync from ucs: [ group] [ add] cn=sun-abg,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=ig
01.07.2019 09:39:01.792 LDAP (ERROR ): sync_from_ucs: traceback during add object: cn=sun-abg,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=ig
01.07.2019 09:39:01.793 LDAP (ERROR ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'group']), ('objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x84!\xaa\x92\xb0\xeb^\x1a\x18.\x99^\xf1\x7f\x00\x00']), ('sAMAccountName', [u'sun-Abg'])]
01.07.2019 09:39:01.808 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1561549699.941943
01.07.2019 09:39:01.808 LDAP (WARNING): Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 910, in __sync_file_from_ucs
if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2559, in sync_from_ucs
self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls) # FIXME encoding
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 195, in add_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: ../../ldb_key_value/ldb_kv_index.c:2506: Failed to re-index objectSid in CN=sun-abg,CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,DC=ig - ../../ldb_key_value/ldb_kv_index.c:2351: unique index violation on objectSid in CN=sun-abg,CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,DC=de', 'desc': 'Constraint violation'}
Investigation:
The messages:
__sync_file_from_ucs: Object with entryUUID 0a494220-26f4-1039-9bfd-1b55c5be503f has been removed before but became visible again.
and
CONSTRAINT_VIOLATION: {'info': '0000202F: ../../ldb_key_value/ldb_kv_index.c:2506: Failed to re-index objectSid in CN=sun-abg,CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,DC=ig - ../../ldb_key_value/ldb_kv_index.c:2351: unique index violation on objectSid in CN=sun-abg,CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,DC=de', 'desc': 'Constraint violation'}
indicate that the object was deleted and is now to be recreated, so the objectSid is already in use by a Samba 4 object. This may be the same object, but we have to make sure:
First: search for the object in LDAP:
root@master:~# univention-ldapsearch cn=sun-abg sambaSID -LLL
dn: cn=sun-Abg,cn=klassen,cn=schueler,cn=groups,ou=sun,dc=schein,dc=de
sambaSID: S-1-5-21-1965273560-2518893881-2166918580-11225
Second: use the sambaSID for the Samba 4 search:
root@master:~# univention-s4search objectSID=S-1-5-21-1965273560-2518893881-2166918580-11225 --show-deleted --cross-ncs
# record 1
dn: cn=sun-abg\0ADEL:7815db36-20ec-492b-a92f-cc5e6c3afc5d,CN=Deleted Objects,DC=schein,DC=ig
objectClass: top
objectClass: group
instanceType: 4
whenCreated: 20190619154637.0Z
whenChanged: 20190619154637.0Z
uSNCreated: 850174
objectGUID: 7815db36-20ec-492b-a92f-cc5e6c3afc5d
objectSid: S-1-5-21-1965273560-2518893881-2166918580-11225
sAMAccountName: sun-Abg
groupType: -2147483646
isDeleted: TRUE
lastKnownParent: CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,
 DC=ig
isRecycled: TRUE
cn:: ZnNfc2ZqdC1hYmcKREVMOjc4MTVkYjM2LTIwZWMtNDkyYi1hOTJmLWNjNWU2YzNhZmM1ZA==
name:: ZnNfc2ZqdC1hYmcKREVMOjc4MTVkYjM2LTIwZWMtNDkyYi1hOTJmLWNjNWU2YzNhZmM1ZA=
 =
uSNChanged: 850176
distinguishedName: cn=sun-abg\0ADEL:7815db36-20ec-492b-a92f-cc5e6c3afc5d,CN=Deleted Objects,DC=schein,DC=ig
This is the same object. You now have two choices:
Solution:
Reanimate the object (Tombstone reanimation)
This has to be done on the system with the s4-connector installed. (This can be the master or a slave in ucs@school environments.)
To reanimate the object, you have to do this via ldbmodify, in the exact order shown:
- The dn is the DN of the deleted object, which was found with the SID in Samba 4.
- The distinguishedName is the path where the object was located before. You can take it from the univention-s4connector-list-rejected output.
ldbmodify -H /var/lib/samba/private/sam.ldb --cross-ncs --show-deleted <<%EOF
dn: cn=sun-abg\0ADEL:7815db36-20ec-492b-a92f-cc5e6c3afc5d,CN=Deleted Objects,DC=schein,DC=ig
changetype: modify
delete: isDeleted
-
replace: distinguishedName
distinguishedName: cn=sun-abg,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=ig
%EOF
This should give you a successful modification of the object. After that, check that the reject is gone (ls -l /var/lib/univention-connector/s4/1561549699.941943) and that the object now exists in Samba 4.
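The checks from the investigation can be scripted before the LDIF is handed to ldbmodify. The following is an added example, not part of the original article or of Univention's tooling: it parses univention-s4search output, confirms that the record is a deleted object carrying the expected SID and that the target DN lies below lastKnownParent, and only then builds the LDIF. The function names are hypothetical, the sample input is constructed from the output shown above, and the RDN is assumed to contain no escaped comma.

```python
import re

# Constructed sample: trimmed univention-s4search output from the article,
# with LDIF folding intact (continuation lines start with one space).
SAMPLE = r"""# record 1
dn: cn=sun-abg\0ADEL:7815db36-20ec-492b-a92f-cc5e6c3afc5d,CN=Deleted Objects,DC=schein,DC=ig
objectSid: S-1-5-21-1965273560-2518893881-2166918580-11225
isDeleted: TRUE
lastKnownParent: CN=klassen,CN=schueler,CN=groups,OU=sun,DC=schein,
 DC=ig
"""
EXPECTED_SID = "S-1-5-21-1965273560-2518893881-2166918580-11225"  # sambaSID from UCS LDAP
TARGET_DN = "cn=sun-abg,cn=klassen,cn=schueler,cn=groups,ou=sun,DC=schein,DC=ig"  # S4 DN of the reject

def parse_records(ldif):
    """Return one {attribute: [values]} dict per record (base64 values stay encoded)."""
    records, current = [], {}
    unfolded = re.sub(r"\n ", "", ldif)  # join folded lines
    for line in unfolded.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.lstrip(": "))
    return records

def build_reanimation_ldif(record, expected_sid, target_dn):
    """Validate the tombstone, then return the LDIF for ldbmodify."""
    deleted_dn = record["dn"][0]
    if record.get("isDeleted") != ["TRUE"] or "\\0ADEL:" not in deleted_dn:
        raise ValueError("record is not a deleted object")
    if record.get("objectSid") != [expected_sid]:
        raise ValueError("objectSid differs from the UCS sambaSID")
    parent = target_dn.split(",", 1)[1]  # assumes no escaped comma in the RDN
    if parent.lower() != record.get("lastKnownParent", [""])[0].lower():
        raise ValueError("target DN is not below lastKnownParent")
    # Order matters: delete isDeleted first, then replace distinguishedName.
    return "\n".join(["dn: " + deleted_dn, "changetype: modify",
                      "delete: isDeleted", "-", "replace: distinguishedName",
                      "distinguishedName: " + target_dn, ""])

if __name__ == "__main__":
    print(build_reanimation_ldif(parse_records(SAMPLE)[0], EXPECTED_SID, TARGET_DN))
```

If any check raises, compare the sambaSID and the reject's S4 DN again before modifying sam.ldb.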
Final deletion of the object…
…so it can be recreated again. BUT
Attention: the final deletion of objects can lead to problems, especially if they are DRS replication participants.
ldbdel -H /var/lib/samba/private/sam.ldb --relax --cross-ncs 'cn=sun-abg\0ADEL:7815db36-20ec-492b-a92f-cc5e6c3afc5d,CN=Deleted Objects,DC=schein,DC=ig'
If this error occurs again, please also check if the errata update UCS 5.0 - 745 has been installed. More details can be found in the original bug report: Bug #56309.