Problem: Remove S4 Connector Rejects Which Does Not Exist in LDAP

s4-connector
problem
ucs4

Problem:

You see S4-Connector rejects but you are not able to remove them based on this article.

Investigation

Step 1

Identify the object DNs of the rejects:

root@dc-01:~# univention-s4connector-list-rejected

UCS rejected

S4 rejected

1:    S4 DN: CN=EU.MULTI.UCS,CN=Computers,DC=eu,DC=multi,DC=ucs
UCS DN: <not found>
2:    S4 DN: CN=EU.MULTI.UCS,CN=Computers,DC=eu,DC=multi,DC=ucs
UCS DN: <not found>

last synced USN: 254054

Step 2

Check if the object exists in OpenLDAP:

root@dc-01:/~# univention-ldapsearch -b CN=EU.MULTI.UCS,CN=Computers,DC=eu,DC=multi,DC=ucs -LLL
No such object (32)
Matched DN: cn=computers,dc=eu,dc=multi,dc=ucs

In this example the object is not found in OpenLDAP.

Step 3

Check if the object exists in Samba:

root@dc-01:/~ # univention-s4search -b CN=EU.MULTI.UCS,CN=Computers,DC=eu,DC=multi,DC=ucs
# record 1
dn: CN=EU.MULTI.UCS,CN=Computers,DC=eu,DC=multi,DC=ucs
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: EU.MULTI.UCS
[...]
distinguishedName: CN=EU.MULTI.UCS,CN=Computers,DC=eu,DC=multi,DC=ucs

Here, the object is found in Samba-LDAP.

Step 4

Trying to remove the reject with the provided scripts (either one) fails with an error, because the object does not exist in OpenLDAP:

root@dc-01:~# /usr/share/univention-s4-connector/remove_ucs_rejected.py cn=EU.MULTI.UCS,CN=Computers,dc=eu,dc=multi,dc=ucs
ERROR: The object cn=EU.MULTI.UCS,CN=Computers,dc=eu,dc=multi,dc=ucs was not found.

root@dc-01:~# /usr/share/univention-s4-connector/remove_s4_rejected.py cn=EU.MULTI.UCS,CN=Computers,dc=eu,dc=multi,dc=ucs
ERROR: The object cn=EU.MULTI.UCS,CN=Computers,dc=eu,dc=multi,dc=ucs was not found.

Additionally, you might notice the following error messages in /var/log/univention/connector-s4.log:

31.05.2019 13:15:11,187 LDAP        (PROCESS): sync to ucs: Resync rejected dn: cn=EU.MULTI.UCS,CN=Computers,dc=eu,dc=multi,dc=ucs
31.05.2019 13:15:11,194 LDAP        (PROCESS): sync to ucs:   [windowscomputer] [       add] cn=EU.MULTI.UCS,CN=Computers,dc=eu,dc=multi,dc=ucs
31.05.2019 13:15:11,267 LDAP        (ERROR  ): InvalidSyntax: Windows workstation/server name: A host name or FQDN must start and end with a letter or number. In between additionally dashes, dots and underscores are allowed. (cn=EU.MULTI.UCS,CN=Computers,dc=eu,dc=multi,dc=ucs)

The logfile points us to the root cause of the issue: a computer object has been created whose name does not follow the allowed syntax. Here it is a fully qualified domain name instead of just the computer name.
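As an added example (not part of this article and not one of the UCS tools), the following Python helper parses the listing format shown in Step 1 and triages each reject: an S4 reject with no UCS DN whose CN contains a dot is flagged as the "FQDN used as computer name" case that the remove scripts cannot handle. The sample listing is constructed after the Step 1 output, and the dot-in-name rule is an assumption that mirrors this article's finding, not the UDM syntax check the connector actually applies.

```python
import re

# Constructed sample modelled on the Step 1 listing (not real tool output).
SAMPLE_OUTPUT = """\
UCS rejected

S4 rejected

1:    S4 DN: CN=EU.MULTI.UCS,CN=Computers,DC=eu,DC=multi,DC=ucs
UCS DN: <not found>
2:    S4 DN: CN=WS-042,CN=Computers,DC=eu,DC=multi,DC=ucs
UCS DN: cn=ws-042,cn=computers,dc=eu,dc=multi,dc=ucs

last synced USN: 254054
"""

ENTRY_RE = re.compile(r"^(\d+):\s+(S4|UCS) DN:\s*(.*)$")   # "1:    S4 DN: ..."
CONT_RE = re.compile(r"^(S4|UCS) DN:\s*(.*)$")             # "UCS DN: ..." on the next line
USN_RE = re.compile(r"^last synced USN:\s*(\d+)$")


def _dn_or_none(value):
    """The tool prints '<not found>' when the counterpart object is missing."""
    value = value.strip()
    return None if value == "<not found>" else value


def parse_rejects(text):
    """Parse univention-s4connector-list-rejected output.

    Returns (rejects, usn): a list of dicts with keys index, section,
    s4_dn, ucs_dn, and the 'last synced USN' value (or None)."""
    rejects, section, usn = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line in ("UCS rejected", "S4 rejected"):
            section = line
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = {"index": int(m.group(1)), "section": section,
                     "s4_dn": None, "ucs_dn": None}
            entry[m.group(2).lower() + "_dn"] = _dn_or_none(m.group(3))
            rejects.append(entry)
            continue
        m = CONT_RE.match(line)
        if m and rejects:
            rejects[-1][m.group(1).lower() + "_dn"] = _dn_or_none(m.group(2))
            continue
        m = USN_RE.match(line)
        if m:
            usn = int(m.group(1))
    return rejects, usn


def rdn_value(dn):
    """Value of the first RDN, e.g. 'EU.MULTI.UCS' for 'CN=EU.MULTI.UCS,CN=...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1]


def classify(reject):
    """Heuristic triage of one reject.

    Assumption: the dot test reflects this article's root cause (an FQDN
    stored as the computer name); it is not the connector's own syntax check."""
    if reject["ucs_dn"] is not None:
        return "paired"            # known on both sides: remove_*_rejected.py applies
    if reject["s4_dn"] and "." in rdn_value(reject["s4_dn"]):
        return "orphan-fqdn-name"  # Samba-only object whose name looks like an FQDN
    return "orphan"                # one side only: check OpenLDAP and Samba by hand


if __name__ == "__main__":
    entries, last_usn = parse_rejects(SAMPLE_OUTPUT)
    for entry in entries:
        print(entry["index"], classify(entry), entry["s4_dn"] or entry["ucs_dn"])
    print("last synced USN:", last_usn)
```

On a real system, feed the helper the captured output of univention-s4connector-list-rejected instead of SAMPLE_OUTPUT; the "orphan-fqdn-name" verdict only tells you which rejects to verify with univention-ldapsearch and univention-s4search as in Steps 2 and 3.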

Solution

Remove the object directly from the Samba database with the ldbdel command:

root@dc-01:~# /etc/init.d/samba stop
root@dc-01:~# ldbdel -H /var/lib/samba/private/sam.ldb "cn=EU.MULTI.UCS,CN=Computers,dc=eu,dc=multi,dc=ucs"
root@dc-01:~# /etc/init.d/samba start
