Problem: S4 Connector Rejects Due to LDAP Constraint Violation on objectSid

Problem Description:

In a UCS environment with a primary (ucs5primary) and a replica (ucs5replica) DC, the S4 Connector reported rejects for unsynchronized objects. The primary DC object could not be added or modified in Samba/AD because its SID collided with Samba's unique index on objectSid. Investigation revealed that the replica's objectSid in Samba did not match its sambaSID in UCS LDAP: Samba held the primary's SID (RID 1000) for the replica object, so every attempt to create the primary in Samba hit the constraint violation and was saved as a reject in the connector logs.

Key Points:

  • UCS primary and replica DCs exist in the same domain.
  • S4 Connector rejects occurred for the primary DC (ucs5primary).
  • Connector logs indicate CONSTRAINT_VIOLATION due to objectSid duplication.
  • Replica DC’s Samba objectSid did not match its LDAP entry, preventing proper synchronization.

UCS Version: 5.x

Affected Hosts:

  • UCS Primary DC: ucs5primary
  • UCS Replica: ucs5replica

Error in the system diagnostic module:

During S4 Connector checks, the following error appears:

############################# Start 43_connectors4_rejects ############################
## Check failed: 43_connectors4_rejects - Nicht synchronisierte S4 Connector Objekte ##
1 nicht synchronisierte UCS Objekte und 0 nicht synchronisierte S4 Objekte. Weitere Hinweise finden Sie unter Univention Support Database - Wie mit S4-Connector Konflikten umgehen (https://help.univention.com/t/how-to-deal-with-s4-connector-rejects/33).
Nicht synchronisierte UCS Objekte:
UCS DN: cn=ucs5primary,cn=dc,cn=computers,dc=example,dc=com, S4 DN: nicht gefunden, Dateiname: /var/lib/univention-connector/s4/1760525315.836549
############################## End 43_connectors4_rejects #############################

Rejected Objects List:

root@ucs5replica:~/univention-support# univention-s4connector-list-rejected

UCS rejected

    1:   UCS DN: cn=ucs5primary,cn=dc,cn=computers,dc=example,dc=com
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1760525315.836549

    2:   UCS DN: cn=ucs5primary,cn=dc,cn=computers,dc=example,dc=com
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1760915154.325939

    3:   UCS DN: cn=ucs5primary,cn=dc,cn=computers,dc=example,dc=com
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1760915169.653103

Connector-s4 Log:

/var/log/univention/connector-s4.log

15.10.2025 12:59:29.285 LDAP        (PROCESS): sync UCS > AD: [            dc] [       add] 'cn=ucs5primary,ou=Domain Controllers,DC=EXAMPLE,DC=COM'
15.10.2025 12:59:29.290 LDAP        (PROCESS): sync_from_ucs: error during add, searching for conflicting deleted object in S4
15.10.2025 12:59:29.291 LDAP        (PROCESS): sync_from_ucs: no conflicting deleted object found
15.10.2025 12:59:29.293 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1760525315.836549
15.10.2025 12:59:29.293 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 828, in __sync_file_from_ucs
    if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new):
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 2070, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(object['dn'], addlist, serverctrls=ctrls)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 414, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONSTRAINT_VIOLATION: {'desc': 'Constraint violation', 'info': 'unique index violation on objectSid in CN=ucs5primary,OU=Domain Controllers,DC=example,DC=com'}


Investigation:

Commands and output on primary host:

root@ucs5primary:~/univention-support# univention-ldapsearch cn=ucs5primary sambaSID -LLL
dn: cn=ucs5primary,cn=dc,cn=computers,dc=example,dc=com
sambaSID: S-1-5-21-262092250-3554280320-960752464-1000

root@ucs5primary:~/univention-support# univention-s4search cn=ucs5primary objectSid
dn: CN=UCS5PRIMARY,OU=Domain Controllers,DC=example,DC=com
objectSid: S-1-5-21-262092250-3554280320-960752464-1000

root@ucs5primary:~/univention-support# univention-ldapsearch cn=ucs5replica sambaSID -LLL
dn: cn=ucs5replica,cn=dc,cn=server,cn=computers,ou=FSGE,dc=example,dc=com
sambaSID: S-1-5-21-262092250-3554280320-960752464-51946

root@ucs5primary:~/univention-support# univention-s4search cn=ucs5replica objectSid
dn: CN=UCS5REPLICA,OU=Domain Controllers,DC=example,DC=com
objectSid: S-1-5-21-262092250-3554280320-960752464-1000

Additional checks from replica host:

root@ucs5replica:~/univention-support# univention-ldapsearch cn=ucs5primary sambaSID -LLL
dn: cn=ucs5primary,cn=dc,cn=computers,dc=example,dc=com
sambaSID: S-1-5-21-262092250-3554280320-960752464-1000

root@ucs5replica:~/univention-support# univention-ldapsearch cn=ucs5replica sambaSID -LLL
dn: cn=ucs5replica,cn=dc,cn=server,cn=computers,ou=FSGE,dc=example,dc=com
sambaSID: S-1-5-21-262092250-3554280320-960752464-51946

root@ucs5replica:~/univention-support# univention-s4search cn=ucs5replica objectSid
dn: CN=UCS5REPLICA,OU=Domain Controllers,DC=example,DC=com
objectSid: S-1-5-21-262092250-3554280320-960752464-1000
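
The investigation above boils down to two checks: for each DC, does the sambaSID in UCS OpenLDAP equal the objectSid in Samba, and does any objectSid appear twice in Samba (which is what the unique index in the traceback refused)? The following script is an added example, not part of the original article or of UCS; it parses LDIF-style output of the kind quoted above, reports mismatches and duplicates, and, when run on a UCS DC, queries the live directories. Assumptions: univention-ldapsearch and univention-s4search are on the PATH on a DC (the live part is skipped elsewhere), the objectClass filter univentionDomainController selects the DC objects, and the embedded sample LDIF is constructed from the outputs in the article.

```sh
#!/bin/sh
# Added example (not from the article): detect sambaSID/objectSid divergence
# and duplicate objectSid values before the S4 Connector produces rejects.

# Print every value of one attribute from LDIF text on stdin.
# Attribute names are matched case-insensitively, as LDAP does. Only the
# plain "attr: value" form is handled (the article's tools print SIDs as
# strings); base64 "attr:: value" lines are ignored.
ldif_attr() {
    awk -v want="$(printf '%s:' "$1" | tr 'A-Z' 'a-z')" \
        'tolower($1) == want { print $2 }'
}

# Compare the UCS sambaSID and the Samba objectSid for one host.
# Returns 0 when they match, 1 on mismatch or when either side is missing.
sid_check() {
    host="$1"; ucs_ldif="$2"; s4_ldif="$3"
    ucs_sid=$(printf '%s\n' "$ucs_ldif" | ldif_attr sambaSID | head -n 1)
    s4_sid=$(printf '%s\n' "$s4_ldif" | ldif_attr objectSid | head -n 1)
    if [ -z "$ucs_sid" ] || [ -z "$s4_sid" ]; then
        echo "$host: missing SID (UCS='$ucs_sid' Samba='$s4_sid')"
        return 1
    fi
    if [ "$ucs_sid" = "$s4_sid" ]; then
        echo "$host: OK $ucs_sid"
        return 0
    fi
    echo "$host: MISMATCH UCS sambaSID=$ucs_sid Samba objectSid=$s4_sid"
    return 1
}

# Print objectSid values that occur more than once in the LDIF on stdin.
# Samba's unique index on objectSid rejects exactly this situation.
duplicate_sids() {
    ldif_attr objectSid | sort | uniq -d
}

# Live variant for a UCS DC: query both directories for one host.
sid_check_live() {
    host="$1"
    sid_check "$host" \
        "$(univention-ldapsearch -LLL "cn=$host" sambaSID)" \
        "$(univention-s4search "cn=$host" objectSid)"
}

# Constructed sample output, taken from the investigation in the article.
UCS_PRIMARY='dn: cn=ucs5primary,cn=dc,cn=computers,dc=example,dc=com
sambaSID: S-1-5-21-262092250-3554280320-960752464-1000'
S4_PRIMARY='dn: CN=UCS5PRIMARY,OU=Domain Controllers,DC=example,DC=com
objectSid: S-1-5-21-262092250-3554280320-960752464-1000'
UCS_REPLICA='dn: cn=ucs5replica,cn=dc,cn=server,cn=computers,ou=FSGE,dc=example,dc=com
sambaSID: S-1-5-21-262092250-3554280320-960752464-51946'
S4_REPLICA='dn: CN=UCS5REPLICA,OU=Domain Controllers,DC=example,DC=com
objectSid: S-1-5-21-262092250-3554280320-960752464-1000'

# Offline demonstration: the primary passes, the replica is the mismatch,
# and the two Samba records share one objectSid.
sid_check ucs5primary "$UCS_PRIMARY" "$S4_PRIMARY"
sid_check ucs5replica "$UCS_REPLICA" "$S4_REPLICA" || true
printf '%s\n\n%s\n' "$S4_PRIMARY" "$S4_REPLICA" | duplicate_sids | \
    sed 's/^/duplicate objectSid in Samba: /'

# On a real UCS DC, check every DC object (assumed objectClass filter).
if command -v univention-ldapsearch >/dev/null 2>&1 && \
   command -v univention-s4search >/dev/null 2>&1; then
    for dc in $(univention-ldapsearch -LLL 'objectClass=univentionDomainController' cn | ldif_attr cn); do
        sid_check_live "$dc" || true
    done
    univention-s4search 'objectClass=computer' objectSid | duplicate_sids | \
        sed 's/^/duplicate objectSid in Samba: /'
fi
```

Run it on the replica (where the connector runs) before stopping the connector for a reject analysis; a MISMATCH line names the host whose Samba object needs the ldbedit correction, and a duplicate line shows which SID the unique index will refuse.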

Solution:

Disclaimer

:warning: Warning: This procedure involves direct modifications of the Samba backend.
No automatic validation is performed. Manual edits to the Samba database entries must be performed carefully and conscientiously to avoid inconsistencies or data loss.

Correct the SID of the replica in Samba via ldbedit:

ldbedit -H /var/lib/samba/private/sam.ldb --controls=provision:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.3:0 -b "CN=UCS5REPLICA,OU=Domain Controllers,DC=example,DC=com"

Set objectSid to match UCS sambaSID:

dn: CN=UCS5REPLICA,OU=Domain Controllers,DC=example,DC=com
objectSid: S-1-5-21-262092250-3554280320-960752464-51946

Verification

/var/log/univention/connector-s4.log
24.10.2025 15:49:19.103 LDAP        (PROCESS): sync AD > UCS: [dc] [modify] 'cn=ucs5replica,cn=dc,cn=server,cn=computers,ou=fsge,dc=example,dc=com'
24.10.2025 15:49:36.775 MAIN        (------ ): DEBUG_INIT
24.10.25 15:49:36.775  DEBUG_INIT
24.10.25 15:49:36.799  DEBUG_EXIT
24.10.2025 15:50:10.365 LDAP        (PROCESS): sync UCS > AD: Resync rejected file: /var/lib/univention-connector/s4/1760525315.836549
24.10.2025 15:50:10.367 LDAP        (PROCESS): sync UCS > AD: [dc] [add] 'cn=ucs5primary,ou=Domain Controllers,DC=EXAMPLE,DC=COM'
24.10.2025 15:50:10.404 LDAP        (PROCESS): sync UCS > AD: Resync rejected file: /var/lib/univention-connector/s4/1760915154.325939
24.10.2025 15:50:10.406 LDAP        (PROCESS): sync UCS > AD: [dc] [modify] 'cn=ucs5primary,ou=domain controllers,DC=example,DC=com'
24.10.2025 15:50:10.413 LDAP        (PROCESS): sync UCS > AD: Resync rejected file: /var/lib/univention-connector/s4/1760915169.653103
24.10.2025 15:50:10.414 LDAP        (PROCESS): sync UCS > AD: [dc] [modify] 'cn=ucs5primary,ou=domain controllers,DC=example,DC=com'
24.10.2025 15:50:15.447 LDAP        (PROCESS): sync AD > UCS: [dc] [modify] 'cn=ucs5primary,cn=dc,cn=computers,dc=example,dc=com'
24.10.2025 15:50:19.639 MAIN        (------ ): DEBUG_INIT
24.10.25 15:50:19.639  DEBUG_INIT
24.10.25 15:50:19.664  DEBUG_EXIT
root@ucs5replica:~/univention-support# univention-s4connector-list-rejected

UCS rejected


S4 rejected


There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.

        last synced USN: 8933
root@ucs5replica:~/univention-support# univention-s4search cn=ucs5primary dn objectSid
# record 1
dn: CN=ucs5primary,OU=Domain Controllers,DC=example,DC=com
objectSid: S-1-5-21-262092250-3554280320-960752464-1000

root@ucs5replica:~/univention-support# univention-s4search cn=ucs5replica dn objectSid
# record 1
dn: CN=UCS5REPLICA,OU=Domain Controllers,DC=example,DC=com
objectSid: S-1-5-21-262092250-3554280320-960752464-51946

Result

:white_check_mark: S4 Connector rejects for the primary DC ucs5primary were resolved after correcting the replica's objectSid. No rejected objects remain.