Problem: S4 connector rejects: primary_group_sid = decode_sid ... NoneType object is not subscriptable

Problem

We have many S4 connector rejects and tracebacks in the connector-s4.log like this:

22.11.2024 12:46:28.912 LDAP        (PROCESS): sync UCS > AD: [          user] [    modify] 'cn=user.name,cn=schueler,cn=users,ou=schoolXY,DC=schule,DC=local'
22.11.2024 12:46:28.977 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1732275862.309002
22.11.2024 12:46:28.977 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 828, in __sync_file_from_ucs
    if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new):
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 2054, in sync_from_ucs
    con_create_extension(self, property_type, object, addlist, ctrls)
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 124, in add_primary_group_to_addlist
    primary_group_sid = decode_sid(ldap_object_ad_group['objectSid'][0])
TypeError: 'NoneType' object is not subscriptable

Investigation

We look up one of the rejected user objects and its sambaPrimaryGroupSID:

# univention-ldapsearch uid=user.name sambaPrimaryGroupSID
dn: uid=user.name,cn=......
sambaPrimaryGroupSID: S-1-5-21-12345-67890-12345-67890

Now we look up which object in the UCS LDAP carries this SID:

# univention-ldapsearch -LLL sambasid=S-1-5-21-12345-67890-12345-67890 dn
dn: cn=Domain Users schoolXY,cn=groups,ou=schoolXY,dc=schule,dc=local

We check if this group exists in Samba 4 (AD) and in the UCS LDAP:

univention-s4search cn="Domain Users schoolXY"
univention-ldapsearch cn="Domain Users schoolXY"

Result: the group object exists in the UCS LDAP (the SID lookup above already found it) but not in Samba 4 (AD). That is the lookup which returns None in the traceback above: add_primary_group_to_addlist searches the user's primary group in Samba 4 and gets ldap_object_ad_group = None, so the objectSid access fails.

Solution

We can trigger a resync of the group from UCS → Samba 4 (AD), which creates the missing group Domain Users schoolXY in Samba 4:

/usr/share/univention-s4-connector/resync_object_from_ucs.py "cn=Domain Users schoolXY,cn=groups,ou=schoolXY,dc=schule,dc=local" --first

With the --first flag the group is queued ahead of everything else, so it reaches Samba 4 before the connector retries the users that reference it.
Afterwards the connector was able to process the rejected users by itself.

Because there were many more rejects for users in other school OUs whose Domain Users groups were also missing from Samba 4, we triggered a wildcard (*) resync, so that the groups of all school OUs are present in Samba 4:

/usr/share/univention-s4-connector/resync_object_from_ucs.py --filter "cn=Domain Users *" --first
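To find every user reject of this kind before resyncing, it helps to triage connector-s4.log rather than opening reject files one by one. The following script is an added example and not part of the original post or of the S4 connector: it parses the log excerpt format shown in the Problem section, keeps only the rejects whose traceback carries the add_primary_group_to_addlist TypeError, derives the school OU from each user DN and prints the resync command for the per-OU group. The group DN it builds assumes the naming convention visible in the example above (cn=Domain Users <OU>,cn=groups,ou=<OU>,...); the log sample is constructed and the DN splitting is naive (escaped commas in DNs would need a real DN parser).

```python
"""Triage connector-s4.log for rejects caused by a primary group missing in Samba 4.

Added example, not connector code. Log sample below is constructed after the excerpt above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of connector-s4.log (not a real log): one reject with the signature,
# one reject with a different error, and one object that synced without a reject.
SAMPLE_LOG = """\
22.11.2024 12:46:28.912 LDAP        (PROCESS): sync UCS > AD: [          user] [    modify] 'cn=user.name,cn=schueler,cn=users,ou=schoolXY,DC=schule,DC=local'
22.11.2024 12:46:28.977 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1732275862.309002
22.11.2024 12:46:28.977 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 124, in add_primary_group_to_addlist
    primary_group_sid = decode_sid(ldap_object_ad_group['objectSid'][0])
TypeError: 'NoneType' object is not subscriptable
22.11.2024 12:46:29.100 LDAP        (PROCESS): sync UCS > AD: [          user] [    modify] 'cn=other.user,cn=lehrer,cn=users,ou=schoolZZ,DC=schule,DC=local'
22.11.2024 12:46:29.150 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1732275863.000001
22.11.2024 12:46:29.150 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 999, in some_other_step
SomeOtherError: unrelated failure (constructed)
22.11.2024 12:46:30.000 LDAP        (PROCESS): sync UCS > AD: [          user] [    modify] 'cn=fine.user,cn=schueler,cn=users,ou=schoolXY,DC=schule,DC=local'
"""

PROCESS_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) LDAP\s+\(PROCESS\): "
    r"sync UCS > AD: \[\s*(?P<otype>\w+)\] \[\s*(?P<action>\w+)\] '(?P<dn>[^']+)'$"
)
REJECT_MARK = "sync failed, saved as rejected"
# Traceback signature of this specific failure, taken from the excerpt in the Problem section.
SIGNATURE_FRAME = "in add_primary_group_to_addlist"
SIGNATURE_ERROR = "TypeError: 'NoneType' object is not subscriptable"


@dataclass
class Reject:
    timestamp: str
    object_type: str
    action: str
    dn: str
    reject_file: str | None = None
    traceback: list[str] = field(default_factory=list)

    @property
    def missing_primary_group(self) -> bool:
        """True if the traceback is the add_primary_group_to_addlist TypeError."""
        text = "\n".join(self.traceback)
        return SIGNATURE_FRAME in text and SIGNATURE_ERROR in text


def parse_log(text: str) -> list[Reject]:
    """Group each 'sync UCS > AD' line with the reject notice, reject file and traceback that follow it."""
    entries: list[Reject] = []
    current: Reject | None = None
    expect_path = False
    for line in text.splitlines():
        match = PROCESS_RE.match(line)
        if match:
            current = Reject(match["ts"], match["otype"], match["action"], match["dn"])
            entries.append(current)
            expect_path = False
            continue
        if current is None:
            continue
        if REJECT_MARK in line:
            expect_path = True          # the reject file path is on the next line
            continue
        if expect_path:
            current.reject_file = line.strip()
            expect_path = False
            continue
        current.traceback.append(line)  # everything else until the next PROCESS line
    return [e for e in entries if e.reject_file]


def rdn_values(dn: str, attr: str) -> list[str]:
    """Values of all RDNs of the given attribute. Naive comma split: fine for the DNs above,
    not for DNs containing escaped commas (use a real DN parser for those)."""
    values = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.lower() == attr:
            values.append(value)
    return values


def school_ou(dn: str) -> str | None:
    ous = rdn_values(dn, "ou")
    return ous[0] if ous else None


def base_dn(dn: str) -> str:
    return ",".join(f"dc={v}" for v in rdn_values(dn, "dc"))


def domain_users_dn(dn: str) -> str | None:
    """ASSUMPTION: per-OU primary group named 'Domain Users <OU>' below cn=groups,ou=<OU>,
    as in the example group above. Adjust if the domain uses another convention."""
    ou = school_ou(dn)
    return None if ou is None else f"cn=Domain Users {ou},cn=groups,ou={ou},{base_dn(dn)}"


def triage(text: str) -> dict[str, list[Reject]]:
    """Rejects with the missing-primary-group signature, grouped by the group DN to resync."""
    grouped: dict[str, list[Reject]] = {}
    for reject in parse_log(text):
        group = domain_users_dn(reject.dn)
        if reject.missing_primary_group and group is not None:
            grouped.setdefault(group, []).append(reject)
    return grouped


def resync_commands(text: str) -> list[str]:
    """One resync_object_from_ucs.py call per missing group; --first queues it ahead of the user rejects."""
    return [f'/usr/share/univention-s4-connector/resync_object_from_ucs.py "{group}" --first'
            for group in sorted(triage(text))]


if __name__ == "__main__":
    for group, rejects in triage(SAMPLE_LOG).items():
        print(f"{group}: {len(rejects)} reject(s), e.g. {rejects[0].reject_file}")
    print("\n".join(resync_commands(SAMPLE_LOG)))
```

Run it against the real file with `python3 triage.py < /var/log/univention/connector-s4.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; confirm each printed group with univention-s4search before resyncing, since the group DN is derived from a naming assumption and not from the log.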
