S4 Connector problems

german
ucs-4
samba4

#1

Hello everyone,

my setup is a DC master / DC slave configuration, currently patched to 4.2-3 error 310. Since I started having the root mails forwarded, I have been pestered by Nagios messages reporting S4 Connector problems.

univention-s4connector-list-rejected shows:

UCS rejected

    1:   UCS DN: zoneName=msbe.local,cn=dns,dc=msbe,dc=local
          S4 DN: dc=@,dc=msbe.local,cn=microsoftdns,dc=domaindnszones,DC=msbe,DC=local
         Filename: /var/lib/univention-connector/s4/1508431548.934227

    2:   UCS DN: zoneName=msbe.local,cn=dns,dc=msbe,dc=local
          S4 DN: dc=@,dc=msbe.local,cn=microsoftdns,dc=domaindnszones,DC=msbe,DC=local
         Filename: /var/lib/univention-connector/s4/1512486138.758671

    3:   UCS DN: zoneName=msbe.local,cn=dns,dc=msbe,dc=local
          S4 DN: dc=@,dc=msbe.local,cn=microsoftdns,dc=domaindnszones,DC=msbe,DC=local
         Filename: /var/lib/univention-connector/s4/1512489021.926985

    4:   UCS DN: zoneName=msbe.local,cn=dns,dc=msbe,dc=local
          S4 DN: dc=@,dc=msbe.local,cn=microsoftdns,dc=domaindnszones,DC=msbe,DC=local
         Filename: /var/lib/univention-connector/s4/1513268252.757453


S4 rejected


        last synced USN: 421063

In /var/log/univention/connector-s4.log I find (sorry, lots of text):


07.03.2018 17:08:42,392 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1508431548.934227
07.03.2018 17:08:42,395 LDAP        (PROCESS): sync from ucs: [           dns] [    modify] dc=@,dc=msbe.local,cn=microsoftdns,dc=domaindnszones,DC=msbe,DC=local
07.03.2018 17:08:42,467 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1508431548.934227
07.03.2018 17:08:42,467 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2588, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1583, in ucs2con
    s4_zone_create_wrapper(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 859, in s4_zone_create_wrapper
    result = s4_zone_create(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 801, in s4_zone_create
    s4connector.lo_s4.modify(soa_dn, [('dnsRecord', old_dnsRecords, dnsRecords)])
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 473, in modify
    self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 513, in modify_ext_s
    rtype, rdata, rmsgid, resp_ctrls = self.lo.modify_ext_s(dn, ml, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 336, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
TYPE_OR_VALUE_EXISTS: {'info': "attribute 'dnsRecord': value #1 on 'DC=@,DC=msbe.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=msbe,DC=local' provided more than once", 'desc': 'Type or value exists'}

07.03.2018 17:08:42,467 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1512486138.758671
07.03.2018 17:08:42,470 LDAP        (PROCESS): sync from ucs: [           dns] [    modify] dc=@,dc=msbe.local,cn=microsoftdns,dc=domaindnszones,DC=msbe,DC=local
07.03.2018 17:08:42,534 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1512486138.758671
07.03.2018 17:08:42,534 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2588, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1583, in ucs2con
    s4_zone_create_wrapper(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 859, in s4_zone_create_wrapper
    result = s4_zone_create(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 801, in s4_zone_create
    s4connector.lo_s4.modify(soa_dn, [('dnsRecord', old_dnsRecords, dnsRecords)])
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 473, in modify
    self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 513, in modify_ext_s
    rtype, rdata, rmsgid, resp_ctrls = self.lo.modify_ext_s(dn, ml, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 336, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
TYPE_OR_VALUE_EXISTS: {'info': "attribute 'dnsRecord': value #1 on 'DC=@,DC=msbe.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=msbe,DC=local' provided more than once", 'desc': 'Type or value exists'}

07.03.2018 17:08:42,534 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1512489021.926985
07.03.2018 17:08:42,537 LDAP        (PROCESS): sync from ucs: [           dns] [    modify] dc=@,dc=msbe.local,cn=microsoftdns,dc=domaindnszones,DC=msbe,DC=local
07.03.2018 17:08:42,597 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1512489021.926985
07.03.2018 17:08:42,597 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2588, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1583, in ucs2con
    s4_zone_create_wrapper(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 859, in s4_zone_create_wrapper
    result = s4_zone_create(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 801, in s4_zone_create
    s4connector.lo_s4.modify(soa_dn, [('dnsRecord', old_dnsRecords, dnsRecords)])
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 473, in modify
    self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 513, in modify_ext_s
    rtype, rdata, rmsgid, resp_ctrls = self.lo.modify_ext_s(dn, ml, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 336, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
TYPE_OR_VALUE_EXISTS: {'info': "attribute 'dnsRecord': value #1 on 'DC=@,DC=msbe.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=msbe,DC=local' provided more than once", 'desc': 'Type or value exists'}

07.03.2018 17:08:42,597 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1513268252.757453
07.03.2018 17:08:42,600 LDAP        (PROCESS): sync from ucs: [           dns] [    modify] dc=@,dc=msbe.local,cn=microsoftdns,dc=domaindnszones,DC=msbe,DC=local
07.03.2018 17:08:42,660 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1513268252.757453
07.03.2018 17:08:42,660 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2588, in sync_from_ucs
    self.property[property_type].con_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 1583, in ucs2con
    s4_zone_create_wrapper(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 859, in s4_zone_create_wrapper
    result = s4_zone_create(s4connector, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dns.py", line 801, in s4_zone_create
    s4connector.lo_s4.modify(soa_dn, [('dnsRecord', old_dnsRecords, dnsRecords)])
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 473, in modify
    self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 513, in modify_ext_s
    rtype, rdata, rmsgid, resp_ctrls = self.lo.modify_ext_s(dn, ml, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 336, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
TYPE_OR_VALUE_EXISTS: {'info': "attribute 'dnsRecord': value #1 on 'DC=@,DC=msbe.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=msbe,DC=local' provided more than once", 'desc': 'Type or value exists'}


Based on this post, I also ran univention-ldapsearch zonename=msbe.local | grep nSRecord and get:

nSRecord: userver.msbe.local.
nSRecord: vserver.msbe.local.

There are two DNS servers in the system, which should not really be a problem.

But how do I get closer to the problem (and thus to its solution)?

Thanks

Martin


#2

Hi,

the nSRecord entries are not the problem here; rather, it is the Samba4-side dNSRecord attributes compared with the OpenLDAP-side aRecord/aAAARecord attributes. Compare which IP addresses exist on the OpenLDAP side and on the Samba4 LDAP side. To do that, please post the output of the following two commands:

univention-ldapsearch -s base -b zoneName=$(ucr get domainname),cn=dns,$(ucr get ldap/base) aRecord aAAARecord
univention-s4search -s base --show-binary -b dc=@,dc=$(ucr get domainname),cn=microsoftdns,dc=domaindnszones,$(ucr get ldap/base) dnsRecord

Regards
mosu


#3

Here are the results:

 univention-ldapsearch -s base -b zoneName=$(ucr get domainname),cn=dns,$(ucr get ldap/base) aRecord aAAARecord
# extended LDIF
#
# LDAPv3
# base <zoneName=msbe.local,cn=dns,dc=msbe,dc=local> with scope baseObject
# filter: (objectclass=*)
# requesting: aRecord aAAARecord
#

# msbe.local, dns, msbe.local
dn: zoneName=msbe.local,cn=dns,dc=msbe,dc=local
aRecord: 192.168.0.3
aRecord: 192.168.0.2

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

and

univention-s4search -s base --show-binary -b dc=@,dc=$(ucr get domainname),cn=microsoftdns,dc=domaindnszones,$(ucr get ldap/base) dnsRecord
# record 1
dn: DC=@,DC=msbe.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=msbe,DC=local
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x0016 (22)
        wType                    : DNS_TYPE_NS (2)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x00000001 (1)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 2)
        ns                       : userver.msbe.local

dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x0016 (22)
        wType                    : DNS_TYPE_NS (2)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x00000001 (1)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 2)
        ns                       : vserver.msbe.local

dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x003d (61)
        wType                    : DNS_TYPE_SOA (6)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x00000330 (816)
        dwTtlSeconds             : 0x00002a30 (10800)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 6)
        soa: struct dnsp_soa
            serial                   : 0x00000330 (816)
            refresh                  : 0x00007080 (28800)
            retry                    : 0x00001c20 (7200)
            expire                   : 0x00093a80 (604800)
            minimum                  : 0x00000e10 (3600)
            mname                    : userver.msbe.local
            rname                    : root.msbe.local

dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x0004 (4)
        wType                    : DNS_TYPE_A (1)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x00000001 (1)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 1)
        ipv4                     : 192.168.0.3

dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x0004 (4)
        wType                    : DNS_TYPE_A (1)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x00000001 (1)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 1)
        ipv4                     : 192.168.0.2


# returned 1 records
# 1 entries
# 0 referrals

Does that help?

Regards
Martin


#4

Hi there,

thanks, yes. The two IPv4 addresses that are entered as aRecord on the OpenLDAP side are present as dnsRecord on the Samba4 LDAP side. In other words, there is actually nothing left to do there. So I would delete the rejects (they are all for the same object anyway) and then start a resync from Samba4 to OpenLDAP:

/usr/share/univention-s4-connector/remove_ucs_rejected.py zoneName=msbe.local,cn=dns,dc=msbe,dc=local
/usr/share/univention-s4-connector/resync_object_from_s4.py dc=@,dc=msbe.local,cn=microsoftdns,dc=domaindnszones,DC=msbe,DC=local

The deletion happens immediately. After triggering the resync, however, it takes up to a minute until the connector performs the resync of the object, so be a little patient. Between the two commands you can also check again with univention-s4connector-list-rejected whether the rejects have really been deleted and are all gone.

More information on this is available in this article.

Regards
mosu
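
The comparison that post #4 makes by eye can be scripted before deleting any rejects. The following is an added example, not part of the thread or of Univention's tooling: the function names are hypothetical, the sample input is abbreviated from the command output in post #3, and the `ipv6` field name for AAAA records is an assumption by analogy with the `ipv4` field shown there.

```python
import re

# Constructed sample input, abbreviated from the command output quoted in post #3.
UCS_LDIF = """\
dn: zoneName=msbe.local,cn=dns,dc=msbe,dc=local
aRecord: 192.168.0.3
aRecord: 192.168.0.2
"""

S4_DUMP = """\
dn: DC=@,DC=msbe.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=msbe,DC=local
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wType                    : DNS_TYPE_NS (2)
        ns                       : userver.msbe.local
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wType                    : DNS_TYPE_A (1)
        ipv4                     : 192.168.0.3
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wType                    : DNS_TYPE_A (1)
        ipv4                     : 192.168.0.2
"""


def ucs_addresses(ldif):
    """Collect aRecord/aAAARecord values from univention-ldapsearch LDIF text."""
    found = set()
    for line in ldif.splitlines():
        m = re.match(r"(aRecord|aAAARecord):\s*(\S+)", line, re.I)
        if m:
            found.add(m.group(2).lower())
    return found


def s4_addresses(dump):
    """Collect addresses from DNS_TYPE_A/AAAA blocks of the --show-binary dump."""
    found = set()
    # Every dnsRecord value starts its own NDR block; element 0 is the dn line.
    for block in dump.split("dnsRecord:")[1:]:
        wtype = re.search(r"wType\s*:\s*(DNS_TYPE_\w+)", block)
        if not wtype or wtype.group(1) not in ("DNS_TYPE_A", "DNS_TYPE_AAAA"):
            continue  # NS, SOA and other record types carry no host address
        # 'ipv6' is an assumed field name; only 'ipv4' appears on the page.
        addr = re.search(r"^\s*ipv[46]\s*:\s*(\S+)", block, re.M)
        if addr:
            found.add(addr.group(1).lower())
    return found


def compare(ldif, dump):
    """Report addresses present on only one side; in_sync means both sets match."""
    ucs, s4 = ucs_addresses(ldif), s4_addresses(dump)
    return {"only_ucs": sorted(ucs - s4), "only_s4": sorted(s4 - ucs), "in_sync": ucs == s4}


if __name__ == "__main__":
    print(compare(UCS_LDIF, S4_DUMP))
```

When `in_sync` is true, the rejects for that object describe a change that is already present on the Samba4 side, which is the situation post #4 identifies before removing them.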


#5

Many thanks,

it worked right away.

Regards
Martin