Hello,
I have a problem with the s4-connector. The group “Domain Users” gets rejected when syncing from UCS to AD.
My environment (all UCS Servers are VMs):
- UCS Primary
- UCS Backup
- UCS Replica 1 (RADIUS)
- UCS Memberserver (CUPS) currently not used
Additional information: I recently restored a snapshot of the UCS Primary VM. I did not create a snapshot of the backup, so I did not restore anything from the backup server. This brought up another problem with RIDs, but I think that is fixed. Maybe the rollback is the cause of this problem.
sudo univention-s4connector-list-rejected
UCS rejected
1: UCS DN: cn=Domain Users,cn=groups,dc=firma,dc=intranet
S4 DN: cn=domain users,cn=groups,DC=firma,DC=intranet
Filename: /var/lib/univention-connector/s4/1739457604.028684
S4 rejected
last synced USN: 3853196
Output from /var/log/univention/connector-s4.log:
14.02.2025 08:36:58.685 LDAP (PROCESS): sync UCS > AD: Resync rejected file: /var/lib/univention-connector/s4/1739457604.028684
14.02.2025 08:36:58.687 LDAP (PROCESS): sync UCS > AD: [ group] [ modify] 'cn=domain users,cn=groups,DC=firma,DC=intranet'
14.02.2025 08:36:58.744 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1739457604.028684
14.02.2025 08:36:58.744 LDAP (WARNING): Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 828, in __sync_file_from_ucs
if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new):
File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 2283, in sync_from_ucs
post_con_modify_function(self, property_type, object)
File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 74, in group_members_sync_from_ucs
return connector.group_members_sync_from_ucs(key, object)
File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 1377, in group_members_sync_from_ucs
self.lo_s4.lo.modify_s(object['dn'], [(ldap.MOD_REPLACE, 'member', [x.encode('UTF-8') for x in s4_members])])
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 629, in modify_s
return self.modify_ext_s(dn,modlist,None,None)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 602, in modify_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
raise exc_value
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'desc': 'No such object', 'info': "00000525: specified dn doesn't exist at ../../source4/dsdb/samdb/ldb_modules/extended_dn_store.c:163:extended_dn_handle_fpo_attr"}
I noticed something strange when querying the group. While univention-ldapsearch shows all the members, univention-s4search only has the user Administrator as the only member.
When I open “Active Directory Users & Computers” on a Windows machine, all members are shown.
I’m at my wit’s end and I couldn’t find any topics with this specific error message. Maybe someone can help me.
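A triage helper for the connector-s4.log format quoted above, as an added example that is not part of the original post or of the UCS code: it groups path and traceback lines under their timestamped record and summarises each "saved as rejected" event. The function names `records` and `rejects` are hypothetical, and the sample is the post's own log with most traceback frames trimmed.

```python
import re

# Constructed sample: the log lines quoted in the post, most traceback frames trimmed.
SAMPLE_LOG = """\
14.02.2025 08:36:58.685 LDAP (PROCESS): sync UCS > AD: Resync rejected file: /var/lib/univention-connector/s4/1739457604.028684
14.02.2025 08:36:58.687 LDAP (PROCESS): sync UCS > AD: [ group] [ modify] 'cn=domain users,cn=groups,DC=firma,DC=intranet'
14.02.2025 08:36:58.744 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1739457604.028684
14.02.2025 08:36:58.744 LDAP (WARNING): Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 1377, in group_members_sync_from_ucs
self.lo_s4.lo.modify_s(object['dn'], [(ldap.MOD_REPLACE, 'member', [x.encode('UTF-8') for x in s4_members])])
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
ldap.NO_SUCH_OBJECT: {'desc': 'No such object', 'info': "00000525: specified dn doesn't exist at ../../source4/dsdb/samdb/ldb_modules/extended_dn_store.c:163:extended_dn_handle_fpo_attr"}
"""

RECORD = re.compile(r"^(\d{2}\.\d{2}\.\d{4} [\d:.]+)\s+\w+\s+\((\w+)\s*\):\s*(.*)$")  # timestamped line
SYNC = re.compile(r"sync (\S+ > \S+):\s*\[\s*(\w+)\]\s*\[\s*(\w+)\]\s*'(.*)'")  # [type] [op] 'dn'
FRAME = re.compile(r'File ".*/univention/s4connector/.*", line (\d+), in (\w+)')  # connector frames

def records(text):
    """Group continuation lines (paths, traceback frames) under their timestamped line."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            out.append({"ts": m.group(1), "level": m.group(2), "msg": m.group(3), "extra": []})
        elif out and line.strip():
            out[-1]["extra"].append(line.strip())
    return out

def rejects(text):
    """Return one summary dict per 'saved as rejected' event in the log text."""
    found, last_sync = [], None
    for rec in records(text):
        m = SYNC.search(rec["msg"])
        if m:
            last_sync = m.groups()  # remember the object being synced
        elif rec["msg"].startswith("sync failed, saved as rejected"):
            direction, otype, op, dn = last_sync or (None,) * 4
            found.append({"ts": rec["ts"], "direction": direction, "type": otype, "op": op,
                          "dn": dn, "file": rec["extra"][0] if rec["extra"] else None})
        elif rec["msg"].startswith("Traceback") and found and "error" not in found[-1]:
            funcs = [f.group(2) for f in map(FRAME.search, rec["extra"]) if f]
            found[-1]["connector_func"] = funcs[-1] if funcs else None  # innermost connector frame
            found[-1]["error"] = rec["extra"][-1].split(":", 1)[0] if rec["extra"] else None
    return found

if __name__ == "__main__":
    print(rejects(SAMPLE_LOG))
```

On a real system, pass the contents of /var/log/univention/connector-s4.log to `rejects()` to get one summary per rejected object.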