S4 Rejects and System errors

ad-connection
ad-takeover
s4-connector
samba4

#1

If needed, I am happy to write the following in German as well. Thanks for your help.

In June 2017 I used UCS to take over another Samba 4 domain because the sernet-samba packages were discontinued for free use.
Since then I have had some problems regarding S4 rejects (amongst other things).

My univention:

root@nathkucs1:~# univention-app info
UCS: 4.3-0 errata3
Installed: adconnector=12.0 adtakeover=5.0 cups=2.2.1 nagios=4.3 samba4=4.7
Upgradable:

“Check the local AD database for errors”

root@nathkucs1:~# samba-tool dbcheck
Checking 592 objects
ERROR(<type 'exceptions.IndexError'>): uncaught exception - string index out of range
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 160, in run
    controls=controls, attrs=attrs)
  File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 219, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 2240, in check_object
    elif obj[attrname][0][1] == '\x00' and obj[attrname][0][2] == '\x00' and obj[attrname][0][3] == '\x00' and obj[attrname][0][4] != '\x00' and obj[attrname][0][5] == '\x00':

“Unsynchronized S4 Connector objects”

root@nathkucs1:~# univention-s4connector-list-rejected

UCS rejected

    1:   UCS DN: <NORESYNC=broken file:1522559877.253004>;unknown
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1522559877.253004

    2:   UCS DN: uid=user.name,cn=users,dc=domain,dc=lan
          S4 DN: cn=user.name,cn=users,DC=domain,DC=lan
         Filename: /var/lib/univention-connector/s4/1506328994.810048

    3:   UCS DN: uid=ucs-sso,cn=users,dc=domain,dc=lan
          S4 DN: cn=ucs-sso,cn=users,DC=domain,DC=lan
         Filename: /var/lib/univention-connector/s4/1521070128.723376
[...] and many more users [...]

S4 rejected
[...] and many more users [...]
   78:    S4 DN: CN=praktikan,CN=Users,DC=domain,DC=lan
         UCS DN: <not found>
   79:    S4 DN: CN=user1,CN=Users,DC=domain,DC=lan
         UCS DN: uid=user1,cn=users,dc=domain,dc=lan
   80:    S4 DN: CN=ucs-sso,CN=Users,DC=domain,DC=lan
         UCS DN: uid=ucs-sso,cn=users,dc=domain,dc=lan
   81:    S4 DN: CN=ldapper-m-nathkucs1,CN=Users,DC=domain,DC=lan
         UCS DN: uid=ldapper-m-nathkucs1,cn=users,dc=domain,dc=lan
   82:    S4 DN: CN=searchuser,CN=Users,DC=domain,DC=lan
         UCS DN: uid=searchuser,cn=users,dc=domain,dc=lan
   83:    S4 DN: CN=another.user,CN=Users,DC=domain,DC=lan
         UCS DN: uid=another.user,cn=users,dc=domain,dc=lan
   84:    S4 DN: CN=user2,CN=Users,DC=domain,DC=lan
         UCS DN: <not found>

[...] and even more [...]

When searching for problems in the /var/log/univention/connector-s4.log with “grep ucs-sso” for example, I get this:

13.06.2017 19:33:55,219 LDAP        (PROCESS): sync from ucs: [           dns] [       add] DC=ucs-sso,DC=domain.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=lan
13.06.2017 19:35:33,473 LDAP        (PROCESS): sync to ucs:   [           dns] [    modify] relativedomainname=ucs-sso,zonename=domain.lan,cn=dns,dc=domain,dc=lan

These lines are being logged every few minutes:

01.04.2018 17:33:47,299 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=ucs-sso,cn=users,DC=domain,DC=lan
01.04.2018 17:33:56,707 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=ucs-sso,CN=Users,DC=domain,DC=lan
01.04.2018 17:33:56,717 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=ucs-sso,cn=users,dc=domain,dc=lan
01.04.2018 17:33:56,769 LDAP        (ERROR  ): Value may not change: key=sambaRID old=2636 new=124955 (uid=ucs-sso,cn=users,dc=domain,dc=lan)

And using “head” I can see the initial problems from 2017 (for the user clb as an example):

13.06.2017 19:25:21,332 LDAP        (PROCESS): sync from ucs: [          user] [       add] CN=clb,CN=Users,DC=domain,DC=lan
13.06.2017 19:25:22,676 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1497374667.685767
13.06.2017 19:25:22,677 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 843, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2726, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 582, in password_sync_ucs_to_s4
    unicodePwd_new = binascii.a2b_hex(ucsNThash)
TypeError: Non-hexadecimal digit found

For this error, I found this bug report, Bug 35540, and this thread: Thread about the bug 35540
The only thing I have tried so far was: How to deal with s4-connector rejects, but this didn’t help.

My connector-s4.log has a big file size:

root@nathkucs1:/var/log/univention# ls -Shl
insgesamt 23G
-rw-r----- 1 root     adm   23G Apr  1 19:27 connector-s4.log
-rw-r----- 1 root     adm   26M Jun 13  2017 connector-s4.log.1
-rw-r----- 1 root     adm   15M Apr  1 19:00 system-stats.log
-rw-r----- 1 root     adm   12M Apr  1 19:27 connector.log

Do you have any ideas for a resolution of this problem? Thank you in advance.
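
Added example, not part of the original post and not Univention code: a Python triage pass over a connector-s4.log in the format quoted above. It counts repeating "Value may not change" conflicts per DN, collects the reject file names, and tallies exception lines. The sample lines are constructed from the excerpts in the post, and the function name `summarize` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the connector-s4.log format quoted in the post.
SAMPLE = """\
01.04.2018 17:33:47,299 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=ucs-sso,cn=users,DC=domain,DC=lan
01.04.2018 17:33:56,769 LDAP        (ERROR  ): Value may not change: key=sambaRID old=2636 new=124955 (uid=ucs-sso,cn=users,dc=domain,dc=lan)
01.04.2018 17:38:56,801 LDAP        (ERROR  ): Value may not change: key=sambaRID old=2636 new=124955 (uid=ucs-sso,cn=users,dc=domain,dc=lan)
13.06.2017 19:25:22,676 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1497374667.685767
13.06.2017 19:25:22,677 LDAP        (WARNING): Traceback (most recent call last):
TypeError: Non-hexadecimal digit found
"""

# Timestamp, facility, padded level in parentheses, then the message.
ENTRY = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d+ \S+\s+\((\w+)\s*\): (.*)$")
IMMUTABLE = re.compile(r"^Value may not change: key=(\S+) old=(\S*) new=(\S*) \((.+)\)$")
EXCEPTION = re.compile(r"^[A-Za-z_.]+(Error|Exception): ")

def summarize(lines):
    """Stream log lines; return (attribute conflicts, reject files, exception lines)."""
    conflicts, rejects, exceptions = Counter(), [], Counter()
    expect_path = False  # True right after a "saved as rejected" warning
    for raw in lines:
        line = raw.rstrip("\n")
        m = ENTRY.match(line)
        if m:
            level, msg = m.groups()
            expect_path = level == "WARNING" and msg.startswith("sync failed, saved as rejected")
            hit = IMMUTABLE.match(msg) if level == "ERROR" else None
            if hit:
                key, old, new, dn = hit.groups()
                conflicts[(dn, key, old, new)] += 1
            continue
        # Continuation lines: the reject file path or the traceback body.
        if expect_path and line.strip().startswith("/"):
            rejects.append(line.strip())
        elif EXCEPTION.match(line):
            exceptions[line] += 1
        expect_path = False
    return conflicts, rejects, exceptions

if __name__ == "__main__":
    conflicts, rejects, exceptions = summarize(SAMPLE.splitlines())
    for (dn, key, old, new), n in conflicts.most_common():
        print(f"{n:6d}x {key} {old}->{new}  {dn}")
    print(rejects, dict(exceptions))
```

For the real log, pass the open file object (`open(path, errors="replace")`) so the 23G file is read line by line rather than loaded into memory.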


#2

I have a similar issue, plus this error that I cannot get removed:

Found 1 UCS rejects and 0 S4 rejects. See Univention Support Database - How to deal with s4-connector rejects for more information.
UCS rejected:
UCS DN: ;unknown, S4 DN: not found, Filename: /var/lib/univention-connector/s4/.1522319929.525067.swp

#3

The above-described problems still persist with version

UCS: 4.3-1 errata116
Installed: adconnector=12.0 adtakeover=5.0 cups=2.2.1 nagios=4.3 samba4=4.7
Upgradable:

Hopefully someone can help me on this.


#4

I started a new UCS Domain with the same credentials as before and then used the AD Takeover.

Everything is now perfectly working. All mistakes are gone.

Except for this one here:

samba-tool dbcheck
Checking 592 objects
ERROR(<type 'exceptions.IndexError'>): uncaught exception - string index out of range
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 160, in run
    controls=controls, attrs=attrs)
  File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 219, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 2240, in check_object
    elif obj[attrname][0][1] == '\x00' and obj[attrname][0][2] == '\x00' and obj[attrname][0][3] == '\x00' and obj[attrname][0][4] != '\x00' and obj[attrname][0][5] == '\x00':