S4 Rejects for random user accounts with TYPE_OR_VALUE_EXISTS error in log

Hi All. I need help with UCS server.
English isn’t my mother tongue, so please excuse me for mistakes.
Version is 4.4-3 errata413 (Blumenthal).
A year ago my domain was migrated from MS Windows Server 2008 to UCS.
The total count of user accounts is about 50 and there is only one UCS server in the domain.
There are no issues with users/workstations (MS Windows 7, MS Windows 10), but the diagnostic module reports S4 rejects like this:
S4 DN: CN=Петросян Евгений Ваганович,OU=Пользователи,DC=********,DC=*****, UCS DN: uid=petrosyan,ou=пользователи,dc=********,dc=*****

Rejects occur only for user records. Every day I see one or two new rejects for random user accounts. It looks like the system is working fine when I delete the rejects, but I believe it’s not a good practice.

Here is the tail of connector-s4.log; it shows a TYPE_OR_VALUE_EXISTS error:
13.01.2020 20:58:25.031 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Петросян Евгений Ваганович,OU=Пользователи,DC=*********,DC=*****
13.01.2020 20:58:25.046 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] u'uid=petrosyan,ou=\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0438,dc=*********,dc=*****'
13.01.2020 20:58:30.496 LDAP        (ERROR  ): failed in post_con_modify_functions
13.01.2020 20:58:30.496 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1567, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 99, in object_memberships_sync_to_ucs
    return s4connector.object_memberships_sync_to_ucs(key, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1729, in object_memberships_sync_to_ucs
    self.one_group_member_sync_to_ucs(ucs_group_object, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1767, in one_group_member_sync_to_ucs
    self.lo.lo.modify_s(ucs_group_object['dn'], compatible_modlist(ml))
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 199, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 782, in modify_s
    self.lo.modify_ext_s(dn, ml)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 987, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 931, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
TYPE_OR_VALUE_EXISTS: {'info': 'modify/add: uniqueMember: value #0 already exists', 'desc': 'Type or value exists'}

I also tried to compare the rejected object in Samba 4 and LDAP. The objects have too many differences, so I have no idea where to look.

Samba 4 object
root@pdc-ucs:/var/log/univention# univention-s4search -b "CN=Петросян Евгений Ваганович,OU=Пользователи,DC=********,DC=*****"
# record 1
dn: CN=Савенкова Татьяна Юрьевна,OU=Пользователи,DC=********,DC=*****
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: 0KHQsNCy0LXQvdC60L7QstCwINCi0LDRgM0Y/QvdCwINCu0YDRjNC10LLQvdCw
sn:: 0KHQsNCy0LXQvdC60L7Qst
telephoneNumber: 4970
givenName:: 0KLQsNGC0Yzj9C90LA=
initials:: 0K4=
instanceType: 4
whenCreated: 20111215063212.0Z
displayName:: 0KHQsNCy0LXQvdC60L7QstCwINCi0LDRgtM0Y/QvdCwINCu0YDRjNC10LLQvdCw
uSNCreated: 4395
department:: 0JTQvtCz0L7QstC+0YDQdC+0Lk=
name:: 0KHQsNCy0LXQvdC60L7QstCwICi0LDRgtGM0Y/QvdCwINCu0YDRjNC10LLQvdCw
objectGUID: c300f0d0-bf46-4b34-bfb9-9ed244a7f3e3
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130742468763145943
primaryGroupID: 513
objectSid: S-1-5-21-1199442534-881430337-3625002669-1142
accountExpires: 9223372036854775807
sAMAccountName: petrosyan
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=********,DC=*****
mail: petrosyan@********.*****
memberOf:: Q0490J7RgtC00LXQuyDQtNC+0LPQvtCy0L7RgNC+0LIsQ049VXNlnMsREM9a3Jpc3RhLXR1bGEsREM9bG9jYWw=
memberOf:: Q049RGVwYXJ0bWVudHMuQWRtaW5pc3RyYXRpb24sT1U90JPRNGD0L/Qv9GLLERDPWtyaXN0YS10dWxhLERDPWxvY2Fs
memberOf:: Q049RGVwYXJ0bWVudHMuQWxsLE9VPdCT0YDRg9C/0L/RiyxQz1rcmlzdGEtdHVsYSxEQz1sb2NhbA==
userPrincipalName: petrosyan@********.*****
lastLogon: 132234090975085930
logonCount: 1050
lastLogonTimestamp: 132234090975085930
whenChanged: 20200113171137.0Z
uSNChanged: 72396
distinguishedName:: Q0490KHQsNCy0LXQvdC60L7QstCwINCi0LDRgtG0Y/QvdCwINCu0YDRjNC10LLQvdCwLE9VPdCf0L7Qu9GM0LfQvtCy0LDRgtC10LvQuCxEQz1rcmlzdGEtdHVsYSxEQz1sb2NhbA==

# returned 1 records
# 1 entries
# 0 referrals
LDAP Object
root@pdc-ucs:/var/log/univention# univention-ldapsearch -b "uid=petrosyan,ou=пользователи,dc=********,dc=*****"
# extended LDIF
#
# LDAPv3
# base <uid=petrosyan,ou=пользователи,dc=********,dc=*****> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# petrosyana, \D0\9F\D0\BE\D0\BB\D1\8C\D0\B7\D0\BE\D0\B2\D0\B0\D1\82\D0\B5\D0\BB\D0\B8, ********.*****
dn:: dWlkPWl6bWFpbG92YSxvdT3Qn9C+0LvRjNC30L7QstCw0YLQtdC7ZGM9a3Jpc3RhLXR1bGEsZGM9bG9jYWw=
uid: petrosyan
krb5PrincipalName: petrosyan@********.*****
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionObject
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: posixAccount
uidNumber: 2048
sambaAcctFlags: [U          ]
sambaPasswordHistory: EF1D054E4B8C0652155F0B8B3E1085DBAF0FD86128855E9147B3EC808F
sambaBadPasswordCount: 0
krb5MaxLife: 86400
cn:: 0KLQsNGC0YzRj9C90LAg0KHQsNLvdC60L7QstCw
krb5MaxRenew: 604800
sambaBadPasswordTime: 0
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
telephoneNumber: 4970
displayName:: 0KHQsNCy0LXQvdC60L7QstCwINCi0LDRgtGM0Y/QvdCwINCu0jNC10LLQvdCw
mailPrimaryAddress: petrosyan@********.*****
sambaSID: S-1-5-21-1199442534-881430337-3625002669-1142
sn:: 0KHQsNCy0LXQvdC60L7QstCw
pwhistory: $6$SbsLU8mjqujZx.$vYan4gt40EhJWIoxII0a7yCGw6JGgYR8QDafeVzbJuRTciQsKoYa0fySZoo0.ezEPBkITJsH4DmGbRQ.
homeDirectory: /home/petrosyan
givenName:: 0KLQsNGC0YzRjC90LA=
sambaNTPassword: D5EB66097326E488573E3A6C071BF7
krb5Key:: MB2hGzAZoAMCARehQQ1etmCXMm5IbIVz46bAcb9w==
krb5Key:: MFShKzApoAMCARKhIgQg+nTisIUkdwT6RPDKtlooMZF24cJBU5Cy0yvYAay4+iJTAjoAMCAQOhHAQaS1JJU1RBLVRVTEEuTE9DQUxpem1haWxvdmE=
krb5Key:: MEShGzAZoAMCARGhEgQQif036IgLo9AdmHdjTwfaIlMCOgAwIBA6EcBBpLUklTVEEtVFVMQS5MT0NBTGl6bWFpbG92YQ==
krb5Key:: MDyhEzARoAMCAQOhCgQIj/6KKeNPMa6iJTAAMCAQOhHAQaS1JJU1RBLVRVTEEuTE9DQUxpem1haWxvdmE=
krb5KeyVersionNumber: 4
userPassword:: e0s1SZfQ==
shadowLastChange: 16548
sambaPwdLastSet: 1429773276
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-1199442534-881430337-3625002669-513

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Thanks for any help.
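For triaging rejects like the ones in the log above, here is an added example (not written by any poster in this thread and not Univention code) that groups failed resyncs by exception, innermost s4connector function and LDAP attribute. The sample log is constructed in the layout quoted above, and the names `parse_rejects` and `summarize` are hypothetical.

```python
import ast
import re
from collections import Counter

# Constructed sample in the connector-s4.log layout quoted in the thread; DNs are made up.
SAMPLE_LOG = """\
13.01.2020 20:58:25.031 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Alice Example,OU=Users,DC=example,DC=test
13.01.2020 20:58:25.046 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] u'uid=alice,ou=users,dc=example,dc=test'
13.01.2020 20:58:30.496 LDAP        (ERROR  ): failed in post_con_modify_functions
13.01.2020 20:58:30.496 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1767, in one_group_member_sync_to_ucs
TYPE_OR_VALUE_EXISTS: {'info': 'modify/add: uniqueMember: value #0 already exists', 'desc': 'Type or value exists'}
14.01.2020 09:12:01.100 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Bob Example,OU=Users,DC=example,DC=test
"""

STAMP = re.compile(r"^(\d{2}\.\d{2}\.\d{4} [\d:.]+) LDAP\s+\((\w+)\s*\): (.*)$")
REJECT = re.compile(r"Resync rejected dn: (.+)$")
FRAME = re.compile(r'^\s+File "([^"]+)", line \d+, in (\w+)')
EXC = re.compile(r"^([A-Z_]+): (\{.*\})$")
INFO = re.compile(r"^modify/(\w+): ([\w;-]+):")

def parse_rejects(text):
    """Return one dict per 'Resync rejected dn' entry, with the error that followed it."""
    events, cur = [], None
    for line in text.splitlines():
        stamped = STAMP.match(line)
        if stamped:
            hit = REJECT.search(stamped.group(3))
            if hit:
                cur = {"time": stamped.group(1), "s4_dn": hit.group(1),
                       "error": None, "frame": None, "op": None, "attr": None}
                events.append(cur)
            continue
        if cur is None:
            continue
        frame, exc = FRAME.match(line), EXC.match(line)
        if frame and "/s4connector/" in frame.group(1):
            cur["frame"] = frame.group(2)  # last match = innermost connector frame
        elif exc:
            cur["error"] = exc.group(1)
            info = INFO.match(ast.literal_eval(exc.group(2)).get("info", ""))
            if info:
                cur["op"], cur["attr"] = info.groups()
    return events

def summarize(events):
    """Count failed resyncs by (exception, connector function, LDAP attribute)."""
    return Counter((e["error"], e["frame"], e["attr"]) for e in events if e["error"])
```

An error is attributed to the most recent "Resync rejected dn" line, so a reject whose resync succeeded (the second entry in the sample) is reported with `error` set to `None`.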

Hi,

I am unsure if this matches correctly but there is a bug related to the error description. You might update at least to 4.4-3e289 to get this fixed.

Let’s see if it helps.

/CV

Hello, thanks for the reply. I was trying to read about this bug, but it is pretty hard for me to understand all the details. When I wrote this topic, UCS 4.4-3 errata413 was used. I upgraded it to 4.4-3 errata427 last week. Are you sure my system may be affected by this bug?

Hi,

there are, for reasons I do not know myself, issues when syncing some of the OpenLDAP user attributes to AD/Samba.

Looks like it depends somehow on language or character set. However, for your issue it seems to be related to the “desc” field in OpenLDAP/Samba.

Try to add it to the ignore list:
ucr set connector/s4/mapping/user/attributes/ignorelist="desc,$(ucr get connector/s4/mapping/user/attributes/ignorelist)"

Thanks for your advice. Will see if it works.
By the way, the ‘description’ field in AD is empty for all accounts with rejects.
And there are some more accounts that never generate rejects (some with an empty ‘description’ and some with Cyrillic symbols in this field).
I found only one regularity: rejects appear only for accounts used by users. There are no rejects if the user is not logged in.

Hi,
unfortunately rejects still appear.

The log is the same:
29.01.2020 10:23:09.872 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Чехов Антон Павлович,OU=Пользователи,DC=*******,DC=*****
29.01.2020 10:23:09.885 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] u'uid=chechov,ou=\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0438,dc=*******,dc=*****'
29.01.2020 10:23:14.521 LDAP        (ERROR  ): failed in post_con_modify_functions
29.01.2020 10:23:14.521 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1567, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 99, in object_memberships_sync_to_ucs
    return s4connector.object_memberships_sync_to_ucs(key, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1725, in object_memberships_sync_to_ucs
    self.one_group_member_sync_to_ucs(ucs_group_object, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1765, in one_group_member_sync_to_ucs
    self.lo.lo.modify_s(ucs_group_object['dn'], compatible_modlist(ml))
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 199, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 782, in modify_s
    self.lo.modify_ext_s(dn, ml)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 987, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 931, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
TYPE_OR_VALUE_EXISTS: {'info': 'modify/add: uniqueMember: value #0 already exists', 'desc': 'Type or value exists'}

I was trying to fill the “description” field with the “test” string in “Active Directory - users and computers” and in the UCS users page. Changes are synchronized normally in both directions. But in the log I still see the error, and the reject is still there for this account.

I also checked whether the ucr set command works correctly:

root@pdc-ucs:/var/log/univention# ucr get connector/s4/mapping/user/attributes/ignorelist
desc,unixhome,employeeType,employeeNumber,loginShell,title,gidNumber,uidNumber,departmentNumber,roomNumber,jpegPhoto,userCertificate,initials,physicalDeliveryOfficeName,postOfficeBox,preferredLanguage

Have you tried to use “description” as this is the official attribute name?

Yes, you can see it in the screenshots:

UCS

AD
