S4 Rejects for random user accounts with TYPE_OR_VALUE_EXISTS error in log

Hi All. I need help with UCS server.
English isn’t my mother tongue, so please excuse me for mistakes.
Version is 4.4-3 errata413 (Blumenthal).
Year ago my domain was migrated from MS Windows Server 2008 to UCS.
Total count of user accounts is about 50 and only one USC server in domain.
There is no issues with users/workstations (MS Windows 7, MS Windows 10), but diagnostic module reports about S4 Rejects like this:
S4 DN: CN=Петросян Евгений Ваганович,OU=Пользователи,DC=********,DC=*****, UCS DN: uid=petrosyan,ou=пользователи,dc=********,dc=*****

Rejects occurs only for user records. Every day I see one or two new rejects for random user accounts. Looks like system is working fine when I delete rejects, but I beleive it’s not a good practice.

Here is the tail of connector-s4.log, it shows TYPE_OR_VALUE_EXISTS error
13.01.2020 20:58:25.031 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=Петросян Евгений Ваганович,OU=Пользователи,DC=*********,DC=*****
13.01.2020 20:58:25.046 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] u'uid=petrosyan,ou=\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0438,dc=*********,dc=*****'
13.01.2020 20:58:30.496 LDAP        (ERROR  ): failed in post_con_modify_functions
13.01.2020 20:58:30.496 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1567, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 99, in object_memberships_sync_to_ucs
    return s4connector.object_memberships_sync_to_ucs(key, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1729, in object_memberships_sync_to_ucs
    self.one_group_member_sync_to_ucs(ucs_group_object, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1767, in one_group_member_sync_to_ucs
    self.lo.lo.modify_s(ucs_group_object['dn'], compatible_modlist(ml))
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 199, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 782, in modify_s
    self.lo.modify_ext_s(dn, ml)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 987, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 931, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
TYPE_OR_VALUE_EXISTS: {'info': 'modify/add: uniqueMember: value #0 already exists', 'desc': 'Type or value exists'}

I also tried to compare the rejected object in Samba 4 and LDAP. Objects has too many differences, so I have no idea where to look.

Samba 4 object
root@pdc-ucs:/var/log/univention# univention-s4search -b "CN=Петросян Евгений Ваганович,OU=Пользователи,DC=********,DC=*****"
# record 1
dn: CN=Савенкова Татьяна Юрьевна,OU=Пользователи,DC=********,DC=*****
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: 0KHQsNCy0LXQvdC60L7QstCwINCi0LDRgM0Y/QvdCwINCu0YDRjNC10LLQvdCw
sn:: 0KHQsNCy0LXQvdC60L7Qst
telephoneNumber: 4970
givenName:: 0KLQsNGC0Yzj9C90LA=
initials:: 0K4=
instanceType: 4
whenCreated: 20111215063212.0Z
displayName:: 0KHQsNCy0LXQvdC60L7QstCwINCi0LDRgtM0Y/QvdCwINCu0YDRjNC10LLQvdCw
uSNCreated: 4395
department:: 0JTQvtCz0L7QstC+0YDQdC+0Lk=
name:: 0KHQsNCy0LXQvdC60L7QstCwICi0LDRgtGM0Y/QvdCwINCu0YDRjNC10LLQvdCw
objectGUID: c300f0d0-bf46-4b34-bfb9-9ed244a7f3e3
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130742468763145943
primaryGroupID: 513
objectSid: S-1-5-21-1199442534-881430337-3625002669-1142
accountExpires: 9223372036854775807
sAMAccountName: petrosyan
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=********,DC=*****
mail: petrosyan@********.*****
memberOf:: Q0490J7RgtC00LXQuyDQtNC+0LPQvtCy0L7RgNC+0LIsQ049VXNlnMsREM9a3Jpc3RhLXR1bGEsREM9bG9jYWw=
memberOf:: Q049RGVwYXJ0bWVudHMuQWRtaW5pc3RyYXRpb24sT1U90JPRNGD0L/Qv9GLLERDPWtyaXN0YS10dWxhLERDPWxvY2Fs
memberOf:: Q049RGVwYXJ0bWVudHMuQWxsLE9VPdCT0YDRg9C/0L/RiyxQz1rcmlzdGEtdHVsYSxEQz1sb2NhbA==
userPrincipalName: petrosyan@********.*****
lastLogon: 132234090975085930
logonCount: 1050
lastLogonTimestamp: 132234090975085930
whenChanged: 20200113171137.0Z
uSNChanged: 72396
distinguishedName:: Q0490KHQsNCy0LXQvdC60L7QstCwINCi0LDRgtG0Y/QvdCwINCu0YDRjNC10LLQvdCwLE9VPdCf0L7Qu9GM0LfQvtCy0LDRgtC10LvQuCxEQz1rcmlzdGEtdHVsYSxEQz1sb2NhbA==

# returned 1 records
# 1 entries
# 0 referrals
LDAP Object
root@pdc-ucs:/var/log/univention# univention-ldapsearch -b "uid=petrosyan,ou=пользователи,dc=********,dc=*****"
# extended LDIF
#
# LDAPv3
# base <uid=petrosyan,ou=пользователи,dc=********,dc=*****> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# petrosyana, \D0\9F\D0\BE\D0\BB\D1\8C\D0\B7\D0\BE\D0\B2\D0\B0\D1\82\D0\B5\D0\BB\D0\B8, ********.*****
dn:: dWlkPWl6bWFpbG92YSxvdT3Qn9C+0LvRjNC30L7QstCw0YLQtdC7ZGM9a3Jpc3RhLXR1bGEsZGM9bG9jYWw=
uid: petrosyan
krb5PrincipalName: petrosyan@********.*****
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionObject
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: posixAccount
uidNumber: 2048
sambaAcctFlags: [U          ]
sambaPasswordHistory: EF1D054E4B8C0652155F0B8B3E1085DBAF0FD86128855E9147B3EC808F
sambaBadPasswordCount: 0
krb5MaxLife: 86400
cn:: 0KLQsNGC0YzRj9C90LAg0KHQsNLvdC60L7QstCw
krb5MaxRenew: 604800
sambaBadPasswordTime: 0
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
telephoneNumber: 4970
displayName:: 0KHQsNCy0LXQvdC60L7QstCwINCi0LDRgtGM0Y/QvdCwINCu0jNC10LLQvdCw
mailPrimaryAddress: petrosyan@********.*****
sambaSID: S-1-5-21-1199442534-881430337-3625002669-1142
sn:: 0KHQsNCy0LXQvdC60L7QstCw
pwhistory: $6$SbsLU8mjqujZx.$vYan4gt40EhJWIoxII0a7yCGw6JGgYR8QDafeVzbJuRTciQsKoYa0fySZoo0.ezEPBkITJsH4DmGbRQ.
homeDirectory: /home/petrosyan
givenName:: 0KLQsNGC0YzRjC90LA=
sambaNTPassword: D5EB66097326E488573E3A6C071BF7
krb5Key:: MB2hGzAZoAMCARehQQ1etmCXMm5IbIVz46bAcb9w==
krb5Key:: MFShKzApoAMCARKhIgQg+nTisIUkdwT6RPDKtlooMZF24cJBU5Cy0yvYAay4+iJTAjoAMCAQOhHAQaS1JJU1RBLVRVTEEuTE9DQUxpem1haWxvdmE=
krb5Key:: MEShGzAZoAMCARGhEgQQif036IgLo9AdmHdjTwfaIlMCOgAwIBA6EcBBpLUklTVEEtVFVMQS5MT0NBTGl6bWFpbG92YQ==
krb5Key:: MDyhEzARoAMCAQOhCgQIj/6KKeNPMa6iJTAAMCAQOhHAQaS1JJU1RBLVRVTEEuTE9DQUxpem1haWxvdmE=
krb5KeyVersionNumber: 4
userPassword:: e0s1SZfQ==
shadowLastChange: 16548
sambaPwdLastSet: 1429773276
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-1199442534-881430337-3625002669-513

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Thanks for any help.

Hi,

I am unsure if this matches correctly but there is a bug related to the error description. You might update at least to 4.4-3e289 to get this fixed.

Let’s see if it helps.

/CV