S4connector not syncing dns branch

I maintain our DNS stuff in UCS. It works most of the time. But today I noticed that a host entry in UCS couldn’t be resolved. I checked for s4connector rejects, and sure, there were some, but none related to the dns branch in slapd.

Of course I looked at the connector-s4.log but there’s nothing in there.

11.01.2021 15:09:25.923 LDAP        (PROCESS): sync from ucs: [     container] [       add] cn=dns,DC=secuinfra,DC=com

Obviously, a forced resync does not recurse into the branch :frowning_face:. Any idea how to get it running again?

Additional info:

Samba 4 reports the following on service startup: ucs-addc samba4[26591]: rndc: connect failed: 127.0.0.1#953: connection refused. Of course, bind9.service requests samba-ad-dc.service before it starts, so this connection has to fail.

Additional info:

The drive is at 100%. I guess that’s the problem :smiley:. I’ll increase the virtual drive and try again.

Well, the connector didn’t pick up anything yet. So I force-resynced my whole zone:

for dn in $(univention-ldapsearch -b zonename=example.com,cn=dns,dc=example,dc=com dn | grep "^dn: re" | cut -d":" -f 2); do /usr/share/univention-s4-connector/resync_object_from_ucs.py "$dn"; done

Afterwards I deleted a test record to see if the connector syncs this deletion. It’s running, but changes in slapd aren’t picked up by the connector.

I’d say the s4connector works as intended but it isn’t notified of changes.

The forum suggested a post titled “problems with listener” which made me investigate there a little bit further. But the log files didn’t state anything obvious.

Only an error message which I used for a websearch:

LISTENER ( ERROR ) : notifier.c:129:notifier_wait_id_result LDAP failed No such object (32): id:7255

But it brought up “Probleme mit UDN Replikation”, which again had a link to “Troubleshooting: Listener-/Notifier”, which had a link to “How-To: Check and Fix if Notifier Files are Corrupted”.

The most important takeaways up to this point were:

  • There is a tool to check the replication status:
univention-directory-listener-ctrl status
  • And a nagios plugin that can be used on the command line:
/usr/lib/nagios/plugins/check_univention_replication
  • There are the transaction log (tail -1 /var/lib/univention-ldap/notify/transaction) and the last transaction id processed by the listener (cat /var/lib/univention-directory-listener/notifier_id)

Afterwards I followed the guide, stopping the corresponding services and backing up the data. It’s really nice that Univention provides a tool for checking the transaction log:

root@ucs-addc:~# /usr/share/univention-directory-notifier/univention-translog check
2021-01-22 11:10:19,543:ERROR:/var/lib/univention-ldap/notify/transaction:7255:'7258 relativeDomainName=db,zoneName=secuinfra.com,cn=dns,dc=secuinfra,dc=com a\n': Hole after '7254 cn=file,cn=memberserver,cn=computers,dc=secuinfra,dc=com m'

/var/lib/univention-ldap/notify/transaction needs fixing:
- missing transactions in sequence

You can re-run this tool with the option "--fix" in order to try to fix this issue.
See <https://help.univention.com/t/problem-umc-diagnostic-module-complains-about-problems-with-udn-replication/11707/1> for more details. 

It even suggests fixing:

root@ucs-addc:~# /usr/share/univention-directory-notifier/univention-translog check --fix
2021-01-22 11:10:37,902:ERROR:/var/lib/univention-ldap/notify/transaction:7255:'7258 relativeDomainName=db,zoneName=secuinfra.com,cn=dns,dc=secuinfra,dc=com a\n': Hole after '7254 cn=file,cn=memberserver,cn=computers,dc=secuinfra,dc=com m'

/var/lib/univention-ldap/notify/transaction needs fixing:
- missing transactions in sequence
root@ucs-addc:~# /usr/share/univention-directory-notifier/univention-translog check
root@ucs-addc:~# systemctl start univention-directory-listener.service univention-directory-notifier.service slapd.service 

It even has a section with my specific error, which seems to be some kind of unspecific error:

Result 6 Any other message or " missing transactions in sequence"

The tool is not sure about the issue as it appears to have broken lines somehow. Remove the lines and retry.
To find these lines easier, you can use the script from this article.
Transaction file checking

Well … I should have read this link before, shouldn’t I?

Currently this article is under development as some issues have been identified. Please do not follow the steps below as long as this information has not been removed.

But right below

Important:

The following applies only for UCS lower than 4.3.3 - errata427
In later releases the behavior has vastly changed. You’ll find a related article here

Okay, another link. But this one seems familiar. Back to How-To: Check and Fix if Notifier Files are Corrupted. Did I drop into some kind of hellish loop of links? No answers, only references?

This time, ignoring the section with my error message from above, I continue to step 3, where I find out that my LDAP error from the start does have some meaning. Step 3, check 5 finally links to “Problem: no change of listener transaction id for last 0 checks”, which describes how to resolve my transaction issues.

And that’s how I resolved my problem with syncing the DNS branch. Actually, it didn’t sync anything beginning with the dns record where I first noticed the problem. Maybe someone will find this comment helpful or amusing. I can live with both :slight_smile:
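As an added illustration of the two checks from the takeaways and the translog output above (the listener notifier_id versus the newest transaction id, and the “Hole after …” / “missing transactions in sequence” condition), here is a small POSIX shell example. It is not Univention's code and not part of the original post; it assumes the transaction file format visible in the univention-translog output (one line per transaction, “<id> <dn> <op>”), and it runs against constructed sample files rather than the real paths.

```shell
#!/bin/sh
# Added example, not Univention's tooling: detect holes in the notifier
# transaction sequence and compute how far behind the listener is.
# Assumed format (from the univention-translog output): "<id> <dn> <op>".

# Constructed sample transaction log reproducing a gap 7254 -> 7258.
SAMPLE_TRANSLOG=$(mktemp)
cat >"$SAMPLE_TRANSLOG" <<'EOF'
7252 cn=file,cn=memberserver,cn=computers,dc=example,dc=com m
7253 relativeDomainName=www,zoneName=example.com,cn=dns,dc=example,dc=com a
7254 cn=file,cn=memberserver,cn=computers,dc=example,dc=com m
7258 relativeDomainName=db,zoneName=example.com,cn=dns,dc=example,dc=com a
7259 relativeDomainName=db,zoneName=example.com,cn=dns,dc=example,dc=com d
EOF

# Constructed notifier_id file: the listener stopped at 7254, right before the hole.
SAMPLE_NOTIFIER_ID=$(mktemp)
echo 7254 >"$SAMPLE_NOTIFIER_ID"
trap 'rm -f "$SAMPLE_TRANSLOG" "$SAMPLE_NOTIFIER_ID"' EXIT

# Print one line per hole ("<first>..<last> missing after: <previous line>").
# Exit status 1 if any hole was found, 0 if the id sequence is contiguous.
translog_holes() {
    awk '
        NR > 1 && $1 != prev_id + 1 {
            printf "%d..%d missing after: %s\n", prev_id + 1, $1 - 1, prev_line
            holes++
        }
        { prev_id = $1; prev_line = $0 }
        END { exit (holes > 0) }
    ' "$1"
}

# Newest transaction id written by the notifier (first field of the last line).
translog_last_id() {
    tail -n 1 "$1" | cut -d' ' -f1
}

# Transactions the listener still has to process: newest notifier id minus
# the id stored in the listener's notifier_id file.
# $1 = transaction file, $2 = notifier_id file
listener_lag() {
    echo $(( $(translog_last_id "$1") - $(cat "$2") ))
}

# Stand-alone run against the constructed files. On a real UCS host the paths
# would be /var/lib/univention-ldap/notify/transaction and
# /var/lib/univention-directory-listener/notifier_id.
if translog_holes "$SAMPLE_TRANSLOG"; then
    echo "transaction sequence is contiguous"
else
    echo "transaction sequence has holes, univention-translog check --fix territory"
fi
echo "listener lag: $(listener_lag "$SAMPLE_TRANSLOG" "$SAMPLE_NOTIFIER_ID") transactions"
```

A non-zero lag that never shrinks between two runs, combined with a hole reported right after the listener's current id, is exactly the picture from this thread: the notifier cannot hand out the missing id, so the listener (and with it the s4connector) stalls at that point and everything after it, DNS records included, is never synced.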