Additional information:
There are more problems. A lot of groups weren’t in cn=groups but in cn=users. I moved them back. The user uid=krbtgt is missing and the s4connector rejects a sync with samba4. Additionally, relativeDomainName=@,zoneName=example.com,cn=dns,dc=example,dc=com is missing in s4.
I’d like to first solve the krbtgt issue, but [System diagnostic] User "krbtgt": S4 Connector & Check well known SIDs does not work for me. The log still shows
15.09.2020 13:41:49.660 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1598434249.010041
15.09.2020 13:41:49.663 LDAP (PROCESS): sync from ucs: [ dns] [ delete] DC=@,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
15.09.2020 13:41:49.681 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1598434249.010041
15.09.2020 13:41:49.681 LDAP (WARNING): Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 891, in __sync_file_from_ucs
if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2617, in sync_from_ucs
self.property[property_type].con_sync_function(self, property_type, object)
File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/dns.py", line 1630, in ucs2con
s4_zone_delete(s4connector, object)
File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/dns.py", line 880, in s4_zone_delete
res = s4connector.lo_s4.lo.delete_s(zone_dn)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 333, in delete_s
return self.delete_ext_s(dn,None,None)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 326, in delete_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
result = func(*args,**kwargs)
NOT_ALLOWED_ON_NONLEAF: {'info': '00002015: subtree_delete: Unable to delete a non-leaf node (it has 62 children)!', 'desc': 'Operation not allowed on non-leaf'}
15.09.2020 13:41:49.681 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=krbtgt,CN=Users,DC=example,DC=com
15.09.2020 13:41:49.686 LDAP (PROCESS): sync to ucs: [ user] [ add] u'uid=krbtgt,CN=Users,dc=example,dc=com'
15.09.2020 13:41:49.943 LDAP (ERROR ): Value may not change: key=gidNumber old=None new=5001 (u'uid=krbtgt,CN=Users,dc=example,dc=com')
I guess both sync issues are connected to my DNS problem.
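As an added example (not Univention or UCS code), a small parser that turns S4 Connector log lines of the shape quoted above into structured findings, so the rejected file, the operation that failed, the LDAP result code and the refused attribute change can be picked out of a long log quickly. The line format, the sample lines and the finding names are assumptions modelled on this post.

```python
# Added example, not UCS code: triage S4 Connector log lines like the ones quoted above.
import re

# "DD.MM.YYYY HH:MM:SS.mmm LDAP (LEVEL): message"; the level may be padded, e.g. "(ERROR )"
LINE_RE = re.compile(r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) LDAP \((?P<level>[A-Z ]+)\): (?P<msg>.*)$")
REJECT_RE = re.compile(r"Resync rejected (?P<what>file|dn): (?P<value>.+)$")
SYNC_OP_RE = re.compile(r"sync (?P<direction>from|to) ucs: \[\s*(?P<kind>\w+)\] \[\s*(?P<op>\w+)\] (?P<dn>.+)$")
VALUE_RE = re.compile(r"Value may not change: key=(?P<key>\w+) old=(?P<old>\S+) new=(?P<new>\S+) \(u?'(?P<dn>[^']+)'\)")
# Last traceback line: "<LDAP_RESULT_CODE>: {'info': ..., 'desc': '...'}" (carries no timestamp)
LDAP_ERR_RE = re.compile(r"^(?P<code>[A-Z_]+): \{.*'desc': '(?P<desc>[^']+)'")


def _strip_repr(dn):
    """Turn a Python 2 repr such as u'uid=x,dc=y' back into the plain DN."""
    return dn[2:-1] if dn.startswith("u'") and dn.endswith("'") else dn


def triage(lines):
    """Return the findings (dicts) relevant to a rejected sync, in log order."""
    findings, last_ts = [], None
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            e = LDAP_ERR_RE.match(line)  # traceback tail: attribute it to the last timestamp seen
            if e:
                findings.append({"ts": last_ts, "type": "ldap_error", "code": e.group("code"), "desc": e.group("desc")})
            continue
        last_ts, level, msg = m.group("ts"), m.group("level").strip(), m.group("msg")
        if (r := REJECT_RE.search(msg)):
            findings.append({"ts": last_ts, "type": "rejected", "what": r.group("what"), "value": r.group("value")})
        elif (s := SYNC_OP_RE.search(msg)):
            findings.append({"ts": last_ts, "type": "sync_op", "direction": s.group("direction"),
                             "kind": s.group("kind"), "op": s.group("op"), "dn": _strip_repr(s.group("dn"))})
        elif (v := VALUE_RE.search(msg)):
            findings.append({"ts": last_ts, "type": "value_refused", "key": v.group("key"),
                             "old": v.group("old"), "new": v.group("new"), "dn": v.group("dn")})
        elif level in ("WARNING", "ERROR"):
            findings.append({"ts": last_ts, "type": level.lower(), "msg": msg})
    return findings


# Constructed sample input, modelled on the lines quoted in the post.
SAMPLE_LOG = [
    "15.09.2020 13:41:49.660 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1598434249.010041",
    "15.09.2020 13:41:49.663 LDAP (PROCESS): sync from ucs: [ dns] [ delete] DC=@,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com",
    "15.09.2020 13:41:49.681 LDAP (WARNING): sync failed, saved as rejected",
    "NOT_ALLOWED_ON_NONLEAF: {'info': '00002015: subtree_delete: Unable to delete a non-leaf node (it has 62 children)!', 'desc': 'Operation not allowed on non-leaf'}",
    "15.09.2020 13:41:49.686 LDAP (PROCESS): sync to ucs: [ user] [ add] u'uid=krbtgt,CN=Users,dc=example,dc=com'",
    "15.09.2020 13:41:49.943 LDAP (ERROR ): Value may not change: key=gidNumber old=None new=5001 (u'uid=krbtgt,CN=Users,dc=example,dc=com')",
]
```

Running `triage(SAMPLE_LOG)` yields one finding per line above, with the NOT_ALLOWED_ON_NONLEAF result attached to the timestamp of the preceding warning.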