Sync to UCS failing due to DRSException for some users


#1

Hi,

While synchronising AD objects, the UCS AD Connector is not synchronising a few objects, and the error below is seen in the connector.log file.

I have set up the UCS AD connection service in “Synchronization of account data between an AD domain and a UCS domain” mode.

04.01.2017 16:13:06,780 LDAP (WARNING): sync to ucs was not successfull, save rejected
04.01.2017 16:13:06,780 LDAP (WARNING): object was: CN=test,OU=388,OU=Managed Users,OU=Users,OU=sss,DC=ddd,DC=aaa,DC=hhh,DC=uk
04.01.2017 16:13:06,797 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=tayll98,ou=388,ou=managed users,ou=users,ou=sdhis,dc=ddd,dc=aaa,dc=hhh,dc=uk
04.01.2017 16:13:07,461 LDAP (ERROR ): failed in post_con_modify_functions
04.01.2017 16:13:07,462 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1326, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 381, in password_sync
    res = get_password_from_ad(connector, univention.connector.ad.compatible_modstring(object['dn']))
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 166, in get_password_from_ad
    connector.open_drs_connection()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 850, in open_drs_connection
    self.drs, self.drsuapi_handle, bind_supported_extensions = drs_utils.drsuapi_connect(self.ad_ldap_host, lp, repl_creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
drsException: drsException: DRS connection to DC01.ddd.aaa.hhh.uk failed: (-1073741715, 'Logon failure')

Also, I have made some code changes to skip the DNS check when the UCS AD connector tries to connect with the AD domain controller.
Please see this post for details https://help.univention.com/t/windows-vertrauensstellung/118/1
Can someone please throw some light on this?

Regards,
Nitin


#2

I am also getting different errors for different objects. I am getting the error below for a few objects:

04.01.2017 17:12:17,255 LDAP (WARNING): sync to ucs was not successfull, save rejected
04.01.2017 17:12:17,255 LDAP (WARNING): object was: CN=test111,OU=388,OU=Managed Users,OU=Users,OU=sdhis,DC=ddd,DC=aaa,DC=hhh,DC=uk
04.01.2017 17:12:17,256 LDAP (WARNING): sqlite: unable to open database file
04.01.2017 17:12:17,257 LDAP (WARNING): sqlite: unable to open database file
04.01.2017 17:12:17,263 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=darlc98,ou=388,ou=managed users,ou=users,ou=sdhis,dc=ddd,dc=aaa,dc=hhh,dc=uk
04.01.2017 17:12:17,737 LDAP (ERROR ): Unknown Exception during sync_to_ucs
04.01.2017 17:12:17,737 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1300, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1158, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 305, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 722, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1987, in _ldap_modlist
    newPWHistory = self.__getPWHistory(univention.admin.password.crypt(self['password']), pwhistory, pwhlen)
  File "/usr/lib/pymodules/python2.7/univention/admin/password.py", line 54, in crypt
IOError: [Errno 24] Too many open files: '/dev/urandom'

Regards,
nitin


#3

Hi All,

A quick update: even though these errors appear in the connector log files, these users are still synchronised in UCS.

All rejections appear as AD rejected and not UCS rejected. What does that mean?

Any idea why this is so?

Regards,
Nitin


#4

Hm, the first error seems rather self-explanatory:

drsException: drsException: DRS connection to DC01.ddd.aaa.hhh.uk failed: (-1073741715, 'Logon failure')

The DRS connection does not happen. Since the DRS replication relies on DNS as well, it may be that your problem from the first thread resurfaced.

IOError: [Errno 24] Too many open files: '/dev/urandom'

Is everything okay with the server? An IOError at the sync with:

04.01.2017 17:12:17,256 LDAP (WARNING): sqlite: unable to open database file
04.01.2017 17:12:17,257 LDAP (WARNING): sqlite: unable to open database file

seems not normal to me. Is that constantly present or only at high-load times?
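
One way to check whether these errors are constant or clustered at busy times is to count them per minute of log time. This is an added example, not part of the original posts and not Univention code; the regex assumes the connector.log entry layout seen in the quoted lines, and the signature labels are hypothetical names.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Start of an entry: "DD.MM.YYYY HH:MM:SS,mmm LDAP (LEVEL): " (layout assumed from the thread)
ENTRY = re.compile(r"(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}),\d{3} LDAP \((\w+)\s*\): ")

# Substrings taken from the errors quoted in this thread; the keys are hypothetical labels.
SIGNATURES = {
    "drs_logon_failure": "Logon failure",
    "fd_exhaustion": "Too many open files",
    "sqlite_open_failed": "sqlite: unable to open database file",
}

def parse_entries(text):
    """Yield (timestamp, level, message); a traceback stays attached to its entry.

    Works whether entries are one per line or run together on a single line.
    """
    marks = list(ENTRY.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
        yield ts, m.group(2), text[m.end():end].strip()

def errors_per_minute(text):
    """Count each known error signature per minute of log time."""
    buckets = defaultdict(Counter)
    for ts, _level, msg in parse_entries(text):
        for name, needle in SIGNATURES.items():
            if needle in msg:
                buckets[ts.replace(second=0)][name] += 1
    return dict(buckets)

# Constructed sample, shortened from the log lines quoted in the posts above.
SAMPLE = """\
04.01.2017 16:13:07,461 LDAP (ERROR ): failed in post_con_modify_functions
04.01.2017 16:13:07,462 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
drsException: DRS connection to DC01.ddd.aaa.hhh.uk failed: (-1073741715, 'Logon failure')
04.01.2017 17:12:17,256 LDAP (WARNING): sqlite: unable to open database file
04.01.2017 17:12:17,257 LDAP (WARNING): sqlite: unable to open database file
04.01.2017 17:12:17,737 LDAP (ERROR ): Traceback (most recent call last):
IOError: [Errno 24] Too many open files: '/dev/urandom'
"""

if __name__ == "__main__":
    for minute, counts in sorted(errors_per_minute(SAMPLE).items()):
        print(minute.strftime("%d.%m.%Y %H:%M"), dict(counts))
```

Minutes in which the sqlite and "Too many open files" counts rise together point at file descriptor exhaustion in the connector process rather than at the AD side.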