[System diagnostic] User "krbtgt": S4 Connector & Check well known SIDs

active-directory

#1

Hello UCS-Community,

I probably have a problem with the user ‘KRBTGT’. The system diagnostic showed me the following:

Found 1 UCS rejects and 0 S4 rejects. See Univention Support Database - How to deal with s4-connector rejects for more information.
UCS rejected: UCS DN: uid=krbtgt,cn=users,dc=euroident,dc=intranet, S4 DN: cn=krbtgt,cn=users,DC=euroident,DC=intranet, Filename: /var/lib/univention-connector/s4/1489690202.650298
No user or group with SID S-1-5-21-2585403930-902124730-639339100-502 found, expected 'KRBTGT'.

The currently installed release version is 4.3-1 errata112. How can I solve this problem?


#2

Hey,

please take a look at the log file /var/log/univention/connector-s4.log and post an example of the error message(s) produced while it’s trying to sync the krbtgt object. It looks like it was removed either in the Samba 4 LDAP or in the OpenLDAP.

Please also post the output of the following two commands:

univention-ldapsearch uid=krbtgt
univention-s4search cn=krbtgt

Kind regards,
mosu


#3

File /var/log/univention/connector-s4.log

14.06.2018 12:26:37,34 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1489690202.650298
14.06.2018 12:26:37,42 LDAP        (PROCESS): sync from ucs: [          user] [    delete] cn=krbtgt,cn=users,DC=euroident,DC=intranet
14.06.2018 12:26:37,61 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1489690202.650298
14.06.2018 12:26:37,62 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 898, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2754, in sync_from_ucs
    self.delete_in_s4(object, property_type)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2783, in delete_in_s4
    self.lo_s4.lo.delete_s(compatible_modstring(object['dn']))
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 333, in delete_s
    return self.delete_ext_s(dn,None,None)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 326, in delete_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
OTHER: {'info': 'error in module samldb: Other during LDB_DELETE (80)', 'desc': 'Other (e.g., implementation specific) error'}
root@c3po:/home/Administrator# univention-ldapsearch uid=krbtgt
# extended LDIF
#
# LDAPv3
# base <dc=euroident,dc=intranet> (default) with scope subtree
# filter: uid=krbtgt
# requesting: ALL
#

# search result
search: 3
result: 0 Success

# numResponses: 1
root@c3po:/home/Administrator# univention-s4search cn=krbtgt
# record 1
dn: CN=krbtgt,CN=Users,DC=euroident,DC=intranet
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: krbtgt
description: Key Distribution Center Service Account
instanceType: 4
whenCreated: 20170316172700.0Z
uSNCreated: 3549
showInAdvancedViewOnly: TRUE
name: krbtgt
objectGUID: da224bf3-39fd-4e5e-9749-a8986d81b86f
userAccountControl: 514
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-2585403930-902124730-639339100-502
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: krbtgt
sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=euroident,DC=intranet
isCriticalSystemObject: TRUE
displayName: none
sn: none
whenChanged: 20170316172932.0Z
userPrincipalName: krbtgt@EUROIDENT.INTRANET
pwdLastSet: 131341588200000000
uSNChanged: 3819
distinguishedName: CN=krbtgt,CN=Users,DC=euroident,DC=intranet

# Referral
ref: ldap://euroident.intranet/CN=Configuration,DC=euroident,DC=intranet

# Referral
ref: ldap://euroident.intranet/DC=DomainDnsZones,DC=euroident,DC=intranet

# Referral
ref: ldap://euroident.intranet/DC=ForestDnsZones,DC=euroident,DC=intranet

# returned 4 records
# 1 entries
# 3 referrals

#4

Hey,

alright, it’s been deleted on the UCS/OpenLDAP side, for whatever reason. This is an account that must exist, therefore Samba is refusing to remove it.

You can try to sync the object from the Samba 4 LDAP to the OpenLDAP again. In order to do so, first remove the conflict, then trigger the re-sync:

/usr/share/univention-s4-connector/remove_ucs_rejected.py uid=krbtgt,cn=users,dc=euroident,dc=intranet
/usr/share/univention-s4-connector/resync_object_from_s4.py cn=krbtgt,cn=users,DC=euroident,DC=intranet

Then follow the aforementioned log file. The resync can take up to a minute to start. If the connector-s4.log shows a successful sync from Samba 4 to UCS for that object, you can re-run the system diagnostic.

Kind regards,
mosu
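
The check the diagnostic performs and the procedure above can be exercised offline. The following script is an added example for this thread, not Univention's connector code: it pulls the rejected-file paths out of the connector-s4.log excerpt from post #3, parses the two ldapsearch outputs from the same post, and reports which side lacks the krbtgt object and whether the Samba objectSid carries the well-known RID 502 that the diagnostic expects for KRBTGT. The function names, the minimal LDIF parser and the sample strings (trimmed copies of the thread's output) are assumptions of this example.

```python
"""Consistency check for the krbtgt account between OpenLDAP (UCS) and Samba 4.

Added example for this thread, not Univention code. The log and LDIF layouts
are taken from the output posted above; all function names are assumptions.
"""
import re

# Well-known RIDs of built-in domain accounts; the diagnostic expects 502 -> KRBTGT.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit; krbtgt is disabled by design

# In connector-s4.log the reject path follows "saved as rejected" on the next line.
REJECT_RE = re.compile(r"saved as rejected\s+(?P<path>/var/lib/univention-connector/\S+)")
RESYNC_RE = re.compile(r"Resync rejected file: (?P<path>\S+)")
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+)$")

# Constructed sample input: trimmed from the connector-s4.log excerpt in post #3.
SAMPLE_LOG = """
14.06.2018 12:26:37,34 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1489690202.650298
14.06.2018 12:26:37,42 LDAP        (PROCESS): sync from ucs: [          user] [    delete] cn=krbtgt,cn=users,DC=euroident,DC=intranet
14.06.2018 12:26:37,61 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1489690202.650298
14.06.2018 12:26:37,62 LDAP        (WARNING): Traceback (most recent call last):
"""

# Constructed sample input: the empty univention-ldapsearch result from post #3.
SAMPLE_UCS_LDIF = """
# extended LDIF
# filter: uid=krbtgt

# search result
search: 3
result: 0 Success

# numResponses: 1
"""

# Constructed sample input: univention-s4search result from post #3, trimmed.
SAMPLE_S4_LDIF = """
# record 1
dn: CN=krbtgt,CN=Users,DC=euroident,DC=intranet
objectClass: user
cn: krbtgt
userAccountControl: 514
objectSid: S-1-5-21-2585403930-902124730-639339100-502
sAMAccountName: krbtgt
isCriticalSystemObject: TRUE

# Referral
ref: ldap://euroident.intranet/CN=Configuration,DC=euroident,DC=intranet
"""


def find_rejected_files(log_text):
    """Return the distinct reject file paths mentioned in the log, in order of appearance."""
    paths = []
    for pattern in (RESYNC_RE, REJECT_RE):
        for match in pattern.finditer(log_text):
            if match.group("path") not in paths:
                paths.append(match.group("path"))
    return paths


def parse_ldif(text):
    """Parse plain LDIF (no base64, no folded lines) into a list of attribute dicts.

    Comment lines are skipped; blocks without a 'dn' (the ldapsearch trailer and
    referrals) are dropped so only real entries are returned.
    """
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            current.setdefault(attr, []).append(value.strip())
    if current:
        records.append(current)
    return [r for r in records if "dn" in r]


def rid_of(sid):
    """Relative identifier of a domain SID, or None for non-domain SIDs."""
    match = SID_RE.match(sid or "")
    return int(match.group("rid")) if match else None


def check_krbtgt(ucs_ldif, s4_ldif):
    """Compare both directories and summarise what the diagnostic would complain about."""
    ucs = [r for r in parse_ldif(ucs_ldif) if "krbtgt" in r.get("uid", [])]
    s4 = [r for r in parse_ldif(s4_ldif) if "krbtgt" in r.get("cn", [])]
    report = {"in_ucs": bool(ucs), "in_s4": bool(s4), "sid": None, "rid": None,
              "rid_matches_krbtgt": False, "disabled": None}
    if s4:
        sid = s4[0].get("objectSid", [None])[0]
        uac = int(s4[0].get("userAccountControl", ["0"])[0])
        report.update(sid=sid, rid=rid_of(sid),
                      rid_matches_krbtgt=WELL_KNOWN_RIDS.get(rid_of(sid)) == "krbtgt",
                      disabled=bool(uac & UF_ACCOUNTDISABLE))
    if report["in_s4"] and not report["in_ucs"]:
        report["status"] = "missing_in_ucs"      # resync the object from Samba 4
    elif report["in_ucs"] and not report["in_s4"]:
        report["status"] = "missing_in_s4"
    elif report["in_ucs"]:
        report["status"] = "present_on_both_sides"
    else:
        report["status"] = "missing_on_both_sides"
    return report


if __name__ == "__main__":
    print("rejects:", find_rejected_files(SAMPLE_LOG))
    print(check_krbtgt(SAMPLE_UCS_LDIF, SAMPLE_S4_LDIF))
```

On the thread's data the report comes back with `status == "missing_in_ucs"`, RID 502 and the account disabled, which is exactly the situation post #4 resolves by removing the UCS reject and resyncing the object from Samba 4; a `missing_in_s4` or `missing_on_both_sides` result would need a different remedy, since Samba refuses to delete this critical system object.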


#5

Hey Moritz,

thank you for your quick and competent help. It works now.

Best regards,
Frank Schmid


#6

You’re quite welcome. Glad I could help.