Fixing UNIVENTION_S4CONNECTOR errors for cn=Console Logon,cn=Builtin
Fixing UCS S4 Connector rejects for CN=Console Logon,CN=Builtin entries via ignorelist filter without having to delete entries.
Recently I got a Nagios (yes, that's still a thing) alert with this error:
S4CONNECTOR WARNING: Found 2 reject(s)! Please check output of univention-s4connector-list-rejected.
Ok, so looking at the rejected list with univention-s4connector-list-rejected showed me these rejects:
UCS rejected
1: UCS DN: cn=Console Logon,cn=Builtin,dc=example,dc=at
S4 DN: cn=console logon,cn=builtin,DC=example,DC=at
Filename: /var/lib/univention-connector/s4/1563128807.380239
S4 rejected
1: S4 DN: CN=Console Logon,CN=Builtin,DC=example,DC=at
UCS DN: cn=console logon,cn=builtin,dc=example,dc=at
This is odd, as it seems to be something internal and nothing created by admins, so why the reject?
After a bit of reading through the Univention forum I found the solution for this: you need to add "Console Logon" to the S4 mapping ignorelist. Here's how to do it.
This is based on these two posts on the UCS forum:
- Nicht synchronisierte S4 Connector Objekte (German)
- HowTo: S4-Connector Rejects –> DN: cn=Console Logon (German)
Set ignorelist via web interface
Log in to your UCS admin and go to System -> Univention Configuration Registry (aka UCR).
Filter for S4 and Ignorelist, then edit the entry and append the value Console Logon to it.
Save it and restart the service to fix the issue:
/etc/init.d/univention-s4-connector restart
Set ignorelist via CLI
You can also set the value via CLI if you prefer, but be careful not to remove the existing values.
First look at the existing values:
ucr get connector/s4/mapping/group/ignorelist
Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self
Then update the setting, including the new value:
ucr set connector/s4/mapping/group/ignorelist="Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self,Console Logon"
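An added example, not from the original post: a small POSIX shell helper that appends an entry to the ignorelist by reading the current value with ucr get instead of retyping it, and does nothing if the entry is already present. The function names, the --apply switch and the backup path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: append to the S4 connector group ignorelist without
# retyping (and possibly truncating) the existing comma-separated value.

UCR_KEY="connector/s4/mapping/group/ignorelist"

# merge_ignorelist CURRENT NEW
# Prints CURRENT with NEW appended, unless NEW is already an element.
# Matching is exact on whole elements, so "Logon" does not match
# "Anonymous Logon". Empty entries or entries containing a comma are refused.
merge_ignorelist() {
    current=$1
    new=$2
    case "$new" in
        ''|*,*) echo "invalid entry: '$new'" >&2; return 1 ;;
    esac
    case ",$current," in
        *",$new,"*) printf '%s\n' "$current" ;;            # already present
        ",,")       printf '%s\n' "$new" ;;                 # list was empty
        *)          printf '%s,%s\n' "$current" "$new" ;;   # append
    esac
}

# apply_ignorelist_entry ENTRY
# Reads the live value, writes it back only if it changed, then restarts
# the connector as described in the post.
apply_ignorelist_entry() {
    entry=$1
    old=$(ucr get "$UCR_KEY") || return 1
    merged=$(merge_ignorelist "$old" "$entry") || return 1
    if [ "$merged" = "$old" ]; then
        echo "'$entry' is already in $UCR_KEY, nothing to do"
        return 0
    fi
    # Backup location is an assumption; pick any path you prefer.
    printf '%s\n' "$old" > /root/s4-group-ignorelist.bak
    ucr set "$UCR_KEY=$merged"
    /etc/init.d/univention-s4-connector restart
}

# Only touch the system when explicitly asked:
#   sh add-ignorelist.sh --apply "Console Logon"
if [ "${1:-}" = "--apply" ]; then
    apply_ignorelist_entry "${2:-Console Logon}"
fi
```

Without --apply the script only defines the functions, so merge_ignorelist can be tried against a copied value before anything is written.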