How-to: Handle s4-connector rejects

What are rejects?

Every change in OpenLDAP or Samba is transferred to the other system by the s4-connector, which keeps the two in sync.

By changes we mean, for example, changing a first name, last name or phone number.

s4-connector rejects occur when such changes cannot be synchronized for various reasons.

How to deal with rejects?

You can use the following command to have a look at the current S4-Connector replication status:

root@example:~# univention-s4connector-list-rejected

UCS rejected


S4 rejected


There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.


	last synced USN: 4223
root@example:~# 
  • UCS rejected refers to object modifications that have been detected in UCS/OpenLDAP and could not be synchronized to the Samba/AD directory service.
  • S4 rejected on the other hand refers to object modifications that have been detected in Samba/AD and could not be synchronized to the UCS/OpenLDAP directory service.

If you see rejected objects in the output, it is recommended to look at the relevant log file, which in this case is /var/log/univention/connector-s4.log, to determine the reason for the reject.

In most cases you will find a corresponding traceback, which you can hand over to your supporter if in doubt.
If the reason shown is not obvious (or not accurate), it can be helpful to compare the rejected object in Samba 4 and LDAP. You can use the following commands:

root@dc1:~# univention-ldapsearch -b "objectdn"
root@dc1:~# univention-s4search -b "objectdn"

For example:

# User
univention-ldapsearch -b "uid=administrator,cn=users,dc=domain,dc=de"
univention-s4search -b "cn=administrator,cn=users,dc=domain,dc=de"

# DNS
univention-ldapsearch -b "relativeDomainName=_ldap_tcp,zoneName=domain.de,cn=dns,dc=domain,dc=de"
univention-s4search -b "dc=_ldap._tcp.DomainDnsZones,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de" --cross-ncs

If the objects are equal and you are sure about this, the reject may already be resolved. This can happen if discrepancies were resolved outside of the connector. In these cases the rejects can be removed. This could also be the case if you removed unwanted objects with ldbdel, for example.
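One way to make the comparison described above less error-prone, as an added example that is not part of the original article or of Univention's tooling: save the LDIF output of the two search commands and diff selected attributes. The function names, the attribute list and the sample LDIF are assumptions constructed for illustration.

```python
import base64

# Attributes to compare; this list is an assumption, extend it as needed.
COMPARE = ("givenName", "sn", "telephoneNumber", "mail", "description")

def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: set(values)}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif ":" in raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" carries non-ASCII data
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), set()).add(value.strip())
    return entry

def diff_objects(ucs_ldif, s4_ldif, attrs=COMPARE):
    """Return {attr: (ucs_values, s4_values)} for attributes that differ."""
    ucs, s4 = parse_ldif(ucs_ldif), parse_ldif(s4_ldif)
    result = {}
    for attr in attrs:
        a, b = ucs.get(attr.lower(), set()), s4.get(attr.lower(), set())
        if a != b:
            result[attr] = (sorted(a), sorted(b))
    return result

# Constructed sample output, not taken from a real system.
UCS_SAMPLE = """\
dn: uid=administrator,cn=users,dc=domain,dc=de
givenName: Anna
sn:: TcO8bGxlcg==
telephoneNumber: +49 421 000000
"""
S4_SAMPLE = """\
dn: CN=administrator,CN=users,DC=domain,DC=de
givenName: Anna
sn: Mueller
telephoneNumber: +49 421 000000
"""

if __name__ == "__main__":
    for attr, (ucs, s4) in diff_objects(UCS_SAMPLE, S4_SAMPLE).items():
        print(f"{attr}: UCS={ucs} S4={s4}")
```

An empty result for the attributes you care about supports the conclusion that the reject is already resolved; a non-empty one shows which values still differ between the two directories.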

Remove rejects

Rejects are saved in an SQLite database, so they have to be removed from that database.

Remove S4 reject:

root@master:~# /usr/share/univention-s4-connector/remove_s4_rejected.py CN=Administrator,CN=Users,DC=example,DC=ucs

Remove UCS/LDAP reject:

root@master:~# /usr/share/univention-s4-connector/remove_ucs_rejected.py uid=Administrator,cn=users,dc=example,dc=ucs

Trigger resync

You can also try to sync changes from one directory service to the other, for example by triggering a resync of a Samba/AD object to OpenLDAP.

S4 resync:

root@master:~# /usr/share/univention-s4-connector/resync_object_from_s4.py --filter cn=Administrator
resync triggered for CN=Administrator,CN=Users,DC=example,DC=ucs
Estimated sync in 50 seconds.

UCS resync:

root@master:~# /usr/share/univention-s4-connector/resync_object_from_ucs.py --filter uid=Administrator
resync triggered for uid=Administrator,cn=users,dc=example,dc=ucs

What can I do if this article didn’t help?

If you cannot resolve the rejects in this way, you can check this article or open a ticket with our support (enterprise subscription needed).
