Univention Bugzilla – Bug 44032
10univention-ldap-server.inst does univention-ldapsearch without correct credentials
Last modified: 2020-07-03 20:52:02 CEST
10univention-ldap-server.inst contains

S4_DCS="$(univention-ldapsearch "(&(objectclass=univentionDomainController)(univentionService=Samba 4))" cn | sed -n 's/^cn: \(.*\)/\1/p')"

which is not using the correct credentials to talk to the LDAP server, like every other command does, e.g.:

/usr/share/univention-admin-tools/univention-dnsedit "$@" --ignore-exists \

This leads to the error message: "No such file or directory" in:

Configure /usr/lib/univention-install/10univention-ldap-server.inst 2017-03-22 16:07:04.383094416+01:00 (in joinscript_init)
/etc/machine.secret: No such file or directory
Adding SRV record "ldap tcp 0 100 7389 ucs-5995.orga.intranet." to zone orga.intranet... done
Adding ZONE record "root@orga.intranet. 1 28800 10800 604800 108001 ucs-5995.orga.intranet." to zone 10.200.12...
Object created: cn=ucs-5995,cn=dc,cn=computers,dc=orga,dc=intranet

and probably breaks the "if"-condition
svn r72057 changed "univention-ldapsearch -x" to "univention-ldapsearch" but this is not the cause, right?
(In reply to Florian Best from comment #1)
> svn r72057 changed "univention-ldapsearch -x" to "univention-ldapsearch" but
> this is not the cause, right?

no, it is that it is not using the correct credentials to talk to the LDAP server, like every other command does, e.g.: […] "$@" […]
What about those then?:

$ grep univention-ldapsearch $(find -name '*.inst') | grep -v -e '$@' -e '-y'
./base/univention-heimdal/15univention-heimdal-kdc.inst:samba4dcs=$(univention-ldapsearch -LLL "(&(univentionService=Samba 4)(objectClass=univentionDomainController))" cn | sed -ne 's|^cn: ||p')
./mail/univention-mail-cyrus-murder/81univention-mail-cyrus-murder.inst: murders=$(univention-ldapsearch univentionService="Cyrus Murder" uid | grep ^uid:| awk {'print $2'})
./management/univention-appcenter/30univention-appcenter.inst: univention-ldapsearch -LLL -o ldif-wrap=no -b cn=Subschema -s base attributeTypes | grep -Fq "NAME 'univentionAppID'"
./nagios/univention-nagios-ad-connector/31univention-nagios-ad-connector.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./nagios/univention-nagios-virtualization/31univention-nagios-libvirtd-kvm.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./nagios/univention-nagios-virtualization/31univention-nagios-libvirtd-xen.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./nagios/univention-nagios-virtualization/31univention-nagios-uvmmd.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./nagios/univention-nagios-s4-connector/31univention-nagios-s4-connector.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./nagios/univention-nagios-samba/31univention-nagios-samba.inst:if ! univention-ldapsearch -LLL -s base -b "cn=nagios,$ldap_base" dn >/dev/null 2>&1 ; then
./services/univention-dansguardian/79univention-dansguardian.inst: if ! univention-ldapsearch -LLL -s base -b "cn=UNIVENTION_DANSGUARDIAN,cn=nagios,$ldap_base" dn 2>/dev/null >/dev/null ; then
./services/univention-dansguardian/79univention-dansguardian.inst: if [ "$(univention-ldapsearch -LLL -b "$ldap_hostdn" univentionNagiosEnabled | sed -ne 's/univentionNagiosEnabled: //p')" = "1" ] ; then
./services/univention-dhcp/25univention-dhcp.inst:if [ 2 -ne "$(univention-ldapsearch -LLL -b 'cn=Subschema' -s base objectClasses | ldapsearch-wrapper | egrep -c "objectClasses: \( [0-9.]+ NAME '(dhcpTSigKey|dhcpFailOverPeer)'")" ]
./services/univention-dhcp/25univention-dhcp.inst: count="$(univention-ldapsearch -LLL -b "$ldap_base" "(objectClass=univentionDhcpSubnet)" dn | grep -c ^dn)"
./services/univention-dhcp/25univention-dhcp.inst: data="$(univention-ldapsearch -LLL -o ldif-wrap=no -s base -b "$dn")" || continue
./services/univention-dhcp/25univention-dhcp.inst: if ! univention-ldapsearch -LLL -b "$SERVICE" "(&(objectClass=univentionDhcpSubnet)(cn=$network))" dn | grep ^dn
./services/univention-pkgdb/50univention-pkgdb.inst:if [ -z "$(univention-ldapsearch -LLL relativeDomainName=_pkgdb._tcp relativeDomainName)" ]; then
./services/univention-printserver/79univention-printserver.inst:done < <(univention-ldapsearch -LLL "(&(univentionPrinterUseClientDriver=*)(univentionPrinterSpoolHost=$(hostname -f)))" dn | ldapsearch-wrapper | sed -n 's/dn: //p')
./services/univention-printserver/79univention-printserver.inst: if ! univention-ldapsearch -s base -b "cn=UNIVENTION_CUPS,cn=nagios,$ldap_base" dn 2>/dev/null >/dev/null ; then
./services/univention-printserver/79univention-printserver.inst: if [ "$(univention-ldapsearch -b "$ldap_hostdn" univentionNagiosEnabled | sed -ne 's/univentionNagiosEnabled: //p')" = "1" ] ; then
./services/univention-samba4/96univention-samba4.inst: IPs=$(univention-ldapsearch "(&(relativeDomainname=$hostname)(zoneName=$domainname))" aRecord aAAARecord \
./services/univention-samba4/96univention-samba4.inst: s4connector_dc_candidates=$(univention-ldapsearch "(&(univentionService=S4 Connector)(objectClass=univentionDomainController))" cn | ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p')
./services/univention-samba4/96univention-samba4.inst: if univention-ldapsearch -LLL univentionservice=UCS@school dn | grep -q ^dn; then
./services/univention-samba4/96univention-samba4.inst: group_dn="$(univention-ldapsearch "(&(objectClass=univentionGroup)(cn=$name))" | ldapsearch-wrapper | sed -ne 's|dn: ||p')"
./services/univention-samba4/96univention-samba4.inst: group_dn="$(univention-ldapsearch "(&(objectClass=univentionGroup)(cn=$name)(!(univentionGroupType=-2147483643)))" | ldapsearch-wrapper | sed -ne 's|dn: ||p')"
./services/univention-samba4/96univention-samba4.inst: if univention-ldapsearch sambaSID='S-1-5-9' cn | ldapsearch-wrapper | grep -q '^cn:'; then
./services/univention-squid-kerberos/98univention-squid-samba4.inst:if ! univention-ldapsearch -LLL "(univentionService=S4 Connector)" dn | grep -q ^dn:; then
The machine.secret is created some lines below. That's why this fails but the ones from below in comment #3 don't.

univention-ldap (13.0.6-1):
r78255 | Bug #44032: add missing "$@" for univention-ldapsearch in joinscript
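
The lookup in the report runs inside a command substitution piped into sed, so a search that fails for lack of credentials leaves S4_DCS empty with exit status 0, the same result as "no Samba 4 DC found". The sketch below is an added example, not part of the bug thread or of the join script; `ldap_search_stub`, `SECRET_FILE` and the sample LDIF are constructed stand-ins (assumptions) so that it runs offline.

```shell
#!/bin/sh
# Added illustration; not code from 10univention-ldap-server.inst.
# SECRET_FILE and ldap_search_stub are hypothetical stand-ins for the
# machine credential file and the authenticated LDAP search.
SECRET_FILE="${SECRET_FILE:-/nonexistent/machine.secret}"

# Fails like the log in the report when the credential file is missing,
# otherwise prints a constructed LDIF entry.
ldap_search_stub() {
    if [ ! -r "$SECRET_FILE" ]; then
        echo "$SECRET_FILE: No such file or directory" >&2
        return 1
    fi
    printf 'dn: cn=dc1,cn=dc,cn=computers,dc=example,dc=test\ncn: dc1\n\n'
}

# Pattern from the report: the pipeline's status is sed's, so a failed
# search still gives status 0 and an empty S4_DCS.
masked_lookup() {
    S4_DCS="$(ldap_search_stub 2>/dev/null | sed -n 's/^cn: \(.*\)/\1/p')"
}

# Checked variant: run the search on its own, test its status, then parse.
# Returns 0 if the search ran (S4_DCS may be empty), 2 if the search failed.
checked_lookup() {
    S4_DCS=""
    raw="$(ldap_search_stub 2>/dev/null)" || return 2
    S4_DCS="$(printf '%s\n' "$raw" | sed -n 's/^cn: \(.*\)/\1/p')"
}

# Stand-alone demo with the credential file absent.
rc=0; masked_lookup || rc=$?
echo "masked:  rc=$rc S4_DCS='$S4_DCS'"
rc=0; checked_lookup || rc=$?
echo "checked: rc=$rc S4_DCS='$S4_DCS'"
```

With the checked variant, a caller can tell "search could not authenticate" apart from "no matching domain controller" before evaluating any condition on S4_DCS.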
Added a changelog entry in the OpenLDAP section:

changelog-4.2-0.xml:
r78258 | Changelog Bug #44032
univention-ldapsearch doesn't support the arguments from "$@"!

Revert everything:
Reset TM as this is also the case in UCS 4.1-4.

changelog-4.2-0.xml:
r78262 | Revert "Changelog Bug #44032"

univention-ldap (13.0.6-2):
r78263 | Revert "Bug #44032: add missing "$@" for univention-ldapsearch in joinscript"
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.