Univention Bugzilla – Bug 47193
Join with limited Administrator does not work
Last modified: 2020-08-24 10:40:44 CEST
Customer created an additional administrator for join purposes. This account is (solely) a member of the DomainAdministrator group, no further groups. This account can join any Windows machines to the UCS domain without any issues. Customer tried to join an Ubuntu computer with the new script running with the privileges of this additional administrator. Join script did not throw any error, but in the end nothing had changed on the Ubuntu computer (getent passwd does not show any LDAP users and so on). Which additional groups do we need for a successful join?
According to <http://docs.software-univention.de/manual-4.3.html#domain-ldap:Subsequent_domain_joins_with_univention-join> it should be the group "Domain Admins". But this is not sufficient: at least for UCS systems you also must be a member of group "DC Backup Hosts" as "univention-join" does a "ssh" login on the DC Master to run "udm" there; but the credentials are not passed and thus the "udm users/user list" running as that normal user cannot connect to the LDAP server there and fails:

> ++ univention-ssh /tmp/tmp.Sf3hSyFDpE/dcpwd phahn@ma43.phahn.qa /usr/sbin/udm users/user list --filter uid=phahn --logfile /dev/null
> ++ univention-ssh /tmp/tmp.Sf3hSyFDpE/dcpwd phahn@ma43.phahn.qa ldapsearch -x -LLL -H ldapi:/// '\'\''(&(uid=phahn)(objectClass=person))\'\''' dn
> ++ univention-ssh /tmp/tmp.Sf3hSyFDpE/dcpwd phahn@ma43.phahn.qa ldapsearch -x -LLL '\'\''(&(uid=phahn)(objectClass=person))\'\''' dn

Reproducer:

    lb=$(ucr get ldap/base)
    g1=$(udm groups/group list --filter name='Domain Admins' | sed -ne 's/^DN: //p;T;q')
    g2=$(udm groups/group list --filter name='DC Backup Hosts' | sed -ne 's/^DN: //p;T;q')

    udm users/user create \
        --position "cn=users,$lb" \
        --set lastname=Hahn \
        --set username=phahn \
        --set password=univention \
        --append groups="$g1"

    bash -x univention-join -dcaccount phahn -dcpwd <(echo univention)  # fails @ other host

    udm users/user modify \
        --dn "uid=phahn,cn=users,$lb" \
        --append groups="$g2"

    bash -x univention-join -dcaccount phahn -dcpwd <(echo univention)  # succeeds @ other host
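Because univention-join reports no error when the join account lacks the second group, a pre-flight check of the account's group memberships before running the join avoids the silent failure described above. The following script is an added example, not part of this bug report or of UCS itself; it assumes the "DN: ..." / "  groups: <dn>" line layout of `udm users/user list` output and uses a constructed sample of that output in place of a live `udm` call.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a join account is a
# member of both groups this bug identifies as required before attempting
# `univention-join` with it.

# Constructed sample of `udm users/user list --filter uid=phahn` output for an
# account that is only in "Domain Admins" (the failing case from the report).
SAMPLE_UDM_OUTPUT='DN: uid=phahn,cn=users,dc=example,dc=test
  username: phahn
  lastname: Hahn
  groups: cn=Domain Users,cn=groups,dc=example,dc=test
  groups: cn=Domain Admins,cn=groups,dc=example,dc=test'

# Same account after `udm users/user modify --append groups=<DC Backup Hosts>`.
SAMPLE_UDM_OUTPUT_FIXED="$SAMPLE_UDM_OUTPUT
  groups: cn=DC Backup Hosts,cn=groups,dc=example,dc=test"

# check_join_groups <udm-output>
# Prints one line per missing required group; returns 0 only if none is missing.
# Group DNs are matched case-insensitively, as LDAP treats them.
check_join_groups() {
    out="$1"
    missing=0
    for grp in "Domain Admins" "DC Backup Hosts"; do
        # membership lines look like "  groups: cn=<name>,cn=groups,<base>"
        if ! printf '%s\n' "$out" | grep -qi "^  groups: cn=$grp,"; then
            echo "missing required group: $grp"
            missing=1
        fi
    done
    return $missing
}

# On a real UCS system the output would come from:
#   udm users/user list --filter uid="$JOIN_USER"
# Here the constructed samples stand in for it.
echo "== account with Domain Admins only =="
check_join_groups "$SAMPLE_UDM_OUTPUT" || echo "-> do not run univention-join yet"
echo "== account with both groups =="
check_join_groups "$SAMPLE_UDM_OUTPUT_FIXED" && echo "-> join account is ready"
```

Run it on the DC Master as a user who can list users with udm; the only required change for real use is replacing the constructed sample with the live `udm users/user list` output for the join account.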
We should adjust the manual.
https://git.knut.univention.de/univention/ucs/commit/2b38aa02f9009d214cce1dd71b1c1b2e7d1460b7 [4.3-1 2b38aa02f9] A join user must be member of DC Backup Hosts a well (Bug #47193)
OK: 2b38aa02f9
REOPEN: missing German translation in domain-ldap-de.xml:132
(In reply to Philipp Hahn from comment #4)
> OK: 2b38aa02f9
> REOPEN: missing German translation in domain-ldap-de.xml:132

You are right, sorry. Fixed here:
[4.3-1 22c910b3f1] A join user must be member of DC Backup Hosts a well - Added German translation (Bug #47193)
OK: 22c910b3f1
OK: <http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/view/All/job/HandbookUCS/lastBuild/>
PUBLISHED