Bug 49521 - 99ucs-school-umc-printermoderation.inst fails using Machine Account
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: Join - Hook
Version: UCS@school 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS@school maintainers
Depends on:
Blocks:

Reported: 2019-05-21 15:42 CEST by Nico Stöckigt
Modified: 2022-02-28 13:14 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review: Yes
Ticket number: 2019051621000861, 2020093021000412, 2022022521000306
Bug group (optional):
Max CVSS v3 score:


Attachments
using Administrator credentials instead of machine credentials (908 bytes, patch)
2019-06-04 12:24 CEST, Nico Stöckigt
Description Nico Stöckigt univentionstaff 2019-05-21 15:42:43 CEST
It looks to be better to use the Administrator account to set the driver via rpc and only use the machine account as fallback.

In the customer environment (4.4-0 e109) the machine account fails with 'result was WERR_ACCESS_DENIED', the Administrator account worked.
Comment 1 Nico Stöckigt univentionstaff 2019-05-21 15:45:52 CEST
A workaround might be:

============================================================
# rpcclient -U Administrator -c 'setdriver PDFDrucker "MS Publisher Color Printer"' $(hostname)
Enter DOMAIN\Administrator's password:
Successfully set PDFDrucker to driver MS Publisher Color Printer.
# ucr set ucsschool/printermoderation/windows/driver/assign=false
# univention-run-join-scripts
# ucr unset ucsschool/printermoderation/windows/driver/assign
============================================================
Comment 2 Nico Stöckigt univentionstaff 2019-06-04 12:10:36 CEST
This happens again in the customer's environment.
Comment 3 Nico Stöckigt univentionstaff 2019-06-04 12:24:20 CEST
Created attachment 10052 [details]
using Administrator credentials instead of machine credentials

This might fix the issue in a hurry.
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2019-06-04 13:00:43 CEST
(In reply to Nico Stöckigt from comment #3)
> Created attachment 10052 [details]
> using Administrator credentials instead of machine credentials
> 
> This might fix the issue in a hurry.

This only works on non-DC-Master systems (→ no credentials are passed to join script). This is why the use of the machine account had been implemented in the first place, to make it work on all system roles.
Comment 5 Nico Stöckigt univentionstaff 2019-06-04 13:11:55 CEST
(In reply to Sönke Schwardt-Krummrich from comment #4)
> (In reply to Nico Stöckigt from comment #3)
> > Created attachment 10052 [details]
> > using Administrator credentials instead of machine credentials
> > 
> > This might fix the issue in a hurry.
> 
> This only works on non-DC-Master systems (→ no credentials are passed to
> join script). This is why the use of the machine account had been
> implemented in the first place, to make it work on all system roles.

But why doesn't the machine account work? It's in 'Print Operators' but receives a 'WERROR_ACCESS_DENIED'.
Comment 6 Arvid Requate univentionstaff 2019-06-11 22:00:25 CEST
I don't know about the details of this bug, but

* "Print Operators" in UCS is a bit special. In OpenLDAP it's called "Printer-Admins" (see Bug 42675)
* Memberservers behave in a special way, because lookups via winbind are redirected to the DCs and the idmapping behaves differently (see e.g. Bug 26712)
* "Printer-Admins" used to have the SePrintOperatorPrivilege, maybe not any longer with Samba4? (see e.g. historic Bug 22246 for a case like that)

Also, I'm not sure that the machine account should be allowed to do this.


> But why doesn't the machine account work? It's in 'Print Operators' but receives a 'WERROR_ACCESS_DENIED'.

That would need some research.
Comment 7 Ingo Steuwer univentionstaff 2020-04-17 14:22:31 CEST
Is this still an issue?

The Bug has been reported only once 11 months ago - did it happen again?

I'll reduce "Who will be affected" in the meanwhile.
Comment 8 Dirk Schnick univentionstaff 2020-09-30 14:42:24 CEST
Customer reported actual occurrence; so a clear yes to your question Ingo.
You can find closer details in the second attached ticket. 
Happened on a fresh UCS4.4-5 UCS@school installation. So vote to do the deeper research Arvid mentioned.