Univention Bugzilla – Bug 37971
Delay auth/sshd/ restrictions after server role is final
Last modified: 2015-04-08 12:36:02 CEST
/var/lib/dpkg/info/univention-pam.postinst:
> if is_domain_controller; then
>     univention-config-registry set \
>         auth/sshd/restrict?"yes" \
>         "auth/sshd/group/Domain Admins?yes" \
>         auth/sshd/group/Computers?"yes" \
>         "auth/sshd/group/DC Slave Hosts?yes" \
>         "auth/sshd/group/DC Backup Hosts?yes" \
>         auth/sshd/group/Administrators?"yes" \
>         auth/sshd/user/root?"yes"
> fi

The code block is not executed in appliance mode, as the UCRV "server/role" is unset.
After provisioning the postinst script is not re-executed leaving sshd open.

univention-pam could ship the following file:
$ cat /usr/lib/univention-system-setup/scripts/90_postjoin/30univention-pam
#!/bin/sh
exec dpkg-reconfigure univention-pam

(In reply to Philipp Hahn from comment #0)
> $ cat /usr/lib/univention-system-setup/scripts/90_postjoin/30univention-pam
> #!/bin/sh
> exec dpkg-reconfigure univention-pam

The UCR variable should be set in the join script (11univention-pam.inst).

r59500 | Bug #37971 PAM: Delay auth/sshd/ restrictions until role is known
Package: univention-pam
Version: 8.0.3-2.259.201503301502
Branch: ucs_4.0-0
Scope: errata4.0-1

r59502 | Bug #37971 PAM: Delay auth/sshd/ restrictions until role is known
YAML 2015-03-30-univention-pam.yaml

Should fix the following issues:
<http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-1/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/lastCompletedBuild/testReport/01_base/96rename_domain_admins/test/>
<http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-1/job/Autotest%20MultiEnv/SambaVersion=s4,Systemrolle=master/lastCompletedBuild/testReport/01_base/96rename_domain_admins/test/>

OK: Moved from postinst to joinscript
OK: Fixes the mentioned tests
OK: As discussed, do not increase joinscript version number
OK: Yaml
-> Verified

<http://errata.univention.de/ucs/4.0/146.html>
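
Added example (not part of the bug report and not univention-pam code): a shell check for the state described in comment #0, a host whose role is a domain controller but whose auth/sshd/ keys were never set. It assumes UCR variables are available as "key: value" lines, for example a copy of /etc/univention/base.conf, and that is_domain_controller matches the three domaincontroller_* roles; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not univention-pam code. Assumption: FILE holds UCR
# variables as "key: value" lines (e.g. a copy of /etc/univention/base.conf).

# Keys the postinst block in comment #0 sets with "?" (only if still unset).
REQUIRED_KEYS='auth/sshd/restrict
auth/sshd/group/Domain Admins
auth/sshd/group/Computers
auth/sshd/group/DC Slave Hosts
auth/sshd/group/DC Backup Hosts
auth/sshd/group/Administrators
auth/sshd/user/root'

# ucr_value FILE KEY: print the value of KEY, or nothing if it is unset.
ucr_value() {
    awk -v k="$2" 'index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }' "$1"
}

# audit_sshd_restrict FILE: print one finding per line.
# Returns 0 = nothing to report, 1 = DC with unset keys, 2 = role not final.
audit_sshd_restrict() {
    role=$(ucr_value "$1" server/role)
    case "$role" in
        # Assumed to be the roles is_domain_controller matches.
        domaincontroller_master|domaincontroller_backup|domaincontroller_slave) ;;
        '') echo "server/role unset: role not final, re-check after join"; return 2 ;;
        *)  return 0 ;;   # other roles: the postinst block does not apply
    esac
    findings=0
    old_ifs=$IFS
    IFS='
'
    for key in $REQUIRED_KEYS; do
        if [ -z "$(ucr_value "$1" "$key")" ]; then
            echo "unset: $key"
            findings=1
        fi
    done
    IFS=$old_ifs
    return "$findings"
}
```

Only unset keys are reported, because the postinst uses "?" and therefore never overrides a value an administrator chose deliberately.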