Univention Bugzilla – Bug 38057
umc.sh umc_init() expects groups to be in cn=groups,$ldap_base
Last modified: 2019-06-04 14:21:56 CEST
umc_init () {
	...
	# link default admin policy to the group "Domain Admins"
	group_admins="${groups_default_domainadmins:-Domain Admins}"
	udm groups/group modify $BIND_ARGS --ignore_exists --dn "cn=$group_admins,cn=groups,$ldap_base" \
		--policy-reference="cn=default-umc-all,cn=UMC,cn=policies,$ldap_base" || exit $?
	...
	# link default user policy to the group "Domain Users"
	group_users="${groups_default_domainusers:-Domain Users}"
	udm groups/group modify $BIND_ARGS --ignore_exists --dn "cn=$group_users,cn=groups,$ldap_base" \
		--policy-reference="cn=default-umc-users,cn=UMC,cn=policies,$ldap_base" || exit $?
}

This does not work if the groups have been moved or created in different places (ad takeover).
Janis, have you observed problems on running systems due to that restriction?
(In reply to Alexander Kläser from comment #1)
> Janis, have you observed problems on running systems due to that restriction?

Depends on the definition of "problems". I was investigating why those policies were not attached again. The customer would probably not have noticed this but of course it introduces different behaviour on many "ad takeover" systems which is problematic for the overall traceability.
Bug is still relevant for UCS 4.2

Customer report: default groups have been moved from cn=groups to ou=groups, afterwards the installation of the G Suite connector app failed:

RUNNING 35univention-management-console-module-googleapps.inst
2017-05-08 14:20:28.395023327+02:00 (in joinscript_init)
Object exists: cn=UMC,cn=univention,dc=eu,dc=idealo,dc=com
Object exists: cn=UMC,cn=policies,dc=eu,dc=idealo,dc=com
Object exists: cn=operations,cn=UMC,cn=univention,dc=eu,dc=idealo,dc=com
Object exists: cn=default-umc-all,cn=UMC,cn=policies,dc=eu,dc=idealo,dc=com
E: object not found
EXITCODE=3
Successful build
Package: univention-lib
Version: 7.0.0-17A~4.3.0.201811291208
Branch: ucs_4.3-0
Scope: errata4.3-2
User: jbremer

2f0bb57656 Bug #38057: Advisory
41766cbbb7 Bug #38057: Merge branch 'jbremer/bug38057' into 4.3-2
a9a36b93f8 Bug #38057: Version bump
c928eacfe1 Bug #38057: umc_init does not assume cn=groups anymore

umc_init does not assume cn=groups anymore. It now gets the DNs by using udm groups/group list
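Added example (not the univention-lib code from the commits above): one way to resolve a group's DN from the output of udm groups/group list instead of assuming cn=groups, failing when the lookup matches nothing or more than one object. The function names, the exit codes, the cn= filter expression and the sample output are assumptions made for illustration.

```shell
# Added example, not univention-lib code. Names and exit codes are hypothetical.

# Read "udm <module> list" output on stdin and print the DN only if exactly
# one object matched. Exit 1: no object found, exit 2: more than one object.
extract_single_dn () {
	awk '
		/^DN: / { n++; dn = substr($0, 5) }
		END {
			if (n == 1) { print dn; exit 0 }
			exit (n == 0 ? 1 : 2)
		}'
}

# $1: group name; remaining arguments: bind arguments handed to udm.
resolve_group_dn () {
	group_name=$1
	shift
	# Refuse names that would change the meaning of the LDAP filter;
	# otherwise the policy could be linked to an unintended group.
	case $group_name in
		*\** | *\(* | *\)* | *\\*) return 3 ;;
	esac
	udm groups/group list "$@" --filter "cn=$group_name" | extract_single_dn
}

# How umc_init could use it with the variables shown in the report:
#   dn=$(resolve_group_dn "$group_admins" $BIND_ARGS) || exit $?
#   udm groups/group modify $BIND_ARGS --dn "$dn" \
#       --policy-reference="cn=default-umc-all,cn=UMC,cn=policies,$ldap_base"

# Constructed sample output: the group lives in ou=groups, not cn=groups.
sample='DN: cn=Domain Admins,ou=groups,dc=example,dc=test
  name: Domain Admins
  gidNumber: 5000'
printf '%s\n' "$sample" | extract_single_dn
```

Because the function fails on an ambiguous result, a join script stops instead of linking the admin policy to whichever object happened to be listed first.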
Successful build
Package: univention-lib
Version: 7.0.0-18A~4.3.0.201811291620
Branch: ucs_4.3-0
Scope: errata4.3-2
User: jbremer

daee7b18ba Bug #38057: Advisory
08014c0f3d Bug #38057: Merge branch 'jbremer/bug38057' into 4.3-2
b54c80f1a8 Bug #38057: Code cleanup and version bump
5760a12b8c Bug #38057: Fixed quoting
Verified:
* Code review
* Running umc_init on an updated system works
* Advisory

I've added a bit more explanation to the advisory wording (f8e8617214)
<http://errata.software-univention.de/ucs/4.3/357.html>