Bug 47193 - Join with limited Administrator does not work
Join with limited Administrator does not work
Product: UCS manual
Classification: Unclassified
Component: Domain services / LDAP
Other Linux
: P5 normal (vote)
: UCS 4.3-1
Assigned To: Stefan Gohmann
Philipp Hahn
Depends on:
Blocks: 51833 49303
  Show dependency treegraph
Reported: 2018-06-14 14:54 CEST by Christian Völker
Modified: 2020-08-24 10:40 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018061421001425
Bug group (optional):
Max CVSS v3 score:
voelker: Patch_Available-


Note You need to log in before you can comment on or make changes to this bug.
Description Christian Völker univentionstaff 2018-06-14 14:54:30 CEST
Customer created an additional administrator for join purposes.

This account is (solely) a member of the DomainAdministrator group, no further groups.

This account can join any Windows machines to the UCS domain without any issues.

Customer tried to join an Ubuntu computer with the new script running with the privileges of this additional administrator.

Join script did not throw any error, but in the end nothing had changed on the Ubuntu computer (getent passwd does not show any LDAP-users and so on).

Which additional groups do we need for successfull join?
Comment 1 Philipp Hahn univentionstaff 2018-06-14 15:46:43 CEST
According to <http://docs.software-univention.de/manual-4.3.html#domain-ldap:Subsequent_domain_joins_with_univention-join> it should be the group "Domain Admins".

But this is not sufficient: at least for UCS systems you also must be a member of group "DC Backup Hosts" as "univention-join" does a "ssh" login on the DC Master to run "udm" there; but the credentials are not passed and thus the "udm users/user list" running as that normal user cannot connect the LDAP server there and fails:

> ++ univention-ssh /tmp/tmp.Sf3hSyFDpE/dcpwd phahn@ma43.phahn.qa /usr/sbin/udm users/user list --filter uid=phahn --logfile /dev/null
> ++ univention-ssh /tmp/tmp.Sf3hSyFDpE/dcpwd phahn@ma43.phahn.qa ldapsearch -x -LLL -H ldapi:/// '\'\''(&(uid=phahn)(objectClass=person))\'\''' dn
> ++ univention-ssh /tmp/tmp.Sf3hSyFDpE/dcpwd phahn@ma43.phahn.qa ldapsearch -x -LLL '\'\''(&(uid=phahn)(objectClass=person))\'\''' dn


lb=$(ucr get ldap/base)
g1=$(udm groups/group list --filter name='Domain Admins'|sed -ne 's/^DN: //p;T;q')
g2=$(udm groups/group list --filter name='DC Backup Hosts'|sed -ne 's/^DN: //p;T;q')
udm users/user create \
 --position "cn=users,$lb" \
 --set lastname=Hahn \
 --set username=phahn \
 --set password=univention \
 --append groups="$g1"

bash -x univention-join -dcaccount phahn -dcpwd <(echo univention) # fails @ other host

udm users/user modify \
 --dn "uid=phahn,cn=users,$lb" \
 --append groups="$g2"

bash -x univention-join -dcaccount phahn -dcpwd <(echo univention) # succeeds @ other host
Comment 2 Stefan Gohmann univentionstaff 2018-06-18 07:34:08 CEST
We should adjust the manual.
Comment 3 Stefan Gohmann univentionstaff 2018-06-26 19:55:54 CEST

[4.3-1 2b38aa02f9] A join user must be member of DC Backup Hosts a well (Bug #47193)
Comment 4 Philipp Hahn univentionstaff 2018-06-28 16:03:43 CEST
OK: 2b38aa02f9
REOPEN: missing German translation in domain-ldap-de.xml:132
Comment 5 Stefan Gohmann univentionstaff 2018-08-22 10:39:13 CEST
(In reply to Philipp Hahn from comment #4)
> OK: 2b38aa02f9
> REOPEN: missing German translation in domain-ldap-de.xml:132

You are right, sorry.

Fixed here:

[4.3-1 22c910b3f1] A join user must be member of DC Backup Hosts a well - Added German translation (Bug #47193)
Comment 7 Philipp Hahn univentionstaff 2018-09-04 14:20:46 CEST