Univention Bugzilla – Bug 47193
Join with limited Administrator does not work
Last modified: 2020-08-24 10:40:44 CEST
Customer created an additional administrator for join purposes.
This account is (solely) a member of the DomainAdministrator group, no further groups.
This account can join any Windows machines to the UCS domain without any issues.
Customer tried to join an Ubuntu computer with the new script running with the privileges of this additional administrator.
Join script did not throw any error, but in the end nothing had changed on the Ubuntu computer (getent passwd does not show any LDAP-users and so on).
Which additional groups do we need for a successful join?
According to <http://docs.software-univention.de/manual-4.3.html#domain-ldap:Subsequent_domain_joins_with_univention-join> it should be the group "Domain Admins".
But this is not sufficient: at least for UCS systems you also must be a member of group "DC Backup Hosts", as "univention-join" does an "ssh" login on the DC Master to run "udm" there; but the credentials are not passed and thus the "udm users/user list" running as that normal user cannot connect to the LDAP server there and fails:
> ++ univention-ssh /tmp/tmp.Sf3hSyFDpE/dcpwd email@example.com /usr/sbin/udm users/user list --filter uid=phahn --logfile /dev/null
> ++ univention-ssh /tmp/tmp.Sf3hSyFDpE/dcpwd firstname.lastname@example.org ldapsearch -x -LLL -H ldapi:/// '\'\''(&(uid=phahn)(objectClass=person))\'\''' dn
> ++ univention-ssh /tmp/tmp.Sf3hSyFDpE/dcpwd email@example.com ldapsearch -x -LLL '\'\''(&(uid=phahn)(objectClass=person))\'\''' dn
lb=$(ucr get ldap/base)
g1=$(udm groups/group list --filter name='Domain Admins'|sed -ne 's/^DN: //p;T;q')
g2=$(udm groups/group list --filter name='DC Backup Hosts'|sed -ne 's/^DN: //p;T;q')
# join user that is a member of "Domain Admins" only
udm users/user create \
  --position "cn=users,$lb" \
  --set lastname=Hahn \
  --set username=phahn \
  --set password=univention \
  --append groups="$g1"
bash -x univention-join -dcaccount phahn -dcpwd <(echo univention) # fails @ other host
# additionally make the join user a member of "DC Backup Hosts"
udm users/user modify \
  --dn "uid=phahn,cn=users,$lb" \
  --append groups="$g2"
bash -x univention-join -dcaccount phahn -dcpwd <(echo univention) # succeeds @ other host
We should adjust the manual.
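As an added example (not part of this bug report and not UCS code), the following pre-flight check verifies that a join account is a member of both "Domain Admins" and "DC Backup Hosts" before univention-join is run, so the silent failure described above is caught up front. It assumes the output format of `udm users/user list` (a "DN: ..." line followed by indented "groups: <group DN>" lines); the sample outputs and the account name "joinadmin" are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight check for a UCS join account (added example, not from the bug report).
# Assumption: `udm users/user list` prints a "DN: ..." line followed by indented
# "  attribute: value" lines, with one "groups: <group DN>" line per group membership.

# Constructed sample: account that is only a member of "Domain Admins".
SAMPLE_ONLY_DOMAIN_ADMINS='DN: uid=joinadmin,cn=users,dc=example,dc=com
  username: joinadmin
  groups: cn=Domain Admins,cn=groups,dc=example,dc=com
  groups: cn=Domain Users,cn=groups,dc=example,dc=com'

# Constructed sample: account that is also a member of "DC Backup Hosts".
SAMPLE_BOTH='DN: uid=joinadmin,cn=users,dc=example,dc=com
  username: joinadmin
  groups: cn=Domain Admins,cn=groups,dc=example,dc=com
  groups: cn=DC Backup Hosts,cn=groups,dc=example,dc=com'

# missing_join_groups OUTPUT
# OUTPUT is the text of `udm users/user list --filter uid=<user>` for one account.
# Prints the required groups the account is NOT a member of (comma separated)
# and returns 1 if any is missing, 0 if the account may be used for the join.
missing_join_groups() {
    _out=$1
    _missing=""
    for _grp in "Domain Admins" "DC Backup Hosts"; do
        # match "groups: cn=<name>," so that e.g. "Domain Admins2" does not count
        if ! printf '%s\n' "$_out" | grep -q "^[[:space:]]*groups: cn=$_grp,"; then
            _missing="${_missing:+$_missing,}$_grp"
        fi
    done
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# check_join_account USERNAME
# Queries the live directory; must be run on a UCS system where `udm` is available.
check_join_account() {
    missing_join_groups "$(udm users/user list --filter "uid=$1")"
}
```

Run `check_join_account joinadmin` on the DC Master (or any UCS system) before handing the account to univention-join; a non-empty result names the group that still has to be added with `udm users/user modify --dn ... --append groups=<group DN>`.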
[4.3-1 2b38aa02f9] A join user must be member of DC Backup Hosts as well (Bug #47193)
REOPEN: missing German translation in domain-ldap-de.xml:132
(In reply to Philipp Hahn from comment #4)
> OK: 2b38aa02f9
> REOPEN: missing German translation in domain-ldap-de.xml:132
You are right, sorry.
[4.3-1 22c910b3f1] A join user must be member of DC Backup Hosts as well - Added German translation (Bug #47193)