Bug 49592 - umc.sh umc_init() does not use join credentials anymore
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: univention-lib
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-1-errata
Assigned To: Florian Best
QA Contact: Jürn Brodersen
Depends on: 38057
Blocks:
Reported: 2019-06-04 14:21 CEST by Florian Best
Modified: 2019-08-07 15:44 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019041521000775
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Description Florian Best univentionstaff 2019-06-04 14:21:56 CEST
The changes made in Bug #38057 use udm without passing "$@". Therefore the machine account is used.

"umc_udm" has to be used instead!

+++ This bug was initially created as a clone of Bug #38057 +++

umc_init () {
        ...
        # link default admin policy to the group "Domain Admins"
        group_admins="${groups_default_domainadmins:-Domain Admins}"
        udm groups/group modify $BIND_ARGS --ignore_exists --dn "cn=$group_admins,cn=groups,$ldap_base" \
                --policy-reference="cn=default-umc-all,cn=UMC,cn=policies,$ldap_base" || exit $?

        ...
        # link default user policy to the group "Domain Users"
        group_users="${groups_default_domainusers:-Domain Users}"
        udm groups/group modify $BIND_ARGS --ignore_exists --dn "cn=$group_users,cn=groups,$ldap_base" \
                --policy-reference="cn=default-umc-users,cn=UMC,cn=policies,$ldap_base" || exit $?
}



This does not work if the groups have been moved or created in different places (AD takeover).
Comment 1 Florian Best univentionstaff 2019-06-04 14:23:46 CEST
Patch in git branch fbest/49592-umc-udm-init.
Comment 2 Florian Best univentionstaff 2019-07-31 15:09:39 CEST
The join credentials are used again. Instead of accessing UCR variables directly, use the univention-lib to get the name of the custom group.

univention-lib (8.0.1-25)
4f8490271cff | Bug #49592: Use "$@" in umc_init

univention-lib.yaml
4f8490271cff | Bug #49592: Use "$@" in umc_init
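
The failure mode from the description and the fix named in the commit above, as an added shell example that is not univention-lib code: `udm_stub` is a constructed stand-in for `udm` that only reports which identity it would bind as, and the DNs and password-file path are made up. The third function goes beyond the bug itself and shows why the quoted "$@" form matters when an argument contains a space.

```shell
#!/bin/sh
# Added illustration, not code from univention-lib.
# udm_stub is a constructed stand-in for the `udm` CLI: it models only the
# fallback discussed in this bug and prints the identity it would bind as.
udm_stub() {
    bind_as="machine-account"            # used when no --binddn is given
    while [ $# -gt 0 ]; do
        case "$1" in
            --binddn)
                if [ $# -ge 2 ]; then bind_as="$2"; shift; fi ;;
        esac
        shift
    done
    printf '%s\n' "$bind_as"
}

# Constructed sample values.
GROUP_DN="cn=Domain Admins,cn=groups,dc=example,dc=test"
JOIN_DN="cn=Join Admin,cn=users,dc=example,dc=test"

# Shape of the bug: the caller's arguments are never forwarded, so the
# tool silently falls back to the machine account.
init_dropping_args() {
    udm_stub groups/group modify --dn "$GROUP_DN"
}

# Shape of the fix: quoted "$@" forwards every argument unchanged.
init_forwarding_args() {
    udm_stub groups/group modify "$@" --dn "$GROUP_DN"
}

# Flattening into a string and expanding it unquoted word-splits the DN.
init_flattened_args() {
    args="$*"
    # shellcheck disable=SC2086  # unquoted on purpose to show the split
    udm_stub groups/group modify $args --dn "$GROUP_DN"
}

for variant in init_dropping_args init_forwarding_args init_flattened_args; do
    printf '%-22s binds as: %s\n' "$variant" \
        "$("$variant" --binddn "$JOIN_DN" --bindpwdfile /path/to/pwdfile)"
done
```

The first variant returns no error at all, which is why a test such as the one in Comment 3 (forcing the join script on a slave with a wrong /etc/machine.secret) is what exposes the dropped credentials.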
Comment 3 Jürn Brodersen univentionstaff 2019-08-02 11:30:07 CEST
What I tested:
Force 35univention-management-console-module-top on master -> OK
Force 35univention-management-console-module-top on slave -> OK
Force 35univention-management-console-module-top on slave with wrong /etc/machine.secret -> OK
Rejoin slave -> OK

[4.4-1 00ed2200de] Bug #49592: yaml

yaml -> OK

-> verified
Comment 4 Erik Damrose univentionstaff 2019-08-07 15:44:31 CEST
<http://errata.software-univention.de/ucs/4.4/212.html>