Bug 51582 - S4-Connector sync to ucs: reject if msWMIFilter is added - permission denied
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: LDAP
UCS@school 4.4
Other Linux
P5 normal
Assigned To: UCS@school maintainers
Depends on: 41725
Blocks:
Reported: 2020-06-26 09:40 CEST by Christina Scheinig
Modified: 2020-07-16 17:27 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020062421000591
Bug group (optional): Regression
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2020-06-26 09:40:41 CEST
In a ucs@school slave a customer has this kind of reject. Looks similar to the "cn=dns" (Bug 50769)

21.06.2020 06:25:26.427 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN={0BDCF135-8B98-4BED-B41D-DEFFA4DB8843},CN=SOM,CN=WMIPolicy,CN=System,DC=school,DC=intranet
21.06.2020 06:25:26.432 LDAP        (PROCESS): sync to ucs:   [   msWMIFilter] [       add] u'CN={0BDCF135-8B98-4BED-B41D-DEFFA4DB8843},CN=SOM,CN=WMIPolicy,CN=System,dc=school,dc=intranet'
21.06.20 06:25:26.777  ADMIN       ( ERROR   ) : Creating 'cn={0BDCF135-8B98-4BED-B41D-DEFFA4DB8843},CN=SOM,CN=WMIPolicy,CN=System,dc=school,dc=intranet' failed: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

21.06.2020 06:25:26.777 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
21.06.2020 06:25:26.778 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1537, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1278, in add_in_ucs
    res = ucs_object.create(serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1298, in _create
    six.reraise(exc[0], exc[1], exc[2])
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
    raise univention.admin.uexceptions.permissionDenied
permissionDenied


I will check if the object is already added in OpenLDAP.
Comment 1 Christina Scheinig univentionstaff 2020-07-16 16:37:07 CEST
 univention-s4connector-list-rejected 

UCS rejected


S4 rejected

    1:    S4 DN: CN={0BDCF135-8B98-4BED-B41D-DEFFA4DB8843},CN=SOM,CN=WMIPolicy,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
    2:    S4 DN: CN={C81B0957-A9DC-437F-B3DB-1FEED973D6AB},CN=SOM,CN=WMIPolicy,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
    3:    S4 DN: CN=Machine,CN={54A2EB56-099C-4D9E-B669-4C22901CF16C},CN=Policies,CN=System,DC=anonym,DC=ized
         UCS DN: cn=machine,cn={54a2eb56-099c-4d9e-b669-4c22901cf16c},cn=policies,cn=system,dc=anonym,dc=ized
    4:    S4 DN: CN={7087F806-634E-4A87-BAEF-FEFAAE02F204},CN=SOM,CN=WMIPolicy,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
    5:    S4 DN: CN={7087F806-634E-4A87-BAEF-FEFAAE02F204},CN=SOM,CN=WMIPolicy,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
    6:    S4 DN: CN={C81B0957-A9DC-437F-B3DB-1FEED973D6AB},CN=SOM,CN=WMIPolicy,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
    7:    S4 DN: CN={91AA301E-88AF-4397-B13D-0C29812016B9},CN=SOM,CN=WMIPolicy,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
    8:    S4 DN: CN={91AA301E-88AF-4397-B13D-0C29812016B9},CN=SOM,CN=WMIPolicy,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>

        last synced USN: 581283
Comment 2 Christina Scheinig univentionstaff 2020-07-16 16:41:20 CEST
These rejects occur on a school slave; the master does not have samba4 installed.

How can these rejects with CN=WMIPolicy,CN=System be solved? A workaround would be nice.
Comment 3 Arvid Requate univentionstaff 2020-07-16 17:12:06 CEST
From

 https://github.com/univention/ucs-school/commit/601d02790

I guess the U@S DC Slave doesn't have the permission to write to the sub-container:
 
 CN=SOM,CN=WMIPolicy,CN=System,DC=school,DC=intranet
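
Added example (not part of the bug report and not Univention code): a Python script that parses the "S4 rejected" listing printed by univention-s4connector-list-rejected in Comment 1, drops duplicate entries and groups the rejects by parent container, so it is visible whether the objects that were never created in UCS all sit under one container, as Comment 3 suspects. The embedded sample is a constructed excerpt that reuses DNs from that listing; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format shown in Comment 1 (DNs copied from that listing).
SAMPLE = """\
S4 rejected

    1:    S4 DN: CN={0BDCF135-8B98-4BED-B41D-DEFFA4DB8843},CN=SOM,CN=WMIPolicy,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
    2:    S4 DN: CN={C81B0957-A9DC-437F-B3DB-1FEED973D6AB},CN=SOM,CN=WMIPolicy,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
    3:    S4 DN: CN=Machine,CN={54A2EB56-099C-4D9E-B669-4C22901CF16C},CN=Policies,CN=System,DC=anonym,DC=ized
         UCS DN: cn=machine,cn={54a2eb56-099c-4d9e-b669-4c22901cf16c},cn=policies,cn=system,dc=anonym,dc=ized
    4:    S4 DN: CN={C81B0957-A9DC-437F-B3DB-1FEED973D6AB},CN=SOM,CN=WMIPolicy,CN=System,DC=anonym,DC=ized
         UCS DN: <not found>
"""

ENTRY = re.compile(r"^\s*\d+:\s+S4 DN:\s*(?P<s4>.+?)\s*$")
UCS = re.compile(r"^\s*UCS DN:\s*(?P<ucs>.+?)\s*$")

def parse_rejects(text):
    """Return (s4_dn, ucs_dn or None) pairs from the 'S4 rejected' listing."""
    pairs, pending = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            pending = m.group("s4")
            continue
        m = UCS.match(line)
        if m and pending is not None:
            ucs = m.group("ucs")
            pairs.append((pending, None if ucs == "<not found>" else ucs))
            pending = None
    return pairs

def parent_container(dn):
    # Naive split: assumes no escaped commas in RDN values (true for the DNs above).
    return dn.split(",", 1)[1].lower()

def summarize(pairs):
    """Group unique rejected DNs by parent container: missing vs. present in UCS."""
    summary = defaultdict(lambda: {"missing": set(), "present": set()})
    for s4_dn, ucs_dn in pairs:
        key = "missing" if ucs_dn is None else "present"
        summary[parent_container(s4_dn)][key].add(s4_dn.lower())
    return dict(summary)

if __name__ == "__main__":
    for container, state in summarize(parse_rejects(SAMPLE)).items():
        print(container, "missing:", len(state["missing"]), "present:", len(state["present"]))
```

A container whose rejects are all "missing" is one where object creation in UCS fails outright, which is where to check the write permissions of the host performing the sync.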