Univention Bugzilla – Bug 53566
ldapError: Insufficient access during join of windows client
Last modified: 2022-03-23 10:02:23 CET
Created attachment 10775: Screenshot

When trying to join a Windows 10 client, which doesn't have an object yet in LDAP, an exception is raised in the selective-udm module. The join doesn't succeed then, Windows doesn't show any information except for a message to ask the Administrator for help.

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 344, in __error_handling
    six.reraise(etype, exc, etraceback)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 247, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response
    return function(self, request)
  File "/usr/lib/python2.7/dist-packages/ucsschool/lib/school_umc_ldap_connection.py", line 155, in wrapper_func
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/selective-udm/__init__.py", line 96, in create_windows_computer
    self._check_usersid_join_permissions(ldap_user_read, request.options.get("usersid"))
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/selective-udm/__init__.py", line 63, in _check_usersid_join_permissions
    result = lo.searchDn(ldap.filter.filter_format("sambaSID=%s", [usersid]))
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 725, in searchDn
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access

Doesn't work with python2 and python3. Workaround is:
diff --git univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py index 6f44ce522..c87abc978 100644 --- univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py +++ univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py @@ -93,7 +93,7 @@ class Instance(SchoolBaseModule): # Set new position ldap_position.setDn(search_base.computers) - self._check_usersid_join_permissions(ldap_user_read, request.options.get("usersid")) + #self._check_usersid_join_permissions(ldap_user_read, request.options.get("usersid")) # TODO: univention.admin.modules.init() # Create the computer account

I think I never saw this exception for a search request:

63 result = lo.searchDn(ldap.filter.filter_format("sambaSID=%s", [usersid]))

lo is a "ldap_user_read" connection (in this case just the machine account connection to localhost).

Can we also cause that Windows shows a custom error message about the failing join?
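Review bot: commenting out `self._check_usersid_join_permissions(ldap_user_read, request.options.get("usersid"))` removes the permission check that runs immediately before `# Create the computer account`, so with this workaround the account is created without the `usersid` from the request ever being checked. Keep the call and fix the connection the search runs on instead; if the check really has to be bypassed for a short time, put the bug number in a comment next to the disabled line and revert it as soon as the search works again, so the bypass is not shipped.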
Reproducer:

/usr/sbin/ucs-school-create_windows_computer -s $(hostname -f) -P "$(cat /etc/machine.secret)" -U "$(hostname)$" selectiveudm/create_windows_computer -o name=foo -o usersid=S-1-5-21-4245438275-4092417259-1110414620-5048

In the logs I see:

MODULE ( WARN ) : Using deprecated LDAP_Connection.search_base parameter.

whoami_s() gives me an empty string:

search_base = 'l=school,l=dev', ldap_scope = 2, ldap_filter='sambaSID=S-1-5-21-4245438275-4092417259-1110414620-5048', attr=['dn'], whoami_s=''
set_bind_function(self.bind_user_connection) was never called because during the python 3 migration the super().init() call was missing.

Fixed in:
univention-management-console-module-selective-udm (9.0.2)
7bbe6facc9dc | fixup! Bug #52628: migrate univention-management-console-module-selective-udm to Python 3

*** This bug has been marked as a duplicate of bug 52601 ***
*** This bug has been marked as a duplicate of bug 52628 ***
OK
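
The root cause named in the fix comment above (the base initialiser never ran, so set_bind_function was not called and the search went out with an empty whoami_s()) can be modelled as follows. This is an added example, not code from this bug or from Univention: apart from set_bind_function and bind_user_connection, every class, helper and DN is a hypothetical stand-in, and FakeDirectory only imitates a server that denies anonymous searches.

```python
class InsufficientAccess(Exception):
    pass

class FakeDirectory:
    """Constructed stand-in for an LDAP server that denies anonymous searches."""
    def __init__(self):
        self.bound_dn = ""              # empty string == anonymous, like whoami_s=''
    def bind(self, dn):
        self.bound_dn = dn
    def search_dn(self, usersid):
        if not self.bound_dn:
            raise InsufficientAccess("Insufficient access")
        return ["cn=foo,cn=computers,l=school,l=dev"]    # constructed result

class BaseModule:
    """Hypothetical base class whose initialiser registers the bind callback."""
    def __init__(self):
        self.set_bind_function(self.bind_user_connection)
    def set_bind_function(self, func):
        self._bind = func
    def bind_user_connection(self, conn):
        conn.bind("cn=dc1,cn=dc,cn=computers,l=school,l=dev")   # constructed DN
    def get_connection(self):
        conn = FakeDirectory()
        bind = getattr(self, "_bind", None)   # None when __init__ was skipped
        if bind is not None:
            bind(conn)
        return conn

class BrokenInstance(BaseModule):
    def __init__(self):             # migration bug: base initialiser is not called
        self.ready = True

class FixedInstance(BaseModule):
    def __init__(self):
        super().__init__()          # bind callback is registered again
        self.ready = True

def find_sid(module, usersid, fail_closed=False):
    """Return (bound_dn, result_or_error) for a search by SID."""
    conn = module.get_connection()
    if fail_closed and not conn.bound_dn:
        # Report the real problem instead of an opaque ACL error from the search.
        return conn.bound_dn, "refusing search: connection is not bound"
    try:
        return conn.bound_dn, conn.search_dn(usersid)
    except InsufficientAccess as exc:
        return conn.bound_dn, str(exc)
```

Checking the bound identity before the search, as the fail_closed branch does, turns the silent anonymous fallback into an explicit error while the permission check itself stays in place.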