Bug 53566 - ldapError: Insufficient access during join of windows client
Status: CLOSED DUPLICATE of bug 52628
Product: UCS@school
Classification: Unclassified
Component: Samba 4
Version: UCS@school 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 5.0 v1
Assigned To: Florian Best
QA Contact: Felix Botner

Reported: 2021-07-12 18:19 CEST by Florian Best
Modified: 2022-03-23 10:02 CET
What kind of report is it?: Development Internal
Description Florian Best univentionstaff 2021-07-12 18:19:42 CEST
Created attachment 10775: Screenshot

When trying to join a Windows 10 client which doesn't have an object in LDAP yet, an exception is raised in the selective-udm module.
The join then doesn't succeed; Windows doesn't show any information except for a message to ask the Administrator for help.

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 344, in __error_handling
    six.reraise(etype, exc, etraceback)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 247, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response
    return function(self, request)
  File "/usr/lib/python2.7/dist-packages/ucsschool/lib/school_umc_ldap_connection.py", line 155, in wrapper_func
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/selective-udm/__init__.py", line 96, in create_windows_computer
    self._check_usersid_join_permissions(ldap_user_read, request.options.get("usersid"))
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/selective-udm/__init__.py", line 63, in _check_usersid_join_permissions
    result = lo.searchDn(ldap.filter.filter_format("sambaSID=%s", [usersid]))
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 725, in searchDn
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access


Doesn't work with python2 and python3.

Workaround is:

diff --git univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py
index 6f44ce522..c87abc978 100644
--- univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py
+++ univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py
@@ -93,7 +93,7 @@ class Instance(SchoolBaseModule):
         # Set new position
         ldap_position.setDn(search_base.computers)
 
-        self._check_usersid_join_permissions(ldap_user_read, request.options.get("usersid"))
+        #self._check_usersid_join_permissions(ldap_user_read, request.options.get("usersid"))
 
         # TODO: univention.admin.modules.init()
         # Create the computer account
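
Review bot: Commenting out the _check_usersid_join_permissions(...) call at line 96 means the request reaches the "Create the computer account" step without the usersid permission check that this hunk shows running before it. The traceback above fails inside lo.searchDn within that check, so the connection passed in as ldap_user_read is what needs fixing, not the check. If the workaround has to be applied temporarily, add a comment that names this bug and says the call must be restored, instead of leaving an unexplained "#self._check_usersid_join_permissions" line.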

I think I never saw this exception for a search request:

   63         result = lo.searchDn(ldap.filter.filter_format("sambaSID=%s", [usersid]))

lo is an "ldap_user_read" connection (in this case just the machine account connection to localhost).

Can we also make Windows show a custom error message about the failing join?
Comment 2 Florian Best univentionstaff 2021-07-12 18:52:59 CEST
Reproducer:

/usr/sbin/ucs-school-create_windows_computer -s $(hostname -f) -P "$(cat /etc/machine.secret)" -U "$(hostname)$" selectiveudm/create_windows_computer -o name=foo -o usersid=S-1-5-21-4245438275-4092417259-1110414620-5048

In the logs I see:
MODULE      ( WARN    ) : Using deprecated LDAP_Connection.search_base parameter.

whoami_s() gives me an empty string

search_base = 'l=school,l=dev', ldap_scope = 2, ldap_filter='sambaSID=S-1-5-21-4245438275-4092417259-1110414620-5048', attr=['dn'], whoami_s=''
Comment 3 Florian Best univentionstaff 2021-07-12 19:07:10 CEST
set_bind_function(self.bind_user_connection) was never called because during the Python 3 migration the super().init() call was missing.

Fixed in:
univention-management-console-module-selective-udm (9.0.2)
7bbe6facc9dc | fixup! Bug #52628: migrate univention-management-console-module-selective-udm to Python 3

*** This bug has been marked as a duplicate of bug 52601 ***
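
The failure mode described in comment 3, modelled as an added example that is not part of the original report or of the UMC code base: an init() override that skips super().init() leaves the bind callback unregistered, the connection stays anonymous (whoami_s() returns ''), and the sambaSID search is refused. All classes are hypothetical stand-ins; only the names set_bind_function, bind_user_connection, init and whoami_s come from the report, and the DNs and the SID are constructed.

```python
# Stand-in model of the failure described in comment 3 (added example).
# Hypothetical code: only set_bind_function, bind_user_connection, init and
# whoami_s are names from the report; the DNs and the SID are constructed.
_bind_function = None

def set_bind_function(func):
    """Register the callback that authenticates each new connection."""
    global _bind_function
    _bind_function = func

class FakeLDAP:
    """Constructed directory: anonymous binds may not search sambaSID."""
    def __init__(self):
        self.bind_dn = ""  # anonymous until a bind function runs
        if _bind_function is not None:
            _bind_function(self)

    def whoami_s(self):
        return "dn:" + self.bind_dn if self.bind_dn else ""

    def search_sid(self, sid):
        if not self.bind_dn:
            raise PermissionError("Insufficient access")
        return ["uid=joiner,cn=users,l=school,l=dev"]

class BaseModule:
    def init(self):
        # The base class is the only place the bind callback gets registered.
        set_bind_function(self.bind_user_connection)

    def bind_user_connection(self, conn):
        conn.bind_dn = "cn=dc1,cn=dc,cn=computers,l=school,l=dev"

class BrokenInstance(BaseModule):
    def init(self):
        pass  # the regression: super().init() is never called

class FixedInstance(BaseModule):
    def init(self):
        super().init()

def probe(instance_cls, sid="S-1-5-21-0-0-0-1000"):
    """Return (whoami, outcome) for a sambaSID search made by the module."""
    set_bind_function(None)  # start from a fresh process state
    instance_cls().init()
    conn = FakeLDAP()
    try:
        return conn.whoami_s(), conn.search_sid(sid)
    except PermissionError as exc:
        return conn.whoami_s(), str(exc)
```

An empty whoami_s() result next to "Insufficient access" on a read that normally works points at a missing bind rather than at the ACLs.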
Comment 4 Florian Best univentionstaff 2021-08-03 07:51:27 CEST

*** This bug has been marked as a duplicate of bug 52628 ***
Comment 5 Felix Botner univentionstaff 2021-08-05 17:28:28 CEST
OK