Univention Bugzilla – Bug 54515
univention-run-diagnostic-checks cannot run with machine account
Last modified: 2023-04-21 14:02:24 CEST
For support cases (and cron jobs) it would be nice if univention-run-diagnostic-checks could be run with just the machine account:

root@master60:~# /usr/bin/univention-run-diagnostic-checks \
    --username "$(hostname)$" \
    --bindpwdfile /etc/machine.secret -t 44_well_known_sid_check.py
Traceback (most recent call last):
  File "/usr/bin/univention-run-diagnostic-checks", line 144, in <module>
    sys.exit(CLIClient.main())
  File "/usr/bin/univention-run-diagnostic-checks", line 80, in main
    plugins = [plugin['id'] for plugin in client.umc_command('diagnostic/query').result]
  File "/usr/lib/python2.7/dist-packages/univention/lib/umc.py", line 444, in umc_command
    return self.request('POST', 'command/%s' % (path,), data, headers)
  File "/usr/lib/python2.7/dist-packages/univention/lib/umc.py", line 524, in request
    return self.send(request)
  File "/usr/lib/python2.7/dist-packages/univention/lib/umc.py", line 553, in send
    raise HTTPError(request, response, self.hostname)
univention.lib.umc.Forbidden: 403 on master60.ucs447pt1.dev (command/diagnostic/query): {u'status': 403, u'message': u'Verboten', u'traceback': None, u'location': u'https://master60.ucs447pt1.dev/univention/command'}
Great idea, this would really be simple to implement. We should also set the default of --username and --bindpwdfile to the machine account values. This would also fix that --list works without specifying a user.
*** Bug 54276 has been marked as a duplicate of this bug. ***
As this requires a new joinscript execution to assign the UMC policies, we won't fix this in an erratum but instead in the next patchlevel release, UCS 5.0-2.
https://git.knut.univention.de/univention/ucs/-/merge_requests/302
(In reply to Maximilian Janßen from comment #4)
> https://git.knut.univention.de/univention/ucs/-/merge_requests/302

The branch has been merged. It appends the UMC operation set diagnostic-all to the UMC policy for default-slave-umc and default-backup-umc. By default, when no credentials are given the machine account is used by univention-run-diagnostic-checks.

univention-management-console-module-diagnostic (6.0.1-2)
e1ef16ac1038 | Bug #54515: univention-run-diagnostic-checks cannot run with machine account

changelog-5.0-2.xml
e1ef16ac1038 | Bug #54515: univention-run-diagnostic-checks cannot run with machine account
OK: univention-run-diagnostic-checks is executed by default as machine account
OK: passing credentials manually still works: univention-run-diagnostic-checks --username Administrator --bindpwdfile <(echo univention)
OK: changelog entry
UCS 5.0-2 has been released.

https://docs.software-univention.de/release-notes-5.0-2-en.html

If this error occurs again, please clone this bug.