Univention Bugzilla – Full Text Bug Listing

Summary: | Delay auth/sshd/ restrictions after server role is final | ||
---|---|---|---|
Product: | UCS | Reporter: | Philipp Hahn <hahn> |
Component: | PAM | Assignee: | Philipp Hahn <hahn> |
Status: | CLOSED FIXED | QA Contact: | Erik Damrose <damrose> |
Severity: | normal | ||
Priority: | P5 | CC: | gohmann, walkenhorst |
Version: | UCS 4.0 | ||
Target Milestone: | UCS 4.0-1-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
Bug Blocks: | 37509 |
(In reply to Philipp Hahn from comment #0)
> $ cat /usr/lib/univention-system-setup/scripts/90_postjoin/30univention-pam
> #!/bin/sh
> exec dpkg-reconfigure univention-pam

The UCR variable should be set in the join script (11univention-pam.inst).

r59500 | Bug #37971 PAM: Delay auth/sshd/ restrictions until role is known

Package: univention-pam
Version: 8.0.3-2.259.201503301502
Branch: ucs_4.0-0
Scope: errata4.0-1

r59502 | Bug #37971 PAM: Delay auth/sshd/ restrictions until role is known YAML
2015-03-30-univention-pam.yaml

Should fix the following issues:
<http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-1/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/lastCompletedBuild/testReport/01_base/96rename_domain_admins/test/>
<http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-1/job/Autotest%20MultiEnv/SambaVersion=s4,Systemrolle=master/lastCompletedBuild/testReport/01_base/96rename_domain_admins/test/>

OK: Moved from postinst to joinscript
OK: Fixes the mentioned tests
OK: As discussed, do not increase joinscript version number
OK: Yaml
-> Verified
/var/lib/dpkg/info/univention-pam.postinst:
> if is_domain_controller; then
>     univention-config-registry set \
>         auth/sshd/restrict?"yes" \
>         "auth/sshd/group/Domain Admins?yes" \
>         auth/sshd/group/Computers?"yes" \
>         "auth/sshd/group/DC Slave Hosts?yes" \
>         "auth/sshd/group/DC Backup Hosts?yes" \
>         auth/sshd/group/Administrators?"yes" \
>         auth/sshd/user/root?"yes"
> fi

The code block is not executed in appliance mode, as the UCRV "server/role" is unset.
After provisioning, the postinst script is not re-executed, leaving sshd open.

univention-pam could ship the following file:
$ cat /usr/lib/univention-system-setup/scripts/90_postjoin/30univention-pam
#!/bin/sh
exec dpkg-reconfigure univention-pam
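
The state this report describes (a provisioned domain controller whose `auth/sshd/restrict` was never set) can be audited from a UCR dump. The following is an added example, not code from this bug or from Univention. It assumes `key: value` lines as printed by `univention-config-registry dump`, assumes the three `domaincontroller_*` values of `server/role` are what `is_domain_controller` matches, and counts only the value `yes` set by the postinst as restricted. The function name and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a UCR dump for the condition described in this bug.
# Intended use on a UCS host:  univention-config-registry dump | check_sshd_restrict
# Assumptions: "key: value" input lines; DC roles are domaincontroller_master,
# domaincontroller_backup and domaincontroller_slave; only "yes" counts as set.

check_sshd_restrict() {
    # Reads the dump on stdin, prints a verdict and returns:
    #   0 = nothing to fix, 1 = DC without sshd restriction, 2 = role not final
    awk -F': ' '
        $1 == "server/role"        { role = $2 }
        $1 == "auth/sshd/restrict" { restrict = $2 }
        END {
            if (role == "") {
                # Appliance mode: the postinst block was skipped because the
                # role is unknown, so the check has to be repeated after join.
                print "UNDECIDED: server/role unset, re-check after join"
                exit 2
            }
            dc = (role ~ /^domaincontroller_(master|backup|slave)$/)
            if (dc && restrict != "yes") {
                print "OPEN: " role " without auth/sshd/restrict=yes"
                exit 1
            }
            print "OK: " role
            exit 0
        }'
}

# Constructed sample dumps (not taken from a real system).
sample_appliance() {      # before provisioning: role not set yet
    printf '%s\n' 'hostname: ucs' 'domainname: example.test'
}
sample_dc_open() {        # provisioned DC, postinst never re-run
    printf '%s\n' 'server/role: domaincontroller_master' 'hostname: ucs'
}
sample_dc_restricted() {  # provisioned DC after the join script set the variables
    printf '%s\n' 'server/role: domaincontroller_master' \
        'auth/sshd/restrict: yes' 'auth/sshd/user/root: yes'
}
sample_member() {         # non-DC role: the postinst block does not apply
    printf '%s\n' 'server/role: memberserver'
}
```
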