Bug 49592

Summary: umc.sh umc_init() does not use join credentials anymore
Product: UCS
Reporter: Florian Best <best>
Component: univention-lib
Assignee: Florian Best <best>
Status: CLOSED FIXED
QA Contact: Jürn Brodersen <brodersen>
Severity: normal
Priority: P5
CC: best, bremer, brodersen, damrose, gohmann, klaeser, meybohm, requate, steuwer
Version: UCS 4.3
Flags: best: Patch_Available+
Target Milestone: UCS 4.4-1-errata
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019041521000775
Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 38057
Bug Blocks:

Description Florian Best univentionstaff 2019-06-04 14:21:56 CEST
The changes made in Bug #38057 use udm without passing "$@". Therefore the machine account is used.

"umc_udm" has to be used instead!

+++ This bug was initially created as a clone of Bug #38057 +++

umc_init () {
        ...
        # link default admin policy to the group "Domain Admins"
        group_admins="${groups_default_domainadmins:-Domain Admins}"
        udm groups/group modify $BIND_ARGS --ignore_exists --dn "cn=$group_admins,cn=groups,$ldap_base" \
                --policy-reference="cn=default-umc-all,cn=UMC,cn=policies,$ldap_base" || exit $?

        ...
        # link default user policy to the group "Domain Users"
        group_users="${groups_default_domainusers:-Domain Users}"
        udm groups/group modify $BIND_ARGS --ignore_exists --dn "cn=$group_users,cn=groups,$ldap_base" \
                --policy-reference="cn=default-umc-users,cn=UMC,cn=policies,$ldap_base" || exit $?
}

This does not work if the groups have been moved or created in different places (AD takeover).
Comment 1 Florian Best univentionstaff 2019-06-04 14:23:46 CEST
Patch in git branch fbest/49592-umc-udm-init.
Comment 2 Florian Best univentionstaff 2019-07-31 15:09:39 CEST
The join credentials are used again. Instead of accessing UCR variables directly, use the univention-lib to get the name of the custom group.

univention-lib (8.0.1-25)
4f8490271cff | Bug #49592: Use "$@" in umc_init

univention-lib.yaml
4f8490271cff | Bug #49592: Use "$@" in umc_init
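
Added illustration (not code from univention-lib or from this bug's patch): a constructed `fake_udm` stand-in shows how an init function that does not forward "$@" ends up binding as the machine account even though the caller supplied join credentials. It goes slightly beyond the report by also showing why the arguments are forwarded as quoted "$@"; all function names, DNs and credentials here are hypothetical.

```shell
#!/bin/sh
# Constructed stand-in for the udm CLI (not the real tool): it only reports
# which identity a call would bind as. Per the bug report, a call without
# bind credentials ends up using the host's machine account.
fake_udm() (
    module=$1; action=$2; shift 2
    identity="machine-account"
    while [ $# -gt 0 ]; do
        if [ "$1" = "--binddn" ] && [ $# -ge 2 ]; then
            identity=$2
            shift
        fi
        shift
    done
    printf '%s %s as [%s]\n' "$module" "$action" "$identity"
)

# Constructed sample values.
GROUP_DN="cn=Domain Admins,cn=groups,dc=example,dc=test"
POLICY_DN="cn=default-umc-all,cn=UMC,cn=policies,dc=example,dc=test"

# Shape of the bug: the caller's credentials in "$@" are never forwarded.
init_without_forwarding() {
    fake_udm groups/group modify --dn "$GROUP_DN" --policy-reference="$POLICY_DN"
}

# Shape of the fix: "$@" is forwarded quoted, so each argument stays one word.
init_with_forwarding() {
    fake_udm groups/group modify "$@" --dn "$GROUP_DN" --policy-reference="$POLICY_DN"
}

# General shell pitfall (beyond the report): flattening the arguments into a
# string and expanding it unquoted re-splits a bind DN that contains a space.
init_with_flattened_args() {
    args="$*"
    # shellcheck disable=SC2086
    fake_udm groups/group modify $args --dn "$GROUP_DN" --policy-reference="$POLICY_DN"
}

# Constructed join credentials; the bind DN contains a space on purpose.
set -- --binddn "uid=Join Admin,cn=users,dc=example,dc=test" --bindpwdfile /tmp/join.pw
init_without_forwarding "$@"
init_with_forwarding "$@"
init_with_flattened_args "$@"
```
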
Comment 3 Jürn Brodersen univentionstaff 2019-08-02 11:30:07 CEST
What I tested:
Force 35univention-management-console-module-top on master -> OK
Force 35univention-management-console-module-top on slave -> OK
Force 35univention-management-console-module-top on slave with wrong /etc/machine.secret -> OK
Rejoin slave -> OK

[4.4-1 00ed2200de] Bug #49592: yaml

yaml -> OK

-> verified
Comment 4 Erik Damrose univentionstaff 2019-08-07 15:44:31 CEST
<http://errata.software-univention.de/ucs/4.4/212.html>