Univention Bugzilla – Bug 34197
No module available for Administrator after running samba join scripts
Last modified: 2015-05-28 06:05:35 CEST
Created attachment 5804 [details]
join.log

It seems that after running the latest Samba4 join scripts, the user Administrator has no modules available:
"There is no module available for the authenticated user Administrator."

It seems that the primaryGroup is removed as groups property:

root@master50:~# udm users/user list --filter uid=Administrator | grep -i group
  groups: cn=Domain Users,cn=groups,dc=errata,dc=qa
  groups: cn=DC Backup Hosts,cn=groups,dc=errata,dc=qa
  groups: cn=Schema Admins,cn=groups,dc=errata,dc=qa
  groups: cn=Administrators,cn=Builtin,dc=errata,dc=qa
  groups: cn=Group Policy Creator Owners,cn=groups,dc=errata,dc=qa
  groups: cn=Enterprise Admins,cn=groups,dc=errata,dc=qa
  primaryGroup: cn=Domain Admins,cn=groups,dc=errata,dc=qa

After adding the group to the groups property, everything is back to normal:

> eval "$(ucr shell)"
> udm users/user modify --dn "uid=Administrator,cn=users,$ldap_base" --append groups="cn=Domain Admins,cn=groups,$ldap_base"

I attach the join log.
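An added example, not part of the original report: a shell check for the inconsistency described above, listing every user whose primaryGroup is absent from its groups values. It assumes `udm users/user list` prints one `DN:` line per object followed by indented attribute lines; the function names and the second sample user are hypothetical.

```shell
#!/bin/sh
# Reads `udm users/user list` output on stdin and prints the DN of each user
# whose primaryGroup does not also appear among its groups values.
# DNs are compared case-insensitively, as LDAP does.
check_primary_group() {
    awk '
    function report() {
        if (dn != "" && primary != "" && !(tolower(primary) in groups))
            print dn
        dn = ""; primary = ""; split("", groups)   # reset for the next object
    }
    /^DN: /                 { report(); dn = substr($0, 5); next }
    /^[ \t]*groups: /       { sub(/^[ \t]*groups: /, ""); groups[tolower($0)] = 1; next }
    /^[ \t]*primaryGroup: / { sub(/^[ \t]*primaryGroup: /, ""); primary = $0; next }
    END { report() }
    '
}

# Constructed sample: the first object mirrors the state shown in the report,
# the second is a made-up user with consistent membership.
sample_udm_output() {
    cat <<'EOF'
DN: uid=Administrator,cn=users,dc=errata,dc=qa
  username: Administrator
  groups: cn=Domain Users,cn=groups,dc=errata,dc=qa
  groups: cn=Administrators,cn=Builtin,dc=errata,dc=qa
  primaryGroup: cn=Domain Admins,cn=groups,dc=errata,dc=qa

DN: uid=jdoe,cn=users,dc=errata,dc=qa
  username: jdoe
  groups: cn=Domain Users,cn=groups,dc=errata,dc=qa
  primaryGroup: cn=Domain Users,cn=groups,dc=errata,dc=qa
EOF
}

# On a live system the input would come from: udm users/user list
sample_udm_output | check_primary_group
```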
Please have a look at this issue. Maybe it is a duplicate of Bug #33621.
I can't reproduce this. After running/re-running univention-s4-connector multiple times the Administrator is still member of "Domain Admins" (and primaryGroup is still "Domain Admins")
Hi,

Please reopen the issue. I've got the same error "There is no module available for the authenticated user Administrator" after a plain installation of UCS 3.2 on a recent VMware vSphere system using the UCS_3.2-1-amd64.iso

The problem seems to revolve around the 97univention-s4-connector. I've re-executed the script and found the following issues:

[...]
Configure 10univention-ldap-server.inst
/etc/machine.secret: No such file or directory
Adding SRV record "ldap tcp 0 100 7389 ucs.project-open.net." to zone project-open.net... done
Adding ZONE record "root@project-open.net. 1 28800 10800 604800 108001 ucs.project-open.net." to zone 192.168.1...
Object created: cn=ucs,cn=dc,cn=computers,dc=project-open,dc=net
Traceback (most recent call last):
  File "<stdin>", line 13, in <module>
IOError: [Errno 2] No such file or directory: '/etc/machine.secret'

Cheers!
Frank
Thanks, could you upload a support info archive file?

http://sdb.univention.de/1182 (English version)
http://sdb.univention.de/1174 (German version)
upload_qgPuTW.bz2
Created attachment 5892 [details]
s4 connector log

Attached the s4 connector log with debug level 4. The change must have taken place between April 30 (everything was working) and May 6 (problem re-occurred). Over the long weekend there have been no changes done. We re-executed the s4 connector join script on April 30. Although no direct problems occurred directly after its execution, the problem continues to exist and it seems to be delayed.

The only thing I spotted was a traceback:

> 04.05.2014 06:25:52,99 LDAP (WARNING): Traceback (most recent call last):
>   File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 811, in get_ucs_object
>     ucs_object = univention.admin.objects.get(module, co='', lo=self.lo, position='', dn=searchdn) # does not fail if object doesn't exist
>   File "/usr/lib/pymodules/python2.6/univention/admin/objects.py", line 75, in get
>     return module.object( co, lo, position, dn, superordinate = superordinate, attributes = attributes )
>   File "/usr/lib/pymodules/python2.6/univention/admin/handlers/container/dc.py", line 194, in __init__
>     univention.admin.handlers.simpleLdap.__init__(self, co, lo, position, dn, superordinate, attributes = attributes )
>   File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 517, in __init__
>     base.__init__(self, co, lo, position, dn, superordinate )
>   File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 97, in __init__
>     self.position.setDn(dn)
>   File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 151, in setDn
>     raise univention.admin.uexceptions.noObject, _("DN not found: %s.") % dn
> noObject: DN not found: DC=errata,dc=qa.
(In reply to Alexander Kläser from comment #6)
> Created attachment 5892 [details]
> s4 connector log

I forgot to mention that I removed the following lines from the log:

> 04.05.2014 06:24:04,760 LDAP (INFO ): Search S4 with filter: (uSNChanged>=3890)

… as they would occur constantly.
I can reproduce it in the following way:

/etc/init.d/univention-s4-connector stop
sqlite3 /etc/univention/connector/s4internal.sqlite
sqlite> delete from 'DN Mapping Con';
sqlite> delete from 'DN Mapping UCS';
/etc/init.d/univention-s4-connector start
ldbedit -H /var/lib/samba/private/sam.ldb cn=Domain\ Admins # change description.

The problem is the following part while domain admins is synced. The mapping of cn=Administrator to uid=Administrator fails:

27.04.2014 06:25:32,844 LDAP (INFO ): _ignore_object: Do not ignore CN=Administrator,CN=Users,DC=errata,DC=qa
27.04.2014 06:25:32,845 LDAP (INFO ): _object_mapping: map with key group and type con
27.04.2014 06:25:32,845 LDAP (INFO ): _dn_type con
27.04.2014 06:25:32,845 LDAP (INFO ): samaccount_dn_mapping: check newdn for key dn:
27.04.2014 06:25:32,846 LDAP (INFO ): samaccount_dn_mapping: not premapped (in first instance)
27.04.2014 06:25:32,846 LDAP (INFO ): samaccount_dn_mapping: got an S4-Object
27.04.2014 06:25:32,846 LDAP (INFO ): samaccount_dn_mapping: samaccountname not in mapping-table
27.04.2014 06:25:32,846 LDAP (INFO ): samaccount_dn_mapping: samaccountname is:Administrator
27.04.2014 06:25:32,847 LDAP (INFO ): samaccount_dn_mapping: newdn for key dn:
27.04.2014 06:25:32,847 LDAP (INFO ): samaccount_dn_mapping: olddn: CN=Administrator,CN=Users,DC=errata,DC=qa
27.04.2014 06:25:32,847 LDAP (INFO ): samaccount_dn_mapping: newdn: cn=Administrator,CN=Users,DC=errata,DC=qa
27.04.2014 06:25:32,847 LDAP (INFO ): samaccount_dn_mapping: check newdn for key olddn:
27.04.2014 06:25:32,847 LDAP (INFO ): sid_to_ucs_mapping
27.04.2014 06:25:32,848 LDAP (INFO ): group_members_sync_to_ucs: mapped s4 member to ucs DN cn=Administrator,cn=users,dc=errata,dc=qa
27.04.2014 06:25:32,848 LDAP (INFO ): Failed to find cn=Administrator,cn=users,dc=errata,dc=qa via self.lo.get
27.04.2014 06:25:32,850 LDAP (INFO ): _ignore_object: Do not ignore cn=Domain Admins,cn=groups,dc=errata,dc=qa
27.04.2014 06:25:32,850 LDAP (INFO ): _object_mapping: map with key user and type ucs
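An added example, not part of the original comment: a shell filter that finds this failure signature in an S4 connector log by pairing each "mapped s4 member to ucs DN" line with a following "Failed to find ... via self.lo.get" line for the same DN. The function names are hypothetical, and the sample input reuses two log lines from the comment plus constructed lines for a member that resolves.

```shell
#!/bin/sh
# Reads an S4 connector log on stdin and prints "<count> <dn>" for every UCS DN
# that a group member was mapped to but that could not be found afterwards.
find_unmapped_members() {
    awk '
    /group_members_sync_to_ucs: mapped s4 member to ucs DN / {
        sub(/^.*mapped s4 member to ucs DN /, "")
        mapped = $0                      # remember the most recent mapping result
        next
    }
    /Failed to find .* via self\.lo\.get/ {
        dn = $0
        sub(/^.*Failed to find /, "", dn)
        sub(/ via self\.lo\.get.*$/, "", dn)
        if (dn == mapped) count[dn]++    # lookup failed for the DN just mapped
        next
    }
    END { for (d in count) print count[d], d }
    ' | sort -k2
}

# Sample input: lines 1-2 are from the comment above; lines 3-4 are constructed
# to represent a member whose mapping is not followed by a failed lookup.
sample_connector_log() {
    cat <<'EOF'
27.04.2014 06:25:32,848 LDAP (INFO ): group_members_sync_to_ucs: mapped s4 member to ucs DN cn=Administrator,cn=users,dc=errata,dc=qa
27.04.2014 06:25:32,848 LDAP (INFO ): Failed to find cn=Administrator,cn=users,dc=errata,dc=qa via self.lo.get
27.04.2014 06:25:33,010 LDAP (INFO ): group_members_sync_to_ucs: mapped s4 member to ucs DN uid=jdoe,cn=users,dc=errata,dc=qa
27.04.2014 06:25:33,012 LDAP (INFO ): _ignore_object: Do not ignore cn=Domain Admins,cn=groups,dc=errata,dc=qa
EOF
}

sample_connector_log | find_unmapped_members
```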
Hi Guys,

Is there any recommendation on how to work around or get the system going?

I'm trying to work together with Nico Gulden on integrating ]project-open[ (http://www.project-open.com/) with UCS, and I'd need a running LDAP system in order to test syncing user accounts etc.

Cheers!
Frank
This bug will be moved to 3.2-2-errata.
(In reply to Stefan Gohmann from comment #10) > This bug will be moved to 3.2-2-errata. Ah sorry, wrong bug.
(In reply to Frank Bergmann from comment #9)
> Hi Guys,
>
>
> Is there any recommendation on how to work around or get the system going?
>
> I'm trying to work together with Nico Gulden on integrating ]project-open[
> (http://www.project-open.com/) with UCS, and I'd need a running LDAP system
> in order to test syncing user accounts etc.

Yes, try this command as root:

udm groups/group modify \
  --dn "cn=Domain Admins,cn=groups,$(ucr get ldap/base)" \
  --set users="uid=Administrator,cn=users,$(ucr get ldap/base)"
Fixed: r49852
YAML: r49853
Hi Stefan,

Thanks for the fix, I've executed the command, I got an "Object modified: [...]". After that I have entered as root and executed the "UCS 3-2-1-errata" update. After that I can now access the Web interface as user "Administrator".

Thanks!
Frank
Verified:
* Code review
* Test of comment 8
* Advisory

Ok, built version still subject to change for Bug #34410
http://errata.univention.de/ucs/3.2/107.html
(In reply to Stefan Gohmann from comment #13)
> Fixed: r49852
> YAML: r49853

Tried your command line. It came back with 'No modification'. Still can't get the console. Thanks.

cole
(In reply to cole ragland from comment #17)
> (In reply to Stefan Gohmann from comment #13)
> > Fixed: r49852
> > YAML: r49853
> Tried your command line. It came back with 'No modification'. Still can't
> get the console. Thanks.
>
> cole

Hi,

we need a little bit more information about your problem and your system. Maybe you can describe your problem in our forum?

http://forum.univention.de/