Upgrade to UCS 4.4-2 of an memberserver: permissionDenied

SirTux · September 24, 2019, 6:15pm

Hi,

this release seems to be a little bit buggy. I’ve observed this messages in the log:

Checking for package updates:                          Removing localhost from LDAP object
Removing localhost from LDAP object
Removing localhost from LDAP object
Removing localhost from LDAP object
Removing localhost from LDAP object
Removing localhost from LDAP object
Removing localhost from LDAP object
Registering UCR for samba-memberserver
Marking samba-memberserver=4.7 as installed
Adding localhost to LDAP object

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/register.py", line 86, in main
    self._register_app_for_apps(apps, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/register.py", line 414, in _register_app_for_apps
    updates.update(self._register_app(app, args, lo, pos, delay=True))
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/register.py", line 436, in _register_app
    ldap_object.add_localhost()
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/udm.py", line 245, in add_localhost
    self._udm_obj.modify()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 650, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1327, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 897, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
Traceback (most recent call last):
  File "/usr/bin/univention-app", line 91, in <module>
    main()
  File "/usr/bin/univention-app", line 78, in main
    ret = args.func(args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/register.py", line 86, in main
    self._register_app_for_apps(apps, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/register.py", line 414, in _register_app_for_apps
    updates.update(self._register_app(app, args, lo, pos, delay=True))
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/register.py", line 436, in _register_app
    ldap_object.add_localhost()
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/udm.py", line 245, in add_localhost
    self._udm_obj.modify()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 650, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1327, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 897, in modify
    raise univention.admin.uexceptions.permissionDenied
univention.admin.uexceptions.permissionDenied
 none
Checking for app updates:                               none
Checking for release updates:                           none

Best,
SirTux

EDIT: The app samba-memberserver isn’t shown in the AppCenter now.

SirTux · September 24, 2019, 9:06pm

Seems that this issue occurs only if the upgrade is not started via UMC.

damrose · September 25, 2019, 8:19am

Can you clarify if the update failed, or is that traceback printed in the updater.log but the update finished? If it finished, do you currently experience issues on that memberserver?

SirTux · September 25, 2019, 12:36pm

The updates finished but the app samba-memberserver wasn’t marked as installed afterwards. I get the same traceback if I run

univention-app register samba-memberserver

dwiesent · September 26, 2019, 1:48pm

Hi,

can you give the DN of said memberserver? Is it in cn=memberserver,cn=computers,$ldap_base?

SirTux · September 26, 2019, 2:02pm

No it’s in a container in cn=memberserver,cn=computers,$ldap_base. So the DN is cn=hostname,cn=subcontainer,cn=memberserver,cn=computers,$ldap_base.

dwiesent · September 26, 2019, 3:02pm

Yes. This is a bug in UCS (and has little to do with 4.4-2 specifically).

In fact, I wonder how you were able to install these Apps in the first place. You may have moved the memberserver at some point? Or you installed these Apps not via the App Center but with univention-install (only works for Apps like samba-memberserver).

Here is the bug: https://forge.univention.org/bugzilla/show_bug.cgi?id=46303

It is an issue with our ACLs.

SirTux · September 26, 2019, 4:21pm

Ok that makes sense. Yes, if I remember correctly I’ve moved the server object after installing Samba.

By the way, I’m not an expert in LDAP ACLs, but that shouldn’t be difficult to fix, should be?