Feature #2492

Move admin user in LDAP DB

Added by Davide Principi almost 6 years ago. Updated almost 6 years ago.

Status: CLOSED
Start date: 12/17/2013
Priority: Normal
Due date: 12/19/2013
Assignee: -
% Done: 100%
Category: nethserver-directory
Target version: v6.5-beta3
Resolution:
NEEDINFO: No

Description

We must move admin into LDAP.

Pros:
  • An administrative account is present in almost every application and can be straightforwardly mapped to admin
  • Better NethService 8.x / SME server backward compatibility, easier to migrate etc.
Cons:
  • admin is not effectively present after installation. It comes with nethserver-directory.
  • server-manager must be running with different credentials, some filesystem permissions issues must be solved
  • To access the server-manager an alias mechanism is needed.

upgrade-65b3.sh - Final 6.5 beta3 upgrade script (1.13 KB) Davide Principi, 02/05/2014 04:56 PM


Related issues

Related to NethServer 6 - Feature #2551: Move httpd-admin web server logs CLOSED 01/02/2014 01/02/2014
Related to NethServer 6 - Enhancement #2536: Restore httpd-admin symlink CLOSED 01/02/2014 01/02/2014
Related to NethServer 6 - Enhancement #2499: Override mail system /etc/aliases CLOSED 01/03/2014 01/03/2014
Related to NethServer 6 - Enhancement #2573: Ibay contents inherit default owner CLOSED 01/10/2014 01/10/2014
Related to NethServer 6 - Enhancement #2582: Base: remove bootstrap-console CLOSED
Related to NethServer 6 - Enhancement #2291: NUT: add option to enable mail notification CLOSED
Related to NethServer 6 - Enhancement #2294: IPSec: honor VPNClientAccess property CLOSED
Related to NethServer 6 - Enhancement #2647: Send backup notification to root CLOSED
Related to NethServer 6 - Bug #2675: Backup Notification to System administrator fails by default CLOSED
Related to NethServer 6 - Bug #2733: Domain Administrators rights not enforced by workstations CLOSED
Related to NethServer 6 - Feature #3026: Differentiate root and admin users CLOSED
Duplicated by NethServer 6 - Enhancement #1911: Ejabberd: create jabberadmins user on nethserver-ejabberd... CLOSED

Associated revisions

Revision 61174a87
Added by Davide Principi almost 6 years ago

Run httpd-admin and smwingsd in "adm" group. Refs #2492

httpd-admin is run as srvmgr system user, which is member of the "adm"
group.

Any user in "adm" group will be granted unlimited access to "db",
"config" and other administrative commands.

Revision e09325fc
Added by Davide Principi almost 6 years ago

Moved /etc/sudoers template fragment to nethserver-base. Refs #2492

Revision 9b2daa63
Added by Davide Principi almost 6 years ago

Fix permissions on *-update event. Refs #2492

Cleanup and fix permissions on files under
/var/cache/nethserver-httpd-admin/ directory.

Revision aa1b0f1c
Added by Davide Principi almost 6 years ago

Group ownership controlled by setgid bit. Refs #2492

Removed chown() calls from esmith DB libraries. Don't touch file
permissions, use defaults from filesystem: write access to root only,
read access to "adm" group members.

DB files are created through sudo calls and inherit default root umask
0022.

Revision 91744fee
Added by Davide Principi almost 6 years ago

Fallback to root login if "admin" account is not available. Refs #2492

If admin passwd entry is missing, check "root" login password.

This hack gives the impression that admin user is available even if
nethserver-directory is not installed.

Revision 9397cfa0
Added by Davide Principi almost 6 years ago

Fix admin's mailbox migration. Refs #2492

The admin user is now in accounts DB.

Revision d8015251
Added by Davide Principi almost 6 years ago

Imported libuser setup from nethserver-base. Refs #2492

Revision ce8e11f1
Added by Davide Principi almost 6 years ago

esmith::util (setUnixSystemPassword): check if admin account exists. Refs #2492

Also, honour AdminIsNotRoot key value (Refs #2277).

Revision d93da756
Added by Davide Principi almost 6 years ago

admin account is now in LDAP. Refs #2492

It does not need special treatment anymore.

Revision 1afd63bc
Added by Davide Principi almost 6 years ago

Import mail from root mailbox to admin. Refs #2492

Revision b669b034
Added by Davide Principi almost 6 years ago

Deliver root's mail to admin. Refs #2492 #2499

Revision 39d110da
Added by Davide Principi almost 6 years ago

Initialize admin account in LDAP. Refs #2492

If admin account already exists, preserve its password and uid number,
otherwise root password is imported.

The nsstest account is created with uid >= 501, to leave id 500 free
for admin.

Revision 6a7e9a4d
Added by Davide Principi almost 6 years ago

nethserver-directory-user-modify: skip lusermod command if cn is empty. Refs #2492

Revision 85839456
Added by Davide Principi almost 6 years ago

Group/User UI modules: honour Removable prop. Refs #2492

The platform validator was not invoked in delete case, because the key
parameter is not submitted, but derived from the request URL path.

Revision e4974ad4
Added by Davide Principi almost 6 years ago

Additional sudo commands for adm group. Refs #2492

Revision 094ca92e
Added by Davide Principi almost 6 years ago

Migrate admin home directory. Refs #2492 #1655

Revision 6b0e3707
Added by Davide Principi almost 6 years ago

Removed special case for admin. Refs #2492

Admin record is of type user.

Revision 561a129c
Added by Davide Principi almost 6 years ago

Change group memberUid attribute in LDAP directly. Refs #2492

Don't use libuser lgroupmod binary to manipulate group members. It
fails silently for empty members list.
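The revision above changes memberUid in LDAP directly because lgroupmod cannot express an empty member list. The following shell function is an added example, not NethServer's own code: it builds the LDIF for that modify operation, and in the empty case emits a "replace" with no values, which LDAP defines as removing the attribute. It assumes the groups base DN ou=Groups,dc=directory,dc=nh shown in the ldapsearch output later in this issue; the name validation is there because a value containing a newline or a leading space, colon or "<" would be parsed as something other than one memberUid value.

```shell
#!/bin/sh
# Added example, not NethServer code: emit the LDIF that sets a posixGroup's
# memberUid attribute directly, as the revision above does instead of calling
# lgroupmod. The base DN below is the one shown by ldapsearch in this issue;
# the functions themselves are constructed for this example.

LDAP_GROUPS_BASE=${LDAP_GROUPS_BASE:-ou=Groups,dc=directory,dc=nh}

# valid_name NAME: accept only plain account names. A value starting with a
# space, ':' or '<', or containing a newline, would change how the LDIF line
# it is written into is parsed, so anything outside this set is refused.
valid_name() {
    case $1 in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# group_members_ldif GROUP_CN [MEMBER...]: print a "changetype: modify"
# record that replaces memberUid with the given members. With no members the
# replace carries no values, which per RFC 4511 removes the attribute and is
# a no-op if it is already absent: the empty-list case that lgroupmod -M ""
# does not handle.
group_members_ldif() {
    cn=$1; shift
    valid_name "$cn" || { echo "group_members_ldif: bad group name" >&2; return 1; }
    for m in "$@"; do
        valid_name "$m" || { echo "group_members_ldif: bad member name" >&2; return 1; }
    done
    printf 'dn: cn=%s,%s\n' "$cn" "$LDAP_GROUPS_BASE"
    printf 'changetype: modify\n'
    printf 'replace: memberUid\n'
    for m in "$@"; do
        printf 'memberUid: %s\n' "$m"
    done
    printf '%s\n' -
}

# Stand-alone run: the group "test" from the issue, first with one member,
# then with an empty member list.
group_members_ldif test giacomo
echo
group_members_ldif test
```

To apply the record on the server, pipe the output to ldapmodify; the invocation `group_members_ldif test giacomo | ldapmodify -Y EXTERNAL -H ldapi:///` assumes the same ldapi socket with SASL EXTERNAL authentication that the ldapsearch calls in the test notes use.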

Revision 1e51453c
Added by Davide Principi almost 6 years ago

Removed "shared" group. Refs #2492

Use builtin "locals" group, managed by nethserver-directory.

Revision 9b2bc0bc
Added by Davide Principi almost 6 years ago

admin is default member of domadmins group. Refs #2492

Revision 1b8d9075
Added by Davide Principi almost 6 years ago

Create the default faxmaster group through create-default-accounts action. Refs #2492

Revision 1f35bab2
Added by Davide Principi almost 6 years ago

"shared" group replaced by "locals". Refs #2492

Revision ab9a44d3
Added by Davide Principi almost 6 years ago

Create the predefined "locals" group. Refs #2492

The "locals" group always contains users defined into the local accounts database.

Revision d69829d6
Added by Davide Principi almost 6 years ago

Check if group exists before signalling group-modify event. Refs #2492

Revision 0be47b0b
Added by Davide Principi almost 6 years ago

Initialize ibays from default DB records at the end of yum transaction. Refs #2492

We temporarily rely on "runlevel-adjust" event, but a more specific
event should be defined.

Revision 4fc31495
Added by Davide Principi almost 6 years ago

Initialize admin and other default accounts after all *-update events. Refs #2492

Revision 01b2300a
Added by Davide Principi almost 6 years ago

Initialize admin and create default accounts at the end of yum transaction. Refs #2492

We temporarily rely on "runlevel-adjust" event, but a more specific
event should be defined.

Revision ae301b78
Added by Davide Principi almost 6 years ago

nethserver-mail-update-admin action: signal user-modify admin event. Refs #2492

This action comes into play when mail-server is installed after
nethserver-directory: the admin account exists and needs to be
updated. It checks the LDAP accountStatus attribute.

Revision 7757599e
Added by Davide Principi almost 6 years ago

Set local mail address if none is defined. Refs #2492

The "mail" LDAP attribute is used by SOGo to set up user account: the
blank value was not accepted.

Revision 5fd48cfb
Added by Davide Principi almost 6 years ago

admin system user no longer created by RPM %pre script. Refs #2492

Revision 2bae8935
Added by Davide Principi almost 6 years ago

Imported /etc/sudoers template fragments from nethserver-httpd-admin. Refs #2492

The NETHSERVER_ADM command alias defines the list of administrative
commands that can be run by the "adm" group members.

Revision 68a2cc13
Added by Davide Principi almost 6 years ago

Grant unlimited access to root and admin on server-manager modules. Refs #2492

Members of the adm group have also unlimited access.

Revision 7fdc4cd0
Added by Davide Principi almost 6 years ago

UserProfile UI module: access to root key in configuration DB. Refs #2492

If the admin user is not defined in accounts DB, fall back to root
profile record in configuration DB.

Revision 61e0b9f8
Added by Davide Principi almost 6 years ago

nethserver-base-mail-aliases action. Refs #2492

The admin alias has been removed. Now mail is stored to local root
mailbox.

Forward messages for root to an external mail address. Keep a local
copy, if requested.

Revision d920ce3c
Added by Davide Principi almost 6 years ago

Moved libuser setup to nethserver-directory. Refs #2492

libuser commands are not used by nethserver-base.

Revision 2b27c662
Added by Davide Principi almost 6 years ago

Added bash aliases for adm group commands executed by sudo. Refs #2492

Revision bc7bb28c
Added by Davide Principi almost 6 years ago

Change ownership of session files from numerical uid. Refs #2492

This covers the scenario where the admin user passwd entry has been
removed manually.

Revision 7a2ea1cd
Added by Davide Principi almost 6 years ago

Fixed default local mail address setting. Refs #2492

Removed nethserver-mail-ldap-sync: to update all "mail" attributes in
LDAP when a domain record changes, use the
nethserver-mail-account-update action.

Revision 022cd39f
Added by Davide Principi almost 6 years ago

Map "shared" group to "locals" during ibay migration. Refs #2492

Revision 6a7d6544
Added by Davide Principi almost 6 years ago

SharedFolder UI module: "Authenticated users" label renamed "Local users". Refs #2492

The "authenticated" term can be misleading with Samba ADS role, for instance.

Revision 92de0359
Added by Davide Principi almost 6 years ago

Update admin user, adding samba attributes. Refs #2492

The samba SAM attributes are initialized by
nethserver-samba-user-create action.

Added default domadmins group description.

Revision 1d01b49f
Added by Davide Principi almost 6 years ago

Migration: replace "shared" group with "locals" when restoring Posix ACLs. Refs #2492

Revision bb33a9cc
Added by Davide Principi almost 6 years ago

Initialize admin's mailbox after account has been set up. Refs #2492

Fixed default MailForwardKeepMessageCopy prop name.

Revision d29d5315
Added by Davide Principi almost 6 years ago

Synchronize admin/root passwords. Refs #2492

If AdminIsNotRoot is disabled, admin and root passwords are the same.

Refactored the bash script, removing redundant nested IFs.

Revision 9c9232bb
Added by Giacomo Sanchietti almost 6 years ago

templates, nethserver-openvpn-genclient: use srvmgr user and adm group. Refs #2492

Revision 93cf9f11
Added by Giacomo Sanchietti almost 6 years ago

spec, pki-vpn-gencert, pki-vpn-renew: use srvmgr user and adm group. Refs #2492

Revision d23c2a1b
Added by Davide Principi almost 6 years ago

Send UPS/nut messages to root account. Refs #2492

Revision a0d46a1e
Added by Davide Principi almost 6 years ago

Create l2tpusers after admin account initialization. Refs #2294 #2492

History

#1 Updated by Davide Principi almost 6 years ago

  • Due date set to 12/19/2013
  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • Start date set to 12/17/2013
  • % Done changed from 20 to 30
  • Estimated time set to 16.00

#2 Updated by Davide Principi almost 6 years ago

Test case notes

  1. Migration of admin's home directory both in empty and non-empty cases.
  2. Group membership workflow: create/modify/delete with a member list of any length
  3. Email delivery to root. root mailbox moved to admin when nethserver-mail-server is installed. Email delivery to admin.
  4. Check domain join when PDC (nethserver-samba). admin samba user should have granted SeMachineAccountPrivilege, which allows managing domain computer accounts.
  5. admin user is default member of jabberadmins group nethserver-ejabberd
  6. admin user is default member of faxmaster group nethserver-hylafax
  7. IMAP admin login, SOGo admin login
  8. server manager allows logging in as admin, even if nethserver-directory is not installed, providing root's password. AdminIsNotRoot key must be honoured.

Release notes

When this issue is CLOSED, add the following release notes

nethserver-base

Before upgrade:

  1. Stop httpd-admin (if still running as admin) then remove the admin account, if it's present in passwd:
        # service httpd-admin stop; killall httpd-admin; stop httpd-admin
        # grep -q admin /etc/passwd && userdel admin
    
  2. Fix DB permissions:
        # chown -v root:adm /var/lib/nethserver/db/*
    
  3. Move admin key in configuration DB to root:
        # sed -i 's/^admin=/root=/' /var/lib/nethserver/db/configuration
    
  4. Clean up /etc/aliases:
        # sed -r -i '/^(# NethServer|root:|admin:)/ d' /etc/aliases
    

nethserver-directory

After upgrade:

  1. Refresh group members:
        # /etc/e-smith/events/actions/group-modify-unix ev
    
  2. Initialize locals group:
        # local_users=(`grep -F '=user|' /var/lib/nethserver/db/accounts | cut -d = -f 1`); lgroupmod -M "`echo ${local_users[*]} | tr ' ' ','`" locals
    

nethserver-ibays

  • Before upgrade, remove shared group:
        # luserdel shared
    
  • After upgrade change ownership to locals:
        # for IBAY in `grep -F '|OwningGroup|shared' /var/lib/nethserver/db/accounts  | cut -d = -f 1`; do db accounts setprop $IBAY OwningGroup locals; chgrp -Rv locals /var/lib/nethserver/ibay/$IBAY; done
    

nethserver-openvpn

  • After upgrade change ownership of configuration files:
    # find /var/lib/nethserver/certs/ -group admin -exec chgrp adm '{}' \;
    # find /etc/openvpn/ -group admin -exec chgrp adm '{}' \;
    # find /var/lib/nethserver/certs/ -user admin -exec chown srvmgr '{}' \;
    # find /etc/openvpn/ -user admin -exec chown srvmgr '{}' \;
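The "Initialize locals group" and "After upgrade change ownership to locals" steps above both read the esmith accounts DB (one record per line, key=type|prop|value|prop|value...). As an added example, not part of the release notes or of NethServer, the shell functions below perform the same two lookups with exact matching on record type and property value, refuse keys that are not plain names, and return an error instead of an empty member list, so a caller can skip lgroupmod rather than hand it nothing. The sample DB records are constructed for this example; the property names OwningGroup, shared and locals, and the ibay path, are those used in the notes.

```shell
#!/bin/sh
# Added example, not part of the NethServer release notes: the accounts-DB
# lookups behind the "locals" initialization and the ibay ownership change,
# as functions over a constructed sample DB. Record format and property names
# are the ones used in this issue; the records below are invented.

# Constructed sample of /var/lib/nethserver/db/accounts in a temp file.
SAMPLE_DB=$(mktemp)
cat >"$SAMPLE_DB" <<'EOF'
admin=user|FirstName|System|LastName|Administrator
u1=user|FirstName|User|LastName|One
test=group|Description|test group|Members|giacomo
ibay1=ibay|OwningGroup|shared|Description|Public share
ibay2=ibay|OwningGroup|locals|Description|Private share
ibay3=ibay|OwningGroup|sharedold
ibay4=ibay|OwningGroup|shared
EOF

# db_keys_of_type DBFILE TYPE: print the key of every record whose type (the
# text between "=" and the first "|") is exactly TYPE. Keys that are not
# plain names are skipped, so the output is safe to splice into commands.
db_keys_of_type() {
    awk -F'|' -v want="$2" '
        {
            split($1, kv, "=")
            if (kv[1] !~ /^[A-Za-z0-9._-]+$/) next
            if (kv[2] == want) print kv[1]
        }
    ' "$1"
}

# db_keys_with_prop DBFILE TYPE PROP VALUE: print keys of TYPE records whose
# property PROP equals VALUE exactly. The grep -F '|OwningGroup|shared' form
# in the notes would also match a group named "sharedold"; this does not.
db_keys_with_prop() {
    awk -F'|' -v want="$2" -v prop="$3" -v value="$4" '
        {
            split($1, kv, "=")
            if (kv[1] !~ /^[A-Za-z0-9._-]+$/ || kv[2] != want) next
            for (i = 2; i < NF; i += 2)
                if ($i == prop && $(i + 1) == value) { print kv[1]; break }
        }
    ' "$1"
}

# locals_members DBFILE: comma-separated list for "lgroupmod -M LIST locals".
# Prints nothing and returns 1 when there are no user records, so the caller
# skips lgroupmod instead of passing it an empty list.
locals_members() {
    members=$(db_keys_of_type "$1" user | paste -s -d , -)
    [ -n "$members" ] || return 1
    printf '%s\n' "$members"
}

# ibay_migration_plan DBFILE OLDGROUP NEWGROUP: print, one per line, the
# commands from the notes that would move each ibay owned by OLDGROUP to
# NEWGROUP, so the plan can be reviewed before it is executed.
ibay_migration_plan() {
    db_keys_with_prop "$1" ibay OwningGroup "$2" | while IFS= read -r ibay; do
        printf 'db accounts setprop %s OwningGroup %s\n' "$ibay" "$3"
        printf 'chgrp -Rv %s /var/lib/nethserver/ibay/%s\n' "$3" "$ibay"
    done
}

# Stand-alone run against the constructed sample.
echo "locals members: $(locals_members "$SAMPLE_DB")"
ibay_migration_plan "$SAMPLE_DB" shared locals
```

On a real system, point the functions at /var/lib/nethserver/db/accounts; on the sample above they report admin,u1 as locals members and plan the move for ibay1 and ibay4 only.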
    

#3 Updated by Davide Principi almost 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

#4 Updated by Davide Principi almost 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-lib-1.4.0-3.0gitce8e11f1.ns6.noarch.rpm
nethserver-base-1.5.0-11.0git12b07501.ns6.noarch.rpm
nethserver-directory-1.3.0-12.0git01b2300a.ns6.noarch.rpm
nethserver-nethgui-1.3.0-5.0gitb985d576.ns6.noarch.rpm
nethserver-mail-server-1.5.0-8.0git7757599e.ns6.noarch.rpm
nethserver-mail-server-1.5.0-9.0git7a2ea1cd.ns6.noarch.rpm
nethserver-samba-1.4.0-3.0git4fc31495.ns6.noarch.rpm
nethserver-ejabberd-1.0.2-3.0git6fec4e8d.ns6.noarch.rpm
nethserver-hylafax-1.0.3-2.0git1b8d9075.ns6.noarch.rpm
nethserver-httpd-admin-1.1.0-10.0gitbc7bb28c.ns6.noarch.rpm
nethserver-ibays-2.0.1-3.0git0be47b0b.ns6.noarch.rpm
nethserver-ibays-2.0.1-6.0git6a7d6544.ns6.noarch.rpm
nethserver-ibays-2.0.1-7.0git1d01b49f.ns6.noarch.rpm

#5 Updated by Giacomo Sanchietti almost 6 years ago

  • Assignee set to Giacomo Sanchietti

#6 Updated by Giacomo Sanchietti almost 6 years ago

Testing upgraded machine

Test case 1
Home directory correctly created: /var/lib/nethserver/home/admin
Note: migration from NethService/SME not tested

Test case 2
The admin user is in LDAP, users and groups are correctly created:

[root@test yum.repos.d]# ldapsearch -Y EXTERNAL uid=admin
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=directory,dc=nh> (default) with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, People, directory.nh
dn: uid=admin,ou=People,dc=directory,dc=nh
uid: admin
shadowMin: 0
shadowWarning: 7
shadowExpire: -1
shadowInactive: -1
gecos: admin
shadowLastChange: 16085
shadowFlag: -1
uidNumber: 500
gidNumber: 500
homeDirectory: /var/lib/nethserver/home/admin
loginShell: /bin/bash
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
telephoneNumber: 555-5555
o: XYZ Corporation
ou: Main
l: Ottawa
street: 123 Main Street
cn: System Administrator
givenName: System
sn: Administrator
shadowMax: 180
userPassword:: e0NSWVBUfSQ2JHhqVE5tVEtZJEY2S29RejBrQ3JHdzVIYUtlUS5QYlY1NnUxS2F
 NakRvaUhBZXJ4ckJOMWM3NFo1bzZqSWYuYi5ZZ0VvTUQ1Si40N3phckdQVnVGalcvaWNKREhMamEv

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@test ~]# ldapsearch -Y EXTERNAL cn=test
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=directory,dc=nh> (default) with scope subtree
# filter: cn=test
# requesting: ALL
#

# test, Groups, directory.nh
dn: cn=test,ou=Groups,dc=directory,dc=nh
cn: test
gidNumber: 5001
objectClass: posixGroup
memberUid: giacomo

# test, People, directory.nh
dn: uid=test,ou=People,dc=directory,dc=nh
uid: test
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowExpire: -1
homeDirectory: /home/test
shadowInactive: -1
userPassword:: e0NSWVBUfSEh
shadowLastChange: 16085
shadowFlag: -1
uidNumber: 5001
gidNumber: 5001
loginShell: /bin/false
sn: test
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: test
gecos: aa

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Test case 3
Mails are correctly delivered to admin user:

Jan 15 16:11:42 test dovecot: lmtp(30158): Connect from local
Jan 15 16:11:43 test dovecot: lmtp(30158, admin): UtJcOC6l1lLOdQAA6nEqjg: sieve: msgid=<20140115151142.D2136346E@test.test.loc>: stored mail into mailbox 'INBOX'
Jan 15 16:11:43 test postfix/lmtp[30157]: D2136346E: to=<admin@test.test.loc>, orig_to=<root@test.test.loc>, relay=test.test.loc[/var/run/dovecot/lmtp], delay=0.14, delays=0/0.04/0.04/0.06, dsn=2.0.0, status=sent (250 2.0.0 <admin@test.test.loc> UtJcOC6l1lLOdQAA6nEqjg Saved)
Jan 15 16:11:43 test dovecot: lmtp(30158): Disconnect from local: Client quit (in reset)
Jan 15 16:11:43 test postfix/qmgr[27420]: D2136346E: removed
Jan 15 16:12:22 test postfix/pickup[27419]: DEFE9346F: uid=0 from=<root>
Jan 15 16:12:22 test postfix/cleanup[30151]: DEFE9346F: message-id=<20140115151222.DEFE9346F@test.test.loc>
Jan 15 16:12:22 test postfix/qmgr[27420]: DEFE9346F: from=<root@test.test.loc>, size=420, nrcpt=1 (queue active)
Jan 15 16:12:22 test dovecot: lmtp(30158): Connect from local
Jan 15 16:12:22 test dovecot: lmtp(30158, admin): VtJcOC6l1lLOdQAA6nEqjg: sieve: msgid=<20140115151222.DEFE9346F@test.test.loc>: stored mail into mailbox 'INBOX'
Jan 15 16:12:22 test dovecot: lmtp(30158): Disconnect from local: Client quit (in reset)
Jan 15 16:12:22 test postfix/lmtp[30157]: DEFE9346F: to=<admin@test.test.loc>, orig_to=<admin>, relay=test.test.loc[/var/run/dovecot/lmtp], delay=0.06, delays=0.05/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <admin@test.test.loc> VtJcOC6l1lLOdQAA6nEqjg Saved)
Jan 15 16:12:22 test postfix/qmgr[27420]: DEFE9346F: removed
Jan 15 16:12:39 test dovecot: master: Warning: Killed with signal 15 (by pid=31959 uid=0 code=kill)
Jan 15 16:12:40 test dovecot: master: Dovecot v2.1.16 starting up (core dumps disabled)
Jan 15 16:12:49 test postfix/pickup[27419]: C1FCE3471: uid=0 from=<root>
Jan 15 16:12:49 test postfix/cleanup[30151]: C1FCE3471: message-id=<20140115151249.C1FCE3471@test.test.loc>
Jan 15 16:12:49 test postfix/qmgr[27420]: C1FCE3471: from=<root@test.test.loc>, size=419, nrcpt=1 (queue active)
Jan 15 16:12:49 test dovecot: lmtp(32163): Connect from local
Jan 15 16:12:49 test postfix/lmtp[30157]: C1FCE3471: to=<admin@test.test.loc>, orig_to=<root>, relay=test.test.loc[/var/run/dovecot/lmtp], delay=0.15, delays=0.1/0/0.01/0.04, dsn=2.0.0, status=sent (250 2.0.0 <admin@test.test.loc> S3F6MHGl1lKjfQAA6nEqjg Saved)
Jan 15 16:12:49 test dovecot: lmtp(32163, admin): S3F6MHGl1lKjfQAA6nEqjg: sieve: msgid=<20140115151249.C1FCE3471@test.test.loc>: stored mail into mailbox 'INBOX'
Jan 15 16:12:49 test dovecot: lmtp(32163): Disconnect from local: Client quit (in reset)
Jan 15 16:12:49 test postfix/qmgr[27420]: C1FCE3471: removed

Test case 4
Tested with WindowsXP client, it works.
Note: Samba access for admin user must be explicitly set, also admin user password must be set.

Test case 5 and 6

[root@test yum.repos.d]# getent group faxmaster
faxmaster:*:504:admin
[root@test yum.repos.d]# getent group jabberadmins
jabberadmins:*:503:admin
[root@test yum.repos.d]# getent group locals
locals:*:502:admin

Test case 7
The admin user can access SOGo and IMAP.
NOTE: on SOGo UI, the label for mail root directory is "0" instead of admin@domain (on the left of the screen). This is caused by the blank mail field inside LDAP user.

Test case 8
Access to WEB UI is always granted to root and admin users. AdminIsNotRoot is honored.

#7 Updated by Davide Principi almost 6 years ago

Giacomo Sanchietti wrote:

Test case 7
The admin user can access SOGo and IMAP.
NOTE: on SOGo UI, the label for mail root directory is "0" instead of admin@domain (on the left of the screen). This is caused by the blank mail field inside LDAP

Fixed.

In nethserver-testing:
nethserver-mail-server-1.5.0-9.0git7a2ea1cd.ns6.noarch.rpm

Marking this note as VERIFIED - Giacomo

#8 Updated by Giacomo Sanchietti almost 6 years ago

Testing freshly installed machine

Test case 1
Home directory correctly created: /var/lib/nethserver/home/admin
Also tested migration from NethService/SME.

Test case 2
Group create/modify/delete OK.

Test case 3
Mail is not moved from root to admin user.

[root@localhost ~]# cat /var/spool/mail/root 
From root@localhost.localdomain  Wed Jan 15 18:25:33 2014
Return-Path: <root@localhost.localdomain>
X-Original-To: root
Delivered-To: root@localhost.localdomain
Received: by localhost.localdomain (Postfix, from userid 0)
    id 574ED3F43E; Wed, 15 Jan 2014 18:25:33 +0100 (CET)
Date: Wed, 15 Jan 2014 18:25:33 +0100
To: root@localhost.localdomain
Subject: hi
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20140115172533.574ED3F43E@localhost.localdomain>
From: root@localhost.localdomain (root)

hi

[root@localhost ~]# cat /var/spool/mail/admin 

FAILED

Test case 4
Tested with WindowsXP client, it works.
Note: Samba access for admin user must be explicitly set, also admin user password must be set.

Test case 5 and 6
Groups are correct:

[root@localhost ~]# getent group faxmaster
faxmaster:*:503:admin
[root@localhost ~]# getent group jabberadmins
jabberadmins:*:504:admin
[root@localhost ~]# getent group locals
locals:*:502:admin,u1

[root@localhost ~]# ldapsearch -Y EXTERNAL uid=admin
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=directory,dc=nh> (default) with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, People, directory.nh
dn: uid=admin,ou=People,dc=directory,dc=nh
uid: admin
shadowMin: 0
shadowWarning: 7
shadowExpire: -1
shadowInactive: -1
gecos: admin
shadowLastChange: 16085
shadowFlag: -1
uidNumber: 500
gidNumber: 500
homeDirectory: /var/lib/nethserver/home/admin
loginShell: /bin/bash
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: qmailUser
telephoneNumber: 555-5555
o: XYZ Corporation
ou: Main
l: Ottawa
street: 123 Main Street
cn: System Administrator
givenName: System
sn: Administrator
mail: admin@localhost.localdomain
accountStatus: active
shadowMax: 180
userPassword:: e0NSWVBUfSQ2JGZZSGVjSUFOYy5QRW9WaE0kbzUyTjI0d0NqTTFXQUlJTGxVUlJ
 VcXJVUmlkL01GbnAvN0tIcVJOSmhjdGpPVDZSd2hRMEt3dmJkU3FZLlA0Z0RRdUcuUFUxWWFHNW1W
 UGtIL296WDA=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Test case 7
Admin user can access SOGo and IMAP server. See also previous note.

Test case 8
Access to WEB UI is always granted to root and admin users. AdminIsNotRoot is honored.
NOTE: AdminIsNotRoot is honored only with this flow admin -> root

#9 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from ON_QA to TRIAGED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 20
Some other notes:
  • the admin user is not automatically enabled to Samba service
  • the domadmins group lacks a description
  • when changing the root password from web UI, the admin password is not changed

Marking as NOT verified for the error on test case 3 in the previous note.

#10 Updated by Davide Principi almost 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#11 Updated by Davide Principi almost 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

#12 Updated by Davide Principi almost 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-samba-1.4.0-6.0git92de0359.ns6.noarch.rpm
nethserver-base-1.5.0-13.0gitd29d5315.ns6.noarch.rpm
nethserver-mail-server-1.5.0-10.0gitbb33a9cc.ns6.noarch.rpm
nethserver-ibays-2.0.1-7.0git1d01b49f.ns6.noarch.rpm

#13 Updated by Davide Principi almost 6 years ago

  • File run2492.sh added

The attached run2492.sh (upgrade-65b3.sh) shell script executes the upgrade, checking user and package existence.

You can run it on a remote machine:

    # ssh root@davidep3 'bash -s' < upgrade-65b3.sh

Note: add a sleep after line 10, to be sure httpd-admin is stopped. Otherwise userdel may fail.

#14 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 70 to 90

Test case 3

Before nethserver-mail-server install:

[root@localhost ~]# cat /var/spool/mail/root 
From root@localhost.localdomain  Thu Jan 16 10:55:46 2014
Return-Path: <root@localhost.localdomain>
X-Original-To: root
Delivered-To: root@localhost.localdomain
Received: by localhost.localdomain (Postfix, from userid 0)
    id 5386640AC7; Thu, 16 Jan 2014 10:55:46 +0100 (CET)
Date: Thu, 16 Jan 2014 10:55:46 +0100
To: root@localhost.localdomain
Subject: test1
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20140116095546.5386640AC7@localhost.localdomain>
From: root@localhost.localdomain (root)

hi

After install:

[root@localhost ~]# cat /var/spool/mail/root 
[root@localhost ~]# ll /var/lib/nethserver/vmail/admin/Maildir/
cur/                          dovecot.index.log             dovecot-uidvalidity           subscriptions                 
dovecot-acl-list              dovecot.mailbox.log           dovecot-uidvalidity.52d7ad6b  tmp/                          
dovecot.index.cache           dovecot-uidlist               new/                          
[root@localhost ~]# ll /var/lib/nethserver/vmail/admin/Maildir/new/92726a89d24357fe7dd24ae126781790 
-rw-------. 1 vmail vmail 540 Jan 16 10:55 /var/lib/nethserver/vmail/admin/Maildir/new/92726a89d24357fe7dd24ae126781790
[root@localhost ~]# cat /var/lib/nethserver/vmail/admin/Maildir/new/92726a89d24357fe7dd24ae126781790 
Return-Path: <root@localhost.localdomain>
X-Original-To: root
Delivered-To: root@localhost.localdomain
Received: by localhost.localdomain (Postfix, from userid 0)
    id 5386640AC7; Thu, 16 Jan 2014 10:55:46 +0100 (CET)
Date: Thu, 16 Jan 2014 10:55:46 +0100
To: root@localhost.localdomain
Subject: test1
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20140116095546.5386640AC7@localhost.localdomain>
From: root@localhost.localdomain (root)

hi

Other notes:
  • the admin user is automatically enabled to Samba service OK
  • domadmins group has "Domain Admins" description OK
  • admin/root password change works in both directions OK

Marking as VERIFIED

#15 Updated by Giacomo Sanchietti almost 6 years ago

  • Assignee deleted (Giacomo Sanchietti)

#16 Updated by Davide Principi almost 6 years ago

  • File deleted (run2492.sh)

#18 Updated by Davide Principi almost 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver/6.5/base repository.

#19 Updated by Davide Principi almost 5 years ago

  • Related to Feature #3026: Differentiate root and admin users added
