Error setting administration rights for a user

[kuimpje@…]

trying to enable administrator rights for a created user

Error

Unknown error at EBox::UsersAndGroups::addUserToGroup modify/add: memberUid: value #0 already exists

Trace

Unknown error at EBox::UsersAndGroups::addUserToGroup modify/add: memberUid: value #0 already exists at /usr/share/perl5/EBox/Ldap.pm line 701
	EBox::Ldap::_errorOnLdap('Net::LDAP::Modify=HASH(0x7f361107dc08)', 'HASH(0x7f360fd86350)') called at /usr/share/perl5/EBox/Ldap.pm line 363
	EBox::Ldap::modify('EBox::Ldap=HASH(0x7f3610e650b0)', 'cn=Domain Admins,ou=Groups,dc=zentyal', 'HASH(0x7f360fd86350)') called at /usr/share/perl5/EBox/UsersAndGroups.pm line 2059
	EBox::UsersAndGroups::addUserToGroup('EBox::UsersAndGroups=HASH(0x7f360ffa8ac0)', 'admin', 'Domain Admins') called at /usr/share/perl5/EBox/Samba.pm line 953
	EBox::Samba::setAdminUser('EBox::Samba=HASH(0x7f360fef4c38)', 'admin', 'yes') called at /usr/share/perl5/EBox/CGI/Samba/ActiveSharing.pm line 78
	EBox::CGI::Samba::ActiveSharing::_user('EBox::CGI::Samba::ActiveSharing=HASH(0x7f3610f25dc8)') called at /usr/share/perl5/EBox/CGI/Samba/ActiveSharing.pm line 85
	EBox::CGI::Samba::ActiveSharing::_process('EBox::CGI::Samba::ActiveSharing=HASH(0x7f3610f25dc8)') called at /usr/share/perl5/EBox/CGI/Base.pm line 275
	EBox::CGI::Base::run('EBox::CGI::Samba::ActiveSharing=HASH(0x7f3610f25dc8)') called at /usr/share/perl5/EBox/CGI/Run.pm line 129
	EBox::CGI::Run::run('EBox::CGI::Run', 'Samba/ActiveSharing', 'EBox') called at /usr/share/zentyal/cgi/ebox.cgi line 34
	ModPerl::ROOT::ModPerl::Registry::usr_share_zentyal_cgi_ebox_2ecgi::handler('Apache2::RequestRec=SCALAR(0x7f3610e653c8)') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
	eval {...} called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
	ModPerl::RegistryCooker::run('ModPerl::Registry=HASH(0x7f3610ed1328)') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 170
	ModPerl::RegistryCooker::default_handler('ModPerl::Registry=HASH(0x7f3610ed1328)') called at /usr/lib/perl5/ModPerl/Registry.pm line 31
	ModPerl::Registry::handler('ModPerl::Registry', 'Apache2::RequestRec=SCALAR(0x7f3610e653c8)') called at -e line 0
	eval {...} called at -e line 0

[anonymous]

zentyal.log

[jamor@…]

Hello Kuimpje,

to set the rights the user is added to a user's groups and the error message basically says that the user already is in the group. Could you look whether the rights had already been granted?.

In case the rights aren't granted, could you told me if you have previously restored a backup or done a migration from version 2.0 to 2.2?. Or any operation with ldap/users which could have affected users or groups?.

Regards,

Javier

[kuimpje@…]

hi,

it's quite a time ago when i had that problem, but let me try to recall...

i can't really remember what i did to set admin rights for a user. i _think_ it was removing the particular user and adding him directly in the domain admins group without editing the user afterwards.

and no, i did not upgrade and i didn't also do anything ldap/users related which could have affected users or groups.

regards, dado

[jamor@…]

See also 33707 for the same error

[jamor@…]

I mean #3707

[jamor@…]

it was removing the particular user and adding him directly in the domain admins group without editing the user afterwards. 

How you added the user directly to the domain admins group?. This group should not be shown in the interface. In fact when setting administration rights for a user, the user is added to this group. (this explains your error message)

[jamor@…]

I have made the addUserToGroup method more resilient so this change should fix your errors (git branch jag/addAndDelUserIdempotent )

If you want to hotfix your server you could follow this steps:

1) Download the new UsersAndGroups?.pm from  http://git.zentyal.org/zentyal.git/blob_plain/334e567cfc073f12b409b94fa4c680c9a7fb0be9:/main/users/src/EBox/UsersAndGroups.pm

2) Use it to replace /usr/share/perl5/EBox/UsersAndGroups.pm

3) Restart web interface with 'sudo /etc/init.d/zentyal apache restart'

4) Retry the operation

By the way, I continue to be interested in know how you added the user directly to the group!.

Regards,

Javier

[kuimpje@…]

hi,

ok, i remembered wrong, setting admin rights while adding a user is actually not possible. as you mentioned.

i just have logged into my zentyal machine to try to reproduce the error.

add a user with group "domain admins" edit the user activate "administration rights" and click "change".

there it comes:

Unknown error at EBox::UsersAndGroups::addUserToGroup modify/add: memberUid: value #0 already exists

how i figured out a workaround:

add the user with no group selected edit the user and change administration rights and voilá, the user gets admin rights and is also beeing added automatically to the domain admins group.

i guess my "workaround" is the official procedure for adding a domain admin?

in my opinion this is very misleading. i would prefer that adding the user to the domain admins group would allow administration rights automatically. even without showing the administration rights checkbox in the user's properties. why would you need that if the user is member of domain admins already. but that's just my opinion.

i'll try your patch and see what that does. thanks for the effort.

by the way, please fix the reply-to address in the mailing list to avoid the need of visiting this website when replying to comments. thanks