Attachment #2585 for bug #19430




#!/bin/bash
#
# Univention Join
#  joins a server to an univention domain


export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"

declare -a ADMINOPTIONS
LOGFILE="/var/log/univention/server-join.log"
if [ "$USER" != "root" ]; then
	if [ "$HOME" ]; then
		LOGFILE="$HOME/.univention-server-join.log"
	else
		USERTMP="$(mktemp -d)"
		LOGFILE="$USERTMP/.univention-server-join.log"
	fi
	ADMINOPTIONS+=(--logfile "$LOGFILE")
fi

display_help() {



log() {
	if [ "$1" = 1 ]; then
		shift
		echo "$@"				>>"$LOGFILE"
		echo "$@"

do
	case "$1" in
		"-role")
			ROLE="${2:?missing role}"
			shift 2
			shift
			;;
		"-hostname")
			HOSTNAME="${2:?missing host name}"
			shift 2
			shift
			;;
		"-domainname")
			DOMAINNAME="${2:?missing domain name}"
			shift 2
			shift
			;;
		"-ip")
			IP="${2:?missing IP address}"
			shift 2
			shift
			;;
		"-certs")
			CERTS="${2:?missing certificate}"
			shift 2
			shift
			;;
		"-mac")
			MAC="${2:?missing ethernec MAC address}"
			shift 2
			shift
			;;
		"-bindaccount")
			BINDACCOUNT="${2:?missing account name for bind}"
			shift 2
			shift
			;;
		"-bindpwfile")
			BINDPWFILE="${2:?missing password file for bind}"
			shift 2
			shift
			;;
		"-position")
			POSITION="${2:?missing LDAP position}"
			shift 2
			shift
			;;
		"--version")
			display_version


# extend options for univention-admin
if [ "$BINDACCOUNT" ]; then
	BINDDN="$(ldapsearch -x "(&(uid=$BINDACCOUNT)(objectclass=posixAccount))" dn | ldapsearch-wrapper | sed -ne '^s|dn: ||p')"
	log 0 "found BINDDN: $BINDDN" >>$LOGFILE
	if [ -z "$BINDDN" ]; then
		log 1 "failed to get binddn for $BINDACCOUNT"
		exit 1
	fi
fi

if [ "$BINDDN" ]; then
	ADMINOPTIONS+=(--binddn "$BINDDN")
fi
if [ "$BINDPWFILE" ]; then
	ADMINOPTIONS+=(--bindpw "$(<"$BINDPWFILE")")
fi


eval "$(univention-config-registry shell)"
if [ -z "$ROLE" ]; then
	log 1 "E: 	-role is missing"
	display_help


display_header
create_entry () {
	local desc="${1?:missing description}"
	local module="${2?:missing computer module}"
	local position="${3?:missing LDAP position}"
	local primaryGroup="$4"
	local group="$5"
	log 0 "Join $desc"

	old_dn="$(univention-admin "$module" list --filter name="$HOSTNAME" "${ADMINOPTIONS[@]}" | ldapsearch-wrapper | sed -ne "s|.*DN: ||p")"
	if [ $? = 1 ]; then
		log 1 "E: failed search $desc [$old_dn]"
		exit 1
	fi

	declare -a args
	if [ -z "$old_dn" ]; then
		log 0 "	Create new $desc "

		if [ -n "$MAC" -a -n "$dhcpEntry" -a "$module" = "computers/managedclient" ]; then
			args+=(--set mac="$MAC" --set dhcpEntryZone="$dhcpEntry")
		elif [ -n "$MAC" -a -n "$dhcpEntry" -a "$module" = "computers/mobileclient" ]; then
			args+=(--set mac="$MAC" --set dhcpEntryZone="$dhcpEntry")
		elif [ -n "$MAC" ]; then
			args+=(--set mac="$MAC")
		fi

		if [ -n "$IP" ]; then
			args+=(--set ip="$IP")
			if [ -n "$forwardZone" ]; then
				args+=(--set dnsEntryZoneForward="$forwardZone")
				if [ -n "$reverseZone" ]; then
					args+=(--set dnsEntryZoneReverse="$reverseZone")
				fi
			fi
		fi

		rc="$(univention-admin "$module" create --position "$position"\
			--set name="$HOSTNAME" \
			--set domain="$DOMAINNAME" \
			--set password="$computerPassword" --set unixhome=/dev/null --set shell=/bin/sh --set primaryGroup="$primaryGroup" "${args[@]}" "${ADMINOPTIONS[@]}")"
		if [ $? -ne 0 ]; then
			log 1 "E: failed to create $desc (1) [$rc]"
			exit 1
		fi

		if [ -z "$rc" ]; then
			log 1 "E: failed to create $desc: no result"
			exit 1
		fi

		ldap_dn="$(echo $rc | sed -ne 's|Object created: ||p')"
		if [ -z "$ldap_dn" ]; then
			log 1 "E: failed to create $desc (2) [$rc]"
			exit 1
		fi

		echo "ldap_dn=\"$ldap_dn\""

		if [ -n "$group" ]; then
			rc="$(univention-admin groups/group modify --dn="$group" --append users="$ldap_dn" "${ADMINOPTIONS[@]}")"
		fi
	else
		log 0 "Modify $desc [$old_dn]"

		if [ -n "$MAC" ]; then
			args+=(--set mac="$MAC")
		fi
		if [ -n "$IP" ]; then
			args+=(--set ip="$IP")
		fi
		rc="$(univention-admin "$module" modify --dn "$old_dn" --set password="$computerPassword" --set domain="$DOMAINNAME" "${args[@]}" "${ADMINOPTIONS[@]}")"

		if [ $? -ne 0 ]; then
			log 1 "E: failed to modify $desc $old_dn [$rc]"
		fi

		echo "ldap_dn=\"$old_dn\" "

	fi


}

if [ -n "$IP" ]; then
	subnet="$(univention-ipcalc --ip "$IP" --netmask "$interfaces_eth0_netmask" --output network --calcdns)"
	log 0 "	Calculated subnet = $subnet"

	forwardZone="$(univention-admin dns/forward_zone list --filter zone="$DOMAINNAME" "${ADMINOPTIONS[@]}" | ldapsearch-wrapper | sed -ne 's/DN: //gp')"
	reverseZone="$(univention-admin dns/reverse_zone list --filter subnet="$subnet" "${ADMINOPTIONS[@]}" | ldapsearch-wrapper | sed -ne 's/DN: //gp')"
	dhcpEntry="$(univention-admin dhcp/service list --filter name="$DOMAINNAME" "${ADMINOPTIONS[@]}" | ldapsearch-wrapper | sed -ne 's/DN: //gp')"

	log 0 "	forwardZone $forwardZone "
	log 0 "	reverseZone $reverseZone "
fi

computerPassword="$(makepasswd --chars=8)"

if [ "$ROLE" = "domaincontroller_master" ]; then
	if [ -n "$POSITION" ]; then

	else
		create_entry "DC Backup" "computers/domaincontroller_backup" "cn=dc,cn=computers,$ldap_base" "cn=DC Backup Hosts,cn=groups,$ldap_base" "cn=DC Slave Hosts,cn=groups,$ldap_base"
	fi
	kadmin -l add --random-key --use-defaults "ldap/$HOSTNAME.$DOMAINNAME"
elif [ "$ROLE" = "domaincontroller_slave" ]; then
	if [ -n "$POSITION" ]; then
		create_entry "DC Slave" "computers/domaincontroller_slave" "$POSITION" "cn=DC Slave Hosts,cn=groups,$ldap_base"
	else
		create_entry "DC Slave" "computers/domaincontroller_slave" "cn=dc,cn=computers,$ldap_base" "cn=DC Slave Hosts,cn=groups,$ldap_base"
	fi
	kadmin -l add --random-key --use-defaults "ldap/$HOSTNAME.$DOMAINNAME"
elif [ "$ROLE" = "memberserver" ]; then
	if [ -n "$POSITION" ]; then
		create_entry "Member Server" "computers/memberserver" "$POSITION" "cn=Computers,cn=groups,$ldap_base"

Lines 7-13 Link Here

(-)debian/control (-1 / +4 lines)
7		7
8	Package: univention-join	8	Package: univention-join
9	Architecture: all	9	Architecture: all
10	Depends: univention-config-registry, univention-ssh, ldap-utils, sysutils	10	Depends: univention-config-registry,
		11	univention-ssh (>= 2.0.1),
		12	ldap-utils,
		13	sysutils
11	Description: UCS - join domains	14	Description: UCS - join domains
12	This packages allows for the joining of UCS computers to a	15	This packages allows for the joining of UCS computers to a
13	UCS domain.	16	UCS domain.




univention-join (3.0.3-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix spelling (Bug #9861)
  * Fix error test (Bug #16214)
  * Improve check for join status (Bug #19361,#13495,#13497,#18120)

 -- Philipp Hahn <hahn@univention.de>  Thu, 12 Aug 2010 19:38:02 +0200

univention-join (3.0.3-1) unstable; urgency=low

  * For join scripts is an admin account required on DC Backups





export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"

eval "$(univention-config-registry shell)"

display_help() {
	display_header

	echo "**************************************************************************"
	echo "* Message:  $@"
	echo "**************************************************************************"
	if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then
		rm -f $DCPWD
	fi
	exit 1
}

USERTMP="$(mktemp -d)"
DCPWD="$USERTMP/dcpwd"
trap "rm -rf '$USERTMP'" EXIT

while [ $# -gt 0 ]
do
	case "$1" in
		"-dcaccount")
			DCACCOUNT="${2:?missing DC master account}"
			shift 2
			shift
			;;
		"-dcpwd")
			dcpwd="${2:?missing DC password file}"
			cp "$dcpwd" "$DCPWD"
			shift 2
			;;
		"--version")
			display_version

		echo -n "Enter DC Master Account : "
		read DCACCOUNT
	fi
	if [ ! -f "$DCPWD" ]; then
		echo -n "Enter DC Master Password: "
		read -s password
		echo -n "$password" >>"$DCPWD"
		echo "$password" >>$DCPWD
		REMOVE_PWD_FILE="1"
		echo ""
		echo ""
	fi

	echo -n "Search LDAP binddn "
	binddn=""
	for i in $(ldapsearch -x -LLL -b "$ldap_base" "(&(uid=$DCACCOUNT)(objectClass=person))" | ldapsearch-wrapper | sed -ne 's|dn: ||p'); do
		if [ -n "$binddn" ]; then
			failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn"
		fi

	if [ -z "$binddn" ]; then
		failed_message "binddn for user $DCACCOUNT not found"
	else
		if ! ldapsearch -x -LLL -b "$ldap_base" -D "$binddn" -w "$(<"$DCPWD")" -LLL -s base >/dev/null 2>&1
		then
			failed_message "Invalid credentials"
		fi
	fi

echo "univention-run-join-scripts started"  >>/var/log/univention/join.log 2>&1
date >>/var/log/univention/join.log 2>&1
echo >>/var/log/univention/join.log 2>&1
if test -d "/usr/lib/univention-install"
then
	for i in /usr/lib/univention-install/*.inst; do
		echo -n "Running ${i##*/}"
		echo "RUNNING ${i##*/} " >>/var/log/univention/join.log

		if ! joinscript_extern_init "$i"; then
			echo -e "\033[60Gskipped (invalid joinscript)"

		fi

		if [ ! "$server_role" = "domaincontroller_master" ] ; then
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
		else
			"$i" >>/var/log/univention/join.log 2>&1
		fi
		RET=$?
		echo "EXITCODE=$RET" >>/var/log/univention/join.log 2>&1

	done
fi

if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then
	rm -f $DCPWD
fi

echo >>/var/log/univention/join.log 2>&1
date >>/var/log/univention/join.log 2>&1
echo "univention-run-join-scripts finished"  >>/var/log/univention/join.log 2>&1




#!/bin/bash
#
# Univention Join
#  helper script: checks the join status of the local system


log_error ()
{
	local message="Error: $@"
	echo $message
	echo $message >>"$LOG_FILE"
	exit 1
}
log_warn ()
{
	local message="Warning: $@"
	echo $message
	echo $message >>"$LOG_FILE"
}

echo "Start $0 at $(date)" >>"$LOG_FILE"
eval "$(univention-config-registry shell)"

if [ ! -e /etc/machine.secret ]; then
	log_error "/etc/machine.secret not found"
fi

if ! ldapsearch -x -h "$ldap_master" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
	log_error "ldapsearch -x failed"
fi


if ! ldapsearch -x -ZZ -h "$ldap_master" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
	log_error "ldapsearch -x -ZZ failed"
fi


	log_error "The system isn't joined yet"
fi

if ! ldapsearch -x -ZZ -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
	log_error "localhost ldapsearch failed"
fi

for i in /usr/lib/univention-install/*.inst
do
	unset VERSION
	eval "$(grep -h ^VERSION= "$i")"
	n="${i##*/[0-9][0-9]}"
	n="${n%.inst}"
	if ! grep -Fxq "$n v${VERSION} successful" /usr/lib/univention-install/.index.txt
	then
		log_warn "'$n' is not configured."
		MISSING=1
	fi
done

if [ -n "$MISSING" ]
then
	log_error "Not all install files configured"
fi

echo "Joined successful"
echo "Joined successfully" >>"$LOG_FILE"

exit 0




#!/bin/bash
#
# Univention Join
#  joins a system into a UCS domain


export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"

eval "$(univention-config-registry shell)"

TYPE=
REMOVE_PWD_FILE=""

USERTMP="$(mktemp -d)"
DCPWD="$USERTMP/dcpwd"
trap "rm -rf '$USERTMP'" EXIT

display_help() {
	display_header
	cat <<-EOL

	echo "univention-join @%@package_version@%@"
}


failed_message () {
	echo ""
	echo ""

	echo "**************************************************************************"
	echo "* Message:  $@"
	echo "**************************************************************************"
	if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then
		rm -f $DCPWD
	fi
	exit 1
}

download_host_certificate () {
	echo -n "Download host certificate "
	local HOSTPWD="/etc/machine.secret"
	local HOSTACCOUNT="$hostname\$"
	univention-scp "$HOSTPWD" -q -r "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1
	univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1
	while [ ! -d "/etc/univention/ssl/$hostname" ] &&  [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; do
		echo -n "."
		sleep 20
		univention-scp "$HOSTPWD" -q -r "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1
		univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1
	done

	echo -e "\033[60Gdone"

check_ldap_tls_connection () {
	echo -n "Check TLS connection "

	if ! ldapsearch -x -ZZ -s base -h "$DCNAME" dn >/dev/null
	if  [ $? != 0 ]; then
 		failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN."
	fi


do
	case "$1" in
		"-dcname")
			DCNAME="${2:?missing DC master FQDN}"
			shift 2
			shift
			;;
		"-dcaccount")
			DCACCOUNT="${2:?missing DC master account}"
			shift 2
			shift
			;;
		"-dcpwd")
			dcpwd="${2:?missing DC password file}"
			cp "$dcpwd" "$DCPWD"
			shift 2
			;;
		"-ldapbase")
			LDAPBASE="${2:?missing LDAP base}"
			shift 2
			shift
			;;
		"-realm")
			REALM="${2:?missing Kerberos real}"
			shift 2
			shift
			;;
		"-type")
			TYPE="${2:?missing computer role}"
			shift 2
			shift
			;;
		"--version")
			display_version

fi

if [ -z "$DCACCOUNT" ]; then
	echo -n "Enter DC Master Account : "
	read DCACCOUNT
fi
if [ ! -f "$DCPWD" ]; then
	echo -n "Enter DC Master Password: "
	read -s password
	echo -n "$password" >"$DCPWD"
	echo "$password" >>$DCPWD
	REMOVE_PWD_FILE="1"
	echo ""
	echo ""
fi

declare -a args

if [ "$DCACCOUNT" != "root" ]; then
	args+=(-bindaccount "$DCACCOUNT" -bindpwfile "/dev/stdin")
fi

if [ -z "$server_role" ]; then

		echo "try: -type"
		display_help
	else
		server_role="$TYPE"
	fi
fi


	server_role="client"
fi

mac_addr="$(LC_ALL=C /sbin/ifconfig eth0 | sed -ne "s|.*HWaddr ||p")"
if [ -n "$mac_addr" ]; then
	args+=(-mac "$mac_addr")
fi


if [ -z "$DCNAME" ]; then
	echo -n "Search DC Master: "
	if [ "$interfaces_eth0_type" = "dhcp" ]; then
		DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"
		if [ -n "$DCNAME" ]; then
			echo -e "\033[60Gdone"
		fi
	else
		for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do
			if [ -z "$i" ]; then continue; fi
			DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"
			if [ -n "$DCNAME" ]; then
				echo -e "\033[60Gdone"
				echo "domain $domainname" >/etc/resolv.conf


echo -n "Check DC Master: "

if ! ping -c 1 "$DCNAME" >/dev/null 2>&1
then
if [ $? != 0 ]; then
	failed_message "ping to $DCNAME failed"
fi

if ! univention-ssh "$DCPWD" "$DCACCOUNT"@"$DCNAME" echo ssh-check 2>>/var/log/univention/join.log | grep -qs ssh-check
then
	failed_message "ssh-login for $DCACCOUNT@$DCNAME failed. Maybe you entered a wrong password."
fi



if [ -z "$LDAPBASE" ]; then
	echo -n "Search ldap/base"
	ldap_base=$(ldapsearch -x -h "$DCNAME" -b "" -s base 'objectclass=*' NamingContexts -LLL | ldapsearch-wrapper | sed -ne 's|namingContexts: ||p')
else
	ldap_base="$LDAPBASE"
fi


echo -n "Search LDAP binddn "
binddn=""
for i in $(ldapsearch -x -h "$DCNAME" -LLL -b "$ldap_base" "(&(uid=$DCACCOUNT)(objectClass=person))" | ldapsearch-wrapper | sed -ne 's|^dn: ||p'); do
	if [ -n "$binddn" ]; then
		failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn"
	fi

if [ -z "$binddn" ]; then
	failed_message "binddn for user $DCACCOUNT not found"
else
	if ! ldapsearch -x -h "$DCNAME" -LLL -b "$ldap_base" -D "$binddn" -w "$(<"$DCPWD")" -LLL -s base >/dev/null 2>&1
	if [ $? != 0 ]; then
		failed_message "Invalid credentials"
	fi
fi

if [ "$server_role" != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ]; then
	failed_message "binddn for user $DCACCOUNT not found"
fi

if [ -x /usr/bin/rdate ]; then
	echo -n "Sync time "
	/usr/bin/rdate "$DCNAME" >/dev/null 2>&1
	echo -e "\033[60Gdone"
fi

if [ -n "$ldap_position" ]; then
	args+=(-position "$ldap_position")
fi

if [ -n "$server_role" ]; then
	if [ -n "$interfaces_eth0_address" ]; then
		args+=(-ip "$interfaces_eth0_address")
	fi
	echo -n "Join Computer Account: "
	univention-ssh --no-split "$DCPWD" "$DCACCOUNT@$DCNAME" /usr/share/univention-join/univention-server-join -role "$server_role" -hostname "$hostname" -domainname "$domainname" "${args[@]}" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>/var/log/univention/join.log
	res_message="$(grep uexception "$USERTMP/log" | sed -e 's|.*univention.admin.uexceptions.||'g)"
	univention-ssh $DCPWD $DCACCOUNT@$DCNAME "rm $DCPWD" >>/var/log/univention/join.log 2>&1
	res_message=`echo $res | grep uexception | sed -e 's|.*univention.admin.uexceptions.||'g`
	if [ -z "$res_message" ]; then
		echo -e "\033[60Gdone"
	fi

	failed_message "No server role defined"
fi

if [ -s "$USERTMP/log" ]; then
	echo "Join result = [$(<"$USERTMP/log")]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>/var/log/univention/join.log

	#try to get password
	pwd="$(sed -ne 's|.*KerberosPasswd="||;s|".*||gp' <"$USERTMP/log")"


	if [ -n "$pwd" ]; then

		if [ -e /etc/machine.secret ]; then
			cat /etc/machine.secret >>/etc/machine.secret.SAVE
		fi

		fromdos /etc/machine.secret
		chmod 600 /etc/machine.secret
		if [ -e /etc/machine.secret.SAVE ]; then
			chmod 600 /etc/machine.secret.SAVE
		fi
	else
		if [ -n "$res_message" ]; then
			failed_message "$res_message"
		else
			failed_message "$(<"$USERTMP/log")"
		fi
	fi

	ldap_dn="$(sed -ne 's|.*ldap_dn="||;s|".*||p' <"$USERTMP/log")"
	if [ -n "$ldap_dn" ]; then
		univention-config-registry set ldap/hostdn="$ldap_dn" >>/var/log/univention/join.log 2>&1
	else

fi

if [ -e "/usr/lib/univention-install/.index.txt" ]; then
	mkdir -p /var/univention-join/
	rm -rf /var/univention-join/status
	rm /usr/lib/univention-install/.index.txt
	touch /var/univention-join/status
fi

if [ ! -e "/usr/lib/univention-install/.index.txt" ]; then
	mkdir -p /var/univention-join/
	touch /var/univention-join/status
	ln -sf /var/univention-join/status /usr/lib/univention-install/.index.txt
fi


if [ -e "/etc/univention/ssl" ]; then
	mv /etc/univention/ssl "/etc/univention/ssl_$(date +"%y%m%d%H%M")"
	mkdir /etc/univention/ssl
fi

# Stop Notifier
notifier_pid="$(pidof univention-directory-notifier)"
if [ -n "$notifier_pid" -a -e /etc/runit/univention/univention-directory-notifier ]; then
	echo -n "Stopping univention-directory-notifier daemon: "
	/etc/init.d/univention-directory-notifier stop >/dev/null 2>&1
	while ! sv status univention-directory-notifier | grep -q "^down"
	do
		sleep 1
		/etc/init.d/univention-directory-notifier stop >/dev/null 2>&1
		echo -n "."
	done
	echo " done"
fi

# Stop Listener
listener_pid="$(pidof univention-directory-listener)"
if [ -e /etc/runit/univention/univention-directory-listener ]; then
	echo -n "Stopping univention-directory-listener daemon: "
	/etc/init.d/univention-directory-listener stop >/dev/null 2>&1
	while ! sv status univention-directory-listener | grep -q "^down"
	do
		sleep 1
		/etc/init.d/univention-directory-listener stop >/dev/null 2>&1
		echo -n "."
	done
	echo " done"
fi
rm -Rf /var/lib/univention-directory-listener/*

set_kerberos_realm () {
	local DCPWD="${1:?missing DC password file}"
	local DCACCOUNT="${2:?missing DC master account}"
	local DCNAME="${3:?missing DC master FQDN}"
	local realm="$4"
	realm="$4"
	if [ -z "$realm" ]; then
		realm=$(univention-ssh "$DCPWD" "$DCACCOUNT@$DCNAME" /usr/sbin/univention-config-registry get kerberos/realm) >>/var/log/univention/join.log 2>&1
		if [ $? != 0 -o -z "$realm" ]; then
			echo "Unable to retrieve the kerberos realm. Try to use option -realm <kerberos/realm>"
			exit 1

	if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi

	echo -n "Sync ldap.secret: "
	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap.secret" /etc/ldap.secret >>/var/log/univention/join.log 2>&1
	if [ ! -e "/etc/ldap.secret" ]; then
		failed_message "/etc/ldap.secret not found"
	fi
	echo -e "\033[60Gdone"

	echo -n "Sync ldap-backup.secret: "
	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1
	if [ ! -e "/etc/ldap-backup.secret" ]; then
		failed_message "/etc/ldap-backup.secret not found"
	fi
	echo -e "\033[60Gdone"

	univention-config-registry set \
		ldap/server/name="$hostname.$domainname" \
		ldap/server/ip="$interfaces_eth0_address" \
		ldap/master="$DCNAME" \
		ldap/server/type=slave \
		>>/var/log/univention/join.log 2>&1


	echo -n "Sync SSL directory: "
	univention-ssh-rsync "$DCPWD" -az "$DCACCOUNT@$DCNAME:/etc/univention/ssl/*" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1
	echo -e "\033[60Gdone"

	check_ldap_tls_connection

	download_host_certificate

	if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then
		echo "failed to get host certificate"
		failed_message "failed to get host certificate"
	fi

	echo -n "Sync SSL settings: "
	univention-ssh --no-split "$DCPWD" "$DCACCOUNT@$DCNAME" univention-config-registry search --key --non-empty --brief ^ssl/ | sed -e 's/: /=/' | xargs -d '\n' univention-config-registry set


	echo -e "\033[60Gdone"

	echo -n "Restart LDAP Server: "


	#TODO: implement a real sync
	echo -n "Sync Kerberos settings: "
	univention-scp "$DCPWD" -q -r "$DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
	echo -e "\033[60Gdone"


	# invalidate the nscd hosts cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name?"$DCNAME" \
		ldap/master?"$DCNAME" \
		kerberos/adminserver?"$DCNAME" \
		>>/var/log/univention/join.log 2>&1
	
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	eval "$(univention-config-registry shell)"

	mkdir -p /var/lib/univention-ldap/notify/


	echo -n "0" >/var/lib/univention-ldap/schema/id/id
	chown listener /var/lib/univention-ldap/schema/id/id

	if test -d "/usr/lib/univention-install/"; then
		for i in /usr/lib/univention-install/*.inst; do
			echo -n "Configure ${i##*/} "
			echo "Configure ${i##*/} " >>/var/log/univention/join.log
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
			if [ $? != 0 ]; then
				echo -e "\033[60Gfailed"
				failed_message "FAILED: ${i##*/}"
			else
				echo -e "\033[60Gdone"
			fi

			if [ "${i##*/}" = "03univention-directory-listener.inst" ]; then
				if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then
					failed_message "FAILED: failed.ldif exists."
				fi
				univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction" /tmp/ >/dev/null 2>&1
				if [ ! -e /tmp/transaction ]; then
					failed_message " FAILED: failed to copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again."
				fi

				read id < /var/lib/univention-directory-listener/notifier_id
				awk -F ' ' '{ if ( $1 <= '$id') print }' </tmp/transaction >/var/lib/univention-ldap/notify/transaction
				rm /tmp/transaction
				echo "">/var/lib/univention-ldap/replog/replog
			fi


	if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi

	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap-backup.secret" /etc/ldap-backup.secret >/var/log/univention/join.log 2>&1

	echo -e "\033[60Gdone"

	univention-config-registry set \
		ldap/server/name="$hostname.$domainname" \
		ldap/server/ip="$interfaces_eth0_address" \
		ldap/master="$DCNAME" \
		ldap/server/type=slave \
		>>/var/log/univention/join.log 2>&1

	mkdir -p /etc/univention/ssl/ucsCA
	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	fi

	check_ldap_tls_connection

	download_host_certificate

	if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then
		failed_message "failed to get host certificate"
	fi


	echo -e "\033[60Gdone"

	echo -n "Sync Kerberos settings: "
	univention-scp "$DCPWD" -q -r "$DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
	echo -e "\033[60Gdone"

	mkdir -p /var/lib/univention-ldap/notify/

	# invalidate the nscd hosts cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name?"$DCNAME" \
		ldap/master?"$DCNAME" \
		kerberos/adminserver?"$DCNAME" \
		>>/var/log/univention/join.log 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	echo -n "0" >/var/lib/univention-ldap/schema/id/id


	if test -e "/usr/lib/univention-install/"; then
		for i in /usr/lib/univention-install/*.inst; do
			echo -n "Configure ${i##*/} "
			echo "Configure ${i##*/} " >>/var/log/univention/join.log
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
			if [ $? != 0 ]; then
				echo -e "\033[60Gfailed"
				failed_message "FAILED: ${i##*/}"
			else
				echo -e "\033[60Gdone"
			fi
			if [ "${i##*/}" = "03univention-directory-listener.inst" ]; then
				if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then
					failed_message "FAILED: failed.ldif exists."
				fi
				if [ -n "$listener_supply_notifier" -a "$listener_supply_notifier" = "yes" ]; then
					univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction" /tmp/ >/dev/null 2>&1
					read id < /var/lib/univention-directory-listener/notifier_id
					awk -F ' ' '{ if ( $1 <= '$id') print }' </tmp/transaction >/var/lib/univention-ldap/notify/transaction
					rm /tmp/transaction
					echo "">/var/lib/univention-ldap/replog/replog
				fi


elif [ "$server_role" = "memberserver" ]; then
	mkdir -p /etc/univention/ssl/ucsCA
	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	fi

	check_ldap_tls_connection

	download_host_certificate

	univention-config-registry set ldap/master="$DCNAME" >>/var/log/univention/join.log 2>&1
	grep -q ^TLS_CACERT /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	# invalidate the nscd hosts cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name?"$DCNAME" \
		ldap/master?"$DCNAME" \
		kerberos/adminserver?"$DCNAME" \
		>>/var/log/univention/join.log 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	touch /var/univention-join/joined


	if test -e "/usr/lib/univention-install/"; then
		for i in /usr/lib/univention-install/*.inst; do
			echo -n "Configure ${i##*/} "
			echo "Configure ${i##*/} " >>/var/log/univention/join.log
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
			if [ $? != 0 ]; then
				echo -e "\033[60Gfailed"
				echo "FAILED: ${i##*/}"
				failed_message "FAILED: ${i##*/}"
			else
				echo -e "\033[60Gdone"
			fi


	mkdir -p /etc/univention/ssl/ucsCA

	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	fi

	check_ldap_tls_connection

	# invalidate the nscd hosts cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name="$DCNAME" \
		ldap/master="$DCNAME" \
		kerberos/adminserver="$DCNAME" \
		>>/var/log/univention/join.log 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
	grep -q ^TLS_CACERT /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	touch /var/univention-join/joined
	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined

	univention-config-registry set nsswitch/ldap=yes >>/var/log/univention/join.log 2>&1
	eval "$(univention-config-registry shell)"

	if test -e "/usr/lib/univention-install/"; then
		for i in /usr/lib/univention-install/*.inst; do
			echo -n "Configure ${i##*/} "
			echo "Configure ${i##*/} " >>/var/log/univention/join.log
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
			if [ $? != 0 ]; then
				echo -e "\033[60Gfailed"
				echo "FAILED: ${i##*/}"
				failed_message "FAILED: ${i##*/}"
			else
				echo -e "\033[60Gdone"
			fi

	/etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1
fi

if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then
	rm -f $DCPWD
fi

if [ "$interfaces_eth0_type" != "dhcp" ]; then
	univention-config-registry commit /etc/resolv.conf >>/var/log/univention/join.log 2>&1
fi

Return to bug 19430

Lines 1-4 Link Here

(-)check_join_status.sh (-17 / +28 lines)
1	#!/bin/sh	1	#!/bin/bash
2	#	2	#
3	# Univention Join	3	# Univention Join
4	# helper script: checks the join status of the local system	4	# helper script: checks the join status of the local system
Lines 34-66 Link Here
34		34
35	log_error ()	35	log_error ()
36	{	36	{
37	local message="Error: $1"	37	local message="Error: $@"
38	echo $message	38	echo $message
39	echo $message >> $LOG_FILE	39	echo $message >>"$LOG_FILE"
40	exit 1	40	exit 1
41	}	41	}
42	log_warn ()	42	log_warn ()
43	{	43	{
44	local message="Warning: $1"	44	local message="Warning: $@"
45	echo $message	45	echo $message
46	echo $message >> $LOG_FILE	46	echo $message >>"$LOG_FILE"
47	}	47	}
48		48
49	echo "Start $0 at $(date)" >>$LOG_FILE	49	echo "Start $0 at $(date)" >>"$LOG_FILE"
50	eval `univention-config-registry shell`	50	eval "$(univention-config-registry shell)"
51		51
52	if [ ! -e /etc/machine.secret ]; then	52	if [ ! -e /etc/machine.secret ]; then
53	log_error "/etc/machine.secret not found"	53	log_error "/etc/machine.secret not found"
54	fi	54	fi
55		55
56	ldapsearch -x -h "$ldap_master" -D "$ldap_hostdn" -w `cat /etc/machine.secret` -b $ldap_base -s base >>$LOG_FILE 2>&1	56	if ! ldapsearch -x -h "$ldap_master" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
57	if [ $? != 0 ]; then	57	then
58	log_error "ldapsearch -x failed"	58	log_error "ldapsearch -x failed"
59	fi	59	fi
60		60
61		61
62	ldapsearch -x -ZZ -h "$ldap_master" -D "$ldap_hostdn" -w `cat /etc/machine.secret` -b $ldap_base -s base >>$LOG_FILE 2>&1	62	if ! ldapsearch -x -ZZ -h "$ldap_master" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
63	if [ $? != 0 ]; then	63	then
64	log_error "ldapsearch -x -ZZ failed"	64	log_error "ldapsearch -x -ZZ failed"
65	fi	65	fi
66		66
Lines 68-86 Link Here
68	log_error "The system isn't joined yet"	68	log_error "The system isn't joined yet"
69	fi	69	fi
70		70
71	ldapsearch -x -ZZ -D "$ldap_hostdn" -w `cat /etc/machine.secret` -b $ldap_base -s base >>$LOG_FILE 2>&1	71	if ! ldapsearch -x -ZZ -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
72	if [ $? != 0 ]; then	72	then
73	log_error "localhost ldapsearch failed"	73	log_error "localhost ldapsearch failed"
74	fi	74	fi
75		75
76	inst_files=`ls -l /usr/lib/univention-install/*.inst \| wc -l`	76	for i in /usr/lib/univention-install/*.inst
77	configured=`wc -l /usr/lib/univention-install/.index.txt \| awk '{print $1}'`	77	do
		78	unset VERSION
		79	eval "$(grep -h ^VERSION= "$i")"
		80	n="${i##*/[0-9][0-9]}"
		81	n="${n%.inst}"
		82	if ! grep -Fxq "$n v${VERSION} successful" /usr/lib/univention-install/.index.txt
		83	then
		84	log_warn "'$n' is not configured."
		85	MISSING=1
		86	fi
		87	done
78		88
79	if [ $configured -lt $inst_files ]; then	89	if [ -n "$MISSING" ]
		90	then
80	log_error "Not all install files configured"	91	log_error "Not all install files configured"
81	fi	92	fi
82		93
83	echo "Joined successful"	94	echo "Joined successful"
84	echo "Joined successfully" >> $LOG_FILE	95	echo "Joined successfully" >>"$LOG_FILE"
85		96
86	exit 0	97	exit 0

Lines 1-4 Link Here

(-)univention-server-join (-88 / +77 lines)
1	#!/bin/sh	1	#!/bin/bash
2	#	2	#
3	# Univention Join	3	# Univention Join
4	# joins a server to an univention domain	4	# joins a server to an univention domain
Lines 32-47 Link Here
32		32
33	export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"	33	export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"
34		34
35	ADMINOPTIONS=""	35	declare -a ADMINOPTIONS
36	LOGFILE="/var/log/univention/server-join.log"	36	LOGFILE="/var/log/univention/server-join.log"
37	if [ "$USER" != "root" ]; then	37	if [ "$USER" != "root" ]; then
38	if [ "$HOME" ]; then	38	if [ "$HOME" ]; then
39	LOGFILE="$HOME/.univention-server-join.log"	39	LOGFILE="$HOME/.univention-server-join.log"
40	else	40	else
41	USERTMP=`mktemp -d`	41	USERTMP="$(mktemp -d)"
42	LOGFILE="$USERTMP/.univention-server-join.log"	42	LOGFILE="$USERTMP/.univention-server-join.log"
43	fi	43	fi
44	ADMINOPTIONS="$ADMINOPTIONS --logfile $LOGFILE"	44	ADMINOPTIONS+=(--logfile "$LOGFILE")
45	fi	45	fi
46		46
47	display_help() {	47	display_help() {
Lines 87-93 Link Here
87		87
88		88
89	log() {	89	log() {
90	if [ $1 = 1 ]; then	90	if [ "$1" = 1 ]; then
91	shift	91	shift
92	echo "$@" >>"$LOGFILE"	92	echo "$@" >>"$LOGFILE"
93	echo "$@"	93	echo "$@"
Lines 108-156 Link Here
108	do	108	do
109	case "$1" in	109	case "$1" in
110	"-role")	110	"-role")
111	shift	111	ROLE="${2:?missing role}"
112	ROLE=$1	112	shift 2
113	shift
114	;;	113	;;
115	"-hostname")	114	"-hostname")
116	shift	115	HOSTNAME="${2:?missing host name}"
117	HOSTNAME=$1	116	shift 2
118	shift
119	;;	117	;;
120	"-domainname")	118	"-domainname")
121	shift	119	DOMAINNAME="${2:?missing domain name}"
122	DOMAINNAME=$1	120	shift 2
123	shift
124	;;	121	;;
125	"-ip")	122	"-ip")
126	shift	123	IP="${2:?missing IP address}"
127	IP=$1	124	shift 2
128	shift
129	;;	125	;;
130	"-certs")	126	"-certs")
131	shift	127	CERTS="${2:?missing certificate}"
132	CERTS="$1"	128	shift 2
133	shift
134	;;	129	;;
135	"-mac")	130	"-mac")
136	shift	131	MAC="${2:?missing ethernec MAC address}"
137	MAC="$1"	132	shift 2
138	shift
139	;;	133	;;
140	"-bindaccount")	134	"-bindaccount")
141	shift	135	BINDACCOUNT="${2:?missing account name for bind}"
142	BINDACCOUNT="$1"	136	shift 2
143	shift
144	;;	137	;;
145	"-bindpwfile")	138	"-bindpwfile")
146	shift	139	BINDPWFILE="${2:?missing password file for bind}"
147	BINDPWFILE="$1"	140	shift 2
148	shift
149	;;	141	;;
150	"-position")	142	"-position")
151	shift	143	POSITION="${2:?missing LDAP position}"
152	POSITION="$1"	144	shift 2
153	shift
154	;;	145	;;
155	"--version")	146	"--version")
156	display_version	147	display_version
Lines 165-187 Link Here
165		156
166	# extend options for univention-admin	157	# extend options for univention-admin
167	if [ "$BINDACCOUNT" ]; then	158	if [ "$BINDACCOUNT" ]; then
168	BINDDN=`ldapsearch -x "(&(uid=$BINDACCOUNT)(objectclass=posixAccount))" dn \| ldapsearch-wrapper \| grep ^dn \| sed -e 's\|dn: \|\|'`	159	BINDDN="$(ldapsearch -x "(&(uid=$BINDACCOUNT)(objectclass=posixAccount))" dn \| ldapsearch-wrapper \| sed -ne '^s\|dn: \|\|p')"
169	log 0 "found BINDDN: $BINDDN" >>$LOGFILE	160	log 0 "found BINDDN: $BINDDN" >>$LOGFILE
170	if [ -z "$BINDDN" ]; then	161	if [ -z "$BINDDN" ]; then
171	log 1 "failed to get binddn for $BINDACCOUNT"	162	log 1 "failed to get binddn for $BINDACCOUNT"
172	exit 1	163	exit 1
173	fi	164	fi
174	fi	165	fi
175		166
176	if [ "$BINDDN" ]; then	167	if [ "$BINDDN" ]; then
177	ADMINOPTIONS="$ADMINOPTIONS --binddn $BINDDN"	168	ADMINOPTIONS+=(--binddn "$BINDDN")
178	fi	169	fi
179	if [ "$BINDPWFILE" ]; then	170	if [ "$BINDPWFILE" ]; then
180	ADMINOPTIONS="$ADMINOPTIONS --bindpw `cat $BINDPWFILE`"	171	ADMINOPTIONS+=(--bindpw "$(<"$BINDPWFILE")")
181	fi	172	fi
182		173
183		174
184	eval `univention-config-registry shell`	175	eval "$(univention-config-registry shell)"
185	if [ -z "$ROLE" ]; then	176	if [ -z "$ROLE" ]; then
186	log 1 "E: -role is missing"	177	log 1 "E: -role is missing"
187	display_help	178	display_help
Lines 197-296 Link Here
197		188
198	display_header	189	display_header
199	create_entry () {	190	create_entry () {
200	# $1 desc	191	local desc="${1?:missing description}"
201	# $2 module	192	local module="${2?:missing computer module}"
202	# $3 position	193	local position="${3?:missing LDAP position}"
203	# $4 primaryGroup	194	local primaryGroup="$4"
204	# $5 group	195	local group="$5"
205	log 0 "Join $1"	196	log 0 "Join $desc"
206		197
207	old_dn=`univention-admin $2 list --filter name=$HOSTNAME $ADMINOPTIONS \| ldapsearch-wrapper \| grep "DN: " \| sed -e "s\|.*DN: \|\|"`	198	old_dn="$(univention-admin "$module" list --filter name="$HOSTNAME" "${ADMINOPTIONS[@]}" \| ldapsearch-wrapper \| sed -ne "s\|.*DN: \|\|p")"
208	if [ $? = 1 ]; then	199	if [ $? = 1 ]; then
209	log 1 "E: failed search $1 [$old_dn]"	200	log 1 "E: failed search $desc [$old_dn]"
210	exit 1	201	exit 1
211	fi	202	fi
212		203
		204	declare -a args
213	if [ -z "$old_dn" ]; then	205	if [ -z "$old_dn" ]; then
214	log 0 " Create new $1 "	206	log 0 " Create new $desc "
215		207
216	if [ -n "$MAC" -a -n "$dhcpEntry" -a "$module" = "computers/managedclient" ]; then	208	if [ -n "$MAC" -a -n "$dhcpEntry" -a "$module" = "computers/managedclient" ]; then
217	mac_cmd="--set mac=$MAC --set dhcpEntryZone=$dhcpEntry"	209	args+=(--set mac="$MAC" --set dhcpEntryZone="$dhcpEntry")
218	elif [ -n "$MAC" -a -n "$dhcpEntry" -a "$module" = "computers/mobileclient" ]; then	210	elif [ -n "$MAC" -a -n "$dhcpEntry" -a "$module" = "computers/mobileclient" ]; then
219	mac_cmd="--set mac=$MAC --set dhcpEntryZone=$dhcpEntry"	211	args+=(--set mac="$MAC" --set dhcpEntryZone="$dhcpEntry")
220	elif [ -n "$MAC" ]; then	212	elif [ -n "$MAC" ]; then
221	mac_cmd="--set mac=$MAC"	213	args+=(--set mac="$MAC")
222	fi	214	fi
223		215
224	if [ -n "$IP" ]; then	216	if [ -n "$IP" ]; then
225	ip_cmd="--set ip=$IP"	217	args+=(--set ip="$IP")
226	if [ -n "$forwardZone" ]; then	218	if [ -n "$forwardZone" ]; then
227	ip_cmd="$ip_cmd --set dnsEntryZoneForward=$forwardZone "	219	args+=(--set dnsEntryZoneForward="$forwardZone")
228	if [ -n "$reverseZone" ]; then	220	if [ -n "$reverseZone" ]; then
229	ip_cmd="$ip_cmd --set dnsEntryZoneReverse=$reverseZone "	221	args+=(--set dnsEntryZoneReverse="$reverseZone")
230	fi	222	fi
231	fi	223	fi
232	fi	224	fi
233		225
234	rc=`univention-admin $2 create --position "$3"\	226	rc="$(univention-admin "$module" create --position "$position"\
235	--set name=$HOSTNAME $ip_cmd \	227	--set name="$HOSTNAME" \
236	--set domain=$DOMAINNAME \	228	--set domain="$DOMAINNAME" \
237	--set password=$computerPassword --set unixhome=/dev/null --set shell=/bin/sh --set primaryGroup="$4" $mac_cmd $ADMINOPTIONS`	229	--set password="$computerPassword" --set unixhome=/dev/null --set shell=/bin/sh --set primaryGroup="$primaryGroup" "${args[@]}" "${ADMINOPTIONS[@]}")"
238	if [ $? = 1 ]; then	230	if [ $? -ne 0 ]; then
239	log 1 "E: failed to create $1 (1) [$rc]"	231	log 1 "E: failed to create $desc (1) [$rc]"
240	exit 1	232	exit 1
241	fi	233	fi
242		234
243	if [ -z "$rc" ]; then	235	if [ -z "$rc" ]; then
244	log 1 "E: failed to create $1: no result"	236	log 1 "E: failed to create $desc: no result"
245	exit 1	237	exit 1
246	fi	238	fi
247		239
248	ldap_dn=`echo $rc \| grep "Object created:" \| sed -e 's\|Object created: \|\|'`	240	ldap_dn="$(echo $rc \| sed -ne 's\|Object created: \|\|p')"
249	if [ -z "$ldap_dn" ]; then	241	if [ -z "$ldap_dn" ]; then
250	log 1 "E: failed to create $1 (2) [$rc]"	242	log 1 "E: failed to create $desc (2) [$rc]"
251	exit 1	243	exit 1
252	fi	244	fi
253		245
254	echo "ldap_dn=\"$ldap_dn\""	246	echo "ldap_dn=\"$ldap_dn\""
255		247
256	if [ -n "$5" ]; then	248	if [ -n "$group" ]; then
257	rc=`univention-admin groups/group modify --dn="$5" --append users="$ldap_dn" $ADMINOPTIONS`	249	rc="$(univention-admin groups/group modify --dn="$group" --append users="$ldap_dn" "${ADMINOPTIONS[@]}")"
258	fi	250	fi
259	else	251	else
260	log 0 "Modify $1 [$old_dn]"	252	log 0 "Modify $desc [$old_dn]"
261		253
262	if [ -n "$MAC" ]; then	254	if [ -n "$MAC" ]; then
263	mac_cmd="--set mac=$MAC"	255	args+=(--set mac="$MAC")
264	fi	256	fi
265	if [ -n "$IP" ]; then	257	if [ -n "$IP" ]; then
266	ip_cmd="--set ip=$IP"	258	args+=(--set ip="$IP")
267	fi	259	fi
268	rc=`univention-admin $2 modify --dn "$old_dn" --set password=$computerPassword --set domain=$DOMAINNAME $mac_cmd $ip_cmd $ADMINOPTIONS`	260	rc="$(univention-admin "$module" modify --dn "$old_dn" --set password="$computerPassword" --set domain="$DOMAINNAME" "${args[@]}" "${ADMINOPTIONS[@]}")"
269		261
270	if [ $? = 1 ]; then	262	if [ $? -ne 0 ]; then
271	log 1 "E: failed to modify $1 $old_dn [$rc]"	263	log 1 "E: failed to modify $desc $old_dn [$rc]"
272	fi	264	fi
273		265
274	echo "ldap_dn=\"$old_dn\" "	266	echo "ldap_dn=\"$old_dn\" "
275
276	fi	267	fi
277
278
279	}	268	}
280		269
281	if [ -n "$IP" ]; then	270	if [ -n "$IP" ]; then
282	subnet=`univention-ipcalc --ip $IP --netmask $interfaces_eth0_netmask --output network --calcdns`	271	subnet="$(univention-ipcalc --ip "$IP" --netmask "$interfaces_eth0_netmask" --output network --calcdns)"
283	log 0 " Calculated subnet = $subnet"	272	log 0 " Calculated subnet = $subnet"
284		273
285	forwardZone=`univention-admin dns/forward_zone list --filter zone=$DOMAINNAME $ADMINOPTIONS \| ldapsearch-wrapper \| grep DN \| sed -e 's/DN: //g'`	274	forwardZone="$(univention-admin dns/forward_zone list --filter zone="$DOMAINNAME" "${ADMINOPTIONS[@]}" \| ldapsearch-wrapper \| sed -ne 's/DN: //gp')"
286	reverseZone=`univention-admin dns/reverse_zone list --filter subnet=$subnet $ADMINOPTIONS \| ldapsearch-wrapper \| grep DN \| sed -e 's/DN: //g'`	275	reverseZone="$(univention-admin dns/reverse_zone list --filter subnet="$subnet" "${ADMINOPTIONS[@]}" \| ldapsearch-wrapper \| sed -ne 's/DN: //gp')"
287	dhcpEntry=`univention-admin dhcp/service list --filter name=$DOMAINNAME $ADMINOPTIONS \| ldapsearch-wrapper \| grep DN \| sed -e 's/DN: //g'`	276	dhcpEntry="$(univention-admin dhcp/service list --filter name="$DOMAINNAME" "${ADMINOPTIONS[@]}" \| ldapsearch-wrapper \| sed -ne 's/DN: //gp')"
288		277
289	log 0 " forwardZone $forwardZone "	278	log 0 " forwardZone $forwardZone "
290	log 0 " reverseZone $reverseZone "	279	log 0 " reverseZone $reverseZone "
291	fi	280	fi
292		281
293	computerPassword=`makepasswd --chars=8`	282	computerPassword="$(makepasswd --chars=8)"
294		283
295	if [ "$ROLE" = "domaincontroller_master" ]; then	284	if [ "$ROLE" = "domaincontroller_master" ]; then
296	if [ -n "$POSITION" ]; then	285	if [ -n "$POSITION" ]; then
Lines 305-318 Link Here
305	else	294	else
306	create_entry "DC Backup" "computers/domaincontroller_backup" "cn=dc,cn=computers,$ldap_base" "cn=DC Backup Hosts,cn=groups,$ldap_base" "cn=DC Slave Hosts,cn=groups,$ldap_base"	295	create_entry "DC Backup" "computers/domaincontroller_backup" "cn=dc,cn=computers,$ldap_base" "cn=DC Backup Hosts,cn=groups,$ldap_base" "cn=DC Slave Hosts,cn=groups,$ldap_base"
307	fi	296	fi
308	kadmin -l add --random-key --use-defaults ldap/$HOSTNAME.$DOMAINNAME	297	kadmin -l add --random-key --use-defaults "ldap/$HOSTNAME.$DOMAINNAME"
309	elif [ "$ROLE" = "domaincontroller_slave" ]; then	298	elif [ "$ROLE" = "domaincontroller_slave" ]; then
310	if [ -n "$POSITION" ]; then	299	if [ -n "$POSITION" ]; then
311	create_entry "DC Slave" "computers/domaincontroller_slave" "$POSITION" "cn=DC Slave Hosts,cn=groups,$ldap_base"	300	create_entry "DC Slave" "computers/domaincontroller_slave" "$POSITION" "cn=DC Slave Hosts,cn=groups,$ldap_base"
312	else	301	else
313	create_entry "DC Slave" "computers/domaincontroller_slave" "cn=dc,cn=computers,$ldap_base" "cn=DC Slave Hosts,cn=groups,$ldap_base"	302	create_entry "DC Slave" "computers/domaincontroller_slave" "cn=dc,cn=computers,$ldap_base" "cn=DC Slave Hosts,cn=groups,$ldap_base"
314	fi	303	fi
315	kadmin -l add --random-key --use-defaults ldap/$HOSTNAME.$DOMAINNAME	304	kadmin -l add --random-key --use-defaults "ldap/$HOSTNAME.$DOMAINNAME"
316	elif [ "$ROLE" = "memberserver" ]; then	305	elif [ "$ROLE" = "memberserver" ]; then
317	if [ -n "$POSITION" ]; then	306	if [ -n "$POSITION" ]; then
318	create_entry "Member Server" "computers/memberserver" "$POSITION" "cn=Computers,cn=groups,$ldap_base"	307	create_entry "Member Server" "computers/memberserver" "$POSITION" "cn=Computers,cn=groups,$ldap_base"

Lines 1-3 Link Here

(-)debian/changelog (+9 lines)
		1	univention-join (3.0.3-1.1) unstable; urgency=low
		2
		3	* Non-maintainer upload.
		4	* Fix spelling (Bug #9861)
		5	* Fix error test (Bug #16214)
		6	* Improve check for join status (Bug #19361,#13495,#13497,#18120)
		7
		8	-- Philipp Hahn <hahn@univention.de> Thu, 12 Aug 2010 19:38:02 +0200
		9
1	univention-join (3.0.3-1) unstable; urgency=low	10	univention-join (3.0.3-1) unstable; urgency=low
2		11
3	* For join scripts is an admin account required on DC Backups	12	* For join scripts is an admin account required on DC Backups

Lines 33-39 Link Here

(-)univention-run-join-scripts (-26 / +21 lines)
33		33
34	export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"	34	export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"
35		35
36	eval `univention-config-registry shell`	36	eval "$(univention-config-registry shell)"
37		37
38	display_help() {	38	display_help() {
39	display_header	39	display_header
Lines 76-99 Link Here
76	echo "**************************************************************************"	76	echo "**************************************************************************"
77	echo "* Message: $@"	77	echo "* Message: $@"
78	echo "**************************************************************************"	78	echo "**************************************************************************"
79	if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then
80	rm -f $DCPWD
81	fi
82	exit 1	79	exit 1
83	}	80	}
84		81
		82	USERTMP="$(mktemp -d)"
		83	DCPWD="$USERTMP/dcpwd"
		84	trap "rm -rf '$USERTMP'" EXIT
		85
85	while [ $# -gt 0 ]	86	while [ $# -gt 0 ]
86	do	87	do
87	case "$1" in	88	case "$1" in
88	"-dcaccount")	89	"-dcaccount")
89	shift	90	DCACCOUNT="${2:?missing DC master account}"
90	DCACCOUNT=$1	91	shift 2
91	shift
92	;;	92	;;
93	"-dcpwd")	93	"-dcpwd")
94	shift	94	dcpwd="${2:?missing DC password file}"
95	DCPWD=$1	95	cp "$dcpwd" "$DCPWD"
96	shift	96	shift 2
97	;;	97	;;
98	"--version")	98	"--version")
99	display_version	99	display_version
Lines 113-131 Link Here
113	echo -n "Enter DC Master Account : "	113	echo -n "Enter DC Master Account : "
114	read DCACCOUNT	114	read DCACCOUNT
115	fi	115	fi
116	if [ -z "$DCPWD" ]; then	116	if [ ! -f "$DCPWD" ]; then
117	echo -n "Enter DC Master Password: "	117	echo -n "Enter DC Master Password: "
118	read -s password	118	read -s password
119	DCPWD=$(mktemp)	119	echo -n "$password" >>"$DCPWD"
120	echo "$password" >>$DCPWD
121	REMOVE_PWD_FILE="1"
122	echo ""	120	echo ""
123	echo ""	121	echo ""
124	fi	122	fi
125		123
126	echo -n "Search LDAP binddn "	124	echo -n "Search LDAP binddn "
127	binddn=""	125	binddn=""
128	for i in `ldapsearch -x -LLL -b $ldap_base "(&(uid=$DCACCOUNT)(objectClass=person))" \| ldapsearch-wrapper \| grep ^dn \| sed -e 's\|dn: \|\|'`; do	126	for i in $(ldapsearch -x -LLL -b "$ldap_base" "(&(uid=$DCACCOUNT)(objectClass=person))" \| ldapsearch-wrapper \| sed -ne 's\|dn: \|\|p'); do
129	if [ -n "$binddn" ]; then	127	if [ -n "$binddn" ]; then
130	failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn"	128	failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn"
131	fi	129	fi
Lines 135-142 Link Here
135	if [ -z "$binddn" ]; then	133	if [ -z "$binddn" ]; then
136	failed_message "binddn for user $DCACCOUNT not found"	134	failed_message "binddn for user $DCACCOUNT not found"
137	else	135	else
138	ldapsearch -x -LLL -b "$ldap_base" -D "$binddn" -w `cat $DCPWD` -LLL -s base >/dev/null 2>&1	136	if ! ldapsearch -x -LLL -b "$ldap_base" -D "$binddn" -w "$(<"$DCPWD")" -LLL -s base >/dev/null 2>&1
139	if [ $? != 0 ]; then	137	then
140	failed_message "Invalid credentials"	138	failed_message "Invalid credentials"
141	fi	139	fi
142	fi	140	fi
Lines 146-155 Link Here
146	echo "univention-run-join-scripts started" >>/var/log/univention/join.log 2>&1	144	echo "univention-run-join-scripts started" >>/var/log/univention/join.log 2>&1
147	date >>/var/log/univention/join.log 2>&1	145	date >>/var/log/univention/join.log 2>&1
148	echo >>/var/log/univention/join.log 2>&1	146	echo >>/var/log/univention/join.log 2>&1
149	if test -e "/usr/lib/univention-install/"; then	147	if test -d "/usr/lib/univention-install"
		148	then
150	for i in /usr/lib/univention-install/*.inst; do	149	for i in /usr/lib/univention-install/*.inst; do
151	echo -n "Running `basename $i` "	150	echo -n "Running ${i##*/}"
152	echo "RUNNING `basename $i` " >>/var/log/univention/join.log	151	echo "RUNNING ${i##*/} " >>/var/log/univention/join.log
153		152
154	if ! joinscript_extern_init "$i"; then	153	if ! joinscript_extern_init "$i"; then
155	echo -e "\033[60Gskipped (invalid joinscript)"	154	echo -e "\033[60Gskipped (invalid joinscript)"
Lines 163-171 Link Here
163	fi	162	fi
164		163
165	if [ ! "$server_role" = "domaincontroller_master" ] ; then	164	if [ ! "$server_role" = "domaincontroller_master" ] ; then
166	$i --binddn $binddn --bindpwd `cat $DCPWD` >>/var/log/univention/join.log 2>&1	165	"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
167	else	166	else
168	$i >>/var/log/univention/join.log 2>&1	167	"$i" >>/var/log/univention/join.log 2>&1
169	fi	168	fi
170	RET=$?	169	RET=$?
171	echo "EXITCODE=$RET" >>/var/log/univention/join.log 2>&1	170	echo "EXITCODE=$RET" >>/var/log/univention/join.log 2>&1
Lines 177-186 Link Here
177	done	176	done
178	fi	177	fi
179		178
180	if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then
181	rm -f $DCPWD
182	fi
183
184	echo >>/var/log/univention/join.log 2>&1	179	echo >>/var/log/univention/join.log 2>&1
185	date >>/var/log/univention/join.log 2>&1	180	date >>/var/log/univention/join.log 2>&1
186	echo "univention-run-join-scripts finished" >>/var/log/univention/join.log 2>&1	181	echo "univention-run-join-scripts finished" >>/var/log/univention/join.log 2>&1