Attachment #5694 for bug #28562

View | Details | Raw Unified | Return to bug 28562
Collapse All | Expand All




	echo -n "Download host certificate "
	local HOSTPWD="/etc/machine.secret"
	local HOSTACCOUNT="$hostname\$"
	local i delay=20
	for ((i=0;i<300;i+=delay)) # max 5 minutes
	do
		univention-scp "$HOSTPWD" -q -r \
			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" \
			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" \
			/etc/univention/ssl/ >>/var/log/univention/join.log 2>&1
		if [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ]
		then
			echo -e "\033[60Gdone"
			return
		fi
		echo -n "."
		sleep $delay
	done

	echo "failed"
	failed_message "failed to get host certificate"
}


check_ldap_tls_connection () {
	echo -n "Check TLS connection "



	download_host_certificate

	if [ ! -d "/etc/univention/ssl/$hostname" ] &&  [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then
		echo "failed to get host certificate"
		failed_message "failed to get host certificate"
	fi

	echo -n "Sync SSL settings: "
	eval "$(univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/common ssl/email)"
	univention-config-registry set \


	download_host_certificate

	if [ ! -d "/etc/univention/ssl/$hostname" ] &&  [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then
		failed_message "failed to get host certificate"
	fi

	echo -n "Restart LDAP Server: "
	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1
	echo -e "\033[60Gdone"
- 
--
.../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join     | 5 +++--
.../ucs-3.2-0/management/univention-join/univention-server-join      | 3 ++-
2 files changed, 5 insertions(+), 3 deletions(-)

Lines 873-880 if [ -d /etc/runit/univention-directory-listener ]; then Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-2 / +3 lines)
873	/etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1	873	/etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1
874	fi	874	fi
875		875
876	if [ "$interfaces_${interfaces_primary:-eth0}_type" != "dhcp" ]; then	876	varname="interfaces_${interfaces_primary:-eth0}_type"
877	univention-config-registry commit /etc/resolv.conf >>/var/log/univention/join.log 2>&1	877	if [ "${!varname}" != "dhcp" ]; then
		878	univention-config-registry commit /etc/resolv.conf >>"$LOGFILE" 2>&1
878	fi	879	fi
879		880
880	exit 0	881	exit 0




		subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)"
	else
		# Fallback
		varname="interfaces_${interfaces_primary:-eth0}_netmask"
		subnet="$(univention-ipcalc6 --ip "$IP" --netmask "${!varname}" --output reverse --calcdns)"
	fi
	log 0 "	Calculated subnet = $subnet"

The return status of a pipeline is the exit status of the last
command, unless the pipefail option is enabled.
--
.../ucs-3.2-0/management/univention-join/univention-server-join       | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)




	local group="$5"
	log 0 "Join $desc"

	if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" | sed -ne "s|^DN: ||p")"
	then
		log 1 "E: failed search $desc [$old_dn]"
		exit 1
	fi
- 
--
.../management/univention-join/univention-join     | 24 ++----
.../univention-join/univention-server-join         | 97 +++++++++-------------
2 files changed, 49 insertions(+), 72 deletions(-)




	args+=(-binddn "$binddn")
fi

for ip in $(ip addr show scope global | sed -rne '/\<scope global\>/s|.*\<inet6? ([0-9a-f.:/]+)\>.*|\1|p')
do
	args+=(-ip "$ip")
done
for iface in /sys/class/net/*
do
	[ -L "${iface}/device" ] || continue
	args+=(-mac "$(cat "${iface}/address")")
done
	fi
fi
mac_addr="$(LC_ALL=C ip link show | sed -rne 's|.*link/ether ([0-9a-fA-F:]+) brd .*|\1|p' | head -n1)"
if [ -n "$mac_addr" ]; then
	args+=(-mac "$mac_addr")
fi

# invalidate the nscd hosts cache
#  https://forge.univention.org/bugzilla/show_bug.cgi?id=30886




	fi
}

MAC=()
IP=()
BINDDN=""
BINDPWFILE=""
DOMAINNAME=""

			shift 2 || exit 2
			;;
		"-ip")
			IP+=("${2:?missing IP address}")
			shift 2 || exit 2
			;;
		"-netmask")

			shift 2 || exit 2
			;;
		"-mac")
			MAC+=("${2:?missing ethernet MAC address}")
			shift 2 || exit 2
			;;
		"-bindaccount")

	local primaryGroup="$4"
	local group="$5"
	log 0 "Join $desc"
	local mac ip

	if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" | sed -ne "s|^DN: ||p")"
	then

		exit 1
	fi

	declare -a args=()

	for mac in "${MAC[@]}"
	do
		args+=(--set mac="$MAC")
	done

	for ip in "${IP[@]}"
	do
		args+=(--set ip="${ip%/*}")
	done

	# DNS
	if [ -n "$IP" ]
	then
		forwardZone="$(univention-directory-manager dns/forward_zone list \
			--filter zone="$DOMAINNAME" \
			"${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')"
		log 0 "	forwardZone $forwardZone"
	fi
	for addr in "${IP[@]}"
	do
		local ip="${addr%/*}" prefix="${addr#*/}"
		: "${prefix:=NETMASK}"
		: "${prefix:=$(. /usr/share/univention-lib/base.sh && get_default_netmask)}"
		local subnet="$(univention-ipcalc6 --ip "$ip" --netmask "$prefix" --calcdns --output reverse)"
		local reverseZone="$(univention-directory-manager dns/reverse_zone list \
			--filter subnet="$subnet" \
			"${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')"
		log 0 "	reverseZone $reverseZone"
		# UDM BUG: multiple --set don't work; --apend only prints a warning for modify; ignore old entries for now
		[ -n "$reverseZone" ] && args+=(--append dnsEntryZoneReverse="$reverseZone $ip")
		[ -n "$forwardZone" ] && args+=(--append dnsEntryZoneForward="$forwardZone $ip")
	done

	if [ -z "$old_dn" ]; then
		log 0 "	Create new $desc "

		if [ -n "$IP" ]; then
			args+=(--set ip="$IP")
			# DNS
			if [ -n "$forwardZone" ]; then
				args+=(--set dnsEntryZoneForward="$forwardZone")
				if [ -n "$reverseZone" ]; then
					args+=(--set dnsEntryZoneReverse="$reverseZone")
				fi
			fi
		fi
		if [ -n "$MAC" ]; then
			args+=(--set mac="$MAC")
		fi
		# DHCP
		case "$module" in
		computers/managedclient|computers/mobileclient)
			if [ -n "$dhcpEntry" ] && [ -n "$IP" ] && [ -n "$MAC" ]; then
				args+=(--set dhcpEntryZone="$dhcpEntry $IP $MAC")
			fi
			;;
		esac

		cmd=(univention-directory-manager "$module" create \
			--position "$position" \
			--set name="$NEWHOSTNAME" \

	else
		log 0 "Modify $desc [$old_dn]"

		if [ -n "$MAC" ]; then
			args+=(--set mac="$MAC")
		fi
		if [ -n "$IP" ]; then
			args+=(--set ip="$IP")
		fi
		rc="$(univention-directory-manager "$module" modify \
			--dn "$old_dn" \
			--set password="$computerPassword" \

	fi
}

if [ -n "$IP" ]; then
	if [ -n "$NETMASK" ]; then
		subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)"
	else
		# Fallback
		varname="interfaces_${interfaces_primary:-eth0}_netmask"
		subnet="$(univention-ipcalc6 --ip "$IP" --netmask "${!varname}" --output reverse --calcdns)"
	fi
	log 0 "	Calculated subnet = $subnet"

	forwardZone="$(univention-directory-manager dns/forward_zone list \
		--filter zone="$DOMAINNAME" \
		"${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')"
	reverseZone="$(univention-directory-manager dns/reverse_zone list \
		--filter subnet="$subnet" \
		"${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')"
	dhcpEntry="$(univention-directory-manager dhcp/service list \
		--filter name="$DOMAINNAME" \
		"${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')"

	log 0 "	forwardZone $forwardZone"
	log 0 "	reverseZone $reverseZone"
	log 0 "	dhcpEntry $dhcpEntry"
fi

computerPassword="$(create_machine_password)"

case "$ROLE" in
- 
--
.../management/univention-join/univention-join     | 127 +++++++++++----------
.../univention-join/univention-run-join-scripts    |  15 ++-
2 files changed, 78 insertions(+), 64 deletions(-)




VERSION_CHECK=true
VERBOSE=false

LOGFILE="/var/log/univention/join.log"
log () {
	echo "$(LC_ALL=C date): $*" >>"$LOGFILE"
}
echo_right () {
	local text="$*"
	echo -e "\033[$((${COLUMNS:-80}-${#text}))G${text}"
}

trapOnExit() {
	rm -rf "$USERTMP"
	if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then
		if [ -n "$old_listener_debug_level" ]; then
			ucr set listener/debug/level="$old_listener_debug_level" >>"$LOGFILE" 2>&1
		fi
	fi
	log "finish $0"
}

trap trapOnExit EXIT

	  -realm <kerberos realm>:       Kerberos realm, e.g. TEST.LOCAL
	  -windom <windows domain name>: Name of the windows (samba) domain
	  -disableVersionCheck           Disable version check against _dcname_
	  -verbose                       Enable verbose logging ($LOGFILE)

	  -h | --help | -?:              Print this usage message and exit program
	  --version:                     Print version information and exit program

		univention-scp "$HOSTPWD" -q -r \
			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" \
			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" \
			/etc/univention/ssl/ >>"$LOGFILE" 2>&1
		if [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ]
		then
			echo_right "done"
			return
		fi
		echo -n "."
		sleep $delay
	done

	echo_right "failed"
	failed_message "failed to get host certificate"
}


 		failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN."
	fi

	echo_right "done"
}

run_join_scripts () {

			test -e "$i" || continue
			echo -n "Configure $(basename "$i") "
			[ -n "$SIMPLEGUI" ] && echo
			log "Configure $(basename "$i")"
			bashVerbose=""
			if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then
				bashVerbose="bash -x"
			fi
			$bashVerbose "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1
			if [ $? -ne 0 ]; then
				echo_right "failed"
				failed_message "FAILED: $(basename "$i")"
			else
				echo_right "done"
				delete_unjoinscript "$(basename "$i")"
			fi
			if [ "$server_role" = "domaincontroller_slave" -o "$server_role" = "domaincontroller_backup" ]; then

}

# log univention-join call
log "starting $0 $*"

while [ $# -gt 0 ]
do


# verbose logging for univention-join and listener
if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then
	exec 2>>"$LOGFILE"
	set -x
	if [ -n "$listener_debug_level" ]; then
		old_listener_debug_level="$listener_debug_level"
	else
		old_listener_debug_level="2"
	fi
	ucr set listener/debug/level=4 >&2
	listener_debug_level=4
fi


	echo -n "Search DC Master: "
	DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"
	if [ -n "$DCNAME" ]; then
		echo_right "done"
	else
		for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do
			if [ -z "$i" ]; then continue; fi
			DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"
			if [ -n "$DCNAME" ]; then
				echo_right "done"
				echo "domain $domainname" >/etc/resolv.conf
				echo "nameserver $i" >>/etc/resolv.conf
				test -x /etc/init.d/nscd && /etc/init.d/nscd restart >>/var/log/univention/join.log 2>&1

	failed_message "ping to $DCNAME failed"
fi

if ! univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" echo ssh-check 2>>"$LOGFILE" | grep -qs ssh-check
then
	failed_message "ssh-login for ${DCACCOUNT}@${DCNAME} failed. Maybe you entered a wrong password."
fi

IFS=$OLDIFS

# check join constraints
log "running version check"

mystatus="no"
if [ -n "$master_version" -a -n "$master_patchlevel" ]; then

	if $VERSION_CHECK; then
		failed_message "$vmsg"
	else
		log "$vmsg Continuing anyway as requested with option (-disableVersionCheck)."
	fi
else
	log "OK: UCS version on ${DCNAME} is higher or equal ($vmaster) to the local version ($vmyself)."
fi

echo_right "done"

if [ -x /etc/init.d/slapd ]; then
	echo -n "Stop LDAP Server: "
	/etc/init.d/slapd stop >>"$LOGFILE" 2>&1
	echo_right "done"
fi

if [ -x /etc/init.d/samba4 ]; then
	echo -n "Stop Samba 4 Server: "
	if [ "$dns_backend" = "samba4" ]; then
		ucr set dns/backend=ldap >>"$LOGFILE" 2>&1
		/etc/init.d/bind9 restart >>"$LOGFILE" 2>&1
	fi
	/etc/init.d/samba4 stop >>"$LOGFILE" 2>&1
	echo_right "done"
fi

if [ -z "$LDAPBASE" ]; then


if [ -n "$ldap_base" ]; then
	univention-config-registry set ldap/base="$ldap_base" >/dev/null 2>&1
	echo_right "done"
else
	failed_message "Failed to determine ldap/base."
fi

if [ -x /etc/init.d/slapd ]; then
	echo -n "Start LDAP Server: "
	/etc/init.d/slapd start >>"$LOGFILE" 2>&1
	echo_right "done"
fi

echo -n "Search LDAP binddn "

if [ -z "$binddn" ]; then
	failed_message "binddn for user $DCACCOUNT not found. "
else
	echo_right "done"
fi

if [ $server_role != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ]; then

if [ -x /usr/bin/rdate ]; then
	echo -n "Sync time "
	/usr/bin/rdate "$DCNAME" >/dev/null 2>&1
	echo_right "done"
fi

args=()

# Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely
univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
	'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \
	"$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>"$LOGFILE"
res_message="$(sed -n '/^E:/ { s/^E:\s*// p }' "$USERTMP/log")"
if [ -z "$res_message" ]; then
	echo_right "done"
fi

if [ -s "$USERTMP/log" ]
then
	echo "Join result = [$(<"$USERTMP/log")]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>"$LOGFILE"

	#try to get password
	kpwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")"


	ldap_dn="$(sed -ne 's|^ldap_dn="\(.*\)" *|\1|p' <"$USERTMP/log")"
	if [ -n "$ldap_dn" ]; then
		univention-config-registry set ldap/hostdn="$ldap_dn" >>"$LOGFILE" 2>&1
	else
		failed_message "No LDAP Host DN returned"
	fi

	local DCNAME="$3"
	local realm="$4"
	if [ -z "$realm" ]; then
		realm="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" '/usr/sbin/univention-config-registry get kerberos/realm')" >>"$LOGFILE" 2>&1
		if [ $? != 0 -o -z "$realm" ]; then
			echo "Unable to retrieve the kerberos realm. Try to use option -realm <kerberos/realm>"
			exit 1
		fi
	fi
	univention-config-registry set kerberos/realm="$realm" >>"$LOGFILE" 2>&1
}

set_windows_domain () {

	local windom="$4"

	if [ -z "$windom" ]; then
		windom="$(univention-ssh "$dcpwd" "${dcaccount}@${dcname}" '/usr/sbin/univention-config-registry get windows/domain')" >>"$LOGFILE" 2>&1
		if [ $? != 0 -o -z "$windom" ]; then
			echo "Unable to retrieve the windows/domain. Try to use option -windom <windows/domain>"
			exit 1
		fi
	fi
	univention-config-registry set windows/domain="$windom" >>"$LOGFILE" 2>&1
}

if [ "$server_role" = "domaincontroller_backup" ]; then

	if [ ! -e "/etc/ldap.secret" ]; then
		failed_message "/etc/ldap.secret not found"
	fi
	echo_right "done"

	echo -n "Sync ldap-backup.secret: "
	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1
	if [ ! -e "/etc/ldap-backup.secret" ]; then
		failed_message "/etc/ldap-backup.secret not found"
	fi
	echo_right "done"

	univention-config-registry set \
		ldap/server/name="$hostname.$domainname" \

		ldap/master="$DCNAME" \
		ldap/master/port?7389 \
		ldap/server/type=slave \
		>>"$LOGFILE" 2>&1

	echo -n "Sync SSL directory: "
	univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>"$LOGFILE" 2>&1
	echo_right "done"

	# prevent join from failing if umask is modified (Bug #21587)
	chmod 755 /etc/univention/ssl

		ssl/organizationalunit="$ssl_organizationalunit" \
		ssl/common="$ssl_common" \
		ssl/email="$ssl_email" \
		>>"$LOGFILE" 2>&1
	echo_right "done"

	echo -n "Restart LDAP Server: "
	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1
	echo_right "done"

	#TODO: implement a real sync
	echo -n "Sync Kerberos settings: "
	univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
	echo_right "done"


	# invalidate the nscd hosts cache

		ldap/server/name?"$DCNAME" \
		ldap/master?"$DCNAME" \
		kerberos/adminserver?"$DCNAME" \
		>>"$LOGFILE" 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
	eval "$(univention-config-registry shell)"


	univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1

	echo_right "done"

	univention-config-registry set \
		ldap/server/name="$hostname.$domainname" \

		ldap/master="$DCNAME" \
		ldap/master/port?7389 \
		ldap/server/type=slave \
		>>"$LOGFILE" 2>&1

	mkdir -p /etc/univention/ssl/ucsCA
	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1


	echo -n "Restart LDAP Server: "
	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1
	echo_right "done"

	echo -n "Sync Kerberos settings: "
	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
	echo_right "done"

	mkdir -p /var/lib/univention-ldap/notify/


		ldap/server/name?"$DCNAME" \
		ldap/master?"$DCNAME" \
		kerberos/adminserver?"$DCNAME" \
		>>"$LOGFILE" 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
	echo -n "0" >/var/lib/univention-ldap/schema/id/id

		ldap/master?"$DCNAME" \
		ldap/master/port?7389 \
		kerberos/adminserver?"$DCNAME" \
		>>"$LOGFILE" 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
	touch /var/univention-join/joined

		ldap/master/port?7389 \
		kerberos/adminserver="$DCNAME" \
		nsswitch/ldap=yes \
		>>"$LOGFILE" 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

fi

if [ -d /etc/runit/univention-directory-notifier ]; then
	/etc/init.d/univention-directory-notifier restart >>"$LOGFILE" 2>&1
	sleep 3
fi

if [ -d /etc/runit/univention-directory-listener ]; then
	/etc/init.d/univention-directory-listener restart >>"$LOGFILE" 2>&1
fi

varname="interfaces_${interfaces_primary:-eth0}_type"

Lines 79-84 failed_message () { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-run-join-scripts (-7 / +10 lines)
79	exit 1	79	exit 1
80	}	80	}
81		81
		82	echo_right () {
		83	local text="$*"
		84	echo -e "\033[$((${COLUMNS:-80}-${#text}))G${text}"
		85	}
		86
82	while [ $# -gt 0 ]	87	while [ $# -gt 0 ]
83	do	88	do
84	case "$1" in	89	case "$1" in
Lines 177-183 if [ ! "$server_role" = "domaincontroller_master" ] \|\| [ -n "$ASK_PASS" ] ; then Link Here
177	then	182	then
178	failed_message "Invalid credentials"	183	failed_message "Invalid credentials"
179	else	184	else
180	echo -e "\033[60Gdone"	185	echo_right "done"
181	fi	186	fi
182	fi	187	fi
183	fi	188	fi
Lines 222-233 then Link Here
222	echo "RUNNING $(basename "$i")"	227	echo "RUNNING $(basename "$i")"
223		228
224	if ! joinscript_extern_init "$i"; then	229	if ! joinscript_extern_init "$i"; then
225	echo -e "\033[60Gskipped (invalid joinscript)" >&3	230	echo_right "skipped (invalid joinscript)" >&3
226	echo "EXITCODE=invalid_joinscript"	231	echo "EXITCODE=invalid_joinscript"
227	continue	232	continue
228	fi	233	fi
229	if joinscript_check_already_executed && [ -z "$JOIN_FORCE" ]; then	234	if joinscript_check_already_executed && [ -z "$JOIN_FORCE" ]; then
230	echo -e "\033[60Gskipped (already executed)" >&3	235	echo_right "skipped (already executed)" >&3
231	echo "EXITCODE=already_executed"	236	echo "EXITCODE=already_executed"
232	continue	237	continue
233	fi	238	fi
Lines 240-248 then Link Here
240	RET=$?	245	RET=$?
241	echo "EXITCODE=$RET"	246	echo "EXITCODE=$RET"
242	if [ $RET != 0 ]; then	247	if [ $RET != 0 ]; then
243	echo -e "\033[60Gfailed (exitcode: $RET)" >&3	248	echo_right "failed (exitcode: $RET)" >&3
244	else	249	else
245	echo -e "\033[60Gdone" >&3	250	echo_right "done" >&3
246	delete_unjoinscript "$(basename "$i")"	251	delete_unjoinscript "$(basename "$i")"
247	fi	252	fi
248	done	253	done
249	-
250	--
251	.../management/univention-join/univention-join \| 26 +++++-----------------	254	.../management/univention-join/univention-join \| 26 +++++-----------------
252	1 file changed, 5 insertions(+), 21 deletions(-)	255	1 file changed, 5 insertions(+), 21 deletions(-)




fi


get_master_version () {
	local version_version version_patchlevel
	eval "$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr shell version/version version/patchlevel)"
	echo "${version_version}.${version_patchlevel}"
}
	key=${i%%: *}
	value=${i#*: }
	case "$key" in
		"version/version")
			master_version="$value"
			;;
		"version/patchlevel")
			master_patchlevel="$value"
			;;
		"version/releasename")
			master_releasename="$value"
			;;
	esac
done
IFS=$OLDIFS

# check join constraints
log "running version check"

- 
--
.../management/univention-join/univention-join     | 28 ++++++++--------------
1 file changed, 10 insertions(+), 18 deletions(-)




	failed_message "failed to get host certificate"
}

invalidate_nscd_cache () {
	# <https://forge.univention.org/bugzilla/show_bug.cgi?id=30886>
	nscd -i hosts
}


check_ldap_tls_connection () {
	echo -n "Check TLS connection "

	args+=(-mac "$(cat "${iface}/address")")
done

# invalidate the nscd hosts cache
#  https://forge.univention.org/bugzilla/show_bug.cgi?id=30886
nscd -i hosts

echo -n "Join Computer Account: "
args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname")
# Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely
invalidate_nscd_cache
univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
	'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \
	"$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>"$LOGFILE"

	univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
	echo_right "done"

	invalidate_nscd_cache
	# invalidate the nscd hosts cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name?"$DCNAME" \
		ldap/master?"$DCNAME" \


	mkdir -p /var/lib/univention-ldap/notify/

	invalidate_nscd_cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name?"$DCNAME" \
		ldap/master?"$DCNAME" \

		>>/var/log/univention/join.log 2>&1
	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	invalidate_nscd_cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name?"$DCNAME" \
		ldap/server/port?7389 \

	check_ldap_tls_connection

	download_host_certificate
	invalidate_nscd_cache
	# invalidate the nscd hosts cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name="$DCNAME" \
		ldap/server/port?7389 \
- 
--
.../management/univention-join/univention-join     | 60 ++++++++++------------
1 file changed, 26 insertions(+), 34 deletions(-)




	echo -n "${escaped[@]}"
}

fetch_secret () {
	local name="/etc/${1}.secret"
	backup_secret "$1"
	echo -n "Sync ${name}: "
	if univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:${name} ${name}" >>"$LOGIFLE" 2>&1 &&
		[ -s "${name}" ]
	then
		echo_right "done"
	else
		echo_right "failed"
		failed_message "${name} not found"
	fi
}
backup_secret () {
	local name="/etc/${1}.secret"
	if [ -e "${name}" ]
	then
		cat "${name}" >>"${name}.SAVE"
		chmod 0600 "${name}.SAVE"
	fi
}

download_host_certificate () {
	echo -n "Download host certificate "
	local HOSTPWD="/etc/machine.secret"

	kpwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")"

	if [ -n "$kpwd" ]; then
		backup_secret "machine"
			cat /etc/machine.secret >>/etc/machine.secret.SAVE
		fi

		echo -n "$kpwd" >/etc/machine.secret
		fromdos /etc/machine.secret
		chmod 600 /etc/machine.secret
		if [ -e /etc/machine.secret.SAVE ]; then
			chmod 600 /etc/machine.secret.SAVE
		fi
	else
		if [ -n "$res_message" ]; then
			failed_message "$res_message"

}

if [ "$server_role" = "domaincontroller_backup" ]; then
	fetch_secret "ldap"
	fetch_secret "ldap-backup"
	if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi

	echo -n "Sync ldap.secret: "
	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap.secret" /etc/ldap.secret >>/var/log/univention/join.log 2>&1
	if [ ! -e "/etc/ldap.secret" ]; then
		failed_message "/etc/ldap.secret not found"
	fi
	echo_right "done"

	echo -n "Sync ldap-backup.secret: "
	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1
	if [ ! -e "/etc/ldap-backup.secret" ]; then
		failed_message "/etc/ldap-backup.secret not found"
	fi
	echo_right "done"

	univention-config-registry set \
		ldap/server/name="$hostname.$domainname" \
		ldap/server/ip="$IP" \

	run_join_scripts

elif [ "$server_role" = "domaincontroller_slave" ]; then
	fetch_secret "ldap-backup"
	echo -n "Sync ldap-backup.secret: "

	if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi

	univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1

	echo_right "done"

	univention-config-registry set \
		ldap/server/name="$hostname.$domainname" \
		ldap/server/ip="$IP" \
- 
--
.../management/univention-join/univention-join     | 22 ++++------------------
1 file changed, 4 insertions(+), 18 deletions(-)

Lines 192-197 check_ldap_tls_connection () { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-20 / +4 lines)
192	}	192	}
193		193
194	run_join_scripts () {	194	run_join_scripts () {
		195	eval "$(univention-config-registry shell)"
		196
		197	: > /var/univention-join/joined
		198	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined
195		199
196	LC_COLLATE="C"	200	LC_COLLATE="C"
197	if test -d "/usr/lib/univention-install/"; then	201	if test -d "/usr/lib/univention-install/"; then
Lines 694-706 if [ "$server_role" = "domaincontroller_backup" ]; then Link Here
694	>>"$LOGFILE" 2>&1	698	>>"$LOGFILE" 2>&1
695	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"	699	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
696	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"	700	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
697	eval "$(univention-config-registry shell)"
698
699	mkdir -p /var/lib/univention-ldap/notify/	701	mkdir -p /var/lib/univention-ldap/notify/
700		702
701	touch /var/univention-join/joined
702	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined
703
704	echo -n "0" >/var/lib/univention-ldap/schema/id/id	703	echo -n "0" >/var/lib/univention-ldap/schema/id/id
705	chown listener /var/lib/univention-ldap/schema/id/id	704	chown listener /var/lib/univention-ldap/schema/id/id
706		705
Lines 752-761 elif [ "$server_role" = "domaincontroller_slave" ]; then Link Here
752	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"	751	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
753	echo -n "0" >/var/lib/univention-ldap/schema/id/id	752	echo -n "0" >/var/lib/univention-ldap/schema/id/id
754	chown listener /var/lib/univention-ldap/schema/id/id	753	chown listener /var/lib/univention-ldap/schema/id/id
755
756	touch /var/univention-join/joined
757	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined
758
759	run_join_scripts	754	run_join_scripts
760		755
761	elif [ "$server_role" = "memberserver" ]; then	756	elif [ "$server_role" = "memberserver" ]; then
Lines 790-798 elif [ "$server_role" = "memberserver" ]; then Link Here
790	>>"$LOGFILE" 2>&1	785	>>"$LOGFILE" 2>&1
791	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"	786	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
792	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"	787	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
793	touch /var/univention-join/joined
794	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined
795
796	run_join_scripts	788	run_join_scripts
797		789
798	else	790	else
Lines 826-837 else Link Here
826	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"	818	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
827	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"	819	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
828	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf \|\| echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf	820	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf \|\| echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf
829
830	touch /var/univention-join/joined
831	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined
832
833	eval "$(univention-config-registry shell)"
834
835	run_join_scripts	821	run_join_scripts
836	fi	822	fi
837		823
838	-
839	--
840	.../ucs-3.2-0/management/univention-join/univention-join \| 16 +++++++---------	824	.../ucs-3.2-0/management/univention-join/univention-join \| 16 +++++++---------
841	1 file changed, 7 insertions(+), 9 deletions(-)	825	1 file changed, 7 insertions(+), 9 deletions(-)

Lines 177-182 invalidate_nscd_cache () { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-11 / +7 lines)
177	nscd -i hosts	177	nscd -i hosts
178	}	178	}
179		179
		180	reset_listener_schema () {
		181	mkdir -p /var/lib/univention-ldap/notify/
		182	echo -n "0" >/var/lib/univention-ldap/schema/id/id
		183	chown listener /var/lib/univention-ldap/schema/id/id
		184	}
180		185
181	check_ldap_tls_connection () {	186	check_ldap_tls_connection () {
182	echo -n "Check TLS connection "	187	echo -n "Check TLS connection "
Lines 698-708 if [ "$server_role" = "domaincontroller_backup" ]; then Link Here
698	>>"$LOGFILE" 2>&1	703	>>"$LOGFILE" 2>&1
699	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"	704	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
700	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"	705	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
701	mkdir -p /var/lib/univention-ldap/notify/	706	reset_listener_schema
702
703	echo -n "0" >/var/lib/univention-ldap/schema/id/id
704	chown listener /var/lib/univention-ldap/schema/id/id
705
706	run_join_scripts	707	run_join_scripts
707		708
708	elif [ "$server_role" = "domaincontroller_slave" ]; then	709	elif [ "$server_role" = "domaincontroller_slave" ]; then
Lines 739-746 elif [ "$server_role" = "domaincontroller_slave" ]; then Link Here
739	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1	740	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
740	echo_right "done"	741	echo_right "done"
741		742
742	mkdir -p /var/lib/univention-ldap/notify/
743
744	invalidate_nscd_cache	743	invalidate_nscd_cache
745	univention-config-registry set \	744	univention-config-registry set \
746	ldap/server/name?"$DCNAME" \	745	ldap/server/name?"$DCNAME" \
Lines 749-756 elif [ "$server_role" = "domaincontroller_slave" ]; then Link Here
749	>>"$LOGFILE" 2>&1	748	>>"$LOGFILE" 2>&1
750	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"	749	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
751	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"	750	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
752	echo -n "0" >/var/lib/univention-ldap/schema/id/id	751	reset_listener_schema
753	chown listener /var/lib/univention-ldap/schema/id/id
754	run_join_scripts	752	run_join_scripts
755		753
756	elif [ "$server_role" = "memberserver" ]; then	754	elif [ "$server_role" = "memberserver" ]; then
757	-
758	--
759	.../management/univention-join/univention-join \| 63 ++++++++--------------	755	.../management/univention-join/univention-join \| 63 ++++++++--------------
760	1 file changed, 21 insertions(+), 42 deletions(-)	756	1 file changed, 21 insertions(+), 42 deletions(-)




	univention-config-registry set windows/domain="$windom" >>"$LOGFILE" 2>&1
}

copy_ucs_ca () {
	mkdir -p /etc/univention/ssl/ucsCA

	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>"$LOGFILE" 2>&1
	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>"$LOGFILE" 2>&1
	fi
	fix_ssl_permissions
}

fix_ssl_permissions () {
	# prevent join from failing if umask is modified (Bug #21587)
	chmod 755 /etc/univention/ssl
	chmod 755 /etc/univention/ssl/ucsCA
	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem
}

if [ "$server_role" = "domaincontroller_backup" ]; then
	fetch_secret "ldap"
	fetch_secret "ldap-backup"

	univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>"$LOGFILE" 2>&1
	echo_right "done"

	fix_ssl_permissions
	chmod 755 /etc/univention/ssl
	chmod 755 /etc/univention/ssl/ucsCA
	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem

	check_ldap_tls_connection

	download_host_certificate

		ldap/master/port?7389 \
		ldap/server/type=slave \
		>>"$LOGFILE" 2>&1
	copy_ucs_ca
	mkdir -p /etc/univention/ssl/ucsCA
	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	fi

	# prevent join from failing if umask is modified (Bug #21587)
	chmod 755 /etc/univention/ssl
	chmod 755 /etc/univention/ssl/ucsCA
	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem

	check_ldap_tls_connection

	download_host_certificate

	run_join_scripts

elif [ "$server_role" = "memberserver" ]; then
	copy_ucs_ca
	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	fi

	# prevent join from failing if umask is modified (Bug #21587)
	chmod 755 /etc/univention/ssl
	chmod 755 /etc/univention/ssl/ucsCA
	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem

	check_ldap_tls_connection

	download_host_certificate


else
# Client and Mobile Client
	copy_ucs_ca

	mkdir -p /etc/univention/ssl/ucsCA

	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	fi

	# prevent join from failing if umask is modified (Bug #21587)
	chmod 755 /etc/univention/ssl
	chmod 755 /etc/univention/ssl/ucsCA
	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem

	check_ldap_tls_connection

	download_host_certificate
- 
--
.../ucs-3.2-0/management/univention-join/univention-join  | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)

Lines 665-670 fix_ssl_permissions () { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-9 / +8 lines)
665	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem	665	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem
666	}	666	}
667		667
		668	restart_ldap_server () {
		669	echo -n "Restart LDAP Server: "
		670	/etc/init.d/slapd restart >>"$LOGFILE" 2>&1
		671	echo_right "done"
		672	}
		673
668	if [ "$server_role" = "domaincontroller_backup" ]; then	674	if [ "$server_role" = "domaincontroller_backup" ]; then
669	fetch_secret "ldap"	675	fetch_secret "ldap"
670	fetch_secret "ldap-backup"	676	fetch_secret "ldap-backup"
Lines 699-707 if [ "$server_role" = "domaincontroller_backup" ]; then Link Here
699	>>"$LOGFILE" 2>&1	705	>>"$LOGFILE" 2>&1
700	echo_right "done"	706	echo_right "done"
701		707
702	echo -n "Restart LDAP Server: "	708	restart_ldap_server
703	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1
704	echo_right "done"
705		709
706	#TODO: implement a real sync	710	#TODO: implement a real sync
707	echo -n "Sync Kerberos settings: "	711	echo -n "Sync Kerberos settings: "
Lines 733-742 elif [ "$server_role" = "domaincontroller_slave" ]; then Link Here
733	check_ldap_tls_connection	737	check_ldap_tls_connection
734		738
735	download_host_certificate	739	download_host_certificate
736		740	restart_ldap_server
737	echo -n "Restart LDAP Server: "
738	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1
739	echo_right "done"
740		741
741	echo -n "Sync Kerberos settings: "	742	echo -n "Sync Kerberos settings: "
742	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1	743	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
743	-
744	--
745	.../management/univention-join/univention-join \| 20 +++++++++-----------	744	.../management/univention-join/univention-join \| 20 +++++++++-----------
746	1 file changed, 9 insertions(+), 11 deletions(-)	745	1 file changed, 9 insertions(+), 11 deletions(-)




	echo_right "done"
}

sync_kerberos_setting () {
	#TODO: implement a real sync
	echo -n "Sync Kerberos settings: "
	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>"$LOGFILE" 2>&1
	echo_right "done"
}

if [ "$server_role" = "domaincontroller_backup" ]; then
	fetch_secret "ldap"
	fetch_secret "ldap-backup"

	echo_right "done"

	restart_ldap_server
	sync_kerberos_setting
	#TODO: implement a real sync
	echo -n "Sync Kerberos settings: "
	univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
	echo_right "done"

	invalidate_nscd_cache
	univention-config-registry set \
		ldap/server/name?"$DCNAME" \


	download_host_certificate
	restart_ldap_server
	sync_kerberos_setting
	echo -n "Sync Kerberos settings: "
	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
	echo_right "done"

	invalidate_nscd_cache
	univention-config-registry set \
		ldap/server/name?"$DCNAME" \
- 
--
.../management/univention-join/univention-join     | 42 ++++++++++++----------
1 file changed, 24 insertions(+), 18 deletions(-)




fi


find_dc () {
	[ -n "$DCNAME" ] && return

	echo -n "Search DC Master: "
	DCNAME="$(lookup_dns_srv)"
	if [ -n "$DCNAME" ]; then
		echo_right "done"
		return
		for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do
			if [ -z "$i" ]; then continue; fi
			DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"
			if [ -n "$DCNAME" ]; then
				echo_right "done"
				echo "domain $domainname" >/etc/resolv.conf
				echo "nameserver $i" >>/etc/resolv.conf
				test -x /etc/init.d/nscd && /etc/init.d/nscd restart >>/var/log/univention/join.log 2>&1
				break
			fi
		done
	fi
fi

	for ns in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"
	do
		[ -n "$i" ] || continue
		DCNAME="$(lookup_dns_srv "$ns")"
		[ -n "$DCNAME" ] || continue

		echo_right "done"
		echo "domain $domainname" >/etc/resolv.conf
		echo "nameserver $ns" >>/etc/resolv.conf
		[ -x /etc/init.d/nscd ] && /etc/init.d/nscd restart >>"$LOGFILE" 2>&1
		return
	done

	failed_message "missing dns service record for _domaincontroller_master._tcp.$domainname"
}
lookup_dns_srv () {
	host -t SRV "_domaincontroller_master._tcp.$domainname" ${1:+"$1"} |
		sed -ne '$s/.* \([^ ]\+\)\.$/\1/p'
}
find_dc

echo -n "Check DC Master: "

- 
--
.../management/univention-join/univention-join     | 101 +++++++++------------
1 file changed, 45 insertions(+), 56 deletions(-)





. /usr/share/univention-lib/all.sh

SIMPLEGUI="-n"
TYPE=
USERTMP="$(mktemp -d)"
DCPWD="$USERTMP/dcpwd"
VERSION_CHECK=true
VERBOSE=

LOGFILE="/var/log/univention/join.log"
log () {


trapOnExit() {
	rm -rf "$USERTMP"
	if [ "$VERBOSE" = "true" ]; then
		if [ -n "$old_listener_debug_level" ]; then
			ucr set listener/debug/level="$old_listener_debug_level" >>"$LOGFILE" 2>&1
		fi

	: > /var/univention-join/joined
	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined

	[ -d "/usr/lib/univention-install/" ] || return
	LC_COLLATE="C"
	for i in /usr/lib/univention-install/*.{inst,uinst}; do
		[ -e "$i" ] || continue
		local basename="$(basename "${i%.*}")"
		echo $SIMPLEGUI "Configure $basename "
		log "Configure $basename"
		if ! ${VERBOSE+bash -x} "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1
		then
			echo_right "failed"
			failed_message "FAILED: $basename"
		else
			echo_right "done"
			delete_unjoinscript "$basename"
		fi
		if [ "$basename" = "03univention-directory-listener.inst" ]; then
			# check failed.ldif
			if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then
				failed_message "FAILED: failed.ldif exists."
			fi
			case "$server_role" in
			domaincontroller_backup)
				copy_transaction_log
				;;
			domaincontroller_slave)
				if [ "$listener_supply_notifier" = "yes" ]; then
					copy_transaction_log

					# backup
					if [ "$server_role" = "domaincontroller_backup" ]; then
						univention-scp "$DCPWD" -r \
							"${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \
							"$USERTMP/tlog" >/dev/null 2>&1
						if [ ! -e "$USERTMP/tlog" ]; then
							failed_message " FAILED: failed do copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again."
						fi

						id="$(</var/lib/univention-directory-listener/notifier_id)"
						awk -F ' ' '{ if ( $1 <= '$id') print }' "$USERTMP/tlog" >/var/lib/univention-ldap/notify/transaction
					fi

					# slave 
					if [ "$server_role" = "domaincontroller_slave" ]; then
						if [ -n "$listener_supply_notifier" -a "$listener_supply_notifier" = "yes" ]; then
							univention-scp "$DCPWD" -q \
								"${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \
								"$USERTMP/tlog" >/dev/null 2>&1
							id="$(</var/lib/univention-directory-listener/notifier_id)"
							awk -F ' ' '{ if ( $1 <= '$id') print }' "$USERTMP/tlog" >/var/lib/univention-ldap/notify/transaction
						fi

					fi
				fi
				;;
			esac
		fi
	done
}

copy_transaction_log () {
	univention-scp "$DCPWD" -r \
		"${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \
		"$USERTMP/tlog" >/dev/null 2>&1
	if [ ! -e "$USERTMP/tlog" ]; then
		failed_message " FAILED: failed do copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again."
	fi

	local id
	read id </var/lib/univention-directory-listener/notifier_id
	awk -F ' ' '{ if ( $1 <= '$id') print }' "$USERTMP/tlog" >/var/lib/univention-ldap/notify/transaction
}

# log univention-join call

		"-simplegui")
			# output simpler gui for univention-installer to be able to parse output
			shift
			SIMPLEGUI=
			;;
		"-disableVersionCheck")
			shift

done

# verbose logging for univention-join and listener
if [ "$VERBOSE" = "true" ]; then
	exec 2>>"$LOGFILE"
	set -x
	if [ -n "$listener_debug_level" ]; then
- 
--
.../ucs-3.2-0/management/univention-join/univention-server-join   | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)




	else
		log 0 "Modify $desc [$old_dn]"

		cmd=(univention-directory-manager "$module" modify \
			--dn "$old_dn" \
			--set password="$computerPassword" \
			--set domain="$DOMAINNAME" \
			"${args[@]}" "${ADMINOPTIONS[@]}")
		#log 0 "${cmd[@]}"
		if ! rc="$("${cmd[@]}")"
		then
			log 1 "E: failed to modify $desc $old_dn [$rc]"
			exit 1
		fi
- 
--
branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)





if [ -z "$LDAPBASE" ]; then
	echo -n "Search ldap/base"
	ldap_base="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr get ldap/base)"
else
	ldap_base="$LDAPBASE"
fi
- 
--
branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 4 ++--
.../ucs-3.2-0/management/univention-join/univention-server-join       | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)

Lines 188-195 check_ldap_tls_connection () { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-2 / +2 lines)
188		188
189	eval "$(ucr shell ldap/master/port)"	189	eval "$(ucr shell ldap/master/port)"
190		190
191	ldapsearch -x -ZZ -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")" dn >/dev/null	191	if ! ldapsearch -x -ZZ -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")" dn >/dev/null
192	if [ $? != 0 ]; then	192	then
193	failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN."	193	failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN."
194	fi	194	fi
195		195




		echo "ldap_dn=\"$ldap_dn\""

		if [ -n "$group" ]; then
			if ! rc="$(univention-directory-manager groups/group modify \
				--dn="$group" \
				--append users="$ldap_dn" \
				"${ADMINOPTIONS[@]}")"
			then
				log 1 "E: failed to modify groups/group for $desc [$rc]"
				exit 1
			fi
- 
--
branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)




if [ -z "$binddn" ]; then
	# Next check is the local ldapi interface
	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
		ldapsearch -x -LLL -H ldapi:/// "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p')"
fi

if [ -z "$binddn" ]; then
	# Check with anonymous bind
	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
		ldapsearch -x -LLL "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p')"
fi

if [ -z "$binddn" ]; then
- 
--
.../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join  | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)




	check_ldap_tls_connection

	download_host_certificate

	univention-config-registry set \
		ldap/master="$DCNAME" \
		ldap/master/port?7389 \
		>>/var/log/univention/join.log 2>&1
	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	invalidate_nscd_cache
	univention-config-registry set \
		ldap/server/name?"$DCNAME" \

		>>"$LOGFILE" 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf
	run_join_scripts

else
- 
--
.../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 9 +--------
.../ucs-3.2-0/management/univention-join/univention-server-join  | 2 +-
2 files changed, 2 insertions(+), 9 deletions(-)




if [ -n "$ldap_position" ]; then
	args+=(-position "$ldap_position")
fi
args+=(-binddn "$binddn")

if [ "${master_version:0:1}" -lt 3 ]; then
	# UCS 2.x does not support the -binddn parameter
	args+=(-bindaccount "$DCACCOUNT")
else
	args+=(-binddn "$binddn")
fi

for ip in $(ip addr show scope global | sed -rne '/\<scope global\>/s|.*\<inet6? ([0-9a-f.:/]+)\>.*|\1|p')
do




	ADMINOPTIONS+=(--binddn "$BINDDN")
fi
if [ -n "$BINDPWFILE" ]; then
	ADMINOPTIONS+=(--bindpwdfile "$BINDPWFILE")
fi


- 
--
.../management/univention-join/univention-join     | 27 +++++++++++-----------
.../univention-join/univention-server-join         |  2 +-
2 files changed, 14 insertions(+), 15 deletions(-)




	args+=(-mac "$(cat "${iface}/address")")
done

echo -n "Join Computer Account: "
args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname")

echo -n "Join Computer Account: "
# Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely
invalidate_nscd_cache
univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \


	if [ -n "$kpwd" ]; then
		backup_secret "machine"
		printf "%s" "$kpwd" >/etc/machine.secret
		fromdos /etc/machine.secret
		chmod 600 /etc/machine.secret
	else
		if [ -n "$res_message" ]; then

}

set_windows_domain () {

	local dcpwd="$1"
	local dcaccount="$2"
	local dcname="$3"

	echo_right "done"
}

case "$server_role" in
domaincontroller_backup)
	fetch_secret "ldap"
	fetch_secret "ldap-backup"
	univention-config-registry set \


	fix_ssl_permissions
	check_ldap_tls_connection

	download_host_certificate

	echo -n "Sync SSL settings: "

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
	reset_listener_schema
	run_join_scripts
	;;

domaincontroller_slave)
	fetch_secret "ldap-backup"
	univention-config-registry set \
		ldap/server/name="$hostname.$domainname" \

		>>"$LOGFILE" 2>&1
	copy_ucs_ca
	check_ldap_tls_connection

	download_host_certificate
	restart_ldap_server
	sync_kerberos_setting

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
	reset_listener_schema
	run_join_scripts
	;;

memberserver)
	copy_ucs_ca
	check_ldap_tls_connection

	download_host_certificate
	invalidate_nscd_cache
	univention-config-registry set \

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf
	run_join_scripts
	;;

*) # Client and Mobile Client
# Client and Mobile Client
	copy_ucs_ca
	check_ldap_tls_connection

	download_host_certificate
	invalidate_nscd_cache
	univention-config-registry set \

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"
	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf
	run_join_scripts
	;;
esac

if [ -d /etc/runit/univention-directory-notifier ]; then
	/etc/init.d/univention-directory-notifier restart >>"$LOGFILE" 2>&1

Lines 286-292 create_entry () { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join (-2 / +1 lines)
286		286
287	if [ -n "$group" ]; then	287	if [ -n "$group" ]; then
288	if ! rc="$(univention-directory-manager groups/group modify \	288	if ! rc="$(univention-directory-manager groups/group modify \
289	--dn="$group" \	289	--dn "$group" \
290	--append users="$ldap_dn" \	290	--append users="$ldap_dn" \
291	"${ADMINOPTIONS[@]}")"	291	"${ADMINOPTIONS[@]}")"
292	then	292	then
293	-

Return to bug 28562

Lines 316-322 if [ -n "$IP" ]; then Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join (-3 / +4 lines)
316	subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)"	316	subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)"
317	else	317	else
318	# Fallback	318	# Fallback
319	subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$interfaces_${interfaces_primary:-eth0}_netmask" --output reverse --calcdns)"	319	varname="interfaces_${interfaces_primary:-eth0}_netmask"
		320	subnet="$(univention-ipcalc6 --ip "$IP" --netmask "${!varname}" --output reverse --calcdns)"
320	fi	321	fi
321	log 0 " Calculated subnet = $subnet"	322	log 0 " Calculated subnet = $subnet"
322		323
323	-	324	The return status of a pipeline is the exit status of the last
		325	command, unless the pipefail option is enabled.
324	--
325	.../ucs-3.2-0/management/univention-join/univention-server-join \| 4 ++--	326	.../ucs-3.2-0/management/univention-join/univention-server-join \| 4 ++--
326	1 file changed, 2 insertions(+), 2 deletions(-)	327	1 file changed, 2 insertions(+), 2 deletions(-)

Lines 209-216 create_entry () { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join (-4 / +2 lines)
209	local group="$5"	209	local group="$5"
210	log 0 "Join $desc"	210	log 0 "Join $desc"
211		211
212	old_dn="$(univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" \| sed -ne "s\|^DN: \|\|p")"	212	if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" \| sed -ne "s\|^DN: \|\|p")"
213	if [ $? -gt 0 ]; then	213	then
214	log 1 "E: failed search $desc [$old_dn]"	214	log 1 "E: failed search $desc [$old_dn]"
215	exit 1	215	exit 1
216	fi	216	fi
217	-
218	--
219	.../management/univention-join/univention-join \| 24 ++----	217	.../management/univention-join/univention-join \| 24 ++----
220	.../univention-join/univention-server-join \| 97 +++++++++-------------	218	.../univention-join/univention-server-join \| 97 +++++++++-------------
221	2 files changed, 49 insertions(+), 72 deletions(-)	219	2 files changed, 49 insertions(+), 72 deletions(-)

Lines 487-507 else Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-15 / +9 lines)
487	args+=(-binddn "$binddn")	487	args+=(-binddn "$binddn")
488	fi	488	fi
489		489
490	# TODO: Support multiple network interfaces	490	for ip in $(ip addr show scope global \| sed -rne '/\<scope global\>/s\|.\<inet6? ([0-9a-f.:/]+)\>.\|\1\|p')
491	# Search for the standard IP:	491	do
492	IP="$(get_default_ip_address)"	492	args+=(-ip "$ip")
493	if [ -n "$IP" ]; then	493	done
494	args+=(-ip "$IP")	494	for iface in /sys/class/net/*
495	if [ "${master_version:0:1}" -ge 3 ]; then	495	do
496	NETMASK="$(get_default_netmask)"	496	[ -L "${iface}/device" ] \|\| continue
497	# Since UCS 3.0 it is possible to append the netmask	497	args+=(-mac "$(cat "${iface}/address")")
498	args+=(-netmask "$NETMASK")	498	done
499	fi
500	fi
501	mac_addr="$(LC_ALL=C ip link show \| sed -rne 's\|.link/ether ([0-9a-fA-F:]+) brd .\|\1\|p' \| head -n1)"
502	if [ -n "$mac_addr" ]; then
503	args+=(-mac "$mac_addr")
504	fi
505		499
506	# invalidate the nscd hosts cache	500	# invalidate the nscd hosts cache
507	# https://forge.univention.org/bugzilla/show_bug.cgi?id=30886	501	# https://forge.univention.org/bugzilla/show_bug.cgi?id=30886

Lines 367-393 then Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-23 / +5 lines)
367	fi	367	fi
368		368
369		369
370	# get master versions	370	get_master_version () {
371	versions="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr search --brief ^version/)"	371	local version_version version_patchlevel
372	OLDIFS=$IFS	372	eval "$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr shell version/version version/patchlevel)"
373	IFS=$'\n'	373	echo "${version_version}.${version_patchlevel}"
374	for i in $versions; do	374	}
375	key=${i%%: *}
376	value=${i#*: }
377	case "$key" in
378	"version/version")
379	master_version="$value"
380	;;
381	"version/patchlevel")
382	master_patchlevel="$value"
383	;;
384	"version/releasename")
385	master_releasename="$value"
386	;;
387	esac
388	done
389	IFS=$OLDIFS
390
391	# check join constraints	375	# check join constraints
392	log "running version check"	376	log "running version check"
393		377
394	-
395	--
396	.../management/univention-join/univention-join \| 28 ++++++++--------------	378	.../management/univention-join/univention-join \| 28 ++++++++--------------
397	1 file changed, 10 insertions(+), 18 deletions(-)	379	1 file changed, 10 insertions(+), 18 deletions(-)

Lines 126-131 bashquote () { # quote arguments for eval Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-36 / +26 lines)
126	echo -n "${escaped[@]}"	126	echo -n "${escaped[@]}"
127	}	127	}
128		128
		129	fetch_secret () {
		130	local name="/etc/${1}.secret"
		131	backup_secret "$1"
		132	echo -n "Sync ${name}: "
		133	if univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:${name} ${name}" >>"$LOGIFLE" 2>&1 &&
		134	[ -s "${name}" ]
		135	then
		136	echo_right "done"
		137	else
		138	echo_right "failed"
		139	failed_message "${name} not found"
		140	fi
		141	}
		142	backup_secret () {
		143	local name="/etc/${1}.secret"
		144	if [ -e "${name}" ]
		145	then
		146	cat "${name}" >>"${name}.SAVE"
		147	chmod 0600 "${name}.SAVE"
		148	fi
		149	}
		150
129	download_host_certificate () {	151	download_host_certificate () {
130	echo -n "Download host certificate "	152	echo -n "Download host certificate "
131	local HOSTPWD="/etc/machine.secret"	153	local HOSTPWD="/etc/machine.secret"
Lines 515-530 then Link Here
515	kpwd="$(sed -ne 's\|^KerberosPasswd="\(.\)" \|\1\|p' <"$USERTMP/log")"	537	kpwd="$(sed -ne 's\|^KerberosPasswd="\(.\)" \|\1\|p' <"$USERTMP/log")"
516		538
517	if [ -n "$kpwd" ]; then	539	if [ -n "$kpwd" ]; then
518	if [ -e /etc/machine.secret ]; then	540	backup_secret "machine"
519	cat /etc/machine.secret >>/etc/machine.secret.SAVE
520	fi
521
522	echo -n "$kpwd" >/etc/machine.secret	541	echo -n "$kpwd" >/etc/machine.secret
523	fromdos /etc/machine.secret	542	fromdos /etc/machine.secret
524	chmod 600 /etc/machine.secret	543	chmod 600 /etc/machine.secret
525	if [ -e /etc/machine.secret.SAVE ]; then
526	chmod 600 /etc/machine.secret.SAVE
527	fi
528	else	544	else
529	if [ -n "$res_message" ]; then	545	if [ -n "$res_message" ]; then
530	failed_message "$res_message"	546	failed_message "$res_message"
Lines 624-647 set_windows_domain () { Link Here
624	}	640	}
625		641
626	if [ "$server_role" = "domaincontroller_backup" ]; then	642	if [ "$server_role" = "domaincontroller_backup" ]; then
627		643	fetch_secret "ldap"
628	if [ -e "/etc/ldap.secret" ]; then cat /etc/ldap.secret >>/etc/ldap.secret.SAVE; fi	644	fetch_secret "ldap-backup"
629	if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi
630
631	echo -n "Sync ldap.secret: "
632	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap.secret" /etc/ldap.secret >>/var/log/univention/join.log 2>&1
633	if [ ! -e "/etc/ldap.secret" ]; then
634	failed_message "/etc/ldap.secret not found"
635	fi
636	echo_right "done"
637
638	echo -n "Sync ldap-backup.secret: "
639	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1
640	if [ ! -e "/etc/ldap-backup.secret" ]; then
641	failed_message "/etc/ldap-backup.secret not found"
642	fi
643	echo_right "done"
644
645	univention-config-registry set \	645	univention-config-registry set \
646	ldap/server/name="$hostname.$domainname" \	646	ldap/server/name="$hostname.$domainname" \
647	ldap/server/ip="$IP" \	647	ldap/server/ip="$IP" \
Lines 707-721 if [ "$server_role" = "domaincontroller_backup" ]; then Link Here
707	run_join_scripts	707	run_join_scripts
708		708
709	elif [ "$server_role" = "domaincontroller_slave" ]; then	709	elif [ "$server_role" = "domaincontroller_slave" ]; then
710		710	fetch_secret "ldap-backup"
711	echo -n "Sync ldap-backup.secret: "
712
713	if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi
714
715	univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1
716
717	echo_right "done"
718
719	univention-config-registry set \	711	univention-config-registry set \
720	ldap/server/name="$hostname.$domainname" \	712	ldap/server/name="$hostname.$domainname" \
721	ldap/server/ip="$IP" \	713	ldap/server/ip="$IP" \
722	-
723	--
724	.../management/univention-join/univention-join \| 22 ++++------------------	714	.../management/univention-join/univention-join \| 22 ++++------------------
725	1 file changed, 4 insertions(+), 18 deletions(-)	715	1 file changed, 4 insertions(+), 18 deletions(-)

Lines 94-100 log() { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join (-59 / +40 lines)
94	fi	94	fi
95	}	95	}
96		96
97	MAC=""	97	MAC=()
		98	IP=()
98	BINDDN=""	99	BINDDN=""
99	BINDPWFILE=""	100	BINDPWFILE=""
100	DOMAINNAME=""	101	DOMAINNAME=""
Lines 117-123 do Link Here
117	shift 2 \|\| exit 2	118	shift 2 \|\| exit 2
118	;;	119	;;
119	"-ip")	120	"-ip")
120	IP="${2:?missing IP address}"	121	IP+=("${2:?missing IP address}")
121	shift 2 \|\| exit 2	122	shift 2 \|\| exit 2
122	;;	123	;;
123	"-netmask")	124	"-netmask")
Lines 129-135 do Link Here
129	shift 2 \|\| exit 2	130	shift 2 \|\| exit 2
130	;;	131	;;
131	"-mac")	132	"-mac")
132	MAC="${2:?missing ethernet MAC address}"	133	MAC+=("${2:?missing ethernet MAC address}")
133	shift 2 \|\| exit 2	134	shift 2 \|\| exit 2
134	;;	135	;;
135	"-bindaccount")	136	"-bindaccount")
Lines 208-213 create_entry () { Link Here
208	local primaryGroup="$4"	209	local primaryGroup="$4"
209	local group="$5"	210	local group="$5"
210	log 0 "Join $desc"	211	log 0 "Join $desc"
		212	local mac ip
211		213
212	if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" \| sed -ne "s\|^DN: \|\|p")"	214	if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" \| sed -ne "s\|^DN: \|\|p")"
213	then	215	then
Lines 215-246 create_entry () { Link Here
215	exit 1	217	exit 1
216	fi	218	fi
217		219
218	args=()	220	declare -a args=()
		221
		222	for mac in "${MAC[@]}"
		223	do
		224	args+=(--set mac="$MAC")
		225	done
		226
		227	for ip in "${IP[@]}"
		228	do
		229	args+=(--set ip="${ip%/*}")
		230	done
		231
		232	# DNS
		233	if [ -n "$IP" ]
		234	then
		235	forwardZone="$(univention-directory-manager dns/forward_zone list \
		236	--filter zone="$DOMAINNAME" \
		237	"${ADMINOPTIONS[@]}" \| sed -ne 's/^DN: //p')"
		238	log 0 " forwardZone $forwardZone"
		239	fi
		240	for addr in "${IP[@]}"
		241	do
		242	local ip="${addr%/}" prefix="${addr#/}"
		243	: "${prefix:=NETMASK}"
		244	: "${prefix:=$(. /usr/share/univention-lib/base.sh && get_default_netmask)}"
		245	local subnet="$(univention-ipcalc6 --ip "$ip" --netmask "$prefix" --calcdns --output reverse)"
		246	local reverseZone="$(univention-directory-manager dns/reverse_zone list \
		247	--filter subnet="$subnet" \
		248	"${ADMINOPTIONS[@]}" \| sed -ne 's/^DN: //p')"
		249	log 0 " reverseZone $reverseZone"
		250	# UDM BUG: multiple --set don't work; --apend only prints a warning for modify; ignore old entries for now
		251	[ -n "$reverseZone" ] && args+=(--append dnsEntryZoneReverse="$reverseZone $ip")
		252	[ -n "$forwardZone" ] && args+=(--append dnsEntryZoneForward="$forwardZone $ip")
		253	done
		254
219	if [ -z "$old_dn" ]; then	255	if [ -z "$old_dn" ]; then
220	log 0 " Create new $desc "	256	log 0 " Create new $desc "
221		257
222	if [ -n "$IP" ]; then
223	args+=(--set ip="$IP")
224	# DNS
225	if [ -n "$forwardZone" ]; then
226	args+=(--set dnsEntryZoneForward="$forwardZone")
227	if [ -n "$reverseZone" ]; then
228	args+=(--set dnsEntryZoneReverse="$reverseZone")
229	fi
230	fi
231	fi
232	if [ -n "$MAC" ]; then
233	args+=(--set mac="$MAC")
234	fi
235	# DHCP
236	case "$module" in
237	computers/managedclient\|computers/mobileclient)
238	if [ -n "$dhcpEntry" ] && [ -n "$IP" ] && [ -n "$MAC" ]; then
239	args+=(--set dhcpEntryZone="$dhcpEntry $IP $MAC")
240	fi
241	;;
242	esac
243
244	cmd=(univention-directory-manager "$module" create \	258	cmd=(univention-directory-manager "$module" create \
245	--position "$position" \	259	--position "$position" \
246	--set name="$NEWHOSTNAME" \	260	--set name="$NEWHOSTNAME" \
Lines 283-294 create_entry () { Link Here
283	else	297	else
284	log 0 "Modify $desc [$old_dn]"	298	log 0 "Modify $desc [$old_dn]"
285		299
286	if [ -n "$MAC" ]; then
287	args+=(--set mac="$MAC")
288	fi
289	if [ -n "$IP" ]; then
290	args+=(--set ip="$IP")
291	fi
292	rc="$(univention-directory-manager "$module" modify \	300	rc="$(univention-directory-manager "$module" modify \
293	--dn "$old_dn" \	301	--dn "$old_dn" \
294	--set password="$computerPassword" \	302	--set password="$computerPassword" \
Lines 311-341 create_entry () { Link Here
311	fi	319	fi
312	}	320	}
313		321
314	if [ -n "$IP" ]; then
315	if [ -n "$NETMASK" ]; then
316	subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)"
317	else
318	# Fallback
319	varname="interfaces_${interfaces_primary:-eth0}_netmask"
320	subnet="$(univention-ipcalc6 --ip "$IP" --netmask "${!varname}" --output reverse --calcdns)"
321	fi
322	log 0 " Calculated subnet = $subnet"
323
324	forwardZone="$(univention-directory-manager dns/forward_zone list \
325	--filter zone="$DOMAINNAME" \
326	"${ADMINOPTIONS[@]}" \| sed -ne 's/^DN: //p')"
327	reverseZone="$(univention-directory-manager dns/reverse_zone list \
328	--filter subnet="$subnet" \
329	"${ADMINOPTIONS[@]}" \| sed -ne 's/^DN: //p')"
330	dhcpEntry="$(univention-directory-manager dhcp/service list \
331	--filter name="$DOMAINNAME" \
332	"${ADMINOPTIONS[@]}" \| sed -ne 's/^DN: //p')"
333
334	log 0 " forwardZone $forwardZone"
335	log 0 " reverseZone $reverseZone"
336	log 0 " dhcpEntry $dhcpEntry"
337	fi
338
339	computerPassword="$(create_machine_password)"	322	computerPassword="$(create_machine_password)"
340		323
341	case "$ROLE" in	324	case "$ROLE" in
342	-
343	--
344	.../management/univention-join/univention-join \| 127 +++++++++++----------	325	.../management/univention-join/univention-join \| 127 +++++++++++----------
345	.../univention-join/univention-run-join-scripts \| 15 ++-	326	.../univention-join/univention-run-join-scripts \| 15 ++-
346	2 files changed, 78 insertions(+), 64 deletions(-)	327	2 files changed, 78 insertions(+), 64 deletions(-)

Lines 150-155 download_host_certificate () { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-20 / +10 lines)
150	failed_message "failed to get host certificate"	150	failed_message "failed to get host certificate"
151	}	151	}
152		152
		153	invalidate_nscd_cache () {
		154	# <https://forge.univention.org/bugzilla/show_bug.cgi?id=30886>
		155	nscd -i hosts
		156	}
		157
153		158
154	check_ldap_tls_connection () {	159	check_ldap_tls_connection () {
155	echo -n "Check TLS connection "	160	echo -n "Check TLS connection "
Lines 490-502 do Link Here
490	args+=(-mac "$(cat "${iface}/address")")	495	args+=(-mac "$(cat "${iface}/address")")
491	done	496	done
492		497
493	# invalidate the nscd hosts cache
494	# https://forge.univention.org/bugzilla/show_bug.cgi?id=30886
495	nscd -i hosts
496
497	echo -n "Join Computer Account: "	498	echo -n "Join Computer Account: "
498	args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname")	499	args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname")
499	# Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely	500	# Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely
		501	invalidate_nscd_cache
500	univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \	502	univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
501	'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \	503	'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \
502	"$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 \| tee "$USERTMP/log" >>"$LOGFILE"	504	"$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 \| tee "$USERTMP/log" >>"$LOGFILE"
Lines 684-693 if [ "$server_role" = "domaincontroller_backup" ]; then Link Here
684	univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1	686	univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
685	echo_right "done"	687	echo_right "done"
686		688
687		689	invalidate_nscd_cache
688	# invalidate the nscd hosts cache
689	nscd -i hosts
690
691	univention-config-registry set \	690	univention-config-registry set \
692	ldap/server/name?"$DCNAME" \	691	ldap/server/name?"$DCNAME" \
693	ldap/master?"$DCNAME" \	692	ldap/master?"$DCNAME" \
Lines 751-759 elif [ "$server_role" = "domaincontroller_slave" ]; then Link Here
751		750
752	mkdir -p /var/lib/univention-ldap/notify/	751	mkdir -p /var/lib/univention-ldap/notify/
753		752
754	# invalidate the nscd hosts cache	753	invalidate_nscd_cache
755	nscd -i hosts
756
757	univention-config-registry set \	754	univention-config-registry set \
758	ldap/server/name?"$DCNAME" \	755	ldap/server/name?"$DCNAME" \
759	ldap/master?"$DCNAME" \	756	ldap/master?"$DCNAME" \
Lines 791-799 elif [ "$server_role" = "memberserver" ]; then Link Here
791	>>/var/log/univention/join.log 2>&1	788	>>/var/log/univention/join.log 2>&1
792	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf \|\| echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf	789	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf \|\| echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf
793		790
794	# invalidate the nscd hosts cache	791	invalidate_nscd_cache
795	nscd -i hosts
796
797	univention-config-registry set \	792	univention-config-registry set \
798	ldap/server/name?"$DCNAME" \	793	ldap/server/name?"$DCNAME" \
799	ldap/server/port?7389 \	794	ldap/server/port?7389 \
Lines 827-836 else Link Here
827	check_ldap_tls_connection	822	check_ldap_tls_connection
828		823
829	download_host_certificate	824	download_host_certificate
830		825	invalidate_nscd_cache
831	# invalidate the nscd hosts cache
832	nscd -i hosts
833
834	univention-config-registry set \	826	univention-config-registry set \
835	ldap/server/name="$DCNAME" \	827	ldap/server/name="$DCNAME" \
836	ldap/server/port?7389 \	828	ldap/server/port?7389 \
837	-
838	--
839	.../management/univention-join/univention-join \| 60 ++++++++++------------	829	.../management/univention-join/univention-join \| 60 ++++++++++------------
840	1 file changed, 26 insertions(+), 34 deletions(-)	830	1 file changed, 26 insertions(+), 34 deletions(-)

Lines 648-653 set_windows_domain () { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-44 / +21 lines)
648	univention-config-registry set windows/domain="$windom" >>"$LOGFILE" 2>&1	648	univention-config-registry set windows/domain="$windom" >>"$LOGFILE" 2>&1
649	}	649	}
650		650
		651	copy_ucs_ca () {
		652	mkdir -p /etc/univention/ssl/ucsCA
		653
		654	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>"$LOGFILE" 2>&1
		655	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		656	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>"$LOGFILE" 2>&1
		657	fi
		658	fix_ssl_permissions
		659	}
		660
		661	fix_ssl_permissions () {
		662	# prevent join from failing if umask is modified (Bug #21587)
		663	chmod 755 /etc/univention/ssl
		664	chmod 755 /etc/univention/ssl/ucsCA
		665	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem
		666	}
		667
651	if [ "$server_role" = "domaincontroller_backup" ]; then	668	if [ "$server_role" = "domaincontroller_backup" ]; then
652	fetch_secret "ldap"	669	fetch_secret "ldap"
653	fetch_secret "ldap-backup"	670	fetch_secret "ldap-backup"
Lines 664-674 if [ "$server_role" = "domaincontroller_backup" ]; then Link Here
664	univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>"$LOGFILE" 2>&1	681	univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>"$LOGFILE" 2>&1
665	echo_right "done"	682	echo_right "done"
666		683
667	# prevent join from failing if umask is modified (Bug #21587)	684	fix_ssl_permissions
668	chmod 755 /etc/univention/ssl
669	chmod 755 /etc/univention/ssl/ucsCA
670	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem
671
672	check_ldap_tls_connection	685	check_ldap_tls_connection
673		686
674	download_host_certificate	687	download_host_certificate
Lines 716-733 elif [ "$server_role" = "domaincontroller_slave" ]; then Link Here
716	ldap/master/port?7389 \	729	ldap/master/port?7389 \
717	ldap/server/type=slave \	730	ldap/server/type=slave \
718	>>"$LOGFILE" 2>&1	731	>>"$LOGFILE" 2>&1
719		732	copy_ucs_ca
720	mkdir -p /etc/univention/ssl/ucsCA
721	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
722	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
723	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
724	fi
725
726	# prevent join from failing if umask is modified (Bug #21587)
727	chmod 755 /etc/univention/ssl
728	chmod 755 /etc/univention/ssl/ucsCA
729	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem
730
731	check_ldap_tls_connection	733	check_ldap_tls_connection
732		734
733	download_host_certificate	735	download_host_certificate
Lines 752-768 elif [ "$server_role" = "domaincontroller_slave" ]; then Link Here
752	run_join_scripts	754	run_join_scripts
753		755
754	elif [ "$server_role" = "memberserver" ]; then	756	elif [ "$server_role" = "memberserver" ]; then
755	mkdir -p /etc/univention/ssl/ucsCA	757	copy_ucs_ca
756	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
757	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
758	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
759	fi
760
761	# prevent join from failing if umask is modified (Bug #21587)
762	chmod 755 /etc/univention/ssl
763	chmod 755 /etc/univention/ssl/ucsCA
764	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem
765
766	check_ldap_tls_connection	758	check_ldap_tls_connection
767		759
768	download_host_certificate	760	download_host_certificate
Lines 787-806 elif [ "$server_role" = "memberserver" ]; then Link Here
787		779
788	else	780	else
789	# Client and Mobile Client	781	# Client and Mobile Client
790		782	copy_ucs_ca
791
792	mkdir -p /etc/univention/ssl/ucsCA
793
794	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
795	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
796	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
797	fi
798
799	# prevent join from failing if umask is modified (Bug #21587)
800	chmod 755 /etc/univention/ssl
801	chmod 755 /etc/univention/ssl/ucsCA
802	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem
803
804	check_ldap_tls_connection	783	check_ldap_tls_connection
805		784
806	download_host_certificate	785	download_host_certificate
807	-
808	--
809	.../ucs-3.2-0/management/univention-join/univention-join \| 15 ++++++++-------	786	.../ucs-3.2-0/management/univention-join/univention-join \| 15 ++++++++-------
810	1 file changed, 8 insertions(+), 7 deletions(-)	787	1 file changed, 8 insertions(+), 7 deletions(-)

Lines 366-395 if [ -z "$server_role" ]; then Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-20 / +24 lines)
366	fi	366	fi
367		367
368		368
369	if [ -z "$DCNAME" ]; then	369	find_dc () {
		370	[ -n "$DCNAME" ] && return
		371
370	echo -n "Search DC Master: "	372	echo -n "Search DC Master: "
371	DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" \| sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"	373	DCNAME="$(lookup_dns_srv)"
372	if [ -n "$DCNAME" ]; then	374	if [ -n "$DCNAME" ]; then
373	echo_right "done"	375	echo_right "done"
374	else	376	return
375	for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do
376	if [ -z "$i" ]; then continue; fi
377	DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" \| sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"
378	if [ -n "$DCNAME" ]; then
379	echo_right "done"
380	echo "domain $domainname" >/etc/resolv.conf
381	echo "nameserver $i" >>/etc/resolv.conf
382	test -x /etc/init.d/nscd && /etc/init.d/nscd restart >>/var/log/univention/join.log 2>&1
383	break
384	fi
385	done
386	fi	377	fi
387	fi
388		378
389	if [ -z "$DCNAME" ]; then	379	for ns in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"
390	failed_message "missing dns service record for _domaincontroller_master._tcp.$domainname"	380	do
391	fi	381	[ -n "$i" ] \|\| continue
		382	DCNAME="$(lookup_dns_srv "$ns")"
		383	[ -n "$DCNAME" ] \|\| continue
		384
		385	echo_right "done"
		386	echo "domain $domainname" >/etc/resolv.conf
		387	echo "nameserver $ns" >>/etc/resolv.conf
		388	[ -x /etc/init.d/nscd ] && /etc/init.d/nscd restart >>"$LOGFILE" 2>&1
		389	return
		390	done
392		391
		392	failed_message "missing dns service record for _domaincontroller_master._tcp.$domainname"
		393	}
		394	lookup_dns_srv () {
		395	host -t SRV "_domaincontroller_master._tcp.$domainname" ${1:+"$1"} \|
		396	sed -ne '$s/.* \([^ ]\+\)\.$/\1/p'
		397	}
		398	find_dc
393		399
394	echo -n "Check DC Master: "	400	echo -n "Check DC Master: "
395		401
396	-
397	--
398	.../management/univention-join/univention-join \| 101 +++++++++------------	402	.../management/univention-join/univention-join \| 101 +++++++++------------
399	1 file changed, 45 insertions(+), 56 deletions(-)	403	1 file changed, 45 insertions(+), 56 deletions(-)

Lines 38-49 eval "$(univention-config-registry shell)" Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-58 / +45 lines)
38		38
39	. /usr/share/univention-lib/all.sh	39	. /usr/share/univention-lib/all.sh
40		40
41	SIMPLEGUI=""	41	SIMPLEGUI="-n"
42	TYPE=	42	TYPE=
43	USERTMP="$(mktemp -d)"	43	USERTMP="$(mktemp -d)"
44	DCPWD="$USERTMP/dcpwd"	44	DCPWD="$USERTMP/dcpwd"
45	VERSION_CHECK=true	45	VERSION_CHECK=true
46	VERBOSE=false	46	VERBOSE=
47		47
48	LOGFILE="/var/log/univention/join.log"	48	LOGFILE="/var/log/univention/join.log"
49	log () {	49	log () {
Lines 56-62 echo_right () { Link Here
56		56
57	trapOnExit() {	57	trapOnExit() {
58	rm -rf "$USERTMP"	58	rm -rf "$USERTMP"
59	if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then	59	if [ "$VERBOSE" = "true" ]; then
60	if [ -n "$old_listener_debug_level" ]; then	60	if [ -n "$old_listener_debug_level" ]; then
61	ucr set listener/debug/level="$old_listener_debug_level" >>"$LOGFILE" 2>&1	61	ucr set listener/debug/level="$old_listener_debug_level" >>"$LOGFILE" 2>&1
62	fi	62	fi
Lines 202-263 run_join_scripts () { Link Here
202	: > /var/univention-join/joined	202	: > /var/univention-join/joined
203	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined	203	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined
204		204
		205	[ -d "/usr/lib/univention-install/" ] \|\| return
205	LC_COLLATE="C"	206	LC_COLLATE="C"
206	if test -d "/usr/lib/univention-install/"; then	207	for i in /usr/lib/univention-install/*.{inst,uinst}; do
207	for i in /usr/lib/univention-install/*.{inst,uinst}; do	208	[ -e "$i" ] \|\| continue
208	test -e "$i" \|\| continue	209	local basename="$(basename "${i%.*}")"
209	echo -n "Configure $(basename "$i") "	210	echo $SIMPLEGUI "Configure $basename "
210	[ -n "$SIMPLEGUI" ] && echo	211	log "Configure $basename"
211	log "Configure $(basename "$i")"	212	if ! ${VERBOSE+bash -x} "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1
212	bashVerbose=""	213	then
213	if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then	214	echo_right "failed"
214	bashVerbose="bash -x"	215	failed_message "FAILED: $basename"
215	fi	216	else
216	$bashVerbose "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1	217	echo_right "done"
217	if [ $? -ne 0 ]; then	218	delete_unjoinscript "$basename"
218	echo_right "failed"	219	fi
219	failed_message "FAILED: $(basename "$i")"	220	if [ "$basename" = "03univention-directory-listener.inst" ]; then
220	else	221	# check failed.ldif
221	echo_right "done"	222	if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then
222	delete_unjoinscript "$(basename "$i")"	223	failed_message "FAILED: failed.ldif exists."
223	fi	224	fi
224	if [ "$server_role" = "domaincontroller_slave" -o "$server_role" = "domaincontroller_backup" ]; then	225	case "$server_role" in
225		226	domaincontroller_backup)
226	# check failed.ldif	227	copy_transaction_log
227	if [ "$(basename "$i")" = "03univention-directory-listener.inst" ]; then	228	;;
228	if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then	229	domaincontroller_slave)
229	failed_message "FAILED: failed.ldif exists."	230	if [ "$listener_supply_notifier" = "yes" ]; then
230	fi	231	copy_transaction_log
231
232	# backup
233	if [ "$server_role" = "domaincontroller_backup" ]; then
234	univention-scp "$DCPWD" -r \
235	"${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \
236	"$USERTMP/tlog" >/dev/null 2>&1
237	if [ ! -e "$USERTMP/tlog" ]; then
238	failed_message " FAILED: failed do copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again."
239	fi
240
241	id="$(</var/lib/univention-directory-listener/notifier_id)"
242	awk -F ' ' '{ if ( $1 <= '$id') print }' "$USERTMP/tlog" >/var/lib/univention-ldap/notify/transaction
243	fi
244
245	# slave
246	if [ "$server_role" = "domaincontroller_slave" ]; then
247	if [ -n "$listener_supply_notifier" -a "$listener_supply_notifier" = "yes" ]; then
248	univention-scp "$DCPWD" -q \
249	"${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \
250	"$USERTMP/tlog" >/dev/null 2>&1
251	id="$(</var/lib/univention-directory-listener/notifier_id)"
252	awk -F ' ' '{ if ( $1 <= '$id') print }' "$USERTMP/tlog" >/var/lib/univention-ldap/notify/transaction
253	fi
254
255	fi
256	fi	232	fi
257	fi	233	;;
258	done	234	esac
		235	fi
		236	done
		237	}
		238
		239	copy_transaction_log () {
		240	univention-scp "$DCPWD" -r \
		241	"${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \
		242	"$USERTMP/tlog" >/dev/null 2>&1
		243	if [ ! -e "$USERTMP/tlog" ]; then
		244	failed_message " FAILED: failed do copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again."
259	fi	245	fi
260		246
		247	local id
		248	read id </var/lib/univention-directory-listener/notifier_id
		249	awk -F ' ' '{ if ( $1 <= '$id') print }' "$USERTMP/tlog" >/var/lib/univention-ldap/notify/transaction
261	}	250	}
262		251
263	# log univention-join call	252	# log univention-join call
Lines 298-304 do Link Here
298	"-simplegui")	287	"-simplegui")
299	# output simpler gui for univention-installer to be able to parse output	288	# output simpler gui for univention-installer to be able to parse output
300	shift	289	shift
301	SIMPLEGUI="yes"	290	SIMPLEGUI=
302	;;	291	;;
303	"-disableVersionCheck")	292	"-disableVersionCheck")
304	shift	293	shift
Lines 324-330 do Link Here
324	done	313	done
325		314
326	# verbose logging for univention-join and listener	315	# verbose logging for univention-join and listener
327	if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then	316	if [ "$VERBOSE" = "true" ]; then
328	exec 2>>"$LOGFILE"	317	exec 2>>"$LOGFILE"
329	set -x	318	set -x
330	if [ -n "$listener_debug_level" ]; then	319	if [ -n "$listener_debug_level" ]; then
331	-
332	--
333	.../ucs-3.2-0/management/univention-join/univention-server-join \| 8 +++++---	320	.../ucs-3.2-0/management/univention-join/univention-server-join \| 8 +++++---
334	1 file changed, 5 insertions(+), 3 deletions(-)	321	1 file changed, 5 insertions(+), 3 deletions(-)

Lines 445-451 fi Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-3 / +1 lines)
445		445
446	if [ -z "$LDAPBASE" ]; then	446	if [ -z "$LDAPBASE" ]; then
447	echo -n "Search ldap/base"	447	echo -n "Search ldap/base"
448	ldap_base="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr search --brief ^ldap/base$ \| sed -ne 's\|^ldap/base: \|\|p')"	448	ldap_base="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr get ldap/base)"
449	else	449	else
450	ldap_base="$LDAPBASE"	450	ldap_base="$LDAPBASE"
451	fi	451	fi
452	-
453	--
454	branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join \| 4 ++--	452	branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join \| 4 ++--
455	.../ucs-3.2-0/management/univention-join/univention-server-join \| 4 ++--	453	.../ucs-3.2-0/management/univention-join/univention-server-join \| 4 ++--
456	2 files changed, 4 insertions(+), 4 deletions(-)	454	2 files changed, 4 insertions(+), 4 deletions(-)

Lines 285-295 create_entry () { Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join (-4 / +2 lines)
285	echo "ldap_dn=\"$ldap_dn\""	285	echo "ldap_dn=\"$ldap_dn\""
286		286
287	if [ -n "$group" ]; then	287	if [ -n "$group" ]; then
288	rc="$(univention-directory-manager groups/group modify \	288	if ! rc="$(univention-directory-manager groups/group modify \
289	--dn="$group" \	289	--dn="$group" \
290	--append users="$ldap_dn" \	290	--append users="$ldap_dn" \
291	"${ADMINOPTIONS[@]}")"	291	"${ADMINOPTIONS[@]}")"
292	if [ $? -gt 0 ]; then	292	then
293	log 1 "E: failed to modify groups/group for $desc [$rc]"	293	log 1 "E: failed to modify groups/group for $desc [$rc]"
294	exit 1	294	exit 1
295	fi	295	fi
296	-
297	--
298	branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join \| 4 ++--	296	branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join \| 4 ++--
299	1 file changed, 2 insertions(+), 2 deletions(-)	297	1 file changed, 2 insertions(+), 2 deletions(-)

Lines 472-484 binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-4 / +2 lines)
472	if [ -z "$binddn" ]; then	472	if [ -z "$binddn" ]; then
473	# Next check is the local ldapi interface	473	# Next check is the local ldapi interface
474	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \	474	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
475	ldapsearch -x -LLL -H ldapi:/// "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn \| ldapsearch-wrapper \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p;s\|^DN: \|\|p')"	475	ldapsearch -x -LLL -H ldapi:/// "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn \| ldapsearch-wrapper \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p')"
476	fi	476	fi
477		477
478	if [ -z "$binddn" ]; then	478	if [ -z "$binddn" ]; then
479	# Check with anonymous bind	479	# Check with anonymous bind
480	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \	480	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
481	ldapsearch -x -LLL "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn \| ldapsearch-wrapper \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p;s\|^DN: \|\|p')"	481	ldapsearch -x -LLL "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn \| ldapsearch-wrapper \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p')"
482	fi	482	fi
483		483
484	if [ -z "$binddn" ]; then	484	if [ -z "$binddn" ]; then
485	-
486	--
487	.../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join \| 8 +-------	485	.../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join \| 8 +-------
488	1 file changed, 1 insertion(+), 7 deletions(-)	486	1 file changed, 1 insertion(+), 7 deletions(-)

Lines 502-515 args=() Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join (-8 / +1 lines)
502	if [ -n "$ldap_position" ]; then	502	if [ -n "$ldap_position" ]; then
503	args+=(-position "$ldap_position")	503	args+=(-position "$ldap_position")
504	fi	504	fi
505		505	args+=(-binddn "$binddn")
506
507	if [ "${master_version:0:1}" -lt 3 ]; then
508	# UCS 2.x does not support the -binddn parameter
509	args+=(-bindaccount "$DCACCOUNT")
510	else
511	args+=(-binddn "$binddn")
512	fi
513		506
514	for ip in $(ip addr show scope global \| sed -rne '/\<scope global\>/s\|.\<inet6? ([0-9a-f.:/]+)\>.\|\1\|p')	507	for ip in $(ip addr show scope global \| sed -rne '/\<scope global\>/s\|.\<inet6? ([0-9a-f.:/]+)\>.\|\1\|p')
515	do	508	do

Lines 181-187 if [ -n "$BINDDN" ]; then Link Here

(-)a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join (-3 / +1 lines)
181	ADMINOPTIONS+=(--binddn "$BINDDN")	181	ADMINOPTIONS+=(--binddn "$BINDDN")
182	fi	182	fi
183	if [ -n "$BINDPWFILE" ]; then	183	if [ -n "$BINDPWFILE" ]; then
184	ADMINOPTIONS+=(--bindpwd "$(<"$BINDPWFILE")")	184	ADMINOPTIONS+=(--bindpwdfile "$BINDPWFILE")
185	fi	185	fi
186		186
187		187
188	-
189	--
190	.../management/univention-join/univention-join \| 27 +++++++++++-----------	188	.../management/univention-join/univention-join \| 27 +++++++++++-----------
191	.../univention-join/univention-server-join \| 2 +-	189	.../univention-join/univention-server-join \| 2 +-
192	2 files changed, 14 insertions(+), 15 deletions(-)	190	2 files changed, 14 insertions(+), 15 deletions(-)