Attachment #9594 for bug #42022

View | Details | Raw Unified | Return to bug 42022
Collapse All | Expand All




	UCR.save()

	with _temporary_password_file(admin_password) as password_file:
		p1 = subprocess.Popen([
			'univention-join',
			'-dcname', master_fqdn,
			'-dcaccount', admin_username,
			'-dcpwd', password_file,
			'-checkPrerequisites'
		], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
		stdout, stderr = p1.communicate()
		if p1.returncode != 0:
			messages = [ line[11:] for line in stdout.split('\n')
			   if line.startswith("* Message: ")]
			raise UMC_Error(_(
				"univention-join -checkPrerequisites reported a problem. "
				"Output of check:\n\n"
			) + "\n".join(messages) )


def receive_domaincontroller_master_information(dns, nameserver, address, username, password):




}

failed_message () {
	{
	echo ""
	echo ""
	echo "**************************************************************************"

	echo "**************************************************************************"
	echo "* Message:  Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- $@"
	echo "**************************************************************************"
	} | tee -a /var/log/univention/join.log
	exit 1
}



# First use udm to search the user DN
binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
	/usr/sbin/udm users/user list --filter uid="$DCACCOUNT" --logfile /dev/null  2> >(tee -a /var/log/univention/join.log >&2) | sed -ne 's|^DN: ||p')"

if [ -z "$binddn" ]; then
	echo "binddn search on ${DCNAME} with UDM failed" >>/var/log/univention/join.log
	# Next try ldapsearch with GSSAPI against OpenLDAP
	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
		kinit --password-file=STDIN "${DCACCOUNT}" ldapsearch -Y GSSAPI -LLL -o ldif-wrap=no "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn <"$DCPWD" 2>/dev/null | ldapsearch-decode64 | sed -ne 's|^dn: ||p;s|^DN: ||p')"
fi

if [ -z "$binddn" ]; then
	echo "binddn search on ${DCNAME} with GSSAPI failed" >>/var/log/univention/join.log
	# Next try the local ldapi interface, unlikely to succeed because only accessible for root
	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
		ldapsearch -x -LLL -o ldif-wrap=no -H ldapi:/// "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-decode64 | sed -ne 's|^dn: ||p;s|^DN: ||p')"
fi

if [ -z "$binddn" ]; then
	echo "binddn search on ${DCNAME} via LDAPI failed" >>/var/log/univention/join.log
	# Finally try anonymous bind, unlikely to succeed because anonymous bind is disabled by default
	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
		ldapsearch -x -LLL -o ldif-wrap=no "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-decode64 | sed -ne 's|^dn: ||p;s|^DN: ||p')"
fi

if [ -z "$binddn" ]; then

Return to bug 42022

Lines 19-37 def set_role_and_check_if_join_will_work(role, master_fqdn, admin_username, admi Link Here

(-)a/base/univention-system-setup/umc/python/setup/checks/univention_join.py (-12 / +14 lines)
19	UCR.save()	19	UCR.save()
20		20
21	with _temporary_password_file(admin_password) as password_file:	21	with _temporary_password_file(admin_password) as password_file:
22	try:	22	p1 = subprocess.Popen([
23	subprocess.check_call([	23	'univention-join',
24	'univention-join',	24	'-dcname', master_fqdn,
25	'-dcname', master_fqdn,	25	'-dcaccount', admin_username,
26	'-dcaccount', admin_username,	26	'-dcpwd', password_file,
27	'-dcpwd', password_file,	27	'-checkPrerequisites'
28	'-checkPrerequisites'	28	], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
29	])	29	stdout, stderr = p1.communicate()
30	except subprocess.CalledProcessError:	30	if p1.returncode != 0:
		31	messages = [ line[11:] for line in stdout.split('\n')
		32	if line.startswith("* Message: ")]
31	raise UMC_Error(_(	33	raise UMC_Error(_(
32	"univention-join will not work with the given setup. "	34	"univention-join -checkPrerequisites reported a problem. "
33	"Check /var/log/univention/join.log to see what went wrong."	35	"Output of check:\n\n"
34	))	36	) + "\n".join(messages) )
35		37
36		38
37	def receive_domaincontroller_master_information(dns, nameserver, address, username, password):	39	def receive_domaincontroller_master_information(dns, nameserver, address, username, password):

Lines 106-111 display_version() { Link Here

(-)a/management/univention-join/univention-join (-5 / +16 lines)
106	}	106	}
107		107
108	failed_message () {	108	failed_message () {
		109	{
109	echo ""	110	echo ""
110	echo ""	111	echo ""
111	echo "**************************************************************************"	112	echo "**************************************************************************"
Lines 114-119 failed_message () { Link Here
114	echo "**************************************************************************"	115	echo "**************************************************************************"
115	echo "* Message: Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- $@"	116	echo "* Message: Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- $@"
116	echo "**************************************************************************"	117	echo "**************************************************************************"
		118	} \| tee -a /var/log/univention/join.log
117	exit 1	119	exit 1
118	}	120	}
119		121
Lines 572-589 echo -n "Search LDAP binddn " Link Here
572		574
573	# First use udm to search the user DN	575	# First use udm to search the user DN
574	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \	576	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
575	/usr/sbin/udm users/user list --filter uid="$DCACCOUNT" --logfile /dev/null \| sed -ne 's\|^DN: \|\|p')"	577	/usr/sbin/udm users/user list --filter uid="$DCACCOUNT" --logfile /dev/null 2> >(tee -a /var/log/univention/join.log >&2) \| sed -ne 's\|^DN: \|\|p')"
576		578
577	if [ -z "$binddn" ]; then	579	if [ -z "$binddn" ]; then
578	# Next check is the local ldapi interface	580	echo "binddn search on ${DCNAME} with UDM failed" >>/var/log/univention/join.log
		581	# Next try ldapsearch with GSSAPI against OpenLDAP
579	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \	582	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
580	ldapsearch -x -LLL -H ldapi:/// "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn \| ldapsearch-wrapper \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p;s\|^DN: \|\|p')"	583	kinit --password-file=STDIN "${DCACCOUNT}" ldapsearch -Y GSSAPI -LLL -o ldif-wrap=no "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn <"$DCPWD" 2>/dev/null \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p;s\|^DN: \|\|p')"
581	fi	584	fi
582		585
583	if [ -z "$binddn" ]; then	586	if [ -z "$binddn" ]; then
584	# Check with anonymous bind	587	echo "binddn search on ${DCNAME} with GSSAPI failed" >>/var/log/univention/join.log
		588	# Next try the local ldapi interface, unlikely to succeed because only accessible for root
585	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \	589	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
586	ldapsearch -x -LLL "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn \| ldapsearch-wrapper \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p;s\|^DN: \|\|p')"	590	ldapsearch -x -LLL -o ldif-wrap=no -H ldapi:/// "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p;s\|^DN: \|\|p')"
		591	fi
		592
		593	if [ -z "$binddn" ]; then
		594	echo "binddn search on ${DCNAME} via LDAPI failed" >>/var/log/univention/join.log
		595	# Finally try anonymous bind, unlikely to succeed because anonymous bind is disabled by default
		596	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
		597	ldapsearch -x -LLL -o ldif-wrap=no "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p;s\|^DN: \|\|p')"
587	fi	598	fi
588		599
589	if [ -z "$binddn" ]; then	600	if [ -z "$binddn" ]; then