Univention Bugzilla – Attachment 5694 Details for Bug 28562: Join should store all IP- and MAC-addresses - currently uses wrong MAC for DHCP
[patch] Register all MAC and IP addresses + cleanup
28562_join.diff (text/plain), 81.58 KB, created by Philipp Hahn on 2013-12-12 09:23:42 CET
Flags: patch, obsolete
>From 52acb1c900e9ab05a23f103247a1c1e0996067ee Mon Sep 17 00:00:00 2001 >Message-Id: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Thu, 12 Dec 2013 09:13:25 +0100 >Subject: [PATCH 00/22] *** SUBJECT HERE *** >Organization: Univention GmbH, Bremen, Germany > >*** BLURB HERE *** > >Philipp Hahn (22): > Bug #31926: join: Timeout SSL download > Bug #33727: join: Fix indirect variable > Bug #28562: join: Fix UDM search failure detection > Bug #28562: join: Register all interfaces > Bug #28562: join: Fix output width > Bug #28562: join: Fix version comparison > Bug #28562: join: Refacture cache invalidation > Bug #28562: join: Refacture common secret code > Bug #28562: join: Refacture join script code > Bug #28562: join: Refacture listener reset > Bug #28562: join: Refacture SSL CA copying > Bug #28562: join: Refacture LDAP stop code > Bug #28562: join: Refacture Kerberos sync > Bug #28562: join: Refacture DNS SRV lookup > Bug #28562: join: Refacture join script calling code > Bug #28562: join: Harmonize UDM calling code > Bug #28562: join: Simplify to "ucr get" > Bug #28562: join: Use exit status directly > Bug #28562: join: Remove upper-case DN handling > Bug #28562: join: Cleanup redundant UCR set > Bug #28562: join: Remove password from commandline > Bug #28562: join: Misc cleanups > > .../management/univention-join/univention-join | 589 +++++++++------------ > .../univention-join/univention-run-join-scripts | 15 +- > .../univention-join/univention-server-join | 116 ++-- > 3 files changed, 312 insertions(+), 408 deletions(-) > >-- >1.8.4.rc3 > >From ba14c128123ca2191ebdda80b32e69c2a90c367f Mon Sep 17 00:00:00 2001 >Message-Id: <ba14c128123ca2191ebdda80b32e69c2a90c367f.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> 
>From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:29:24 +0100 >Subject: [PATCH 01/22] Bug #31926: join: Timeout SSL download >Organization: Univention GmbH, Bremen, Germany > >Limit SSL host certificate download to 5 minutes. >If no certificates exists, something is very wrong with the listener >and/or replication schema. >--- > .../management/univention-join/univention-join | 24 ++++++++++------------ > 1 file changed, 11 insertions(+), 13 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index 203c31f..967bce0 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -121,20 +121,27 @@ download_host_certificate () { > echo -n "Download host certificate " > local HOSTPWD="/etc/machine.secret" > local HOSTACCOUNT="$hostname\$" >- while true >+ local i delay=20 >+ for ((i=0;i<300;i+=delay)) # max 5 minutes > do > univention-scp "$HOSTPWD" -q -r \ > "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" \ > "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" \ > /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 >- [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ] && break >+ if [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ] >+ then >+ echo -e "\033[60Gdone" >+ return >+ fi > echo -n "." >- sleep 20 >+ sleep $delay > done > >- echo -e "\033[60Gdone" >+ echo "failed" >+ failed_message "failed to get host certificate" > } > >+ > check_ldap_tls_connection () { > echo -n "Check TLS connection " 
> >@@ -668,11 +675,6 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > > download_host_certificate > >- if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then >- echo "failed to get host certificate" >- failed_message "failed to get host certificate" >- fi >- > echo -n "Sync SSL settings: " > eval "$(univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/common ssl/email)" > univention-config-registry set \ >@@ -752,10 +754,6 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > > download_host_certificate > >- if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then >- failed_message "failed to get host certificate" >- fi >- > echo -n "Restart LDAP Server: " > /etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1 > echo -e "\033[60Gdone" >-- >1.8.4.rc3 > > >From fc2311eb89a18cb0b61c07afa982803016399383 Mon Sep 17 00:00:00 2001 >Message-Id: <fc2311eb89a18cb0b61c07afa982803016399383.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:35:08 +0100 >Subject: [PATCH 02/22] Bug #33727: join: Fix indirect variable >Organization: Univention GmbH, Bremen, Germany > >The name of the variable is built dynamically, which can not be resolved >in one step using bash. > >Calculate the variable name first and then de-reference it using the >bash indirect variable reference feature. > >(`eval` would have required adding one additional round of quotes.) >--- > .../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 5 +++-- > .../ucs-3.2-0/management/univention-join/univention-server-join | 3 ++- > 2 files changed, 5 insertions(+), 3 deletions(-) 
> >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index 967bce0..27e13c3 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -873,8 +873,9 @@ if [ -d /etc/runit/univention-directory-listener ]; then > /etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1 > fi > >-if [ "$interfaces_${interfaces_primary:-eth0}_type" != "dhcp" ]; then >- univention-config-registry commit /etc/resolv.conf >>/var/log/univention/join.log 2>&1 >+varname="interfaces_${interfaces_primary:-eth0}_type" >+if [ "${!varname}" != "dhcp" ]; then >+ univention-config-registry commit /etc/resolv.conf >>"$LOGFILE" 2>&1 > fi > > exit 0 >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >index 2af2c1e..89a0b6e 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >@@ -316,7 +316,8 @@ if [ -n "$IP" ]; then > subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)" > else > # Fallback >- subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$interfaces_${interfaces_primary:-eth0}_netmask" --output reverse --calcdns)" >+ varname="interfaces_${interfaces_primary:-eth0}_netmask" >+ subnet="$(univention-ipcalc6 --ip "$IP" --netmask "${!varname}" --output reverse --calcdns)" > fi > log 0 " Calculated subnet = $subnet" > >-- >1.8.4.rc3 
> > >From fadcb91d788dd8d68b4da213eb4c19c54f125a51 Mon Sep 17 00:00:00 2001 >Message-Id: <fadcb91d788dd8d68b4da213eb4c19c54f125a51.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:41:56 +0100 >Subject: [PATCH 03/22] Bug #28562: join: Fix UDM search failure detection >Organization: Univention GmbH, Bremen, Germany > >From man bash: >> The return status of a pipeline is the exit status of the last >> command, unless the pipefail option is enabled. > >Do that to detect a search failure. >--- > .../ucs-3.2-0/management/univention-join/univention-server-join | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >index 89a0b6e..72417ee 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >@@ -209,8 +209,8 @@ create_entry () { > local group="$5" > log 0 "Join $desc" > >- old_dn="$(univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" | sed -ne "s|^DN: ||p")" >- if [ $? -gt 0 ]; then >+ if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" | sed -ne "s|^DN: ||p")" >+ then > log 1 "E: failed search $desc [$old_dn]" > exit 1 > fi >-- >1.8.4.rc3 > > >From 824ef5e80e81a068752d47230f668b6097437d2d Mon Sep 17 00:00:00 2001 >Message-Id: <824ef5e80e81a068752d47230f668b6097437d2d.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> 
>From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:39:45 +0100 >Subject: [PATCH 04/22] Bug #28562: join: Register all interfaces >Organization: Univention GmbH, Bremen, Germany > >Register all MAC and IP addresses on domain-join. > >DNS entries are added for all IP addresses in the forward and reverse >DNS zone. > >Unused code for handling the DHCP entries is removed completely. >--- > .../management/univention-join/univention-join | 24 ++---- > .../univention-join/univention-server-join | 97 +++++++++------------- > 2 files changed, 49 insertions(+), 72 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index 27e13c3..418171c 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -487,21 +487,15 @@ else > args+=(-binddn "$binddn") > fi > >-# TODO: Support multiple network interfaces >-# Search for the standard IP: >-IP="$(get_default_ip_address)" >-if [ -n "$IP" ]; then >- args+=(-ip "$IP") >- if [ "${master_version:0:1}" -ge 3 ]; then >- NETMASK="$(get_default_netmask)" >- # Since UCS 3.0 it is possible to append the netmask >- args+=(-netmask "$NETMASK") >- fi >-fi >-mac_addr="$(LC_ALL=C ip link show | sed -rne 's|.*link/ether ([0-9a-fA-F:]+) brd .*|\1|p' | head -n1)" >-if [ -n "$mac_addr" ]; then >- args+=(-mac "$mac_addr") >-fi >+for ip in $(ip addr show scope global | sed -rne '/\<scope global\>/s|.*\<inet6? ([0-9a-f.:/]+)\>.*|\1|p') >+do >+ args+=(-ip "$ip") >+done >+for iface in /sys/class/net/* >+do >+ [ -L "${iface}/device" ] || continue >+ args+=(-mac "$(cat "${iface}/address")") >+done > > # invalidate the nscd hosts cache > # https://forge.univention.org/bugzilla/show_bug.cgi?id=30886 
>diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >index 72417ee..4c44087 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >@@ -94,7 +94,8 @@ log() { > fi > } > >-MAC="" >+MAC=() >+IP=() > BINDDN="" > BINDPWFILE="" > DOMAINNAME="" >@@ -117,7 +118,7 @@ do > shift 2 || exit 2 > ;; > "-ip") >- IP="${2:?missing IP address}" >+ IP+=("${2:?missing IP address}") > shift 2 || exit 2 > ;; > "-netmask") >@@ -129,7 +130,7 @@ do > shift 2 || exit 2 > ;; > "-mac") >- MAC="${2:?missing ethernet MAC address}" >+ MAC+=("${2:?missing ethernet MAC address}") > shift 2 || exit 2 > ;; > "-bindaccount") >@@ -208,6 +209,7 @@ create_entry () { > local primaryGroup="$4" > local group="$5" > log 0 "Join $desc" >+ local mac ip > > if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" | sed -ne "s|^DN: ||p")" > then 
>@@ -215,32 +217,44 @@ create_entry () { > exit 1 > fi > >- args=() >+ declare -a args=() >+ >+ for mac in "${MAC[@]}" >+ do >+ args+=(--set mac="$MAC") >+ done >+ >+ for ip in "${IP[@]}" >+ do >+ args+=(--set ip="${ip%/*}") >+ done >+ >+ # DNS >+ if [ -n "$IP" ] >+ then >+ forwardZone="$(univention-directory-manager dns/forward_zone list \ >+ --filter zone="$DOMAINNAME" \ >+ "${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')" >+ log 0 " forwardZone $forwardZone" >+ fi >+ for addr in "${IP[@]}" >+ do >+ local ip="${addr%/*}" prefix="${addr#*/}" >+ : "${prefix:=NETMASK}" >+ : "${prefix:=$(. /usr/share/univention-lib/base.sh && get_default_netmask)}" >+ local subnet="$(univention-ipcalc6 --ip "$ip" --netmask "$prefix" --calcdns --output reverse)" >+ local reverseZone="$(univention-directory-manager dns/reverse_zone list \ >+ --filter subnet="$subnet" \ >+ "${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')" >+ log 0 " reverseZone $reverseZone" >+ # UDM BUG: multiple --set don't work; --apend only prints a warning for modify; ignore old entries for now >+ [ -n "$reverseZone" ] && args+=(--append dnsEntryZoneReverse="$reverseZone $ip") >+ [ -n "$forwardZone" ] && args+=(--append dnsEntryZoneForward="$forwardZone $ip") >+ done >+ > if [ -z "$old_dn" ]; then > log 0 " Create new $desc " > >- if [ -n "$IP" ]; then >- args+=(--set ip="$IP") >- # DNS >- if [ -n "$forwardZone" ]; then >- args+=(--set dnsEntryZoneForward="$forwardZone") >- if [ -n "$reverseZone" ]; then >- args+=(--set dnsEntryZoneReverse="$reverseZone") >- fi >- fi >- fi >- if [ -n "$MAC" ]; then >- args+=(--set mac="$MAC") >- fi >- # DHCP >- case "$module" in >- computers/managedclient|computers/mobileclient) >- if [ -n "$dhcpEntry" ] && [ -n "$IP" ] && [ -n "$MAC" ]; then >- args+=(--set dhcpEntryZone="$dhcpEntry $IP $MAC") >- fi >- ;; >- esac >- > cmd=(univention-directory-manager "$module" create \ > --position "$position" \ > --set name="$NEWHOSTNAME" \ 
>@@ -283,12 +297,6 @@ create_entry () { > else > log 0 "Modify $desc [$old_dn]" > >- if [ -n "$MAC" ]; then >- args+=(--set mac="$MAC") >- fi >- if [ -n "$IP" ]; then >- args+=(--set ip="$IP") >- fi > rc="$(univention-directory-manager "$module" modify \ > --dn "$old_dn" \ > --set password="$computerPassword" \ >@@ -311,31 +319,6 @@ create_entry () { > fi > } > >-if [ -n "$IP" ]; then >- if [ -n "$NETMASK" ]; then >- subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)" >- else >- # Fallback >- varname="interfaces_${interfaces_primary:-eth0}_netmask" >- subnet="$(univention-ipcalc6 --ip "$IP" --netmask "${!varname}" --output reverse --calcdns)" >- fi >- log 0 " Calculated subnet = $subnet" >- >- forwardZone="$(univention-directory-manager dns/forward_zone list \ >- --filter zone="$DOMAINNAME" \ >- "${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')" >- reverseZone="$(univention-directory-manager dns/reverse_zone list \ >- --filter subnet="$subnet" \ >- "${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')" >- dhcpEntry="$(univention-directory-manager dhcp/service list \ >- --filter name="$DOMAINNAME" \ >- "${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')" >- >- log 0 " forwardZone $forwardZone" >- log 0 " reverseZone $reverseZone" >- log 0 " dhcpEntry $dhcpEntry" >-fi >- > computerPassword="$(create_machine_password)" > > case "$ROLE" in >-- >1.8.4.rc3 > > >From bfa8274683e55dd8afde9c29e56b055087c5a178 Mon Sep 17 00:00:00 2001 >Message-Id: <bfa8274683e55dd8afde9c29e56b055087c5a178.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> 
>From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:24:06 +0100 >Subject: [PATCH 05/22] Bug #28562: join: Fix output width >Organization: Univention GmbH, Bremen, Germany > >Declare log file name as global constant. > >Extend width to 80 columns to better handle long join script names.. > >Right-align done and failure messages to column 80. > >Add time stamp to log messages. >--- > .../management/univention-join/univention-join | 127 +++++++++++---------- > .../univention-join/univention-run-join-scripts | 15 ++- > 2 files changed, 78 insertions(+), 64 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index 418171c..a7ebb09 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -45,14 +45,23 @@ DCPWD="$USERTMP/dcpwd" > VERSION_CHECK=true > VERBOSE=false > >+LOGFILE="/var/log/univention/join.log" >+log () { >+ echo "$(LC_ALL=C date): $*" >>"$LOGFILE" >+} >+echo_right () { >+ local text="$*" >+ echo -e "\033[$((${COLUMNS:-80}-${#text}))G${text}" >+} >+ > trapOnExit() { > rm -rf "$USERTMP" > if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then > if [ -n "$old_listener_debug_level" ]; then >- ucr set listener/debug/level="$old_listener_debug_level" >>/var/log/univention/join.log 2>&1 >+ ucr set listener/debug/level="$old_listener_debug_level" >>"$LOGFILE" 2>&1 > fi > fi >- echo "$(LC_ALL=C date): finish $0" >>/var/log/univention/join.log 2>&1 >+ log "finish $0" > } > > trap trapOnExit EXIT 
>@@ -72,7 +81,7 @@ display_help() { > -realm <kerberos realm>: Kerberos realm, e.g. TEST.LOCAL > -windom <windows domain name>: Name of the windows (samba) domain > -disableVersionCheck Disable version check against _dcname_ >- -verbose Enable verbose logging (/var/log/univention/join.log) >+ -verbose Enable verbose logging ($LOGFILE) > > -h | --help | -?: Print this usage message and exit program > --version: Print version information and exit program >@@ -127,17 +136,17 @@ download_host_certificate () { > univention-scp "$HOSTPWD" -q -r \ > "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" \ > "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" \ >- /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 >+ /etc/univention/ssl/ >>"$LOGFILE" 2>&1 > if [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ] > then >- echo -e "\033[60Gdone" >+ echo_right "done" > return > fi > echo -n "." > sleep $delay > done > >- echo "failed" >+ echo_right "failed" > failed_message "failed to get host certificate" > } > >@@ -152,7 +161,7 @@ check_ldap_tls_connection () { > failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN." > fi > >- echo -e "\033[60Gdone" >+ echo_right "done" > } > > run_join_scripts () { 
>@@ -163,17 +172,17 @@ run_join_scripts () { > test -e "$i" || continue > echo -n "Configure $(basename "$i") " > [ -n "$SIMPLEGUI" ] && echo >- echo "Configure $(basename "$i") $(LC_ALL=C date)" >>/var/log/univention/join.log >+ log "Configure $(basename "$i")" > bashVerbose="" > if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then > bashVerbose="bash -x" > fi >- $bashVerbose "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1 >+ $bashVerbose "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1 > if [ $? -ne 0 ]; then >- echo -e "\033[60Gfailed" >+ echo_right "failed" > failed_message "FAILED: $(basename "$i")" > else >- echo -e "\033[60Gdone" >+ echo_right "done" > delete_unjoinscript "$(basename "$i")" > fi > if [ "$server_role" = "domaincontroller_slave" -o "$server_role" = "domaincontroller_backup" ]; then >@@ -216,7 +225,7 @@ run_join_scripts () { > } > > # log univention-join call >-echo "$(LC_ALL=C date): starting $0 $*" >>/var/log/univention/join.log 2>&1 >+log "starting $0 $*" > > while [ $# -gt 0 ] > do >@@ -280,14 +289,14 @@ done > > # verbose logging for univention-join and listener > if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then >- exec 2>>/var/log/univention/join.log >+ exec 2>>"$LOGFILE" > set -x > if [ -n "$listener_debug_level" ]; then > old_listener_debug_level="$listener_debug_level" > else > old_listener_debug_level="2" > fi >- ucr set listener/debug/level=4 >>/var/log/univention/join.log 2>&1 >+ ucr set listener/debug/level=4 >&2 > listener_debug_level=4 > fi 
> >@@ -325,13 +334,13 @@ if [ -z "$DCNAME" ]; then > echo -n "Search DC Master: " > DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" > if [ -n "$DCNAME" ]; then >- echo -e "\033[60Gdone" >+ echo_right "done" > else > for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do > if [ -z "$i" ]; then continue; fi > DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" > if [ -n "$DCNAME" ]; then >- echo -e "\033[60Gdone" >+ echo_right "done" > echo "domain $domainname" >/etc/resolv.conf > echo "nameserver $i" >>/etc/resolv.conf > test -x /etc/init.d/nscd && /etc/init.d/nscd restart >>/var/log/univention/join.log 2>&1 >@@ -352,7 +361,7 @@ if ! ping -c 1 "$DCNAME" >/dev/null 2>&1 && ! ping6 -c 1 "$DCNAME" >/dev/null 2> > failed_message "ping to $DCNAME failed" > fi > >-if ! univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" echo ssh-check 2>>/var/log/univention/join.log | grep -qs ssh-check >+if ! univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" echo ssh-check 2>>"$LOGFILE" | grep -qs ssh-check > then > failed_message "ssh-login for ${DCACCOUNT}@${DCNAME} failed. Maybe you entered a wrong password." > fi >@@ -380,7 +389,7 @@ done > IFS=$OLDIFS > > # check join constraints >-echo "running version check" >>/var/log/univention/join.log >+log "running version check" > > mystatus="no" > if [ -n "$master_version" -a -n "$master_patchlevel" ]; then 
>@@ -395,28 +404,28 @@ if [ "no" = "$mystatus" ]; then > if $VERSION_CHECK; then > failed_message "$vmsg" > else >- echo "$vmsg Continuing anyway as requested with option (-disableVersionCheck)." >>/var/log/univention/join.log >+ log "$vmsg Continuing anyway as requested with option (-disableVersionCheck)." > fi > else >- echo "OK: UCS version on ${DCNAME} is higher or equal ($vmaster) to the local version ($vmyself)." >>/var/log/univention/join.log >+ log "OK: UCS version on ${DCNAME} is higher or equal ($vmaster) to the local version ($vmyself)." > fi > >-echo -e "\033[60Gdone" >+echo_right "done" > > if [ -x /etc/init.d/slapd ]; then > echo -n "Stop LDAP Server: " >- /etc/init.d/slapd stop >>/var/log/univention/join.log 2>&1 >- echo -e "\033[60Gdone" >+ /etc/init.d/slapd stop >>"$LOGFILE" 2>&1 >+ echo_right "done" > fi > > if [ -x /etc/init.d/samba4 ]; then > echo -n "Stop Samba 4 Server: " > if [ "$dns_backend" = "samba4" ]; then >- ucr set dns/backend=ldap >>/var/log/univention/join.log 2>&1 >- /etc/init.d/bind9 restart >>/var/log/univention/join.log 2>&1 >+ ucr set dns/backend=ldap >>"$LOGFILE" 2>&1 >+ /etc/init.d/bind9 restart >>"$LOGFILE" 2>&1 > fi >- /etc/init.d/samba4 stop >>/var/log/univention/join.log 2>&1 >- echo -e "\033[60Gdone" >+ /etc/init.d/samba4 stop >>"$LOGFILE" 2>&1 >+ echo_right "done" > fi > > if [ -z "$LDAPBASE" ]; then >@@ -428,15 +437,15 @@ fi > > if [ -n "$ldap_base" ]; then > univention-config-registry set ldap/base="$ldap_base" >/dev/null 2>&1 >- echo -e "\033[60Gdone" >+ echo_right "done" > else > failed_message "Failed to determine ldap/base." > fi > > if [ -x /etc/init.d/slapd ]; then > echo -n "Start LDAP Server: " >- /etc/init.d/slapd start >>/var/log/univention/join.log 2>&1 >- echo -e "\033[60Gdone" >+ /etc/init.d/slapd start >>"$LOGFILE" 2>&1 >+ echo_right "done" > fi > > echo -n "Search LDAP binddn " 
>@@ -460,7 +469,7 @@ fi > if [ -z "$binddn" ]; then > failed_message "binddn for user $DCACCOUNT not found. " > else >- echo -e "\033[60Gdone" >+ echo_right "done" > fi > > if [ $server_role != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ]; then >@@ -470,7 +479,7 @@ fi > if [ -x /usr/bin/rdate ]; then > echo -n "Sync time " > /usr/bin/rdate "$DCNAME" >/dev/null 2>&1 >- echo -e "\033[60Gdone" >+ echo_right "done" > fi > > args=() >@@ -506,15 +515,15 @@ args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname") > # Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely > univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ > 'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \ >- "$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>/var/log/univention/join.log >+ "$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>"$LOGFILE" > res_message="$(sed -n '/^E:/ { s/^E:\s*// p }' "$USERTMP/log")" > if [ -z "$res_message" ]; then >- echo -e "\033[60Gdone" >+ echo_right "done" > fi > > if [ -s "$USERTMP/log" ] > then >- echo "Join result = [$(<"$USERTMP/log")]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>/var/log/univention/join.log >+ echo "Join result = [$(<"$USERTMP/log")]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>"$LOGFILE" > > #try to get password > kpwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")" >@@ -540,7 +549,7 @@ then > > ldap_dn="$(sed -ne 's|^ldap_dn="\(.*\)" *|\1|p' <"$USERTMP/log")" > if [ -n "$ldap_dn" ]; then >- univention-config-registry set ldap/hostdn="$ldap_dn" >>/var/log/univention/join.log 2>&1 >+ univention-config-registry set ldap/hostdn="$ldap_dn" >>"$LOGFILE" 2>&1 > else > failed_message "No LDAP Host DN returned" > fi 
>@@ -602,13 +611,13 @@ set_kerberos_realm () { > local DCNAME="$3" > local realm="$4" > if [ -z "$realm" ]; then >- realm="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" '/usr/sbin/univention-config-registry get kerberos/realm')" >>/var/log/univention/join.log 2>&1 >+ realm="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" '/usr/sbin/univention-config-registry get kerberos/realm')" >>"$LOGFILE" 2>&1 > if [ $? != 0 -o -z "$realm" ]; then > echo "Unable to retrieve the kerberos realm. Try to use option -realm <kerberos/realm>" > exit 1 > fi > fi >- univention-config-registry set kerberos/realm="$realm" >>/var/log/univention/join.log 2>&1 >+ univention-config-registry set kerberos/realm="$realm" >>"$LOGFILE" 2>&1 > } > > set_windows_domain () { >@@ -619,13 +628,13 @@ set_windows_domain () { > local windom="$4" > > if [ -z "$windom" ]; then >- windom="$(univention-ssh "$dcpwd" "${dcaccount}@${dcname}" '/usr/sbin/univention-config-registry get windows/domain')" >>/var/log/univention/join.log 2>&1 >+ windom="$(univention-ssh "$dcpwd" "${dcaccount}@${dcname}" '/usr/sbin/univention-config-registry get windows/domain')" >>"$LOGFILE" 2>&1 > if [ $? != 0 -o -z "$windom" ]; then > echo "Unable to retrieve the windows/domain. Try to use option -windom <windows/domain>" > exit 1 > fi > fi >- univention-config-registry set windows/domain="$windom" >>/var/log/univention/join.log 2>&1 >+ univention-config-registry set windows/domain="$windom" >>"$LOGFILE" 2>&1 > } > > if [ "$server_role" = "domaincontroller_backup" ]; then 
>@@ -638,14 +647,14 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > if [ ! -e "/etc/ldap.secret" ]; then > failed_message "/etc/ldap.secret not found" > fi >- echo -e "\033[60Gdone" >+ echo_right "done" > > echo -n "Sync ldap-backup.secret: " > univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1 > if [ ! -e "/etc/ldap-backup.secret" ]; then > failed_message "/etc/ldap-backup.secret not found" > fi >- echo -e "\033[60Gdone" >+ echo_right "done" > > univention-config-registry set \ > ldap/server/name="$hostname.$domainname" \ >@@ -654,11 +663,11 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > ldap/master="$DCNAME" \ > ldap/master/port?7389 \ > ldap/server/type=slave \ >- >>/var/log/univention/join.log 2>&1 >+ >>"$LOGFILE" 2>&1 > > echo -n "Sync SSL directory: " >- univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 >- echo -e "\033[60Gdone" >+ univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>"$LOGFILE" 2>&1 >+ echo_right "done" > > # prevent join from failing if umask is modified (Bug #21587) > chmod 755 /etc/univention/ssl 
>@@ -679,17 +688,17 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > ssl/organizationalunit="$ssl_organizationalunit" \ > ssl/common="$ssl_common" \ > ssl/email="$ssl_email" \ >- >>/var/log/univention/join.log 2>&1 >- echo -e "\033[60Gdone" >+ >>"$LOGFILE" 2>&1 >+ echo_right "done" > > echo -n "Restart LDAP Server: " > /etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1 >- echo -e "\033[60Gdone" >+ echo_right "done" > > #TODO: implement a real sync > echo -n "Sync Kerberos settings: " > univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 >- echo -e "\033[60Gdone" >+ echo_right "done" > > > # invalidate the nscd hosts cache >@@ -699,7 +708,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > ldap/server/name?"$DCNAME" \ > ldap/master?"$DCNAME" \ > kerberos/adminserver?"$DCNAME" \ >- >>/var/log/univention/join.log 2>&1 >+ >>"$LOGFILE" 2>&1 > set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" > eval "$(univention-config-registry shell)" >@@ -722,7 +731,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > > univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1 > >- echo -e "\033[60Gdone" >+ echo_right "done" > > univention-config-registry set \ > ldap/server/name="$hostname.$domainname" \ >@@ -731,7 +740,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > ldap/master="$DCNAME" \ > ldap/master/port?7389 \ > ldap/server/type=slave \ >- >>/var/log/univention/join.log 2>&1 >+ >>"$LOGFILE" 2>&1 > > mkdir -p /etc/univention/ssl/ucsCA > univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 
>@@ -750,11 +759,11 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > > echo -n "Restart LDAP Server: " > /etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1 >- echo -e "\033[60Gdone" >+ echo_right "done" > > echo -n "Sync Kerberos settings: " > univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 >- echo -e "\033[60Gdone" >+ echo_right "done" > > mkdir -p /var/lib/univention-ldap/notify/ > >@@ -765,7 +774,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > ldap/server/name?"$DCNAME" \ > ldap/master?"$DCNAME" \ > kerberos/adminserver?"$DCNAME" \ >- >>/var/log/univention/join.log 2>&1 >+ >>"$LOGFILE" 2>&1 > set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" > echo -n "0" >/var/lib/univention-ldap/schema/id/id >@@ -807,7 +816,7 @@ elif [ "$server_role" = "memberserver" ]; then > ldap/master?"$DCNAME" \ > ldap/master/port?7389 \ > kerberos/adminserver?"$DCNAME" \ >- >>/var/log/univention/join.log 2>&1 >+ >>"$LOGFILE" 2>&1 > set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" > touch /var/univention-join/joined >@@ -845,7 +854,7 @@ else > ldap/master/port?7389 \ > kerberos/adminserver="$DCNAME" \ > nsswitch/ldap=yes \ >- >>/var/log/univention/join.log 2>&1 >+ >>"$LOGFILE" 2>&1 > set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" > grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf 
>@@ -859,12 +868,12 @@ else > fi > > if [ -d /etc/runit/univention-directory-notifier ]; then >- /etc/init.d/univention-directory-notifier restart >>/var/log/univention/join.log 2>&1 >+ /etc/init.d/univention-directory-notifier restart >>"$LOGFILE" 2>&1 > sleep 3 > fi > > if [ -d /etc/runit/univention-directory-listener ]; then >- /etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1 >+ /etc/init.d/univention-directory-listener restart >>"$LOGFILE" 2>&1 > fi > > varname="interfaces_${interfaces_primary:-eth0}_type" >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-run-join-scripts b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-run-join-scripts >index 462c1dd..0fc06e2 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-run-join-scripts >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-run-join-scripts >@@ -79,6 +79,11 @@ failed_message () { > exit 1 > } > >+echo_right () { >+ local text="$*" >+ echo -e "\033[$((${COLUMNS:-80}-${#text}))G${text}" >+} >+ > while [ $# -gt 0 ] > do > case "$1" in >@@ -177,7 +182,7 @@ if [ ! "$server_role" = "domaincontroller_master" ] || [ -n "$ASK_PASS" ] ; then > then > failed_message "Invalid credentials" > else >- echo -e "\033[60Gdone" >+ echo_right "done" > fi > fi > fi >@@ -222,12 +227,12 @@ then > echo "RUNNING $(basename "$i")" > > if ! joinscript_extern_init "$i"; then >- echo -e "\033[60Gskipped (invalid joinscript)" >&3 >+ echo_right "skipped (invalid joinscript)" >&3 > echo "EXITCODE=invalid_joinscript" > continue > fi > if joinscript_check_already_executed && [ -z "$JOIN_FORCE" ]; then >- echo -e "\033[60Gskipped (already executed)" >&3 >+ echo_right "skipped (already executed)" >&3 > echo "EXITCODE=already_executed" > continue > fi 
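Review bot: `echo_right` in the `@@ -79,6 +79,11 @@` hunk computes the cursor column as `$((${COLUMNS:-80}-${#text}))`, which goes negative when `text` is longer than the terminal width and then emits an invalid `\033[-NG` sequence; clamp it, e.g. `local col=$((${COLUMNS:-80}-${#text})); [ "$col" -gt 0 ] || col=1`. Note also that `COLUMNS` is only set by interactive bash and is not exported, so from this script the 80 fallback is effectively always taken; that keeps the old `\033[60G` behaviour roughly intact but deserves a comment. The identical function already exists in univention-join (see `echo_right () {` in the `@@ -56,7 +56,7 @@` context of patch 15); if both scripts source `/usr/share/univention-lib/all.sh`, defining it once there would avoid the two copies drifting apart.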
>@@ -240,9 +245,9 @@ then > RET=$? > echo "EXITCODE=$RET" > if [ $RET != 0 ]; then >- echo -e "\033[60Gfailed (exitcode: $RET)" >&3 >+ echo_right "failed (exitcode: $RET)" >&3 > else >- echo -e "\033[60Gdone" >&3 >+ echo_right "done" >&3 > delete_unjoinscript "$(basename "$i")" > fi > done >-- >1.8.4.rc3 > > >From c71716a99f40d457e02e2cd69f7faf58f6463590 Mon Sep 17 00:00:00 2001 >Message-Id: <c71716a99f40d457e02e2cd69f7faf58f6463590.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 20:12:27 +0100 >Subject: [PATCH 06/22] Bug #28562: join: Fix version comparison >Organization: Univention GmbH, Bremen, Germany > >Fix bug in version comparison, where "version/version" is concatenated >with "version/patchlevel" without a separater, which makes "3.1-10" less >than "3.10-0". > >Removed unused release name fetch. >--- > .../management/univention-join/univention-join | 26 +++++----------------- > 1 file changed, 5 insertions(+), 21 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index a7ebb09..67e77b2 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
>@@ -367,27 +367,11 @@ then > fi > > >-# get master versions >-versions="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr search --brief ^version/)" >-OLDIFS=$IFS >-IFS=$'\n' >-for i in $versions; do >- key=${i%%: *} >- value=${i#*: } >- case "$key" in >- "version/version") >- master_version="$value" >- ;; >- "version/patchlevel") >- master_patchlevel="$value" >- ;; >- "version/releasename") >- master_releasename="$value" >- ;; >- esac >-done >-IFS=$OLDIFS >- >+get_master_version () { >+ local version_version version_patchlevel >+ eval "$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr shell version/version version/patchlevel)" >+ echo "${version_version}.${version_patchlevel}" >+} > # check join constraints > log "running version check" > >-- >1.8.4.rc3 > > >From 0a4a3286420d6d170544ce562422ae28f37ae95c Mon Sep 17 00:00:00 2001 >Message-Id: <0a4a3286420d6d170544ce562422ae28f37ae95c.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:46:21 +0100 >Subject: [PATCH 07/22] Bug #28562: join: Refacture cache invalidation >Organization: Univention GmbH, Bremen, Germany > >Just implement NSCD cache invalidation once. >--- > .../management/univention-join/univention-join | 28 ++++++++-------------- > 1 file changed, 10 insertions(+), 18 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index 67e77b2..d2dcf42 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
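Review bot: `get_master_version` in the `@@ -367,27 +367,11 @@` hunk is only defined; the removed loop ran inline and populated `master_version` and `master_patchlevel`, and the consumer after `log "running version check"` is not part of the hunk, so make sure it now uses `$(get_master_version)` or the check will compare empty strings. Two further points: the function `eval`s the text returned by the remote `ucr shell` instead of string-parsing `key: value` pairs, so whatever host currently resolves as `DCNAME` gets to supply shell code that runs locally before `check_ldap_tls_connection` and the certificate handling have established any trust in that host; `ucr shell` quotes its values, but the wider contract should be stated in a comment. And the combined value `${version_version}.${version_patchlevel}` (e.g. `3.1.10`) only fixes the `3.1-10` versus `3.10-0` ordering from the commit message if the consumer compares component-wise (`dpkg --compare-versions` or similar), not as a plain string.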
>@@ -150,6 +150,11 @@ download_host_certificate () { > failed_message "failed to get host certificate" > } > >+invalidate_nscd_cache () { >+ # <https://forge.univention.org/bugzilla/show_bug.cgi?id=30886> >+ nscd -i hosts >+} >+ > > check_ldap_tls_connection () { > echo -n "Check TLS connection " >@@ -490,13 +495,10 @@ do > args+=(-mac "$(cat "${iface}/address")") > done > >-# invalidate the nscd hosts cache >-# https://forge.univention.org/bugzilla/show_bug.cgi?id=30886 >-nscd -i hosts >- > echo -n "Join Computer Account: " > args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname") > # Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely >+invalidate_nscd_cache > univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ > 'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \ > "$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>"$LOGFILE" >@@ -684,10 +686,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 > echo_right "done" > >- >- # invalidate the nscd hosts cache >- nscd -i hosts >- >+ invalidate_nscd_cache > univention-config-registry set \ > ldap/server/name?"$DCNAME" \ > ldap/master?"$DCNAME" \ >@@ -751,9 +750,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > > mkdir -p /var/lib/univention-ldap/notify/ > >- # invalidate the nscd hosts cache >- nscd -i hosts >- >+ invalidate_nscd_cache > univention-config-registry set \ > ldap/server/name?"$DCNAME" \ > ldap/master?"$DCNAME" \ 
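Review bot: `invalidate_nscd_cache` in the `@@ -150,6 +150,11 @@` hunk calls `nscd -i hosts` unguarded, so on a host without nscd the call fails and its stderr goes to the terminal; since the `@@ -490,13 +495,10 @@` hunk moves the call below `echo -n "Join Computer Account: "`, any such message now lands in the middle of that progress line. Mirror the `[ -x /etc/init.d/nscd ] &&` guard used for the nscd restart in `find_dc` (patch 14), e.g. `command -v nscd >/dev/null 2>&1 && nscd -i hosts >>"$LOGFILE" 2>&1`.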
>@@ -791,9 +788,7 @@ elif [ "$server_role" = "memberserver" ]; then > >>/var/log/univention/join.log 2>&1 > grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf > >- # invalidate the nscd hosts cache >- nscd -i hosts >- >+ invalidate_nscd_cache > univention-config-registry set \ > ldap/server/name?"$DCNAME" \ > ldap/server/port?7389 \ >@@ -827,10 +822,7 @@ else > check_ldap_tls_connection > > download_host_certificate >- >- # invalidate the nscd hosts cache >- nscd -i hosts >- >+ invalidate_nscd_cache > univention-config-registry set \ > ldap/server/name="$DCNAME" \ > ldap/server/port?7389 \ >-- >1.8.4.rc3 > > >From 4b30a111f0edda14de95c38ce47097615e148792 Mon Sep 17 00:00:00 2001 >Message-Id: <4b30a111f0edda14de95c38ce47097615e148792.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:50:23 +0100 >Subject: [PATCH 08/22] Bug #28562: join: Refacture common secret code >Organization: Univention GmbH, Bremen, Germany > >Use common function to backup and download /etc/*.secret files. > >Add error handling to detect download failures. >--- > .../management/univention-join/univention-join | 60 ++++++++++------------ > 1 file changed, 26 insertions(+), 34 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index d2dcf42..b1b6aa2 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
>@@ -126,6 +126,28 @@ bashquote () { # quote arguments for eval > echo -n "${escaped[@]}" > } > >+fetch_secret () { >+ local name="/etc/${1}.secret" >+ backup_secret "$1" >+ echo -n "Sync ${name}: " >+ if univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:${name} ${name}" >>"$LOGIFLE" 2>&1 && >+ [ -s "${name}" ] >+ then >+ echo_right "done" >+ else >+ echo_right "failed" >+ failed_message "${name} not found" >+ fi >+} >+backup_secret () { >+ local name="/etc/${1}.secret" >+ if [ -e "${name}" ] >+ then >+ cat "${name}" >>"${name}.SAVE" >+ chmod 0600 "${name}.SAVE" >+ fi >+} >+ > download_host_certificate () { > echo -n "Download host certificate " > local HOSTPWD="/etc/machine.secret" >@@ -515,16 +537,10 @@ then > kpwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")" > > if [ -n "$kpwd" ]; then >- if [ -e /etc/machine.secret ]; then >- cat /etc/machine.secret >>/etc/machine.secret.SAVE >- fi >- >+ backup_secret "machine" > echo -n "$kpwd" >/etc/machine.secret > fromdos /etc/machine.secret > chmod 600 /etc/machine.secret >- if [ -e /etc/machine.secret.SAVE ]; then >- chmod 600 /etc/machine.secret.SAVE >- fi > else > if [ -n "$res_message" ]; then > failed_message "$res_message" 
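Review bot: `fetch_secret` in the `@@ -126,6 +126,28 @@` hunk redirects to `>>"$LOGIFLE"`, a typo for `LOGFILE`. With the variable unset the redirection target is the empty string, bash reports `No such file or directory` and does not run `univention-scp` at all, so the `&&` chain fails and every backup and slave join aborts with `/etc/ldap.secret not found`. Fix the spelling (a `set -u` or a shellcheck pass would flag it). Also worth a look: source and destination are passed as one argument, `"${DCACCOUNT}@${DCNAME}:${name} ${name}"`, whereas the backup code this replaces passed them as two arguments with `-q`; that relies on univention-scp splitting its argument on whitespace (the `--no-split` option seen in patch 07 suggests it does), so either say so in a comment or pass two arguments.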
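Review bot: in the `@@ -515,16 +537,10 @@` hunk the secret is still written with `echo -n "$kpwd" >/etc/machine.secret` and only afterwards `chmod 600`, so the file is briefly created under the process umask; since this block is being touched anyway, write it under a restrictive umask, e.g. `(umask 077; echo -n "$kpwd" >/etc/machine.secret)`. The same applies to `backup_secret`, where `cat "${name}" >>"${name}.SAVE"` creates the backup before `chmod 0600`, and where appending means the `.SAVE` file accumulates every previous secret across re-joins; rotating a single copy would limit what an attacker who reads that file obtains.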
>@@ -624,24 +640,8 @@ set_windows_domain () { > } > > if [ "$server_role" = "domaincontroller_backup" ]; then >- >- if [ -e "/etc/ldap.secret" ]; then cat /etc/ldap.secret >>/etc/ldap.secret.SAVE; fi >- if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi >- >- echo -n "Sync ldap.secret: " >- univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap.secret" /etc/ldap.secret >>/var/log/univention/join.log 2>&1 >- if [ ! -e "/etc/ldap.secret" ]; then >- failed_message "/etc/ldap.secret not found" >- fi >- echo_right "done" >- >- echo -n "Sync ldap-backup.secret: " >- univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1 >- if [ ! -e "/etc/ldap-backup.secret" ]; then >- failed_message "/etc/ldap-backup.secret not found" >- fi >- echo_right "done" >- >+ fetch_secret "ldap" >+ fetch_secret "ldap-backup" > univention-config-registry set \ > ldap/server/name="$hostname.$domainname" \ > ldap/server/ip="$IP" \ >@@ -707,15 +707,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > run_join_scripts > > elif [ "$server_role" = "domaincontroller_slave" ]; then >- >- echo -n "Sync ldap-backup.secret: " >- >- if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi >- >- univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1 >- >- echo_right "done" >- >+ fetch_secret "ldap-backup" > univention-config-registry set \ > ldap/server/name="$hostname.$domainname" \ > ldap/server/ip="$IP" \ >-- >1.8.4.rc3 > > >From 13a94ab98d8e382cc4f9fb9f1f64bc0bee41e551 Mon Sep 17 00:00:00 2001 >Message-Id: <13a94ab98d8e382cc4f9fb9f1f64bc0bee41e551.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> 
>From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:53:43 +0100 >Subject: [PATCH 09/22] Bug #28562: join: Refacture join script code >Organization: Univention GmbH, Bremen, Germany > >Move resetting the join status into common function to reduce code >duplication. >--- > .../management/univention-join/univention-join | 22 ++++------------------ > 1 file changed, 4 insertions(+), 18 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index b1b6aa2..085e157 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -192,6 +192,10 @@ check_ldap_tls_connection () { > } > > run_join_scripts () { >+ eval "$(univention-config-registry shell)" >+ >+ : > /var/univention-join/joined >+ ln -sf /var/univention-join/joined /usr/share/univention-join/.joined > > LC_COLLATE="C" > if test -d "/usr/lib/univention-install/"; then >@@ -694,13 +698,8 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > >>"$LOGFILE" 2>&1 > set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" >- eval "$(univention-config-registry shell)" >- > mkdir -p /var/lib/univention-ldap/notify/ > >- touch /var/univention-join/joined >- ln -sf /var/univention-join/joined /usr/share/univention-join/.joined >- > echo -n "0" >/var/lib/univention-ldap/schema/id/id > chown listener /var/lib/univention-ldap/schema/id/id 
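Review bot: the `@@ -192,6 +192,10 @@` hunk replaces `touch /var/univention-join/joined` with `: > /var/univention-join/joined`, which truncates the file instead of only updating its timestamp; if anything records state in that file this discards it on every re-join, so either keep `touch` or note in a comment that the file is intentionally empty. The hunk also moves `eval "$(univention-config-registry shell)"` into `run_join_scripts`, so it now runs for the slave and memberserver roles too, where the removed code did not call it; probably harmless, but it re-imports every UCR variable into the script's environment immediately before the join scripts are started, and the commit message only mentions the join-status reset.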
> >@@ -752,10 +751,6 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" > echo -n "0" >/var/lib/univention-ldap/schema/id/id > chown listener /var/lib/univention-ldap/schema/id/id >- >- touch /var/univention-join/joined >- ln -sf /var/univention-join/joined /usr/share/univention-join/.joined >- > run_join_scripts > > elif [ "$server_role" = "memberserver" ]; then >@@ -790,9 +785,6 @@ elif [ "$server_role" = "memberserver" ]; then > >>"$LOGFILE" 2>&1 > set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" >- touch /var/univention-join/joined >- ln -sf /var/univention-join/joined /usr/share/univention-join/.joined >- > run_join_scripts > > else >@@ -826,12 +818,6 @@ else > set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" > grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf >- >- touch /var/univention-join/joined >- ln -sf /var/univention-join/joined /usr/share/univention-join/.joined >- >- eval "$(univention-config-registry shell)" >- > run_join_scripts > fi > >-- >1.8.4.rc3 > > >From eff1b6b015f2dfc948a25ca5d8fabee3749f327a Mon Sep 17 00:00:00 2001 >Message-Id: <eff1b6b015f2dfc948a25ca5d8fabee3749f327a.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:54:44 +0100 >Subject: [PATCH 10/22] Bug #28562: join: Refacture listener reset >Organization: Univention GmbH, Bremen, Germany > >Implement function to reset listener LDAP schema once. >--- > .../ucs-3.2-0/management/univention-join/univention-join | 16 +++++++--------- > 1 file changed, 7 insertions(+), 9 deletions(-) 
> >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index 085e157..d6d5206 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -177,6 +177,11 @@ invalidate_nscd_cache () { > nscd -i hosts > } > >+reset_listener_schema () { >+ mkdir -p /var/lib/univention-ldap/notify/ >+ echo -n "0" >/var/lib/univention-ldap/schema/id/id >+ chown listener /var/lib/univention-ldap/schema/id/id >+} > > check_ldap_tls_connection () { > echo -n "Check TLS connection " >@@ -698,11 +703,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > >>"$LOGFILE" 2>&1 > set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" >- mkdir -p /var/lib/univention-ldap/notify/ >- >- echo -n "0" >/var/lib/univention-ldap/schema/id/id >- chown listener /var/lib/univention-ldap/schema/id/id >- >+ reset_listener_schema > run_join_scripts > > elif [ "$server_role" = "domaincontroller_slave" ]; then >@@ -739,8 +740,6 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 > echo_right "done" > >- mkdir -p /var/lib/univention-ldap/notify/ >- > invalidate_nscd_cache > univention-config-registry set \ > ldap/server/name?"$DCNAME" \ >@@ -749,8 +748,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > >>"$LOGFILE" 2>&1 > set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" >- echo -n "0" >/var/lib/univention-ldap/schema/id/id >- chown listener /var/lib/univention-ldap/schema/id/id >+ reset_listener_schema > run_join_scripts > > elif [ "$server_role" = "memberserver" ]; then >-- >1.8.4.rc3 
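Review bot: `reset_listener_schema` in the `@@ -177,6 +177,11 @@` hunk creates `/var/lib/univention-ldap/notify/` but then writes to `/var/lib/univention-ldap/schema/id/id` without ensuring that directory exists, and the result of `chown listener` is not checked; add `mkdir -p /var/lib/univention-ldap/schema/id` (or document that the package guarantees it) so the function is safe on a freshly installed host. For the slave role the `mkdir -p notify/` that used to run before `invalidate_nscd_cache` now runs after the UCR set, which is fine since nothing in between uses the directory, but it is a reordering the commit message does not mention.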
> > >From f2e917bb65e735557b66f5974bc1051ae156188b Mon Sep 17 00:00:00 2001 >Message-Id: <f2e917bb65e735557b66f5974bc1051ae156188b.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:56:58 +0100 >Subject: [PATCH 11/22] Bug #28562: join: Refacture SSL CA copying >Organization: Univention GmbH, Bremen, Germany > >Move function to copy CA certificate and fixing file permissions into >common function. >--- > .../management/univention-join/univention-join | 63 ++++++++-------------- > 1 file changed, 21 insertions(+), 42 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index d6d5206..ff7d6cb 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -648,6 +648,23 @@ set_windows_domain () { > univention-config-registry set windows/domain="$windom" >>"$LOGFILE" 2>&1 > } > >+copy_ucs_ca () { >+ mkdir -p /etc/univention/ssl/ucsCA >+ >+ univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>"$LOGFILE" 2>&1 >+ if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then >+ univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>"$LOGFILE" 2>&1 >+ fi >+ fix_ssl_permissions >+} >+ >+fix_ssl_permissions () { >+ # prevent join from failing if umask is modified (Bug #21587) >+ chmod 755 /etc/univention/ssl >+ chmod 755 /etc/univention/ssl/ucsCA >+ chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem >+} >+ > if [ "$server_role" = "domaincontroller_backup" ]; then > fetch_secret "ldap" > fetch_secret "ldap-backup" 
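Review bot: `copy_ucs_ca` in the `@@ -648,6 +648,23 @@` hunk never verifies that the download succeeded: the fallback is gated on `[ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]`, so a stale `CAcert.pem` left over from an earlier join, possibly of a different domain, silently satisfies the check when both scp calls fail, and the host proceeds into `check_ldap_tls_connection` with an outdated trust anchor. Check the scp exit status, or remove the old file first and call `failed_message` when neither path yields a non-empty file, in the style of `fetch_secret`. The `udsCA` spelling in the fallback path is deliberate legacy handling carried over from the removed code; a one-line comment saying so would spare the next reader a double take.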
>@@ -664,11 +681,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>"$LOGFILE" 2>&1 > echo_right "done" > >- # prevent join from failing if umask is modified (Bug #21587) >- chmod 755 /etc/univention/ssl >- chmod 755 /etc/univention/ssl/ucsCA >- chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem >- >+ fix_ssl_permissions > check_ldap_tls_connection > > download_host_certificate >@@ -716,18 +729,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > ldap/master/port?7389 \ > ldap/server/type=slave \ > >>"$LOGFILE" 2>&1 >- >- mkdir -p /etc/univention/ssl/ucsCA >- univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 >- if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then >- univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 >- fi >- >- # prevent join from failing if umask is modified (Bug #21587) >- chmod 755 /etc/univention/ssl >- chmod 755 /etc/univention/ssl/ucsCA >- chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem >- >+ copy_ucs_ca > check_ldap_tls_connection > > download_host_certificate 
>@@ -752,17 +754,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > run_join_scripts > > elif [ "$server_role" = "memberserver" ]; then >- mkdir -p /etc/univention/ssl/ucsCA >- univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 >- if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then >- univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 >- fi >- >- # prevent join from failing if umask is modified (Bug #21587) >- chmod 755 /etc/univention/ssl >- chmod 755 /etc/univention/ssl/ucsCA >- chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem >- >+ copy_ucs_ca > check_ldap_tls_connection > > download_host_certificate >@@ -787,20 +779,7 @@ elif [ "$server_role" = "memberserver" ]; then > > else > # Client and Mobile Client >- >- >- mkdir -p /etc/univention/ssl/ucsCA >- >- univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 >- if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then >- univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 >- fi >- >- # prevent join from failing if umask is modified (Bug #21587) >- chmod 755 /etc/univention/ssl >- chmod 755 /etc/univention/ssl/ucsCA >- chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem >- >+ copy_ucs_ca > check_ldap_tls_connection > > download_host_certificate >-- >1.8.4.rc3 > > >From 71812f1285fe823188611a21ce83b7c5d46ab16e Mon Sep 17 00:00:00 2001 >Message-Id: <71812f1285fe823188611a21ce83b7c5d46ab16e.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> 
>From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 19:58:42 +0100 >Subject: [PATCH 12/22] Bug #28562: join: Refacture LDAP stop code >Organization: Univention GmbH, Bremen, Germany > >Move code to stop LDAP server into one function. >--- > .../ucs-3.2-0/management/univention-join/univention-join | 15 ++++++++------- > 1 file changed, 8 insertions(+), 7 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index ff7d6cb..ddb2784 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -665,6 +665,12 @@ fix_ssl_permissions () { > chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem > } > >+restart_ldap_server () { >+ echo -n "Restart LDAP Server: " >+ /etc/init.d/slapd restart >>"$LOGFILE" 2>&1 >+ echo_right "done" >+} >+ > if [ "$server_role" = "domaincontroller_backup" ]; then > fetch_secret "ldap" > fetch_secret "ldap-backup" >@@ -699,9 +705,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > >>"$LOGFILE" 2>&1 > echo_right "done" > >- echo -n "Restart LDAP Server: " >- /etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1 >- echo_right "done" >+ restart_ldap_server > > #TODO: implement a real sync > echo -n "Sync Kerberos settings: " >@@ -733,10 +737,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > check_ldap_tls_connection > > download_host_certificate >- >- echo -n "Restart LDAP Server: " >- /etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1 >- echo_right "done" >+ restart_ldap_server > > echo -n "Sync Kerberos settings: " > univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 >-- >1.8.4.rc3 
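Review bot: `restart_ldap_server` in the `@@ -665,6 +665,12 @@` hunk prints `done` unconditionally; if `/etc/init.d/slapd restart` fails the join continues and reports success on the console while the error is only in the log. Use the pattern from `fetch_secret`: `if /etc/init.d/slapd restart >>"$LOGFILE" 2>&1; then echo_right "done"; else echo_right "failed"; failed_message "slapd restart failed"; fi`.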
> > >From 24294316e99aeb9b3a6e91de68d4f0ae6b1edfe6 Mon Sep 17 00:00:00 2001 >Message-Id: <24294316e99aeb9b3a6e91de68d4f0ae6b1edfe6.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 20:00:10 +0100 >Subject: [PATCH 13/22] Bug #28562: join: Refacture Kerberos sync >Organization: Univention GmbH, Bremen, Germany > >Move shared code to download Kerberos tickets into common function. >--- > .../management/univention-join/univention-join | 20 +++++++++----------- > 1 file changed, 9 insertions(+), 11 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index ddb2784..bfadbba 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -671,6 +671,13 @@ restart_ldap_server () { > echo_right "done" > } > >+sync_kerberos_setting () { >+ #TODO: implement a real sync >+ echo -n "Sync Kerberos settings: " >+ univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>"$LOGFILE" 2>&1 >+ echo_right "done" >+} >+ > if [ "$server_role" = "domaincontroller_backup" ]; then > fetch_secret "ldap" > fetch_secret "ldap-backup" >@@ -706,12 +713,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > echo_right "done" > > restart_ldap_server >- >- #TODO: implement a real sync >- echo -n "Sync Kerberos settings: " >- univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 >- echo_right "done" >- >+ sync_kerberos_setting > invalidate_nscd_cache > univention-config-registry set \ > ldap/server/name?"$DCNAME" \ 
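Review bot: `sync_kerberos_setting` in the `@@ -671,6 +671,13 @@` hunk has the same unchecked exit status as `restart_ldap_server`: the `univention-scp ... /var/lib/heimdal-kdc/*` copy can fail and `done` is still printed, leaving the KDC without its database while the console reports success; report failure and abort instead. The refactor also adds `-q` to the backup-role call that previously ran without it (`@@ -706,12 +713,7 @@`), which only changes verbosity, and the function name is singular while the message says `settings`; pick one.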
>@@ -738,11 +740,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > > download_host_certificate > restart_ldap_server >- >- echo -n "Sync Kerberos settings: " >- univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 >- echo_right "done" >- >+ sync_kerberos_setting > invalidate_nscd_cache > univention-config-registry set \ > ldap/server/name?"$DCNAME" \ >-- >1.8.4.rc3 > > >From 76f8913a05afdfa781324dd092037887eb383b18 Mon Sep 17 00:00:00 2001 >Message-Id: <76f8913a05afdfa781324dd092037887eb383b18.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 20:14:33 +0100 >Subject: [PATCH 14/22] Bug #28562: join: Refacture DNS SRV lookup >Organization: Univention GmbH, Bremen, Germany > >Move code into function to improve code for readability. > >Extract common function to lookup DNS SRV RR. >--- > .../management/univention-join/univention-join | 42 ++++++++++++---------- > 1 file changed, 24 insertions(+), 18 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index bfadbba..f1db354 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
>@@ -366,30 +366,36 @@ if [ -z "$server_role" ]; then > fi > > >-if [ -z "$DCNAME" ]; then >+find_dc () { >+ [ -n "$DCNAME" ] && return >+ > echo -n "Search DC Master: " >- DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" >+ DCNAME="$(lookup_dns_srv)" > if [ -n "$DCNAME" ]; then > echo_right "done" >- else >- for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do >- if [ -z "$i" ]; then continue; fi >- DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" >- if [ -n "$DCNAME" ]; then >- echo_right "done" >- echo "domain $domainname" >/etc/resolv.conf >- echo "nameserver $i" >>/etc/resolv.conf >- test -x /etc/init.d/nscd && /etc/init.d/nscd restart >>/var/log/univention/join.log 2>&1 >- break >- fi >- done >+ return > fi >-fi > >-if [ -z "$DCNAME" ]; then >- failed_message "missing dns service record for _domaincontroller_master._tcp.$domainname" >-fi >+ for ns in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3" >+ do >+ [ -n "$i" ] || continue >+ DCNAME="$(lookup_dns_srv "$ns")" >+ [ -n "$DCNAME" ] || continue >+ >+ echo_right "done" >+ echo "domain $domainname" >/etc/resolv.conf >+ echo "nameserver $ns" >>/etc/resolv.conf >+ [ -x /etc/init.d/nscd ] && /etc/init.d/nscd restart >>"$LOGFILE" 2>&1 >+ return >+ done > >+ failed_message "missing dns service record for _domaincontroller_master._tcp.$domainname" >+} >+lookup_dns_srv () { >+ host -t SRV "_domaincontroller_master._tcp.$domainname" ${1:+"$1"} | >+ sed -ne '$s/.* \([^ ]\+\)\.$/\1/p' >+} >+find_dc > > echo -n "Check DC Master: " > >-- >1.8.4.rc3 
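Review bot: the loop in `find_dc` (`@@ -366,30 +366,36 @@`) iterates with `for ns in ...` but the guard on the next line reads `[ -n "$i" ] || continue`; `i` is not set in this function, so unless a stale `i` happens to be non-empty every nameserver is skipped and the fallback lookup never runs. It must be `[ -n "$ns" ] || continue`. Also, `find_dc` overwrites `/etc/resolv.conf` with whichever nameserver answered the SRV query; that is carried over from the removed code, but now that the function owns it, a comment that this persistently repoints the host's resolver is warranted.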
> > >From 6cfcb6359de32b3a5339e40691f16a9d3fbf259f Mon Sep 17 00:00:00 2001 >Message-Id: <6cfcb6359de32b3a5339e40691f16a9d3fbf259f.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 20:16:16 +0100 >Subject: [PATCH 15/22] Bug #28562: join: Refacture join script calling code >Organization: Univention GmbH, Bremen, Germany > >Extract the basename once and strip the suffix. > >Move common code for backup and slave to its own function to reduce code >duplication. > >Drop redundant "test -n" as as the VERBOSE variable is also compared to >a constant. Also initialize with empty value to simplify calling the >join scripts in bash verbose mode. > >Simplify new-line handling for SIMPLE-GUI mode. >--- > .../management/univention-join/univention-join | 101 +++++++++------------ > 1 file changed, 45 insertions(+), 56 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index f1db354..9fb48a4 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -38,12 +38,12 @@ eval "$(univention-config-registry shell)" > > . /usr/share/univention-lib/all.sh > >-SIMPLEGUI="" >+SIMPLEGUI="-n" > TYPE= > USERTMP="$(mktemp -d)" > DCPWD="$USERTMP/dcpwd" > VERSION_CHECK=true >-VERBOSE=false >+VERBOSE= > > LOGFILE="/var/log/univention/join.log" > log () { >@@ -56,7 +56,7 @@ echo_right () { > > trapOnExit() { > rm -rf "$USERTMP" >- if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then >+ if [ "$VERBOSE" = "true" ]; then > if [ -n "$old_listener_debug_level" ]; then > ucr set listener/debug/level="$old_listener_debug_level" >>"$LOGFILE" 2>&1 > fi 
>@@ -202,62 +202,51 @@ run_join_scripts () { > : > /var/univention-join/joined > ln -sf /var/univention-join/joined /usr/share/univention-join/.joined > >+ [ -d "/usr/lib/univention-install/" ] || return > LC_COLLATE="C" >- if test -d "/usr/lib/univention-install/"; then >- for i in /usr/lib/univention-install/*.{inst,uinst}; do >- test -e "$i" || continue >- echo -n "Configure $(basename "$i") " >- [ -n "$SIMPLEGUI" ] && echo >- log "Configure $(basename "$i")" >- bashVerbose="" >- if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then >- bashVerbose="bash -x" >- fi >- $bashVerbose "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1 >- if [ $? -ne 0 ]; then >- echo_right "failed" >- failed_message "FAILED: $(basename "$i")" >- else >- echo_right "done" >- delete_unjoinscript "$(basename "$i")" >+ for i in /usr/lib/univention-install/*.{inst,uinst}; do >+ [ -e "$i" ] || continue >+ local basename="$(basename "${i%.*}")" >+ echo $SIMPLEGUI "Configure $basename " >+ log "Configure $basename" >+ if ! ${VERBOSE+bash -x} "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1 >+ then >+ echo_right "failed" >+ failed_message "FAILED: $basename" >+ else >+ echo_right "done" >+ delete_unjoinscript "$basename" >+ fi >+ if [ "$basename" = "03univention-directory-listener.inst" ]; then >+ # check failed.ldif >+ if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then >+ failed_message "FAILED: failed.ldif exists." > fi >- if [ "$server_role" = "domaincontroller_slave" -o "$server_role" = "domaincontroller_backup" ]; then >- >- # check failed.ldif >- if [ "$(basename "$i")" = "03univention-directory-listener.inst" ]; then >- if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then >- failed_message "FAILED: failed.ldif exists." 
>- fi >- >- # backup >- if [ "$server_role" = "domaincontroller_backup" ]; then >- univention-scp "$DCPWD" -r \ >- "${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \ >- "$USERTMP/tlog" >/dev/null 2>&1 >- if [ ! -e "$USERTMP/tlog" ]; then >- failed_message " FAILED: failed do copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again." >- fi >- >- id="$(</var/lib/univention-directory-listener/notifier_id)" >- awk -F ' ' '{ if ( $1 <= '$id') print }' "$USERTMP/tlog" >/var/lib/univention-ldap/notify/transaction >- fi >- >- # slave >- if [ "$server_role" = "domaincontroller_slave" ]; then >- if [ -n "$listener_supply_notifier" -a "$listener_supply_notifier" = "yes" ]; then >- univention-scp "$DCPWD" -q \ >- "${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \ >- "$USERTMP/tlog" >/dev/null 2>&1 >- id="$(</var/lib/univention-directory-listener/notifier_id)" >- awk -F ' ' '{ if ( $1 <= '$id') print }' "$USERTMP/tlog" >/var/lib/univention-ldap/notify/transaction >- fi >- >- fi >+ case "$server_role" in >+ domaincontroller_backup) >+ copy_transaction_log >+ ;; >+ domaincontroller_slave) >+ if [ "$listener_supply_notifier" = "yes" ]; then >+ copy_transaction_log > fi >- fi >- done >+ ;; >+ esac >+ fi >+ done >+} >+ >+copy_transaction_log () { >+ univention-scp "$DCPWD" -r \ >+ "${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \ >+ "$USERTMP/tlog" >/dev/null 2>&1 >+ if [ ! -e "$USERTMP/tlog" ]; then >+ failed_message " FAILED: failed do copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again." > fi > >+ local id >+ read id </var/lib/univention-directory-listener/notifier_id >+ awk -F ' ' '{ if ( $1 <= '$id') print }' "$USERTMP/tlog" >/var/lib/univention-ldap/notify/transaction > } > > # log univention-join call 
>@@ -298,7 +287,7 @@ do > "-simplegui") > # output simpler gui for univention-installer to be able to parse output > shift >- SIMPLEGUI="yes" >+ SIMPLEGUI= > ;; > "-disableVersionCheck") > shift >@@ -324,7 +313,7 @@ do > done > > # verbose logging for univention-join and listener >-if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then >+if [ "$VERBOSE" = "true" ]; then > exec 2>>"$LOGFILE" > set -x > if [ -n "$listener_debug_level" ]; then >-- >1.8.4.rc3 > > >From 257da8a37327a317e6d62c68a32b7594f3d8a84a Mon Sep 17 00:00:00 2001 >Message-Id: <257da8a37327a317e6d62c68a32b7594f3d8a84a.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 20:19:30 +0100 >Subject: [PATCH 16/22] Bug #28562: join: Harmonize UDM calling code >Organization: Univention GmbH, Bremen, Germany > >Build the command first, then execute it. This helped in debugging. >--- > .../ucs-3.2-0/management/univention-join/univention-server-join | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >index 4c44087..9a5073b 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join 
>@@ -297,12 +297,14 @@ create_entry () { > else > log 0 "Modify $desc [$old_dn]" > >- rc="$(univention-directory-manager "$module" modify \ >+ cmd=(univention-directory-manager "$module" modify \ > --dn "$old_dn" \ > --set password="$computerPassword" \ > --set domain="$DOMAINNAME" \ >- "${args[@]}" "${ADMINOPTIONS[@]}")" >- if [ $? -gt 0 ]; then >+ "${args[@]}" "${ADMINOPTIONS[@]}") >+ #log 0 "${cmd[@]}" >+ if ! rc="$("${cmd[@]}")" >+ then > log 1 "E: failed to modify $desc $old_dn [$rc]" > exit 1 > fi >-- >1.8.4.rc3 > > >From 5c9fa0e891015a11a64d32e81186c4671045e5fa Mon Sep 17 00:00:00 2001 >Message-Id: <5c9fa0e891015a11a64d32e81186c4671045e5fa.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 20:23:20 +0100 >Subject: [PATCH 17/22] Bug #28562: join: Simplify to "ucr get" >Organization: Univention GmbH, Bremen, Germany > >Use "ucr get" instead of "ucr search | sed". >--- > branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index 9fb48a4..d692996 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -445,7 +445,7 @@ fi > > if [ -z "$LDAPBASE" ]; then > echo -n "Search ldap/base" >- ldap_base="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr search --brief ^ldap/base$ | sed -ne 's|^ldap/base: ||p')" >+ ldap_base="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr get ldap/base)" > else > ldap_base="$LDAPBASE" > fi >-- >1.8.4.rc3 
> > >From dc0c1e0db60a12f049e743125c0b6772a5ac652c Mon Sep 17 00:00:00 2001 >Message-Id: <dc0c1e0db60a12f049e743125c0b6772a5ac652c.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 20:22:28 +0100 >Subject: [PATCH 18/22] Bug #28562: join: Use exit status directly >Organization: Univention GmbH, Bremen, Germany > >Directly use the command in the if statement instead of evaluating $?. >--- > branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 4 ++-- > .../ucs-3.2-0/management/univention-join/univention-server-join | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index d692996..3fd89ec 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -188,8 +188,8 @@ check_ldap_tls_connection () { > > eval "$(ucr shell ldap/master/port)" > >- ldapsearch -x -ZZ -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")" dn >/dev/null >- if [ $? != 0 ]; then >+ if ! ldapsearch -x -ZZ -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")" dn >/dev/null >+ then > failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN." > fi > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >index 9a5073b..58f87cd 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join 
>@@ -285,11 +285,11 @@ create_entry () { > echo "ldap_dn=\"$ldap_dn\"" > > if [ -n "$group" ]; then >- rc="$(univention-directory-manager groups/group modify \ >+ if ! rc="$(univention-directory-manager groups/group modify \ > --dn="$group" \ > --append users="$ldap_dn" \ > "${ADMINOPTIONS[@]}")" >- if [ $? -gt 0 ]; then >+ then > log 1 "E: failed to modify groups/group for $desc [$rc]" > exit 1 > fi >-- >1.8.4.rc3 > > >From ffda22cb5a8a437dd57b04fa8bfc077d14eed0ac Mon Sep 17 00:00:00 2001 >Message-Id: <ffda22cb5a8a437dd57b04fa8bfc077d14eed0ac.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 20:27:38 +0100 >Subject: [PATCH 19/22] Bug #28562: join: Remove upper-case DN handling >Organization: Univention GmbH, Bremen, Germany > >ldapsearch does never return an uppercase DN, so drop the variant. >--- > branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index 3fd89ec..db14f7c 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
>@@ -472,13 +472,13 @@ binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ > if [ -z "$binddn" ]; then > # Next check is the local ldapi interface > binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ >- ldapsearch -x -LLL -H ldapi:/// "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p;s|^DN: ||p')" >+ ldapsearch -x -LLL -H ldapi:/// "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p')" > fi > > if [ -z "$binddn" ]; then > # Check with anonymous bind > binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ >- ldapsearch -x -LLL "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p;s|^DN: ||p')" >+ ldapsearch -x -LLL "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p')" > fi > > if [ -z "$binddn" ]; then >-- >1.8.4.rc3 > > >From e344a6f6bf9e3305b4828fa4155924094ae76f7b Mon Sep 17 00:00:00 2001 >Message-Id: <e344a6f6bf9e3305b4828fa4155924094ae76f7b.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 20:32:14 +0100 >Subject: [PATCH 20/22] Bug #28562: join: Cleanup redundant UCR set >Organization: Univention GmbH, Bremen, Germany > >The UCR variables are overwritten directly after that again, so drop the >first set. > >Move adding the UCS CA certificate to the ldap.conf file. >--- > .../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 8 +------- > 1 file changed, 1 insertion(+), 7 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index db14f7c..b92437c 100755 
>--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -752,13 +752,6 @@ elif [ "$server_role" = "memberserver" ]; then > check_ldap_tls_connection > > download_host_certificate >- >- univention-config-registry set \ >- ldap/master="$DCNAME" \ >- ldap/master/port?7389 \ >- >>/var/log/univention/join.log 2>&1 >- grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf >- > invalidate_nscd_cache > univention-config-registry set \ > ldap/server/name?"$DCNAME" \ >@@ -769,6 +762,7 @@ elif [ "$server_role" = "memberserver" ]; then > >>"$LOGFILE" 2>&1 > set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" >+ grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf > run_join_scripts > > else >-- >1.8.4.rc3 > > >From c2315f63991779e5d3a9c536f7c3d0b22d24249a Mon Sep 17 00:00:00 2001 >Message-Id: <c2315f63991779e5d3a9c536f7c3d0b22d24249a.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 20:26:16 +0100 >Subject: [PATCH 21/22] Bug #28562: join: Remove password from commandline >Organization: Univention GmbH, Bremen, Germany > >We verified, that the UCS version of the server is newer than the >current system, so the script can safely pass the password via a file >instead of the command line, where is is visible to other users. >--- > .../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 9 +-------- > .../ucs-3.2-0/management/univention-join/univention-server-join | 2 +- > 2 files changed, 2 insertions(+), 9 deletions(-) 
> >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index b92437c..c6b8814 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -502,14 +502,7 @@ args=() > if [ -n "$ldap_position" ]; then > args+=(-position "$ldap_position") > fi >- >- >-if [ "${master_version:0:1}" -lt 3 ]; then >- # UCS 2.x does not support the -binddn parameter >- args+=(-bindaccount "$DCACCOUNT") >-else >- args+=(-binddn "$binddn") >-fi >+args+=(-binddn "$binddn") > > for ip in $(ip addr show scope global | sed -rne '/\<scope global\>/s|.*\<inet6? ([0-9a-f.:/]+)\>.*|\1|p') > do >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >index 58f87cd..ac1f6f2 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >@@ -181,7 +181,7 @@ if [ -n "$BINDDN" ]; then > ADMINOPTIONS+=(--binddn "$BINDDN") > fi > if [ -n "$BINDPWFILE" ]; then >- ADMINOPTIONS+=(--bindpwd "$(<"$BINDPWFILE")") >+ ADMINOPTIONS+=(--bindpwdfile "$BINDPWFILE") > fi > > >-- >1.8.4.rc3 > > >From 52acb1c900e9ab05a23f103247a1c1e0996067ee Mon Sep 17 00:00:00 2001 >Message-Id: <52acb1c900e9ab05a23f103247a1c1e0996067ee.1386836005.git.hahn@univention.de> >In-Reply-To: <cover.1386836005.git.hahn@univention.de> >References: <cover.1386836005.git.hahn@univention.de> 
>From: Philipp Hahn <hahn@univention.de> >Date: Wed, 11 Dec 2013 22:51:59 +0100 >Subject: [PATCH 22/22] Bug #28562: join: Misc cleanups >Organization: Univention GmbH, Bremen, Germany > >Convert if-elif-else on server/role into switch statement. > >Use printf instead of "echo -n", which has issues. > >Remove un-needed "fromdos" calls. > >Remove several empty lines. >--- > .../management/univention-join/univention-join | 27 +++++++++++----------- > .../univention-join/univention-server-join | 2 +- > 2 files changed, 14 insertions(+), 15 deletions(-) > >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >index c6b8814..6adb183 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join >@@ -514,8 +514,9 @@ do > args+=(-mac "$(cat "${iface}/address")") > done > >-echo -n "Join Computer Account: " > args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname") >+ >+echo -n "Join Computer Account: " > # Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely > invalidate_nscd_cache > univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ >@@ -535,8 +536,7 @@ then > > if [ -n "$kpwd" ]; then > backup_secret "machine" >- echo -n "$kpwd" >/etc/machine.secret >- fromdos /etc/machine.secret >+ printf "%s" "$kpwd" >/etc/machine.secret > chmod 600 /etc/machine.secret > else > if [ -n "$res_message" ]; then >@@ -620,7 +620,6 @@ set_kerberos_realm () { > } > > set_windows_domain () { >- > local dcpwd="$1" > local dcaccount="$2" > local dcname="$3" >@@ -666,7 +665,8 @@ sync_kerberos_setting () { > echo_right "done" > } > >-if [ "$server_role" = "domaincontroller_backup" ]; then >+case "$server_role" in >+domaincontroller_backup) > fetch_secret "ldap" > fetch_secret "ldap-backup" > univention-config-registry set \ 
>@@ -684,7 +684,6 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > > fix_ssl_permissions > check_ldap_tls_connection >- > download_host_certificate > > echo -n "Sync SSL settings: " >@@ -712,8 +711,9 @@ if [ "$server_role" = "domaincontroller_backup" ]; then > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" > reset_listener_schema > run_join_scripts >+ ;; > >-elif [ "$server_role" = "domaincontroller_slave" ]; then >+domaincontroller_slave) > fetch_secret "ldap-backup" > univention-config-registry set \ > ldap/server/name="$hostname.$domainname" \ >@@ -725,7 +725,6 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > >>"$LOGFILE" 2>&1 > copy_ucs_ca > check_ldap_tls_connection >- > download_host_certificate > restart_ldap_server > sync_kerberos_setting >@@ -739,11 +738,11 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" > reset_listener_schema > run_join_scripts >+ ;; > >-elif [ "$server_role" = "memberserver" ]; then >+memberserver) > copy_ucs_ca > check_ldap_tls_connection >- > download_host_certificate > invalidate_nscd_cache > univention-config-registry set \ >@@ -757,12 +756,11 @@ elif [ "$server_role" = "memberserver" ]; then > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" > grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf > run_join_scripts >+ ;; > >-else >-# Client and Mobile Client >+*) # Client and Mobile Client > copy_ucs_ca > check_ldap_tls_connection >- > download_host_certificate > invalidate_nscd_cache > univention-config-registry set \ 
>@@ -777,7 +775,8 @@ else > set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" > grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf > run_join_scripts >-fi >+ ;; >+esac > > if [ -d /etc/runit/univention-directory-notifier ]; then > /etc/init.d/univention-directory-notifier restart >>"$LOGFILE" 2>&1 >diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >index ac1f6f2..3bc9bc7 100755 >--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join >@@ -286,7 +286,7 @@ create_entry () { > > if [ -n "$group" ]; then > if ! rc="$(univention-directory-manager groups/group modify \ >- --dn="$group" \ >+ --dn "$group" \ > --append users="$ldap_dn" \ > "${ADMINOPTIONS[@]}")" > then >-- >1.8.4.rc3 >
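Review bot: in PATCH 15/22, the `VERBOSE=` initialisation in the first hunk together with `${VERBOSE+bash -x}` in run_join_scripts switches `bash -x` on for every run, not only with -verbose. `${var+word}` substitutes `word` whenever `var` is set, and `VERBOSE=` sets it to an empty string, so the expansion is always `bash -x`; only the colon form `${VERBOSE:+bash -x}` tests for set-and-non-empty. Since every join script is invoked with `--bindpwd "$(<"$DCPWD")"` and its stderr goes to `>>"$LOGFILE" 2>&1`, any command inside a join script that expands that argument would be traced with the DC account password in clear into /var/log/univention/join.log on every join. Keep the empty default and use `${VERBOSE:+bash -x}`, or restore the explicit `bashVerbose` variable guarded by `[ "$VERBOSE" = "true" ]`.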
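Review bot: in PATCH 15/22, run_join_scripts hunk, the listener check can no longer match: `basename` is now `$(basename "${i%.*}")`, which strips the `.inst`/`.uinst` suffix, but the comparison below it is still `[ "$basename" = "03univention-directory-listener.inst" ]`, so the failed.ldif check and copy_transaction_log are never reached on backup and slave. Compare against `03univention-directory-listener`, or compare `$(basename "$i")` before stripping. The stripping also changes the argument of `delete_unjoinscript` from `foo.inst` to `foo` and makes `foo.inst` and `foo.uinst` indistinguishable there; please confirm delete_unjoinscript accepts the suffix-less form, otherwise pass the full name as before. In the new copy_transaction_log the slave path changes behaviour silently: the old slave branch used `univention-scp -q` and never checked for `$USERTMP/tlog`, the shared function uses `-r` and calls failed_message when the copy is missing, so a slave with listener/supply/notifier=yes now aborts where it used to continue; that is arguably right but belongs in the commit message. Finally, `'{ if ( $1 <= '$id') print }'` splices `$id` unquoted into the awk program; with an empty notifier_id file awk fails with a syntax error while the shell has already truncated /var/lib/univention-ldap/notify/transaction. Use `awk -v id="$id" '$1 <= id'` and check that `$id` is non-empty first.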
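Review bot: in PATCH 15/22, the `-simplegui` hunk inverts the meaning of the variable: SIMPLEGUI is `-n` by default and empty when -simplegui is given, so the name now says the opposite of what the value means, and `echo $SIMPLEGUI "Configure $basename "` relies on an unquoted expansion of an option flag. Name it after what it carries (for example `ECHO_N="-n"`), or keep SIMPLEGUI as a yes/no flag and decide about the newline at the single use site; PATCH 22/22 replaces `echo -n` with printf anyway, so `printf "%s"` plus a conditional newline would be the consistent choice.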
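Review bot: in PATCH 16/22, the commented-out `#log 0 "${cmd[@]}"` would write `--set password="$computerPassword"` into the log in clear as soon as someone re-enables it while debugging; drop the line or log a copy of the array with the password element masked. Independent of that, the computer password is an argv element of univention-directory-manager and readable by other local users through ps or /proc/*/cmdline while the command runs. The series moves the bind password to `--bindpwdfile` in PATCH 21/22; it is worth a follow-up to see whether the computer password can be supplied by file as well instead of via `--set password=`.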
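Review bot: in PATCH 18/22, check_ldap_tls_connection still passes the secret as `-w "$(<"$DCPWD")"`, which puts it on the ldapsearch command line. OpenLDAP's ldapsearch accepts `-y "$DCPWD"` to read the bind password from a file; note that `-y` takes the file content verbatim, trailing newline included, so this only works if $DCPWD is written without one. Since the `if !` rewrite touches exactly this line, it is a cheap place to make the change.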
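Review bot: in PATCH 18/22, univention-server-join hunk (and the matching one in PATCH 16/22), `rc` holds the captured stdout of univention-directory-manager, not a return code. The `if ! rc="$(...)"` form takes its status from the command substitution, so the test itself is correct, but the name misleads and `[$rc]` in the log line shows standard output only. Rename it to `out` and add `2>&1` inside the substitution if the error message is what should end up in the log.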
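Review bot: in PATCH 19/22, both ldapsearch calls interpolate `$DCACCOUNT` straight into the filter `(&(uid=$DCACCOUNT)(objectClass=person))`, and the filter then travels through univention-ssh as a `\'`-quoted string. An account name containing `)`, `(`, `*` or `\` changes the filter, and one containing `'` breaks the remote quoting; at best the lookup fails and binddn stays empty, at worst a wildcard matches another account's DN and the join binds as that user. Escape the value per RFC 4515 (`\2a`, `\28`, `\29`, `\5c`) before building the filter, or reject account names outside `[A-Za-z0-9._-]` up front. Dropping the `DN:` sed branch is fine.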
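Review bot: in PATCH 20/22, the `TLS_CACERT` line moves from right after download_host_certificate to after set_kerberos_realm and set_windows_domain, so the `ucr set` and those two helpers now run before the UCS CA is registered in /etc/ldap/ldap.conf. Please confirm neither helper performs a local TLS LDAP query in between, and say in the commit message why the move is wanted; "Move adding the UCS CA certificate to the ldap.conf file" describes the what, not the why. The `grep -q '^TLS_CACERT'` guard also keeps an existing TLS_CACERT that points somewhere else silently; a log line when the entry is skipped would help debugging.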
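Review bot: PATCH 21/22 is narrower than its subject: only the UDM call in univention-server-join switches to `--bindpwdfile "$BINDPWFILE"`, while in univention-join the join scripts are still started with `--bindpwd "$(<"$DCPWD")"` and check_ldap_tls_connection still uses `-w "$(<"$DCPWD")"` (both visible in earlier hunks of this series), so the password remains on a command line on the joining host. Removing the UCS 2.x `-bindaccount` branch is justified by the version check, but the script also accepts `-disableVersionCheck`; with that option and a UCS 2.x master the join now sends `-binddn`, which the removed comment says 2.x does not support. Either refuse `-disableVersionCheck` when `master_version` is below 3 or keep the fallback.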
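Review bot: in PATCH 22/22, `printf "%s" "$kpwd" >/etc/machine.secret` creates the file with the process umask and only then runs `chmod 600`, so on first creation under a permissive umask the machine password is world-readable for a moment. Create it restrictively from the start, e.g. `(umask 077; printf "%s" "$kpwd" >/etc/machine.secret)` or `install -m 600 /dev/null /etc/machine.secret` before writing. The same patch replaces `echo -n` because it "has issues" yet re-adds `echo -n "Join Computer Account: "` two hunks earlier; use `printf "%s"` there too for consistency.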