1. Update for ucs-school-single-master / ucs-school-master and normal UCS Master / Backup (all with samba4) * Problem: there is no Samba4 specific package in UCS@school Master / Backup where we could increase the joinscript version * Instead the steps are done via an Errata update for the normal UCS * To avoid increasing the joinscript-version in an errata update, the steps are done in univention-s4-connector.postinst: * append 'Enterprise Domain Controllers' to 'connector/s4/mapping/group/ignorelist' on all hosts having the univention-s4-connector package installed. restart s4-connector afterwards. * If Master or Backup run the real S4 Connector create the group and add all currently registered Samba4 DCs to it (univention-samba4/scripts/create_group_Enterprise_Domain_Controllers.py) * wait for samba4-idmap and run samba-tool ntacl sysvolreset 2. On UCS@school 3.1 R2 Slaves the group creation and sysvolreset is done via the join script 98univention-samba4slavepdc-dns.inst (from univention-ldb-modules) (++VERSION). This way,even if there is no Samba4 on the Master / Backup we still can create the group (with the given Administrator credentials), wait for the samba4-idmap listener and perform the sysvolreset. (separate Bug #31438) * In this case 'Enterprise Domain Controllers' has already been appended to 'connector/s4/mapping/group/ignorelist' by univention-s4-connector.postinst, S4 connector has been restarted. * Create group and add all currently registered Samba4 DCs to it (univention-samba4/scripts/create_group_Enterprise_Domain_Controllers.py) * wait for samba4-idmap and run samba-tool ntacl sysvolreset 3. Errata for UCS@school Slaves is handled in univention-s4-connector.postinst: * append 'Enterprise Domain Controllers' to 'connector/s4/mapping/group/ignorelist' on all hosts having the univention-s4-connector package installed. restart s4-connector afterwards. * In case the Master holds Samba4 and is errata-updated before the slaves, we probably have a reject in the S4 Connector on the UCS@school Slave due to the objectSid conflict with the exisiting foreignSecurityPrincipal object. We simply remove this reject in the postinst. 4. New Installations are handled in the Join script 97univention-s4-connector.inst: * append 'Enterprise Domain Controllers' to 'connector/s4/mapping/group/ignorelist' on all hosts having the univention-s4-connector package installed. restart s4-connector afterwards. * If the system runs a S4 Connector try to create the group and add all currently registered Samba4 DCs to it (univention-samba4/scripts/create_group_Enterprise_Domain_Controllers.py) * wait for samba4-idmap * In this case "samba-tool ntacl sysvolreset" is run by 98univention-samba4-dns.inst later, so we skip this step here. 5. New installed Samba4 DCs add themselves to the new group via Join script 96univention-samba4.inst