Index: debian/univention-system-activation.postinst
===================================================================
--- debian/univention-system-activation.postinst (Revision 67211)
+++ debian/univention-system-activation.postinst (Arbeitskopie)
@@ -39,16 +39,7 @@
 # Don't change it on a configured system
 if [ ! -e /var/univention-join/joined ]; then
- # disallow root login
- ucr set --force auth/gdm/user/root=no \
- auth/kdm/user/root=no \
- auth/login/user/root=no \
- auth/other/user/root=no \
- auth/sshd/user/root=no
-
- # disallow su
- ucr set --force auth/su/restrict=yes \
- auth/su/user/root=no
+ /usr/sbin/univention-system-activation restrict-root
 fi
 ;;
Index: debian/univention-system-activation.install
===================================================================
--- debian/univention-system-activation.install (Revision 67211)
+++ debian/univention-system-activation.install (Arbeitskopie)
@@ -1,5 +1,5 @@
 scripts/univention-system-activation usr/sbin
-src/* usr/share/pyshared/univention/system_activation
+src/* usr/share/pyshared/univention/system_activation
 www usr/share/univention-system-activation
 conffiles/etc/sudoers.d/univention-system-activation etc/sudoers.d
 conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation usr/lib/univention-system-setup/appliance-hooks.d
Index: scripts/univention-system-activation
===================================================================
--- scripts/univention-system-activation (Revision 67211)
+++ scripts/univention-system-activation (Arbeitskopie)
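Review bot: The new line `/usr/sbin/univention-system-activation restrict-root` is now the only step that locks root login on an unjoined system, yet its exit status is not checked, and whether this postinst runs under `set -e` is not visible in the hunk. If the script is missing, not executable, or one of its `ucr set --force` calls fails, package configuration may complete with the root restriction not applied. Check the status explicitly, e.g. `/usr/sbin/univention-system-activation restrict-root || { echo "restrict-root failed" >&2; exit 1; }`. The enclosing case arm (the `;;` context line) starts outside the hunk.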
@@ -29,6 +29,40 @@
 # /usr/share/common-licenses/AGPL-3; if not, see
 # .
+function allow_root_login() {
+ ucr unset --force auth/gdm/user/root \
+ auth/kdm/user/root \
+ auth/login/user/root \
+ auth/other/user/root \
+ auth/sshd/user/root
+
+ # reset su restrictions
+ ucr unset --force auth/su/restrict \
+ auth/su/user/root
+
+ # set to the default values, these values are not set
+ # during the pam installation, because they were set
+ # in the force layer
+ ucr set auth/gdm/user/root?yes \
+ auth/kdm/user/root?yes \
+ auth/login/user/root?yes \
+ auth/other/user/root?yes \
+ auth/sshd/user/root?yes
+}
+
+function restrict_root_login() {
+ # disallow root login
+ ucr set --force auth/gdm/user/root=no \
+ auth/kdm/user/root=no \
+ auth/login/user/root=no \
+ auth/other/user/root=no \
+ auth/sshd/user/root=no
+
+ # disallow su
+ ucr set --force auth/su/restrict=yes \
+ auth/su/user/root=no
+}
+
 if [ $# -eq 0 -o "$1" = "-h" -o "$1" = "--help" ]; then
 echo
 echo "When started, deactivates all access to the UCS and enforces the"
@@ -62,6 +96,8 @@
 # disable sites
 a2dissite ${active_sites[@]}
+ restrict_root_login
+
 # enable system activation site configuration and reload apache
 a2ensite univention-system-activation
 /etc/init.d/apache2 reload
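Review bot: The usage text printed by the `-h`/`--help` branch at the end of the first hunk still describes only the existing behaviour, while the new `allow-root` and `restrict-root` actions this file gains in its last hunk are not mentioned anywhere a user can see. Add a line to that usage output such as `echo "Additional actions: allow-root, restrict-root"`, and give both new functions a short header comment stating that they only write the UCR force layer and reload no service. `allow_root_login` unsets `auth/su/restrict` and `auth/su/user/root` but re-sets defaults only for the five login keys; this mirrors the removed inline code, so if the asymmetry is deliberate a comment saying so would prevent a later "fix". The help `if` block continues past the end of the hunk.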
@@ -84,32 +120,17 @@
 # unset previously stored sites
 ucr unset apache2/system_activation/sites
- # allow root login again
- ucr unset --force auth/gdm/user/root \
- auth/kdm/user/root \
- auth/login/user/root \
- auth/other/user/root \
- auth/sshd/user/root
+ allow_root_login
- # reset su restrictions
- ucr unset --force auth/su/restrict \
- auth/su/user/root
-
- # set to the default values, these values are not set
- # during the pam installation, because they were set
- # in the force layer
- ucr set auth/gdm/user/root?yes \
- auth/kdm/user/root?yes \
- auth/login/user/root?yes \
- auth/other/user/root?yes \
- auth/sshd/user/root?yes
-
 # apache reload as last step
 /etc/init.d/apache2 reload
+elif [ "$ACTION" == "allow-root" ]; then
+ allow_root_login
+elif [ "$ACTION" == "restrict-root" ]; then
+ restrict_root_login
 else
 echo
 echo "ERROR: Unknown action given"
 echo
 exit 1
 fi
-
Index: conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation
===================================================================
--- conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation (Revision 67211)
+++ conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation (Arbeitskopie)
@@ -33,8 +33,15 @@
 /usr/bin/univention-ldapsearch -LLL '(&(objectClass=univentionLicense)(univentionLicenseKeyID=*))' dn | grep -q 'dn:'
 }
-if ! has_activated_license; then
+role="$(ucr get server/role)"
+if [ "$role" == "domaincontroller_master" ]; then
 /usr/sbin/univention-system-activation start
+elif has_activated_license; then
+ # Installing an App Appliance as non DC Master without activated license in the domain
+ # is restricted by system-setup and not handled here
+ # lift root restrictions set by univention-system-activation.postinst on non DC Master
+ # roles because system-activation is not started there
+ /usr/sbin/univention-system-activation allow-root
 fi
-
 exit 0
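Review bot: The two new `elif` arms compare with `[ "$ACTION" == "allow-root" ]`, while the argument check earlier in this file (`[ $# -eq 0 -o "$1" = "-h" ... ]`) uses the POSIX `=`; `==` inside single brackets is a bash extension and the script's shebang is not visible in the diff. Use `[ "$ACTION" = "allow-root" ]` and `[ "$ACTION" = "restrict-root" ]` here, and the same `=` for the `server/role` test added in the appliance hook below. The `if`/`elif` chain these arms extend begins outside the hunk.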
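Review bot: On a DC Master the new branch starts system activation unconditionally, whereas the removed `if ! has_activated_license` guard skipped it when a license was already activated; if this hook can run on a master that already holds an activated license, that system would now have all sites disabled and root login restricted for no reason. If the change is intentional (for example because the hook only runs on a freshly installed appliance), state that in a comment; otherwise keep the guard: `if [ "$role" = "domaincontroller_master" ] && ! has_activated_license; then`. If `ucr get server/role` prints nothing, the script silently falls through to the `has_activated_license` branch, so a final `else` with `echo "server/role not set or no activated license, leaving root restrictions in place" >&2` would make the outcome visible in the setup log.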