Lines 209-228
stop_conflicting_services() {
209 |
fi |
209 |
fi |
210 |
fi |
210 |
fi |
211 |
|
211 |
|
212 |
tmp_ucr_key_value_list=() |
212 |
declare -a tmp_ucr_key_value_list=() |
213 |
if [ "$samba_autostart" != "no" ]; then |
213 |
if [ "$samba_autostart" != "no" ]; then |
214 |
tmp_ucr_key_value_list[0]="samba/autostart=no" |
214 |
tmp_ucr_key_value_list+=("samba/autostart=no") |
215 |
fi |
215 |
fi |
216 |
if [ "$winbind_autostart" != "no" ]; then |
216 |
if [ "$winbind_autostart" != "no" ]; then |
217 |
tmp_ucr_key_value_list[${#tmp_ucr_key_value_list[@]}]="winbind/autostart=no" |
217 |
tmp_ucr_key_value_list+=("winbind/autostart=no") |
218 |
fi |
218 |
fi |
219 |
if [ "$kerberos_autostart" != "no" ]; then |
219 |
if [ "$kerberos_autostart" != "no" ]; then |
220 |
tmp_ucr_key_value_list[${#tmp_ucr_key_value_list[@]}]="kerberos/autostart=no" |
220 |
tmp_ucr_key_value_list+=("kerberos/autostart=no") |
221 |
fi |
221 |
fi |
222 |
if [ -n "$tmp_ucr_key_value_list" ]; then |
222 |
if [ -n "$tmp_ucr_key_value_list" ]; then |
223 |
univention-config-registry set "${tmp_ucr_key_value_list[@]}" |
223 |
univention-config-registry set "${tmp_ucr_key_value_list[@]}" |
224 |
fi |
224 |
fi |
225 |
unset tmp_ucr_key_value_list |
|
|
226 |
} |
225 |
} |
227 |
|
226 |
|
228 |
get_samba_role() { |
227 |
get_samba_role() { |
Lines 309-319
samba_domain_join() {
309 |
fi |
308 |
fi |
310 |
else |
309 |
else |
311 |
|
310 |
|
312 |
# Let's try to join against the S4 Connector |
311 |
# Let's try to join against the S4 Connector |
313 |
s4connector_dc=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \ |
312 |
s4connector_dc=$(ldapsearch -x -ZZ -LLLo ldif-wrap=no -D "$ldap_hostdn" -y /etc/machine.secret \ |
314 |
"(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" cn \ |
313 |
"(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" cn \ |
315 |
| ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p') |
314 |
| sed -n 's/^cn: //p') |
316 |
|
315 |
|
317 |
if [ -n "$s4connector_dc" ]; then |
316 |
if [ -n "$s4connector_dc" ]; then |
318 |
echo "Join against S4 Connector server: $s4connector_dc" |
317 |
echo "Join against S4 Connector server: $s4connector_dc" |
319 |
if samba-tool domain info "$s4connector_dc.$domainname"; then |
318 |
if samba-tool domain info "$s4connector_dc.$domainname"; then |
Lines 343-351
samba_domain_join() {
343 |
|
342 |
|
344 |
if [ -z "$success" ]; then |
343 |
if [ -z "$success" ]; then |
345 |
# try again with --server |
344 |
# try again with --server |
346 |
cn=($(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \ |
345 |
cn=($(ldapsearch -x -ZZ -LLLo ldif-wrap=no -D "$ldap_hostdn" -y /etc/machine.secret \ |
347 |
"(&(univentionService=Samba 4)(objectClass=univentionDomainController))" cn \ |
346 |
"(&(univentionService=Samba 4)(objectClass=univentionDomainController))" cn \ |
348 |
| ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p' )) |
347 |
| sed -n 's/^cn: //p' )) |
349 |
for name in "${cn[@]}"; do |
348 |
for name in "${cn[@]}"; do |
350 |
if samba-tool domain info "$name.$domainname"; then |
349 |
if samba-tool domain info "$name.$domainname"; then |
351 |
samba-tool domain join "$domainname" "$samba4_role" --server "$name.$domainname" "${samba_join_options[@]}" |
350 |
samba-tool domain join "$domainname" "$samba4_role" --server "$name.$domainname" "${samba_join_options[@]}" |
Lines 392-398
disable_slapd_on_standard_port() {
392 |
} |
391 |
} |
393 |
|
392 |
|
394 |
backup_samba4_keytab() { |
393 |
backup_samba4_keytab() { |
395 |
pre_join_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb sAMAccountName="$hostname\$" msDS-KeyVersionNumber | sed -n 's/^msDS-KeyVersionNumber: \(.*\)/\1/p') |
394 |
pre_join_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb sAMAccountName="$hostname\$" msDS-KeyVersionNumber | sed -n 's/^msDS-KeyVersionNumber: //p') |
396 |
if [ -n "$pre_join_kvno" ]; then |
395 |
if [ -n "$pre_join_kvno" ]; then |
397 |
if ! [ -f /etc/krb5.keytab ]; then |
396 |
if ! [ -f /etc/krb5.keytab ]; then |
398 |
## usually the keytab is removed during 03univention-directory-listener.inst |
397 |
## usually the keytab is removed during 03univention-directory-listener.inst |
Lines 416-422
backup_samba4_keytab() {
416 |
|
415 |
|
417 |
merge_backup_samba4_keytab() { |
416 |
merge_backup_samba4_keytab() { |
418 |
if [ -n "$pre_join_kvno" ] && [ -f "$backup_dir/krb5.keytab" ]; then |
417 |
if [ -n "$pre_join_kvno" ] && [ -f "$backup_dir/krb5.keytab" ]; then |
419 |
post_join_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb sAMAccountName="$hostname\$" msDS-KeyVersionNumber | sed -n 's/^msDS-KeyVersionNumber: \(.*\)/\1/p') |
418 |
post_join_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb sAMAccountName="$hostname\$" msDS-KeyVersionNumber | sed -n 's/^msDS-KeyVersionNumber: //p') |
420 |
if [ "$post_join_kvno" -gt "$pre_join_kvno" ]; then |
419 |
if [ "$post_join_kvno" -gt "$pre_join_kvno" ]; then |
421 |
tmp_krb5_keytab=$(mktemp) |
420 |
tmp_krb5_keytab=$(mktemp) |
422 |
cp "$backup_dir/krb5.keytab" "$tmp_krb5_keytab" |
421 |
cp "$backup_dir/krb5.keytab" "$tmp_krb5_keytab" |
461 |
register_server_ips_with_domain() { |
460 |
register_server_ips_with_domain() { |
462 |
zone="$(udm dns/forward_zone list "$@" --filter zoneName="$domainname" | sed -ne 's|^DN: ||p')" |
461 |
zone="$(udm dns/forward_zone list "$@" --filter zoneName="$domainname" | sed -ne 's|^DN: ||p')" |
463 |
if [ -n "$zone" ]; then |
462 |
if [ -n "$zone" ]; then |
464 |
IPs=$(univention-ldapsearch "(&(relativeDomainname=$hostname)(zoneName=$domainname))" aRecord aAAARecord \ |
463 |
IPs=$(univention-ldapsearch -LLLo ldif-wrap=no "(&(relativeDomainname=$hostname)(zoneName=$domainname))" aRecord aAAARecord \ |
465 |
| ldapsearch-wrapper | sed -ne 's|^aRecord: ||p;s|^aAAARecord: ||p') |
464 |
| sed -ne 's|^aRecord: ||p;s|^aAAARecord: ||p') |
466 |
for ip in $IPs; do |
465 |
for ip in $IPs; do |
467 |
udm dns/forward_zone modify "$@" --ignore_exists --dn "$zone" --append a="$ip" |
466 |
udm dns/forward_zone modify "$@" --ignore_exists --dn "$zone" --append a="$ip" |
468 |
done |
467 |
done |
Lines 472-480
register_server_ips_with_domain() {
472 |
set_samba4_sysvol_sync_host() { |
471 |
set_samba4_sysvol_sync_host() { |
473 |
## determine default sysvol parent for this host from univentionService="S4 Connector" |
472 |
## determine default sysvol parent for this host from univentionService="S4 Connector" |
474 |
if [ -z "$samba4_sysvol_sync_host" ]; then |
473 |
if [ -z "$samba4_sysvol_sync_host" ]; then |
475 |
s4connectorservicedcs=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \ |
474 |
s4connectorservicedcs=$(ldapsearch -x -ZZ -LLLo ldif-wrap=no -D "$ldap_hostdn" -y /etc/machine.secret \ |
476 |
"(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" cn \ |
475 |
"(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" cn \ |
477 |
| ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p') ## currently there is no u-d-m module computers/dc |
476 |
| sed -n 's/^cn: //p') ## currently there is no u-d-m module computers/dc |
478 |
if [ -n "$s4connectorservicedcs" ]; then |
477 |
if [ -n "$s4connectorservicedcs" ]; then |
479 |
univention-config-registry set samba4/sysvol/sync/host="$s4connectorservicedcs" |
478 |
univention-config-registry set samba4/sysvol/sync/host="$s4connectorservicedcs" |
480 |
fi |
479 |
fi |
Lines 521-527
get_available_s4connector_dc() {
521 |
local s4connector_dc |
520 |
local s4connector_dc |
522 |
local s4connector_dc_candidates |
521 |
local s4connector_dc_candidates |
523 |
s4connector_dc=() |
522 |
s4connector_dc=() |
524 |
s4connector_dc_candidates=$(univention-ldapsearch "(&(univentionService=S4 Connector)(objectClass=univentionDomainController))" cn | ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p') |
523 |
s4connector_dc_candidates=$(univention-ldapsearch -LLLo ldif-wrap=no "(&(univentionService=S4 Connector)(objectClass=univentionDomainController))" cn | sed -n 's/^cn: //p') |
525 |
if univention-ldapsearch -LLL univentionservice=UCS@school dn | grep -q ^dn; then |
524 |
if univention-ldapsearch -LLL univentionservice=UCS@school dn | grep -q ^dn; then |
526 |
for dc in "${s4connector_dc_candidates[@]}"; do |
525 |
for dc in "${s4connector_dc_candidates[@]}"; do |
527 |
if samba-tool drs showrepl "$dc" >/dev/null 2>&1; then |
526 |
if samba-tool drs showrepl "$dc" >/dev/null 2>&1; then |
Lines 547-553
wait_until_dc_was_replicated_to_connector_dc() {
547 |
|
546 |
|
548 |
echo -n "Waiting for DRS replication: " |
547 |
echo -n "Waiting for DRS replication: " |
549 |
for((i=0;i<300;i++)); do |
548 |
for((i=0;i<300;i++)); do |
550 |
search_result="$(ldbsearch -H "ldap://$s4connector_dc" -U"${hostname}$"%"$(</etc/machine.secret)" "(&(objectClass=computer)(cn=${hostname}))" cn 2>/dev/null| sed -n 's/^cn: \(.*\)/\1/p')" |
549 |
search_result="$(ldbsearch -H "ldap://$s4connector_dc" -U"${hostname}$"%"$(</etc/machine.secret)" "(&(objectClass=computer)(cn=${hostname}))" cn 2>/dev/null| sed -n 's/^cn: //p')" |
551 |
test -n "$search_result" && break |
550 |
test -n "$search_result" && break |
552 |
echo -n "." |
551 |
echo -n "." |
553 |
sleep 1 |
552 |
sleep 1 |
Lines 645-652
_create_group_with_special_sid()
645 |
local ldif |
644 |
local ldif |
646 |
|
645 |
|
647 |
shift 3 |
646 |
shift 3 |
648 |
|
647 |
|
649 |
group_dn="$(univention-ldapsearch "(&(objectClass=univentionGroup)(cn=$name))" | ldapsearch-wrapper | sed -ne 's|dn: ||p')" |
648 |
group_dn="$(univention-ldapsearch -LLLo ldif-wrap=no "(&(objectClass=univentionGroup)(cn=$name))" dn | sed -ne 's|^dn: ||p')" |
650 |
|
649 |
|
651 |
if [ -z "$group_dn" ]; then |
650 |
if [ -z "$group_dn" ]; then |
652 |
|
651 |
|
Lines 683-690
univentionSamba4SID: $sid
683 |
" |
682 |
" |
684 |
fi |
683 |
fi |
685 |
|
684 |
|
686 |
echo "$ldif" | ldapmodify -x -h "$ldap_master" -p "${ldap_master_port:-7389}" -D "$binddn" -w "$bindpwd" |
685 |
echo "$ldif" | ldapmodify -x -h "$ldap_master" -p "${ldap_master_port:-7389}" -D "$binddn" -w "$bindpwd" |
687 |
|
686 |
|
688 |
if [ "$name" = "Authenticated Users" ]; then |
687 |
if [ "$name" = "Authenticated Users" ]; then |
689 |
udm groups/group modify "$@" --dn "cn=$name,$position,$ldap_base" \ |
688 |
udm groups/group modify "$@" --dn "cn=$name,$position,$ldap_base" \ |
690 |
--append nestedGroup="cn=DC Slave Hosts,cn=groups,$ldap_base" \ |
689 |
--append nestedGroup="cn=DC Slave Hosts,cn=groups,$ldap_base" \ |
Lines 742-749
_update_pseudo_group()
742 |
local name="$1" |
741 |
local name="$1" |
743 |
|
742 |
|
744 |
shift 1 |
743 |
shift 1 |
745 |
|
744 |
|
746 |
group_dn="$(univention-ldapsearch "(&(objectClass=univentionGroup)(cn=$name)(!(univentionGroupType=-2147483643)))" | ldapsearch-wrapper | sed -ne 's|dn: ||p')" |
745 |
group_dn="$(univention-ldapsearch -LLLo ldif-wrap=no "(&(objectClass=univentionGroup)(cn=$name)(!(univentionGroupType=-2147483643)))" | sed -ne 's|^dn: ||p')" |
747 |
|
746 |
|
748 |
if [ -n "$group_dn" ]; then |
747 |
if [ -n "$group_dn" ]; then |
749 |
extract_binddn_and_bindpwd_from_args "$@" |
748 |
extract_binddn_and_bindpwd_from_args "$@" |
Lines 759-765
add: univentionGroupType
759 |
univentionGroupType: -2147483643 |
758 |
univentionGroupType: -2147483643 |
760 |
- |
759 |
- |
761 |
replace: sambaGroupType |
760 |
replace: sambaGroupType |
762 |
sambaGroupType: 5" | ldapmodify -x -h "$ldap_master" -p "${ldap_master_port:-7389}" -D "$binddn" -w "$bindpwd" |
761 |
sambaGroupType: 5" | ldapmodify -x -h "$ldap_master" -p "${ldap_master_port:-7389}" -D "$binddn" -w "$bindpwd" |
763 |
fi |
762 |
fi |
764 |
} |
763 |
} |
765 |
|
764 |
|
Lines 784-792
exit_on_slave_if_no_s4_connector_on_master_or_backup()
784 |
if [ "$server_role" != "domaincontroller_slave" ]; then |
783 |
if [ "$server_role" != "domaincontroller_slave" ]; then |
785 |
return |
784 |
return |
786 |
fi |
785 |
fi |
787 |
s4connectorservicedcs=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \ |
786 |
s4connectorservicedcs=$(ldapsearch -x -ZZ -LLLo ldif-wrap=no -D "$ldap_hostdn" -y /etc/machine.secret \ |
788 |
"(&(univentionService=S4 Connector)(|(univentionServerRole=master)(univentionServerRole=backup)))" cn \ |
787 |
"(&(univentionService=S4 Connector)(|(univentionServerRole=master)(univentionServerRole=backup)))" cn \ |
789 |
| ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p') |
788 |
| sed -n 's/^cn: //p') |
790 |
if [ -z "$s4connectorservicedcs" ]; then |
789 |
if [ -z "$s4connectorservicedcs" ]; then |
791 |
echo "ERROR: No S4 Connector installed yet on DC Master or DC Backup." |
790 |
echo "ERROR: No S4 Connector installed yet on DC Master or DC Backup." |
792 |
exit 1 |
791 |
exit 1 |
Lines 802-809
exit_on_slave_if_no_s4_connector_on_master_or_backup
802 |
|
801 |
|
803 |
extract_binddn_and_bindpwd_from_args "$@" |
802 |
extract_binddn_and_bindpwd_from_args "$@" |
804 |
if [ -n "$binddn" ]; then |
803 |
if [ -n "$binddn" ]; then |
805 |
dcaccount=$(ldapsearch -xLLL -ZZ -D "$ldap_hostdn" -y /etc/machine.secret \ |
804 |
dcaccount=$(ldapsearch -xLLLo ldif-wrap=no -ZZ -D "$ldap_hostdn" -y /etc/machine.secret \ |
806 |
-s base -b "$binddn" uid | ldapsearch-wrapper | sed -n 's/^uid: //p') |
805 |
-s base -b "$binddn" uid | sed -n 's/^uid: //p') |
807 |
fi |
806 |
fi |
808 |
|
807 |
|
809 |
configure_samba_role |
808 |
configure_samba_role |
Lines 864-876
if [ "$samba4_role" = 'DC' ]; then
864 |
fi |
863 |
fi |
865 |
|
864 |
|
866 |
## check if we there already is a **domaincontroller** providing the service "Samba 4" |
865 |
## check if we there already is a **domaincontroller** providing the service "Samba 4" |
867 |
samba4servicedcs=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \ |
866 |
samba4servicedcs=$(ldapsearch -x -ZZ -LLLo ldif-wrap=no -D "$ldap_hostdn" -y /etc/machine.secret \ |
868 |
"(&(univentionService=${NAME})(objectClass=univentionDomainController))" cn \ |
867 |
"(&(univentionService=${NAME})(objectClass=univentionDomainController))" cn \ |
869 |
| ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p') ## currently there is no u-d-m module computers/dc |
868 |
| sed -n 's/^cn: //p') ## currently there is no u-d-m module computers/dc |
870 |
|
869 |
|
871 |
s4connector_is_used=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \ |
870 |
s4connector_is_used=$(ldapsearch -x -ZZ -LLLo ldif-wrap=no -D "$ldap_hostdn" -y /etc/machine.secret \ |
872 |
"(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(cn=$hostname))" cn \ |
871 |
"(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(cn=$hostname))" cn \ |
873 |
| ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p') |
872 |
| sed -n 's/^cn: //p') |
874 |
|
873 |
|
875 |
/etc/init.d/samba stop |
874 |
/etc/init.d/samba stop |
876 |
|
875 |
|
1149 |
|
1148 |
|
1150 |
/etc/init.d/samba restart |
1149 |
/etc/init.d/samba restart |
1151 |
|
1150 |
|
1152 |
# To prevent a DRS replication conflict: |
1151 |
# To prevent a DRS replication conflict: |
1153 |
# https://forge.univention.org/bugzilla/show_bug.cgi?id=32257 |
1152 |
# https://forge.univention.org/bugzilla/show_bug.cgi?id=32257 |
1154 |
wait_until_dc_was_replicated_to_connector_dc |
1153 |
wait_until_dc_was_replicated_to_connector_dc |
1155 |
|
1154 |
|