fi

		fi

	fi

	fi

	if [ "$samba_autostart" != "no" ]; then

	if [ "$samba_autostart" != "no" ]; then

	fi

	fi

	if [ "$winbind_autostart" != "no" ]; then

	if [ "$winbind_autostart" != "no" ]; then

	fi

	fi

	if [ "$kerberos_autostart" != "no" ]; then

	if [ "$kerberos_autostart" != "no" ]; then

	fi

	fi

	if [ -n "$tmp_ucr_key_value_list" ]; then

	if [ -n "$tmp_ucr_key_value_list" ]; then

		univention-config-registry set "${tmp_ucr_key_value_list[@]}"

		univention-config-registry set "${tmp_ucr_key_value_list[@]}"

	fi

	fi

}

}

get_samba_role() {

get_samba_role() {

		fi

		fi

	else

	else

			"(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" cn \

			"(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" cn \

		if [ -n "$s4connector_dc" ]; then

		if [ -n "$s4connector_dc" ]; then

			echo "Join against S4 Connector server: $s4connector_dc"

			echo "Join against S4 Connector server: $s4connector_dc"

			if samba-tool domain info "$s4connector_dc.$domainname"; then

			if samba-tool domain info "$s4connector_dc.$domainname"; then

		if [ -z "$success" ]; then

		if [ -z "$success" ]; then

			# try again with --server

			# try again with --server

						"(&(univentionService=Samba 4)(objectClass=univentionDomainController))" cn \

						"(&(univentionService=Samba 4)(objectClass=univentionDomainController))" cn \

			for name in "${cn[@]}"; do

			for name in "${cn[@]}"; do

				if samba-tool domain info "$name.$domainname"; then

				if samba-tool domain info "$name.$domainname"; then

					samba-tool domain join "$domainname" "$samba4_role" --server "$name.$domainname" "${samba_join_options[@]}"

					samba-tool domain join "$domainname" "$samba4_role" --server "$name.$domainname" "${samba_join_options[@]}"

}

}

backup_samba4_keytab() {

backup_samba4_keytab() {

	if [ -n "$pre_join_kvno" ]; then

	if [ -n "$pre_join_kvno" ]; then

		if ! [ -f /etc/krb5.keytab ]; then

		if ! [ -f /etc/krb5.keytab ]; then

			## usually the keytab is removed during 03univention-directory-listener.inst

			## usually the keytab is removed during 03univention-directory-listener.inst

merge_backup_samba4_keytab() {

merge_backup_samba4_keytab() {

	if [ -n "$pre_join_kvno" ] && [ -f "$backup_dir/krb5.keytab" ]; then

	if [ -n "$pre_join_kvno" ] && [ -f "$backup_dir/krb5.keytab" ]; then

		if [ "$post_join_kvno" -gt "$pre_join_kvno" ]; then

		if [ "$post_join_kvno" -gt "$pre_join_kvno" ]; then

			tmp_krb5_keytab=$(mktemp)

			tmp_krb5_keytab=$(mktemp)

			cp "$backup_dir/krb5.keytab" "$tmp_krb5_keytab"

			cp "$backup_dir/krb5.keytab" "$tmp_krb5_keytab"

register_server_ips_with_domain() {

register_server_ips_with_domain() {

	zone="$(udm dns/forward_zone list "$@" --filter zoneName="$domainname" | sed -ne 's|^DN: ||p')"

	zone="$(udm dns/forward_zone list "$@" --filter zoneName="$domainname" | sed -ne 's|^DN: ||p')"

	if [ -n "$zone" ]; then

	if [ -n "$zone" ]; then

		for ip in $IPs; do

		for ip in $IPs; do

			udm dns/forward_zone modify "$@" --ignore_exists --dn "$zone" --append a="$ip"

			udm dns/forward_zone modify "$@" --ignore_exists --dn "$zone" --append a="$ip"

		done

		done

set_samba4_sysvol_sync_host() {

set_samba4_sysvol_sync_host() {

	## determine default sysvol parent for this host from univentionService="S4 Connector"

	## determine default sysvol parent for this host from univentionService="S4 Connector"

	if [ -z "$samba4_sysvol_sync_host" ]; then

	if [ -z "$samba4_sysvol_sync_host" ]; then

			"(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" cn \

			"(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" cn \

		if [ -n "$s4connectorservicedcs" ]; then

		if [ -n "$s4connectorservicedcs" ]; then

			univention-config-registry set samba4/sysvol/sync/host="$s4connectorservicedcs"

			univention-config-registry set samba4/sysvol/sync/host="$s4connectorservicedcs"

		fi

		fi

	local s4connector_dc

	local s4connector_dc

	local s4connector_dc_candidates

	local s4connector_dc_candidates

	s4connector_dc=()

	s4connector_dc=()

	if univention-ldapsearch -LLL univentionservice=UCS@school dn | grep -q ^dn; then

	if univention-ldapsearch -LLL univentionservice=UCS@school dn | grep -q ^dn; then

		for dc in "${s4connector_dc_candidates[@]}"; do

		for dc in "${s4connector_dc_candidates[@]}"; do

			if samba-tool drs showrepl "$dc" >/dev/null 2>&1; then

			if samba-tool drs showrepl "$dc" >/dev/null 2>&1; then

	echo -n "Waiting for DRS replication: "

	echo -n "Waiting for DRS replication: "

	for((i=0;i<300;i++)); do

	for((i=0;i<300;i++)); do

		test -n "$search_result" && break

		test -n "$search_result" && break

		echo -n "."

		echo -n "."

		sleep 1

		sleep 1

	local ldif

	local ldif

	shift 3

	shift 3

	if [ -z "$group_dn" ]; then

	if [ -z "$group_dn" ]; then

"

"

		fi

		fi

		if [ "$name" = "Authenticated Users" ]; then

		if [ "$name" = "Authenticated Users" ]; then

			udm groups/group modify "$@" --dn "cn=$name,$position,$ldap_base" \

			udm groups/group modify "$@" --dn "cn=$name,$position,$ldap_base" \

				--append nestedGroup="cn=DC Slave Hosts,cn=groups,$ldap_base" \

				--append nestedGroup="cn=DC Slave Hosts,cn=groups,$ldap_base" \

	local name="$1"

	local name="$1"

	shift 1

	shift 1

	if [ -n "$group_dn" ]; then

	if [ -n "$group_dn" ]; then

		extract_binddn_and_bindpwd_from_args "$@"

		extract_binddn_and_bindpwd_from_args "$@"

univentionGroupType: -2147483643

univentionGroupType: -2147483643

-

-

replace: sambaGroupType

replace: sambaGroupType

	fi

	fi

}

}

	if [ "$server_role" != "domaincontroller_slave" ]; then

	if [ "$server_role" != "domaincontroller_slave" ]; then

		return

		return

	fi

	fi

		"(&(univentionService=S4 Connector)(|(univentionServerRole=master)(univentionServerRole=backup)))" cn \

		"(&(univentionService=S4 Connector)(|(univentionServerRole=master)(univentionServerRole=backup)))" cn \

	if [ -z "$s4connectorservicedcs" ]; then

	if [ -z "$s4connectorservicedcs" ]; then

		echo "ERROR: No S4 Connector installed yet on DC Master or DC Backup."

		echo "ERROR: No S4 Connector installed yet on DC Master or DC Backup."

		exit 1

		exit 1

extract_binddn_and_bindpwd_from_args "$@"

extract_binddn_and_bindpwd_from_args "$@"

if [ -n "$binddn" ]; then

if [ -n "$binddn" ]; then

fi

fi

configure_samba_role

configure_samba_role

	fi

	fi

	## check if we there already is a **domaincontroller** providing the service "Samba 4"

	## check if we there already is a **domaincontroller** providing the service "Samba 4"

	                   "(&(univentionService=${NAME})(objectClass=univentionDomainController))" cn \

	                   "(&(univentionService=${NAME})(objectClass=univentionDomainController))" cn \

	                   "(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(cn=$hostname))" cn \

	                   "(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(cn=$hostname))" cn \

	/etc/init.d/samba stop

	/etc/init.d/samba stop

/etc/init.d/samba restart

/etc/init.d/samba restart

#  https://forge.univention.org/bugzilla/show_bug.cgi?id=32257

#  https://forge.univention.org/bugzilla/show_bug.cgi?id=32257

wait_until_dc_was_replicated_to_connector_dc

wait_until_dc_was_replicated_to_connector_dc

fi

fi

# Change the dns/backend to samba4 only whether a S4 Connector is installed in our domain

# Change the dns/backend to samba4 only whether a S4 Connector is installed in our domain

if [ $JS_LAST_EXECUTED_VERSION = 0 ] && [ "$dns_backend" != "samba4" ] && [ -n "$s4connectorservicedcs" ]; then

if [ $JS_LAST_EXECUTED_VERSION = 0 ] && [ "$dns_backend" != "samba4" ] && [ -n "$s4connectorservicedcs" ]; then

	univention-config-registry set dns/backend=samba4

	univention-config-registry set dns/backend=samba4

if [ "$1" = "configure" ]; then

if [ "$1" = "configure" ]; then

	if [ -z "$2" ]; then

	if [ -z "$2" ]; then

		# only set this for new installations

		# only set this for new installations

		if [ "$server_role" = "domaincontroller_master" ]; then

		if [ "$server_role" = "domaincontroller_master" ]; then

			univention-config-registry set samba/domain/master?yes

			univention-config-registry set samba/domain/master?yes

		fi

		fi

		update-rc.d -f samba remove > /dev/null

		update-rc.d -f samba remove > /dev/null

		divert_univention_heimdal_service_cfg

		divert_univention_heimdal_service_cfg

				fi

				fi

			fi

			fi

		fi

		fi

		### The following block of code may be removed after ucs_3.2-0

		### The following block of code may be removed after ucs_3.2-0

		if dpkg --compare-versions "$2" lt-nl "2.0.44-24"; then

		if dpkg --compare-versions "$2" lt-nl "2.0.44-24"; then

			default_domain_gpo_dir="/var/lib/samba/sysvol/$domainname/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}"

			default_domain_gpo_dir="/var/lib/samba/sysvol/$domainname/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}"

			if [ -d "$default_domain_gpo_dir" ]; then

			if [ -d "$default_domain_gpo_dir" ]; then

				gpo_dir_owner=$(stat --printf '%U' "$default_domain_gpo_dir" 2>&1)

				gpo_dir_owner=$(stat --printf '%U' "$default_domain_gpo_dir" 2>&1)

				if [ "$gpo_dir_owner" = "UNKNOWN" ]; then

				if [ "$gpo_dir_owner" = "UNKNOWN" ]; then

				fi

				fi

			fi

			fi

		fi

		fi

				backup_dir="/var/backups/samba4.$backup_id"

				backup_dir="/var/backups/samba4.$backup_id"

				if [ -d "$backup_dir" ]; then

				if [ -d "$backup_dir" ]; then

					rm -rf "$backup_dir"

					rm -rf "$backup_dir"

				mkdir "$backup_dir" && \

				mkdir "$backup_dir" && \

				cp -a /var/lib/samba/private "$backup_dir" && \

				cp -a /var/lib/samba/private "$backup_dir" && \

				samba-tool dbcheck --cross-ncs --fix --yes

				samba-tool dbcheck --cross-ncs --fix --yes

			if ! [ -r "/etc/krb5.keytab" ]; then

			if ! [ -r "/etc/krb5.keytab" ]; then

				echo "/etc/krb5.keytab does not exist yet."

				echo "/etc/krb5.keytab does not exist yet."

				backup_dir="/var/backups/samba4_update_to_ucs4.1-4.$backup_id"

				backup_dir="/var/backups/samba4_update_to_ucs4.1-4.$backup_id"

				if [ -d "$backup_dir" ]; then

				if [ -d "$backup_dir" ]; then

					rm -rf "$backup_dir"

					rm -rf "$backup_dir"

				service samba stop

				service samba stop

				mkdir "$backup_dir" && \

				mkdir "$backup_dir" && \

				cp -a /var/lib/samba/private "$backup_dir" && \

				cp -a /var/lib/samba/private "$backup_dir" && \

				samba-tool dbcheck --cross-ncs --fix --yes

				samba-tool dbcheck --cross-ncs --fix --yes

				service samba start

				service samba start

		fi

		fi

	fi

	fi

# Run a samba-tool ntacl sysvolreset, this is required for the rc6 upgrade

# Run a samba-tool ntacl sysvolreset, this is required for the rc6 upgrade

if [ "$1" = "configure" -a -n "$2" ] && dpkg --compare-versions "$2" lt-nl 2.0.28; then

if [ "$1" = "configure" -a -n "$2" ] && dpkg --compare-versions "$2" lt-nl 2.0.28; then

fi

fi

exit 0

exit 0

	ucr unset kerberos/autostart

	ucr unset kerberos/autostart

	test -x /etc/init.d/heimdal-kdc && invoke-rc.d heimdal-kdc start

	test -x /etc/init.d/heimdal-kdc && invoke-rc.d heimdal-kdc start

	divert_univention_heimdal_service_cfg

	divert_univention_heimdal_service_cfg

	cp /usr/lib/univention-uninstall/04univention-samba4.uinst /usr/lib/univention-install/

	cp /usr/lib/univention-uninstall/04univention-samba4.uinst /usr/lib/univention-install/

fi

fi

exit 0

exit 0

eval "$(univention-config-registry shell windows/domain samba4/ldap/base ldap/hostdn)"

eval "$(univention-config-registry shell windows/domain samba4/ldap/base ldap/hostdn)"

## Now lookup DNS entries

## Now lookup DNS entries

host gc._msdcs

host gc._msdcs

## retrive DC specific GUID

## retrive DC specific GUID

NTDS_objectGUIDs=()

NTDS_objectGUIDs=()

sites=()

sites=()

for s4dc in $samba4servicedcs; do

for s4dc in $samba4servicedcs; do

	server_object_dn=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${s4dc}\$" \

	server_object_dn=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${s4dc}\$" \

	if [ -z "$server_object_dn" ]; then

	if [ -z "$server_object_dn" ]; then

		continue

		continue

	fi

	fi

	NTDS_objectGUID=$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "$server_object_dn" \

	NTDS_objectGUID=$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "$server_object_dn" \

	NTDS_objectGUIDs+=($NTDS_objectGUID)

	NTDS_objectGUIDs+=($NTDS_objectGUID)

	## Determine sitename

	## Determine sitename

	# get msDS-KeyVersionNumber

	# get msDS-KeyVersionNumber

	msdsKeyVersion=$(ldbsearch -H /var/lib/samba/private/sam.ldb  samAccountName="$spn_account_name" msDS-KeyVersionNumber \

	msdsKeyVersion=$(ldbsearch -H /var/lib/samba/private/sam.ldb  samAccountName="$spn_account_name" msDS-KeyVersionNumber \

	if [ -z "$msdsKeyVersion" ]; then

	if [ -z "$msdsKeyVersion" ]; then

		echo "ERROR: Could not determine msDS-KeyVersionNumber of $spn_account_name account!"

		echo "ERROR: Could not determine msDS-KeyVersionNumber of $spn_account_name account!"

		exit 1

		exit 1

	esac

	esac

done

done

## helper function

## helper function

stop_conflicting_services() {

stop_conflicting_services() {

		fi

		fi

	fi

	fi

	if [ "$samba_autostart" != "no" ]; then

	if [ "$samba_autostart" != "no" ]; then

	fi

	fi

	if [ "$winbind_autostart" != "no" ]; then

	if [ "$winbind_autostart" != "no" ]; then

	fi

	fi

	if [ "$kerberos_autostart" != "no" ]; then

	if [ "$kerberos_autostart" != "no" ]; then

	fi

	fi

	if [ -n "$tmp_ucr_key_value_list" ]; then

	if [ -n "$tmp_ucr_key_value_list" ]; then

		univention-config-registry set "${tmp_ucr_key_value_list[@]}" 2>&1 | tee -a "$LOGFILE"

		univention-config-registry set "${tmp_ucr_key_value_list[@]}" 2>&1 | tee -a "$LOGFILE"

	fi

	fi

}

}

set_machine_secret() {

set_machine_secret() {

	## 1. store password locally in secrets.ldb

	## 1. store password locally in secrets.ldb

	new_kvno=$(($old_kvno + 1))

	new_kvno=$(($old_kvno + 1))

	ldbmodify -H "$samba_secrets" <<-%EOF

	ldbmodify -H "$samba_secrets" <<-%EOF

}

}

# Search for Samba 3 DCs

# Search for Samba 3 DCs

if [ -n "$S3_DCS" ]; then

if [ -n "$S3_DCS" ]; then

	## safty belt

	## safty belt

	if is_ucr_true samba4/ignore/mixsetup; then

	if is_ucr_true samba4/ignore/mixsetup; then

else

else

	## Before starting the upgrade check for Samba accounts that are not POSIX accounts:

	## Before starting the upgrade check for Samba accounts that are not POSIX accounts:

	if [ -n "$non_posix_sambaSamAccount_dns" ]; then

	if [ -n "$non_posix_sambaSamAccount_dns" ]; then

		echo "ERROR: Found Samba accounts in LDAP that are not POSIX accounts, please remove these before updating to Samba 4" >&2

		echo "ERROR: Found Samba accounts in LDAP that are not POSIX accounts, please remove these before updating to Samba 4" >&2

		echo "$non_posix_sambaSamAccount_dns" | while read dn; do

		echo "$non_posix_sambaSamAccount_dns" | while read dn; do

	## Before starting the upgrade check for group names colliding with user names

	## Before starting the upgrade check for group names colliding with user names

	uid_ldap_check_function() {

	uid_ldap_check_function() {

		local filter="$1"

		local filter="$1"

		if [ -n "$collision" ]; then

		if [ -n "$collision" ]; then

			echo "ERROR: Group names and user names must be unique, please rename these before updating to Samba 4" >&2

			echo "ERROR: Group names and user names must be unique, please rename these before updating to Samba 4" >&2

			echo "The following user names are also present as group names:" >&2

			echo "The following user names are also present as group names:" >&2

			uid_ldap_check_function "$filter"

			uid_ldap_check_function "$filter"

			filter="(uid=$name)"

			filter="(uid=$name)"

		fi

		fi

	if [ -n "$filter" ]; then

	if [ -n "$filter" ]; then

		uid_ldap_check_function "$filter"

		uid_ldap_check_function "$filter"

	fi

	fi

	extract_binddn_and_bindpwd_from_args "$@"

	extract_binddn_and_bindpwd_from_args "$@"

	groups=("Windows Hosts" "DC Backup Hosts" "DC Slave Hosts" "Computers" "Power Users")

	groups=("Windows Hosts" "DC Backup Hosts" "DC Slave Hosts" "Computers" "Power Users")

	for group in "${groups[@]}"; do

	for group in "${groups[@]}"; do

		if [ -z "$description" ]; then

		if [ -z "$description" ]; then

			univention-directory-manager groups/group modify "$@" --dn "$dn" --set description="$group"

			univention-directory-manager groups/group modify "$@" --dn "$dn" --set description="$group"

		fi

		fi

	done

	done

set_machine_secret() {

set_machine_secret() {

	## 1. store password locally in secrets.ldb

	## 1. store password locally in secrets.ldb

	new_kvno=$(($old_kvno + 1))

	new_kvno=$(($old_kvno + 1))

	ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF

	ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF

		## currently the password in the secrets.ldb is set to machine.secret only on provision host, so we need to look it up from the secrets.ldb

		## currently the password in the secrets.ldb is set to machine.secret only on provision host, so we need to look it up from the secrets.ldb

		# sampassword=$(cat /etc/machine.secret)

		# sampassword=$(cat /etc/machine.secret)

		samaccount="${hostname}\$"

		samaccount="${hostname}\$"

	fi

	fi