Bug 29872 - Synchronization of additional computer accounts
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 3.1
Other Linux
P5 enhancement
UCS 3.1-1
Assigned To: Stefan Gohmann
Arvid Requate
Reported: 2012-12-21 07:47 CET by Stefan Gohmann
Modified: 2013-03-25 19:56 CET
Description Stefan Gohmann univentionstaff 2012-12-21 07:47:07 CET
Currently only DCs, Windows servers, Windows clients and member servers are synchronized between S4 and OpenLDAP. As a result, the other system roles (ucc, linux, macos, ubuntu) currently cannot offer Kerberos services.

The same presumably applies to DC slaves that have not defined the S4 service, but I am not sure about that.

The connector should be extended accordingly, for example:

--- conffiles/etc/univention/s4connector/s4/mapping.py  (Revision 37960)
+++ conffiles/etc/univention/s4connector/s4/mapping.py  (Arbeitskopie)
@@ -443,7 +443,7 @@
                        ucs_default_dn='cn=computers,@%@ldap/base@%@',
                        con_default_dn='cn=computers,@%@connector/s4/ldap/base@%@',
                        ucs_module='computers/windows',
-                       ucs_module_others=['computers/memberserver'],
+                       ucs_module_others=['computers/memberserver', 'computers/ucc', 'computers/linux', 'computers/ubuntu', 'computers/macos'],
 
                        sync_mode='@%@connector/s4/mapping/syncmode@%@',
 
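Review bot: on the added ucs_module_others line, please check that the connector tolerates a listed module name that is not installed on the system, 'computers/ucc' in particular, or build the list conditionally. A one-line comment above it saying why these roles are included would also help, because every object of these four types will now be placed under con_default_dn 'cn=computers,@%@connector/s4/ldap/base@%@' on the S4 side.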
@@ -454,7 +454,7 @@
                        con_search_filter='(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=4096))',
 
                        # ignore_filter='userAccountControl=4096',
-                       match_filter='(|(&(objectClass=univentionWindows)(!(univentionServerRole=windows_domaincontroller)))(objectClass=computer)(objectClass=univentionMemberServer))',
+                       match_filter='(|(&(objectClass=univentionWindows)(!(univentionServerRole=windows_domaincontroller)))(objectClass=computer)(objectClass=univentionMemberServer)(objectClass=univentionUbuntuClient)(objectClass=univentionMacOSClient)(objectClass=univentionLinuxClient))',
 
                        ignore_subtree = global_ignore_subtree,
 @!@
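Review bot: the extended match_filter has no counterpart for the 'computers/ucc' module that the previous hunk adds to ucs_module_others; only univentionUbuntuClient, univentionMacOSClient and univentionLinuxClient are new here. If UCC objects are not covered by one of these three classes they are listed as a module but never matched, so either add the class or note in a comment which class covers them. The unchanged con_search_filter still requires objectClass=computer with the userAccountControl bit 4096, so it is worth checking that the S4 objects created for the new roles satisfy both.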


The system roles currently do not set the S4 object class; either that would have to be changed, or the connector has to cope with it.
Comment 1 Erik Damrose univentionstaff 2013-01-24 13:17:20 CET
As long as this is not implemented, UCC terminal server tests with Samba4 DCs ( bug 29096 ) cannot be carried out.
Comment 2 Stefan Gohmann univentionstaff 2013-01-24 13:46:04 CET
(In reply to comment #1)
> As long as this is not implemented, UCC terminal server tests with Samba4 DCs
> ( bug 29096 ) cannot be carried out.

This has already been fixed in the UCC scope. It should therefore work: if you have a ticket, you can access the UCC terminal server with that ticket.
Comment 3 Stefan Gohmann univentionstaff 2013-03-06 10:04:22 CET
The objects are now synchronized.
Comment 4 Arvid Requate univentionstaff 2013-03-20 18:04:54 CET
A UCC client account is not synchronized to Samba4; the connector-s4.log shows that the connector decided to delay the sync:

13.02.2013 07:42:48,563 LDAP        (PROCESS): sync from ucs: [           dns] [       add] relativeDomainName=101,zonename=8.200.10.in-addr.arpa,cn=microsoftdns,cn=system,dc=arucs31i0,dc=qa
13.02.2013 07:42:48,600 LDAP        (PROCESS): sync from ucs: [           dns] [    modify] zonename=8.200.10.in-addr.arpa,cn=microsoftdns,cn=system,dc=arucs31i0,dc=qa
13.02.2013 07:42:49,691 LDAP        (PROCESS): sync to ucs:   [           dns] [       add] DC=desktop01,dc=arucs31i0.qa,cn=dns,dc=arucs31i0,dc=qa
13.02.2013 07:42:49,703 LDAP        (PROCESS): sync to ucs:   [           dns] [       add] DC=101,dc=8.200.10.in-addr.arpa,cn=dns,dc=arucs31i0,dc=qa
13.02.2013 07:42:49,716 LDAP        (PROCESS): sync to ucs:   [           dns] [       add] DC=@,dc=arucs31i0.qa,cn=dns,dc=arucs31i0,dc=qa
13.02.2013 07:42:49,731 LDAP        (PROCESS): sync to ucs:   [           dns] [       add] DC=@,dc=8.200.10.in-addr.arpa,cn=dns,dc=arucs31i0,dc=qa
13.02.2013 08:38:03,379 LDAP        (PROCESS): Drop /var/lib/univention-connector/s4/1360741079.627630. The DN cn=desktop01,cn=computers,dc=arucs31i0,dc=qa will synced later

Login as a domain user was possible on the UCC client.
Comment 5 Arvid Requate univentionstaff 2013-03-20 18:13:25 CET
No rejects and the file /var/lib/univention-connector/s4/1360741079.627630 is gone. univention-s4search samaccountname=desktop01\$  shows no result. Changing the description on the ucc account does not trigger a sync. The S4 Connector works though: creating a new user via UDM cli triggers the user sync.
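
Added example, not part of the original bug report or the connector's code: a log check for the situation in comments 4 and 5, where a computer account is deferred ("will synced later") and never reaches Samba 4. It assumes the line format quoted in comment 4 and that a later "sync from ucs" line with the same DN means the deferred object was written; the function name and the desktop02 lines are constructed for illustration.

```python
import re
from datetime import datetime

# Sample in the format quoted in comment 4. The desktop02 lines are constructed.
SAMPLE_LOG = """\
13.02.2013 07:42:49,691 LDAP        (PROCESS): sync to ucs:   [           dns] [       add] DC=desktop01,dc=arucs31i0.qa,cn=dns,dc=arucs31i0,dc=qa
13.02.2013 08:38:03,379 LDAP        (PROCESS): Drop /var/lib/univention-connector/s4/1360741079.627630. The DN cn=desktop01,cn=computers,dc=arucs31i0,dc=qa will synced later
13.02.2013 08:40:10,002 LDAP        (PROCESS): Drop /var/lib/univention-connector/s4/1360741200.000001. The DN cn=desktop02,cn=computers,dc=arucs31i0,dc=qa will synced later
13.02.2013 08:41:00,120 LDAP        (PROCESS): sync from ucs: [windowscomputer] [       add] cn=desktop02,cn=computers,dc=arucs31i0,dc=qa
"""

LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3}) LDAP\s+\((\w+)\s*\): (.*)$")
DROP = re.compile(r"^Drop (\S+)\. The DN (.+) will synced later$")
SYNC = re.compile(r"^sync (from|to) ucs:\s*\[\s*(\S+)\s*\] \[\s*(\S+)\s*\] (.+)$")


def pending_deferred(log_text):
    """Return {dn: (timestamp, queue_file)} for deferred DNs with no later sync."""
    pending = {}
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # continuation lines, tracebacks, other formats
        stamp = datetime.strptime(line.group(1), "%d.%m.%Y %H:%M:%S,%f")
        message = line.group(3)
        drop = DROP.match(message)
        if drop:
            # DNs are compared case-insensitively.
            pending[drop.group(2).lower()] = (stamp, drop.group(1))
            continue
        sync = SYNC.match(message)
        if sync and sync.group(1) == "from":
            # Assumption: a later write towards S4 for the same DN clears it.
            pending.pop(sync.group(4).lower(), None)
    return pending


if __name__ == "__main__":
    for dn, (stamp, queue_file) in pending_deferred(SAMPLE_LOG).items():
        print(f"{stamp:%Y-%m-%d %H:%M:%S} still deferred: {dn} (queued as {queue_file})")
```

Any DN the check reports can then be confirmed with the univention-s4search query from comment 5.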
Comment 6 Stefan Gohmann univentionstaff 2013-03-20 21:01:02 CET
(In reply to comment #5)
> No rejects and the file /var/lib/univention-connector/s4/1360741079.627630 is
> gone. univention-s4search samaccountname=desktop01\$  shows no result. Changing
> the description on the ucc account does not trigger a sync. The S4 Connector
> works though: creating a new user via UDM cli triggers the user sync.

Does it work if you restart the connector after the installation of the UCC integration packages? The connector has to recognize the new udm computers/ucc module.
Comment 7 Stefan Gohmann univentionstaff 2013-03-20 21:12:28 CET
(In reply to comment #6)
> (In reply to comment #5)
> > No rejects and the file /var/lib/univention-connector/s4/1360741079.627630 is
> > gone. univention-s4search samaccountname=desktop01\$  shows no result. Changing
> > the description on the ucc account does not trigger a sync. The S4 Connector
> > works though: creating a new user via UDM cli triggers the user sync.
> 
> Does it work if you restart the connector after the installation of the UCC
> integration packages? The connector has to recognize the new udm computers/ucc
> module.

The restart must be done in the UCC integration packages: Bug #30845.
Comment 8 Arvid Requate univentionstaff 2013-03-21 11:54:22 CET
Verified:
 * UCC client synchronized
 * Code review: OK
 * Related MacOSX code checked via Bug 29998
 * Changelog OK
Comment 9 Stefan Gohmann univentionstaff 2013-03-25 19:56:46 CET
UCS 3.1-1 has been released: 
 http://download.univention.de/doc/release-notes-3.1-1_en.pdf
 http://download.univention.de/doc/release-notes-3.1-1.pdf

If this error occurs again, please use "Clone This Bug".