Univention Bugzilla – Bug 30544
Call purge_s4_computer.py during join
Last modified: 2013-02-23 10:16:30 CET
I think we should call the script when the DC is joined again.

+++ This bug was initially created as a clone of Bug #29460 +++

Removing a Samba4 DC from UCS and Samba4 currently requires several steps, some of them very technical and potentially dangerous. There should be a tool for this, or it should be handled entirely via the S4 connector/Samba4.

At a minimum, the following are required:
- Removal via UDM, including DNS/DHCP entries
- (Recursive) removal of the server objects under cn=configuration,$LDAP_BASE in Samba4 via ldbdel

Further entries in S4, where present, should also be removed, as well as entries in DNS (service records, alias if not removed automatically).
Is there really anything we need to run purge_s4_computer.py for?

* During the join of a pristine UCS DC with Samba4 ("Reinstall") it is supposed to remove an existing computer account of the same name by itself (it's done with Administrative credentials...). Before Bug 29083 Comment 5 this was prevented with --keep-existing, but now we don't keep the account in this case. Supposedly this also cleans up all DC related objects.
* During "Re-Join" of a Samba4 DC that already had Samba4 running (local sam.ldb exists), we use --keep-existing to explicitly maintain the SID of the DC.
* Generally the GUID ._msdcs alias should be removed now as well during any kind of Samba4 join (also via Bug 29083 Comment 5).

Maybe I'm overlooking something but currently I'm leaning towards the feeling that purge_s4_computer.py would be a "too big gun". If there is anything else to clean up, maybe Bug 29461 is a good start and we should then automate some additional precise cleanups during join once we have identified the need for it? Just my gut feeling.
(In reply to comment #1)
> Is there really anything we need to run purge_s4_computer.py for?
>
> * During the join of a pristine UCS DC with Samba4 ("Reinstall") it is supposed
> to remove an existing computer account of the same name by itself (it's done
> with Administrative credentials...). Before Bug 29083 Comment 5 this was
> prevented with --keep-existing, but now we don't keep the account in this case.
> Supposedly this also cleans up all DC related objects.

OK, I think I'd forgotten this. If the Admin is able to reinstall an existing Server with the same hostname without any problem, everything is fine.