Univention Bugzilla – Bug 34091
UCS in Active Directory domain
Last modified: 2014-08-07 17:45:37 CEST
It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality. The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary; we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind. The UCS system should be able to provide Samba shares. Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules' property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore the object creation via UMC should display a warning that this object will not be synchronized to AD.
We may want to generate a krb5.keytab for the UCS systems and any kerberized services they run (LDAP, Squid). Probably it's straightforward to derive that locally from the machine.secret via ktutil. I guess we would need to modify univention-heimdal anyway to take care that the keytab* listeners don't do inappropriate things in this mode, like deleting the keytab and hoping for the UCS master to generate a new one. And then the joinscript of univention-heimdal should be adjusted as well as the joinscripts of the kerberized services. Another point is the server password change.
In this mode, DNS is disabled and a warning should be prompted when opening the DNS UMC module (cf. Bug 32313).
It shouldn't be allowed to install S4 as DC in this scenario. But UCS AD Takeover should be possible.
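The keytab derivation sketched in the comment above ("derive that locally from the machine.secret via ktutil"), worked through as an added example. This is not univention-heimdal's code and not the implementation that was later merged; it is a POSIX shell script written for this page. It assumes Heimdal's ktutil and kinit, a host named ucs1 in the AD domain example.com, the machine password in /etc/machine.secret, and a key version number read beforehand from the computer object's msDS-KeyVersionNumber and passed in by the caller; all of these are assumptions of the example, not facts from the bug. The part worth checking before trusting such a keytab is the salt: AD derives a computer account's AES keys with one account-wide salt, which coincides with the default Kerberos salt only for the host/ principal, so keys for ldap/ or HTTP/ principals must be copies of the host/ key rather than fresh password derivations.

```shell
#!/bin/sh
# Added example, not univention-heimdal's own code: derive a krb5.keytab for a
# UCS system that is a member of an AD domain from its machine password with
# Heimdal ktutil, then verify it against the AD KDC. Assumed, not from the bug:
# host "ucs1", AD domain "example.com", password in /etc/machine.secret, and
# KVNO taken from the computer object's msDS-KeyVersionNumber by the caller.
set -eu

# AD's Kerberos realm is the DNS domain name in upper case.
realm_of() {                    # realm_of DOMAIN
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Salt AD applies to a computer account's AES keys (MS-KILE 3.1.1.2):
# REALM + "host" + lower-case host name + "." + lower-case DNS domain.
ad_computer_salt() {            # ad_computer_salt HOST DOMAIN
    lhost=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ldom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%shost%s.%s\n' "$(realm_of "$2")" "$lhost" "$ldom"
}

# Default salt "ktutil add -w" derives from a principal (RFC 3961, 4.1):
# the realm followed by the name components with the separators removed.
default_salt() {                # default_salt PRINCIPAL
    printf '%s%s\n' "${1##*@}" "$(printf '%s' "${1%@*}" | tr -d '/')"
}

# Service principal for a kerberized service on the host (host, ldap, HTTP ...).
spn_for() {                     # spn_for SERVICE HOST DOMAIN
    printf '%s/%s.%s@%s\n' "$1" "$2" "$3" "$(realm_of "$3")"
}

# True when a password-derived key for PRINCIPAL equals the key AD holds for
# the account, i.e. the principal's default salt equals the account salt.
password_salt_matches() {       # password_salt_matches PRINCIPAL HOST DOMAIN
    [ "$(default_salt "$1")" = "$(ad_computer_salt "$2" "$3")" ]
}

# Write the keytab. The host/ entries are derived from the password; every other
# SPN gets a copy of the host/ key as hex (ktutil add -H), because AD derives all
# of the account's SPN keys with the one account salt, and the default salt for
# ldap/... would yield a key the KDC never uses.
# Passing -w puts the password into the process list; drop -w to be prompted.
build_keytab() {                # build_keytab KEYTAB HOST DOMAIN KVNO PASSWORD SERVICE...
    keytab=$1 host=$2 domain=$3 kvno=$4 password=$5; shift 5
    hostprinc=$(spn_for host "$host" "$domain")
    password_salt_matches "$hostprinc" "$host" "$domain" ||
        { echo "salt for $hostprinc does not match the AD account salt" >&2; return 1; }
    for etype in aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96; do
        ktutil -k "$keytab" add -p "$hostprinc" -V "$kvno" -e "$etype" -w "$password"
        # Assumption: "ktutil list --keys" prints the columns Vno, Type, Principal, Key.
        hexkey=$(ktutil -k "$keytab" list --keys |
            awk -v e="$etype" -v p="$hostprinc" '$2 == e && $3 == p { print $4 }')
        [ -n "$hexkey" ] || { echo "no $etype key for $hostprinc in $keytab" >&2; return 1; }
        for svc in "$@"; do
            if [ "$svc" != host ]; then
                ktutil -k "$keytab" add -p "$(spn_for "$svc" "$host" "$domain")" \
                    -V "$kvno" -e "$etype" -H -w "$hexkey"
            fi
        done
    done
}

# Verify against the AD KDC: an AS exchange with the keytab key fails when the
# salt or the kvno is wrong, which is the error worth catching before slapd does.
verify_keytab() {               # verify_keytab KEYTAB PRINCIPAL
    cc=$(mktemp)
    KRB5CCNAME="FILE:$cc" kinit -k -t "$1" "$2"
    rm -f "$cc"
}

# Stand-alone use on a joined UCS system (skipped where ktutil or the secret is missing).
if command -v ktutil >/dev/null 2>&1 && [ -r /etc/machine.secret ]; then
    build_keytab /tmp/ucs1.keytab ucs1 example.com 2 "$(cat /etc/machine.secret)" host ldap HTTP
    verify_keytab /tmp/ucs1.keytab "$(spn_for host ucs1 example.com)"
fi
```

The kvno argument (2 in the stand-alone call) is a placeholder: the AD KDC encrypts service tickets with the key version it holds in msDS-KeyVersionNumber, so a keytab with a stale kvno fails exactly like one with a wrong salt, and the kinit check at the end is what tells the two apart from a plain wrong password. After a server password change this whole derivation has to be repeated with the incremented kvno, which is the "server password change" point raised in the comment.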
Several library calls for the admember mode have been added to univention-lib: r52072, r52080, r52081, r52090, r52095. YAML: r52098
*** Bug 35458 has been marked as a duplicate of this bug. ***
I've created a product test page: https://hutten.knut.univention.de/mediawiki/index.php/Produkttests_UCS_3.2-3_UCS-in-AD YAML: 2014-07-23-univention-lib.yaml
Ok, these packages have been adjusted for this and its dependent bugs: univention-lib, univention-heimdal, univention-ldap, univention-pam, univention-samba, univention-samba4, univention-s4-connector, univention-directory-manager-modules, univention-join, univention-ad-connector, univention-management-console-module-adtakeover, univention-management-console-module-udm, univention-management-console, univention-management-console-module-appcenter. All have been merged in SVN to the UCS 3.2-3 and UCS 4.0-0 branches.
product test, see http://hutten/mediawiki/index.php/Produkttests_UCS_3.2_UCS-in-AD
http://errata.univention.de/ucs/3.2/165.html