Bug 34091 - UCS in Active Directory domain
Product: UCS
Classification: Unclassified
Component: General
Version: UCS 3.2
Hardware/OS: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2-2-errata
Assigned To: Stefan Gohmann
QA Contact: Felix Botner
Duplicates: 35458
Depends on: 34092 34093 35090 35091 35092 35093 35094 35095 35096 35233 35252 35346 35453 35454 35500 35501 35507 35513 35520 35551 35566
Reported: 2014-02-10 09:53 CET by Stefan Gohmann
Modified: 2014-08-07 17:45 CEST
CC: 6 users

Bug group (optional): Release Goal
Description Stefan Gohmann univentionstaff 2014-02-10 09:53:17 CET
It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality.

The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary, we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind.

The UCS system should be able to provide Samba shares.

Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM module's property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore, the object creation via UMC should display a warning that this object will not be synchronized to AD.
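The rule described in the report (objects imported by the connector carry univentionObjectFlag: synced, and in read mode attributes whose UDM property is flagged readonly_when_synced must not be changed locally) can be illustrated as a small guard. The following is an added example, not UCS or univention-directory-manager code: the function names, the property table and the sample objects are hypothetical; only the attribute name univentionObjectFlag, the value "synced" and the option name readonly_when_synced are taken from the report.

```python
"""Added example (not UCS project code): a guard for the connector's read mode.

Objects synchronized from AD carry univentionObjectFlag: synced.  Properties
whose (hypothetical) UDM definition sets readonly_when_synced may not be
modified on such objects; everything else stays writable.
"""

# Hypothetical UDM-style property table: property name -> readonly_when_synced.
# The report says the option defaults to False, so unlisted properties are writable.
USER_PROPERTIES = {
    "username": True,
    "firstname": True,
    "lastname": True,
    "description": False,  # local-only attribute, stays editable
}


def is_synced(ldap_attrs):
    """True if the object carries univentionObjectFlag: synced.

    ldap_attrs maps attribute names to lists of values; values may be bytes
    (as python-ldap returns them) or str, so both are accepted.
    """
    values = ldap_attrs.get("univentionObjectFlag", [])
    return any(
        (v.decode("utf-8") if isinstance(v, bytes) else v) == "synced"
        for v in values
    )


def check_modification(ldap_attrs, changes, properties=USER_PROPERTIES):
    """Split a proposed modification into (allowed, rejected).

    changes: dict property -> new value.  On a synced object every property
    flagged readonly_when_synced is rejected; on a local object all changes
    are allowed.  rejected is returned sorted for stable reporting.
    """
    if not is_synced(ldap_attrs):
        return dict(changes), []
    allowed, rejected = {}, []
    for prop, value in changes.items():
        if properties.get(prop, False):
            rejected.append(prop)
        else:
            allowed[prop] = value
    return allowed, sorted(rejected)


def creation_warning(connector_mode):
    """Warning UMC should show when an object is created while the connector
    runs in read mode: the new object is not written back to AD."""
    if connector_mode == "read":
        return "This object will not be synchronized to Active Directory."
    return None


# Constructed sample objects (not real directory data).
SYNCED_USER = {
    "uid": [b"jdoe"],
    "univentionObjectFlag": [b"synced"],
    "objectClass": [b"posixAccount", b"univentionObject"],
}
LOCAL_USER = {"uid": [b"admin"], "objectClass": [b"posixAccount"]}

if __name__ == "__main__":
    print(check_modification(SYNCED_USER, {"lastname": "Doe", "description": "AD user"}))
    print(check_modification(LOCAL_USER, {"lastname": "Root"}))
    print(creation_warning("read"))
```

The check is deliberately performed against the object's own flag rather than a global switch, so a local object that merely lives in the same container as synced ones remains editable, and a property not listed in the table falls back to the report's default of writable.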
Comment 1 Arvid Requate univentionstaff 2014-02-27 21:53:00 CET
We may want to generate a krb5.keytab for the UCS systems and any kerberized services they run (LDAP, Squid). Probably it's straightforward to derive that locally from the machine.secret via ktutil.

I guess we would need to modify univention-heimdal anyway to take care that the keytab* listeners don't do inappropriate things in this mode, like deleting the keytab and hoping for the UCS master to generate a new one. And then the joinscript of univention-heimdal should be adjusted as well as the joinscripts of the kerberized services.

Another point is the server password change.
Comment 2 Alexander Kläser univentionstaff 2014-03-06 11:29:36 CET
In this mode, DNS is disabled and a warning should be prompted when opening the DNS UMC module (→ c.f. Bug 32313).
Comment 3 Stefan Gohmann univentionstaff 2014-07-02 07:51:38 CEST
It shouldn't be allowed to install S4 as DC in this scenario. But UCS AD Takeover should be possible.
Comment 4 Stefan Gohmann univentionstaff 2014-07-23 12:15:41 CEST
Several library calls for the admember mode have been added to univention-lib:
r52072 + r52080 + r52081 + r52090 + r52095

YAML: r52098
Comment 5 Stefan Gohmann univentionstaff 2014-07-29 06:42:20 CEST
*** Bug 35458 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Gohmann univentionstaff 2014-07-31 07:20:13 CEST
I've created a product test page:

YAML: 2014-07-23-univention-lib.yaml
Comment 7 Arvid Requate univentionstaff 2014-08-06 13:20:12 CEST
Ok, these packages have been adjusted for this and its dependent Bugs:


All have been merged in SVN to the UCS 3.2-3 and UCS 4.0-0 branches.
Comment 8 Felix Botner univentionstaff 2014-08-07 10:01:15 CEST
product test, see http://hutten/mediawiki/index.php/Produkttests_UCS_3.2_UCS-in-AD
Comment 9 Janek Walkenhorst univentionstaff 2014-08-07 17:45:37 CEST