Bug 34139 - UMC wizard for AD Takeover (backend)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-1-errata
Assigned To: Arvid Requate
Felix Botner
Depends on: 34019
Reported: 2014-02-17 15:44 CET by Dirk Wiesenthal
Modified: 2014-04-22 06:47 CEST (History)
Description Dirk Wiesenthal univentionstaff 2014-02-17 15:44:23 CET
univention-ad-takeover needs to be converted into a lib to be used in univention-management-console-module-adtakeover

I have put the functions I need in takeover.py of the package along with some dummy implementation. Please fill the gaps and tell me if something has to be changed in the frontend or the UMC functions (e.g. missing parameters)

+++ This bug was initially created as a clone of Bug #34019 +++

A UMC wizard for AD Takeover should be implemented. If univention-ad-takeover needs to be adjusted for this, another bug should be cloned.
Comment 1 Arvid Requate univentionstaff 2014-03-05 17:58:22 CET
* The backend routines have been migrated to the python module in
  univention-management-console-module-adtakeover.
* Persistent state management has been implemented.
* A new state "done" has been defined, signifying that a takeover has been
  completed already before. In this case the frontend shows an initial info
  dialog before the "start" dialog can be accessed.

* A new sysvol GPO check has been implemented
* A fix for Bug 29753 has been implemented in the backend module

* Initial sanity checks for the AD server have been improved:
** Check that an AD is present at all before trying to authenticate.
   This improves the user experience by avoiding the authentication timeout.
** Check that the given AD server has a different NTDS GUID from the
   local UCS server. This blocks silly attempts to take over the local system
   and it also blocks attempts to do the same takeover again.

Advisory: 2014-03-05-univention-management-console-module-adtakeover.yaml
Comment 2 Dirk Wiesenthal univentionstaff 2014-04-02 13:32:17 CEST
A python syntax checker revealed:
UCS_License_detection.check_license: Undefined variable 'find_licenses'
UCS_License_detection.check_license: Undefined variable 'baseDN'
UCS_License_detection.check_license: Undefined variable 'choose_license'
Comment 3 Arvid Requate univentionstaff 2014-04-02 14:18:11 CEST
fixed.
Comment 4 Felix Botner univentionstaff 2014-04-08 11:43:10 CEST
Please check if the ldap base of the UCS server and the AD server is equal.

I got the following Traceback in UMC during the adtakeover against an AD with a different ldap base.

Die Ausführung des Kommandos copy_domain_data ist fehlgeschlagen:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/adtakeover/__init__.py", line 60, in _background
    result = func(self, request)
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/adtakeover/__init__.py", line 107, in copy_domain_data
    takeover.join_to_domain_and_copy_domain_data(ip, username, password, self.progress)
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/adtakeover/takeover.py", line 267, in join_to_domain_and_copy_domain_data
    takeover.post_join_tasks_and_start_samba_without_drsuapi()
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/adtakeover/takeover.py", line 920, in post_join_tasks_and_start_samba_without_drsuapi
    attrs=["objectSid"])
LdbError: (32, 'No such Base DN: DC=W2K12,DC=TEST')

UCS ldap base: DC=W2K12,DC=TEST
AD ldap base: DC=W2K3,DC=TEST
Comment 5 Arvid Requate univentionstaff 2014-04-08 17:42:56 CEST
* added a check for the LDAP base DN.
* added a check for the GPO file version against the container version
  (to detect non-copied GPOs in case only default policies were modified).
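
Added example, not part of the bug report and not code from the Univention module: a Python illustration of the comparisons named in Comment 1 and Comment 5 (LDAP base DN, NTDS GUID, GPO file version against container version). The function names, the dict layout, the GUIDs and the GPO names are constructed assumptions; the two base DNs are the ones reported in Comment 4. The GPO comparison assumes the file version is the Version key in GPT.INI and the container version is the versionNumber attribute of the GPO container.

```python
# Added illustration; not code from univention-management-console-module-adtakeover.
import configparser
import uuid


def normalize_dn(dn):
    """Split a DN on unescaped commas; compare RDNs case-insensitively."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(current)
            current = ""
        else:
            current += ch
        escaped = (ch == "\\") and not escaped
    rdns.append(current)
    return tuple(tuple(part.strip().lower() for part in rdn.partition("=")[::2])
                 for rdn in rdns)


def gpt_ini_version(text):
    """Read the Version value from the [General] section of a GPT.INI file."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser.getint("General", "Version")


def preflight(ucs, ad):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    if normalize_dn(ucs["base_dn"]) != normalize_dn(ad["base_dn"]):
        findings.append("ldap_base_mismatch")
    # Same NTDS GUID means the target is the local system or was taken over before.
    if uuid.UUID(ucs["ntds_guid"]) == uuid.UUID(ad["ntds_guid"]):
        findings.append("same_ntds_guid")
    for name, gpo in ad.get("gpos", {}).items():
        if gpt_ini_version(gpo["gpt_ini"]) != gpo["container_version"]:
            findings.append("gpo_version_mismatch:" + name)
    return findings


# Constructed sample input (GUIDs and GPO names are made up).
UCS_SAMPLE = {"base_dn": "DC=W2K12,DC=TEST",
              "ntds_guid": "11111111-2222-3333-4444-555555555555"}
AD_SAMPLE = {"base_dn": "DC=W2K3,DC=TEST",
             "ntds_guid": "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
             "gpos": {"gpo-copied": {"gpt_ini": "[General]\nVersion=5\n", "container_version": 5},
                      "gpo-stale": {"gpt_ini": "[General]\nVersion=3\n", "container_version": 5}}}
```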
Comment 6 Felix Botner univentionstaff 2014-04-10 14:29:16 CEST
AD-Takeover:

OK, tested with W2K12, W2K8, W2K8R2 (english), W2K12 (french, without windows clients) and W2K3 as AD Domain Controller. Created users/groups/policies and joined windows clients to the AD domain.

=> adtakeover

 OK - users/groups/policies are synced
 OK - create users/groups/policies with RSAT-Tools 
 OK - logon to already joined windows client (new and old users)
 OK - join of a new windows client
 OK - GPOs are applied on the windows clients

 FAIL - W2K12 (french) robocopy failed (wrong NTACLs on the default policy 
        container and no mapping for "Administrateur" in samba/adminuser to 
        override NTACLs)
        -> bug #34527

UMC:

OK - states
OK - time diff test
OK - GPO test
OK - function level test
OK - license test
OK - ldap base test
Comment 7 Stefan Gohmann univentionstaff 2014-04-22 06:47:34 CEST
http://errata.univention.de/ucs/3.2/88.html