Bug 35095 - UCS in Active Directory domain - univention-samba
UCS in Active Directory domain - univention-samba
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
UCS 3.2
Other Linux
: P5 enhancement (vote)
: UCS 3.2-2-errata
Assigned To: Felix Botner
Arvid Requate
:
Depends on:
Blocks: 34091
  Show dependency treegraph
 
Reported: 2014-06-11 08:30 CEST by Stefan Gohmann
Modified: 2014-08-07 17:45 CEST (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
create_user_and_test_kerberos_smbclient.sh (1.18 KB, text/plain)
2014-07-31 12:20 CEST, Arvid Requate
Details
check_user_against_winbind_ad_and_ldap.sh (3.03 KB, text/plain)
2014-07-31 13:02 CEST, Arvid Requate
Details
create_user_and_test_kerberos_smbclient.sh (1.34 KB, text/plain)
2014-07-31 18:46 CEST, Arvid Requate
Details
check_user_against_winbind_ad_and_ldap.sh (3.06 KB, text/plain)
2014-07-31 18:47 CEST, Arvid Requate
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2014-06-11 08:30:14 CEST
The univention-samba changes should be checked and merged:
 ucs-3.2/component/ucs-in-ad-domain/univention-samba

+++ This bug was initially created as a clone of Bug #34091 +++

It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality.

The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary, we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind.

The UCS system should able to provide Samba shares.

Synchronized objects should be marked as synced (objectsuniventionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore the object creation via UMC should display a warning that this object will not synchronized to AD.
Comment 1 Felix Botner univentionstaff 2014-07-16 16:24:24 CEST
Merged patches from ucs-3.2/component/ucs-in-ad-domain/univention-samba/ to ucs-3.2-2.

Also added a new package univention-samba-ad-member. This package has the exact same contents as univention-samba, but conflicts with univention-samba (univention-samba and univention-samba-ad-member can not both installed on same machine). We need this package to differentiate the "AD member mode" and normal "NT domaincontroller mode" in the appcenter.

Import UCR variables:

 samba/role - is set automatically during postinst/join (depending on ad/member)
              defines the samba role "domaincontroller" or "member"

 ad/member (bool) - is set by the ad member mode wizard

Modes:

NT domaincontroller - ad/member has to be false, install univention-samba 
AD member - ad/member has to be true, install univention-samba-ad-member

Test done so far:

 * NT Mode: no samba config differences on master/slave/member between old
            and new univention-samba package
 * NT Mode: master, slave and member with new univention-samba package,
            join OK, samba login OK, windows join OK
 * Member Mode: master, slave and member with new univention-samba-ad-member
                package (and ad/member=true), join to AD OK, samba login OK
                wbinfo OK

YAML: 2014-07-16-univention-samba.yaml
Comment 2 Felix Botner univentionstaff 2014-07-22 16:47:31 CEST
We need only package, but we have to check the if the postinst supports changes of ad/member (samba/role)
Comment 3 Felix Botner univentionstaff 2014-07-24 10:21:51 CEST
(In reply to Felix Botner from comment #2)
> We need only package, but we have to check the if the postinst supports
> changes of ad/member (samba/role)

done

YAML: 2014-07-16-univention-samba.yaml
Comment 4 Arvid Requate univentionstaff 2014-07-31 12:20:25 CEST
Created attachment 6030 [details]
create_user_and_test_kerberos_smbclient.sh

This is a testscript which creates a user in ADS, tests kinit and kerberos write access to his home directory on the local UCS server as well as read access to the sysvol of the AD server.

Verified:
* Code review
* Functionality
* Due to Bug 35533 the "Administrateur" is not configured as "admin users" in smb.conf. But that's a general univention-samba issue.
* Advisory Ok
Comment 5 Arvid Requate univentionstaff 2014-07-31 13:02:27 CEST
Created attachment 6031 [details]
check_user_against_winbind_ad_and_ldap.sh

Another test to check consitency of username/SID/uidNumber resolution against IDMAP/winbind/AD/OpenLDAP in AD Member mode.

This also looks good. So, verified.
Comment 6 Arvid Requate univentionstaff 2014-07-31 18:46:45 CEST
Created attachment 6035 [details]
create_user_and_test_kerberos_smbclient.sh

Fixed an authentication bug and wait for ad connector.
Comment 7 Arvid Requate univentionstaff 2014-07-31 18:47:45 CEST
Created attachment 6036 [details]
check_user_against_winbind_ad_and_ldap.sh

Fixed an authentication bug and wait for ad connector.
Comment 8 Janek Walkenhorst univentionstaff 2014-08-07 17:45:05 CEST
http://errata.univention.de/ucs/3.2/164.html