Univention Bugzilla – Bug 35095
UCS in Active Directory domain - univention-samba
Last modified: 2014-08-07 17:45:05 CEST
The univention-samba changes should be checked and merged: ucs-3.2/component/ucs-in-ad-domain/univention-samba

+++ This bug was initially created as a clone of Bug #34091 +++

It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality. The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary; we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind. The UCS system should be able to provide Samba shares.

Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore the object creation via UMC should display a warning that this object will not be synchronized to AD.
Merged patches from ucs-3.2/component/ucs-in-ad-domain/univention-samba/ to ucs-3.2-2.

Also added a new package univention-samba-ad-member. This package has the exact same contents as univention-samba, but conflicts with univention-samba (univention-samba and univention-samba-ad-member cannot both be installed on the same machine). We need this package to differentiate the "AD member mode" and the normal "NT domaincontroller mode" in the appcenter.

Important UCR variables:
* samba/role - is set automatically during postinst/join (depending on ad/member); defines the samba role "domaincontroller" or "member"
* ad/member (bool) - is set by the ad member mode wizard

Modes:
* NT domaincontroller - ad/member has to be false, install univention-samba
* AD member - ad/member has to be true, install univention-samba-ad-member

Tests done so far:
* NT Mode: no samba config differences on master/slave/member between old and new univention-samba package
* NT Mode: master, slave and member with new univention-samba package, join OK, samba login OK, windows join OK
* Member Mode: master, slave and member with new univention-samba-ad-member package (and ad/member=true), join to AD OK, samba login OK, wbinfo OK

YAML: 2014-07-16-univention-samba.yaml
We need only one package, but we have to check if the postinst supports changes of ad/member (samba/role).
(In reply to Felix Botner from comment #2)
> We need only package, but we have to check the if the postinst supports
> changes of ad/member (samba/role)

done

YAML: 2014-07-16-univention-samba.yaml
Created attachment 6030 [details]
create_user_and_test_kerberos_smbclient.sh

This is a test script which creates a user in ADS, tests kinit and Kerberos write access to his home directory on the local UCS server as well as read access to the sysvol of the AD server.

Verified:
* Code review
* Functionality
* Due to Bug 35533 the "Administrateur" is not configured as "admin users" in smb.conf. But that's a general univention-samba issue.
* Advisory OK
Created attachment 6031 [details]
check_user_against_winbind_ad_and_ldap.sh

Another test to check consistency of username/SID/uidNumber resolution against IDMAP/winbind/AD/OpenLDAP in AD Member mode. This also looks good. So, verified.
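The consistency check described in this comment, as an added example that is not the attached check_user_against_winbind_ad_and_ldap.sh script: the parsing helpers take the text output of wbinfo, getent and the LDAP search as arguments, so the comparison logic can be exercised offline with constructed sample output; run_live_check wires in the real commands on a joined AD member (the command names wbinfo, getent and univention-ldapsearch, and the sample SID, user and LDAP base, are assumptions, not values from this bug).

```shell
#!/bin/sh
# Added example: cross-check that winbind (IDMAP), NSS and OpenLDAP agree on
# the uidNumber of an AD user in AD member mode. Not one of the attached
# test scripts; tool names and sample values are assumptions.

# SID from `wbinfo -n USER` output, which has the form
#   S-1-5-21-...-1105 SID_USER (1)
sid_from_wbinfo_n() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# uidNumber from a `getent passwd USER` line (third colon-separated field)
uid_from_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# uidNumber from LDIF output of an LDAP search
uid_from_ldif() {
    printf '%s\n' "$1" | sed -n 's/^uidNumber: *//p' | head -n 1
}

# Compare the uidNumbers from winbind, NSS and LDAP.
# Returns 0 when all three agree, 1 on a mismatch or a missing value.
check_uid_consistency() {
    uid_wb="$1"; uid_nss="$2"; uid_ldap="$3"
    if [ -z "$uid_wb" ] || [ -z "$uid_nss" ] || [ -z "$uid_ldap" ]; then
        echo "missing uidNumber (winbind='$uid_wb' nss='$uid_nss' ldap='$uid_ldap')" >&2
        return 1
    fi
    if [ "$uid_wb" = "$uid_nss" ] && [ "$uid_nss" = "$uid_ldap" ]; then
        return 0
    fi
    echo "MISMATCH: winbind=$uid_wb nss=$uid_nss ldap=$uid_ldap" >&2
    return 1
}

# Live check on a joined UCS AD member (assumed commands; not run offline).
run_live_check() {
    user="$1"
    sid=$(sid_from_wbinfo_n "$(wbinfo -n "$user")") || return 1
    uid_wb=$(wbinfo -S "$sid")                       # SID -> uid via IDMAP
    uid_nss=$(uid_from_passwd_line "$(getent passwd "$user")")
    uid_ldap=$(uid_from_ldif "$(univention-ldapsearch -LLL "uid=$user" uidNumber)")
    check_uid_consistency "$uid_wb" "$uid_nss" "$uid_ldap"
}

# Offline demo with constructed sample output from the three sources.
demo() {
    sample_wbinfo="S-1-5-21-1111111111-2222222222-3333333333-1105 SID_USER (1)"
    sample_passwd="testuser:*:10001:10000:Test User:/home/testuser:/bin/bash"
    sample_ldif="dn: uid=testuser,cn=users,dc=example,dc=com
uidNumber: 10001"
    echo "SID: $(sid_from_wbinfo_n "$sample_wbinfo")"
    # 10001 stands in for the `wbinfo -S` answer in this constructed sample
    check_uid_consistency "10001" \
        "$(uid_from_passwd_line "$sample_passwd")" \
        "$(uid_from_ldif "$sample_ldif")" && echo "uidNumber consistent"
}
```

Source the file and call `demo` for the offline run, or `run_live_check <username>` on a joined member; a non-zero exit with the MISMATCH line on stderr is the signal that IDMAP, NSS and the LDAP copy of the user disagree.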
Created attachment 6035 [details]
create_user_and_test_kerberos_smbclient.sh

Fixed an authentication bug and wait for the AD connector.
Created attachment 6036 [details]
check_user_against_winbind_ad_and_ldap.sh

Fixed an authentication bug and wait for the AD connector.
http://errata.univention.de/ucs/3.2/164.html