Univention Bugzilla – Bug 35233
UCS in Active Directory domain
Last modified: 2015-04-01 13:49:27 CEST
This should be documented. +++ This bug was initially created as a clone of Bug #34091 +++ It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality. The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary; we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind. The UCS system should be able to provide Samba shares. Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM module property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore, the object creation via UMC should display a warning that this object will not be synchronized to AD.
It is now also possible to sync the password hashes, but you have to switch back from host authentication to the Administrator authentication:

    ucr set connector/ad/ldap/binddn=Administrator
    ucr set connector/ad/ldap/bindpw=/etc/univention/connector/password
    touch /etc/univention/connector/password
    chmod 700 /etc/univention/connector/password
    echo -n "Administrator password" > /etc/univention/connector/password
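The file-creation part of the procedure above, as an added example that is not part of the bug report or of UCS itself: the secret is read from stdin rather than placed on the command line (so it does not land in the process list or shell history), the restrictive mode is in place before the first byte is written instead of being applied with chmod afterwards, and a check function confirms the result. The path is an assumption; the ucr steps are unchanged and not repeated here.

```shell
#!/bin/sh
# Added example, not code from the bug report. Stores the connector bind
# password in a file with owner-only permissions, without ever exposing the
# secret as a command-line argument.
set -eu

# write_bindpw FILE
#   Reads the password from stdin, strips a trailing newline (the connector
#   expects the raw value, as the "echo -n" in the procedure above does) and
#   writes it to FILE. Returns non-zero if the directory does not exist.
write_bindpw() {
    file="$1"
    dir=$(dirname "$file")
    [ -d "$dir" ] || return 1
    # umask 077 creates the file with no group/other bits, so there is no
    # window between creation and chmod in which the secret is readable.
    ( umask 077 && : > "$file" ) || return 1
    # A plain data file needs no execute bit; 0600 is sufficient.
    chmod 600 "$file"
    tr -d '\n' > "$file"
}

# check_bindpw FILE
#   Returns 0 if FILE is non-empty and has mode 0600, non-zero otherwise.
check_bindpw() {
    file="$1"
    [ -s "$file" ] || return 1
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$mode" = "600" ]
}

# Usage (assumed path): printf '%s' "$PASSWORD" | sh this.sh /etc/univention/connector/password
if [ "$#" -ge 1 ]; then
    write_bindpw "$1" && check_bindpw "$1"
fi
```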
The chapter on services for Windows has been modified in the German version to cover the new wizard and describe the AD member mode a bit. The sections modified are 9.1 and 9.4, especially 9.4.1, 9.4.2 and 9.4.3.1. There are no screenshots yet; the XML comments indicate the locations. I hand it over for a first QA feedback before continuing with more details (and English translation). Please reopen with comments (e.g. via email or whatever). Feel free to also ask Felix when you discover doubtful statements or think that essential topics are left out.
First paragraph (in introduction): Maybe link to the App Center chapter? Strictly speaking, it is also installable on a DC Backup. You have a paragraph in 9.4.3.: "The connector can be installed with the application Active Directory Connection from the Univention App Center. Alternatively, the software package univention-ad-connector can be installed. Further information can be found in Section 5.6." This should be moved. This may be expanded until "All Active Directory and UCS servers in a connector environment must use the same time zone." Does this also hold for ad/member?

In the first paragraph, please introduce the abbreviation AD as soon as possible (and only once) - maybe use AD everywhere you also use UCS? Also add a sentence like: "It is based on the service UCS Active Directory Connector" because you reference this name later on. (It is then mentioned in the very last sentence.)

In the introduction you mention time constraints with Kerberos. I think this is a bit over the top for a brief introduction. The real use case is evaluation and preparation for AD takeover, isn't it?

The text sometimes speaks of requirements, constraints, etc. without highlighting it. E.g., "The specified Active Directory domain controller must also provide DNS services for the domain.", the whole paragraph "After setting up the operating mode as a member of the Active Directory domain ... Well Known SID (e.g. Domain Admins).", "In the case of authentication problems, the system time should always be checked first." One should <note> or <warn>.

"The final message points out that UCS systems joined previously may need to be rejoined..." -> "<warn>Other UCS systems that were previously part of this UCS domain must rejoin the domain...</warn>" (or remove, as you have a similar paragraph later on. But <warn>")

The name of the AD member mode (which is, coincidentally, "AD member") should be mentioned at the beginning, not in the middle of 9.4.2.

"In some scenarios it can nevertheless be useful to transfer the encrypted password data." -> Some applications in the App Center require this. One should add this as "e.g." or something.

Paragraph "After the initial sync, further changes are polled at a fixed interval. This value is set to five seconds and can be adjusted via the &ucsUMC; configuration module." *and following*: No, this cannot be configured anymore. I guess this is a UCR variable? Then it needs to be configured manually with ucr.

9.4.3.3. still shows an old screenshot.
Adjusted.
Okay, well documented. I have moved some paragraphs, fixed some typos, changed some <guimenu> to <mousebutton>. Let me know if you think I did something wrong. One more thing: The old wizard allowed a "Reconfiguration". This is not possible anymore. So changing the credentials for the password service is a bit of a hassle, see Bug#35608. This should be documented.
Translation and screenshots are checked in now.

> changing the credentials for the password service

Is now documented as well.
Ok, changed some names in English manual