Bug 35252 - UCS in Active Directory domain & Samba 4
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2-2-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on:
Blocks: 34091 35500
Reported: 2014-07-04 06:51 CEST by Stefan Gohmann
Modified: 2014-08-07 17:49 CEST (History)

Description Stefan Gohmann univentionstaff 2014-07-04 06:51:41 CEST
The join of Samba 4 should be prevented.

+++ This bug was initially created as a clone of Bug #34091 +++

It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality.

The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary, we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind.

The UCS system should be able to provide Samba shares.

Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules' property extension should be extended, for example "readonly_when_synced: True" (default: False). Furthermore, object creation via UMC should display a warning that this object will not be synchronized to AD.
Comment 1 Arvid Requate univentionstaff 2014-07-28 18:36:44 CEST
The package has been adjusted and built in scope errata3.2-2.

Advisory: 2014-07-28-univention-samba4.yaml
Comment 2 Arvid Requate univentionstaff 2014-07-28 18:43:10 CEST
Actually this comprises two changes to the joinscript:

A) abort in AD-Member mode
B) during AD-Takeover (status "start") run only up to the point where the local OpenLDAP server has been disabled on port 389 and then save the joinscript state as VERSION=1. This way it can be run again after the takeover to complete the samba4 settings while avoiding removal of /var/lib/samba/private.
Comment 3 Felix Botner univentionstaff 2014-08-01 08:38:13 CEST

31.07.14 17:29:20.582  MODULE      ( PROCESS ) : Calling joinscript 96univention-samba4.inst ...
31.07.14 17:29:21.920  MODULE      ( PROCESS ) : ERROR: The domain is in AD Member Mode, cannot join as DC.
31.07.14 17:29:21.922  MODULE      ( PROCESS ) : univention-samba4 installed
31.07.14 17:29:21.922  MODULE      ( PROCESS ) : Joinscript 96univention-samba4.inst finished with exitcode 1


31.07.14 17:29:31.950  MODULE      ( PROCESS ) : Calling joinscript 97univention-s4-connector.inst ...
31.07.14 17:29:32.536  MODULE      ( PROCESS ) : ERROR: The domain is in AD Member Mode.
31.07.14 17:29:32.537  MODULE      ( PROCESS ) : Stopping univention-s4-connector daemon.
31.07.14 17:29:32.538  MODULE      ( PROCESS ) : failed.
31.07.14 17:29:32.660  MODULE      ( PROCESS ) : Create connector/s4/autostart
31.07.14 17:29:32.660  MODULE      ( PROCESS ) : Create connector/s4/listener/disabled
31.07.14 17:29:32.693  MODULE      ( PROCESS ) : sv status returns no running listener, don't need to restart..
31.07.14 17:29:32.693  MODULE      ( PROCESS ) : Joinscript 97univention-s4-connector.inst finished with exitcode 1


-> univention-check-join-status 
Warning: 'univention-samba4' is not configured.
Warning: 'univention-s4-connector' is not configured.
Warning: 'univention-samba4-dns' is not configured.
Error: Not all install files configured: 3 missing

Comment 4 Janek Walkenhorst univentionstaff 2014-08-07 17:49:43 CEST