Univention Bugzilla – Bug 35446
support ad member mode in univention-join
Last modified: 2014-08-07 17:43:47 CEST
During join, univention-join checks for member mode in domain and activates member mode on the system (if ad/member is false) or deactivates ad member mode (if ad/member is true and domain is not in ad member mode).
YAML: 2014-06-19-univention-join.yaml
YAML: Please add a description about the change, for example: univention-join now checks for the AD member mode during the join. If the domain is in the AD member mode, univention-join configures the local system as part of the AD domain.
Code review: OK, just a small thing: The function check_ad_member_mode() does not only check the state, it also configures the AD member mode. Maybe a different name would be better, for example check_and_configure_ad_member_mode().
The message "Not updating kerberos/adminserver" is new during the join:
    Sync time done
    Join Computer Account: done
    Sync ldap-backup.secret: done
    Check TLS connection done
    Download host certificate done
    Restart LDAP Server: done
    Sync Kerberos settings: done
    Not updating kerberos/adminserver
    Configure 01univention-ldap-server-init.inst done
*** Bug 35094 has been marked as a duplicate of this bug. ***
(In reply to Stefan Gohmann from comment #2)
> YAML: Please add a description about the change, for example:
> univention-join now checks for the AD member mode during the join. If the
> domain is in the AD member mode, univention-join configures the local system
> as part of the AD domain.
OK
> Code review: OK, just a small thing: The function check_ad_member_mode()
> does not only check the state it also configures the AD member mode. Maybe a
> different name would be better, for example
> check_and_configure_ad_member_mode().
OK
> The message "Not updating kerberos/adminserver" is new during the join:
OK, univention-join now sets kerberos/adminserver only if ! is_domain_in_admember_mode
YAML: OK
Tests: OK (Join of backup, slave and member)
(In reply to Felix Botner from comment #4)
> OK, univention-join now sets kerberos/adminserver only if !
> is_domain_in_admember_mode
OK, what I meant was the redirection to the log file. But that is currently not so important.
→ Verified.
Please remove this from univention-run-join-scripts:
    51200 fbotner if [ "$samba_role" = "memberserver" ]; then
    51200 fbotner     if [ -z "$DCACCOUNT" ] || [ -z "$DCPWD" ]; then
    51200 fbotner         ASK_PASS=1
    51200 fbotner     fi
    51200 fbotner fi
At the moment UMC does not support join credentials on the master, so we can't ask for the account during univention-run-join-scripts.
fixed
Ok, univention-run-join-scripts doesn't require credentials any longer in AD member mode. The only joinscript which requires credentials checks for credentials itself and if it didn't obtain them it aborts complaining to the corresponding log file:
================================================================================
RUNNING 26univention-samba.inst
INFO: Cannot run joinscript in memberserver mode without join credentials. Please run: univention-run-join-scripts --ask-pass to complete the domain join.
================================================================================
The UMC module for AD member mode setup explicitly provides credentials to the script, so that's ok.
Advisory: OK.
http://errata.univention.de/ucs/3.2/161.html