Comment 1 Felix Botner 2014-07-24 10:20:07 CEST

during join, univention-join checks for member mode in domain and activates member mode on the system (if ad/member is false) or deactivates ad member mode (if ad/member is true and domain ist not in ad member mode).

YAML: 2014-06-19-univention-join.yaml

Comment 2 Stefan Gohmann 2014-07-29 07:42:59 CEST

YAML: Please add a description about the change, for example:
 univention-join now checks for the AD member mode during the join. If the domain is in the AD member mode, univention-join configures the local system as part of the AD domain.

Code review: OK, just a small thing: The function check_ad_member_mode() does not only check the state it also configures the AD member mode. Maybe a different name would be better, for example check_and_configure_ad_member_mode().

The message "Not updating kerberos/adminserver" is new during the join:

Sync time                                                  done
Join Computer Account:                                     done
Sync ldap-backup.secret:                                   done
Check TLS connection                                       done
Download host certificate                                  done
Restart LDAP Server:                                       done
Sync Kerberos settings:                                    done
Not updating kerberos/adminserver
Configure 01univention-ldap-server-init.inst               done

Comment 3 Felix Botner 2014-07-29 09:23:41 CEST

*** Bug 35094 has been marked as a duplicate of this bug. ***

Comment 4 Felix Botner 2014-07-29 09:48:40 CEST

(In reply to Stefan Gohmann from comment #2)
> YAML: Please add a description about the change, for example:
>  univention-join now checks for the AD member mode during the join. If the
> domain is in the AD member mode, univention-join configures the local system
> as part of the AD domain.

OK 

> Code review: OK, just a small thing: The function check_ad_member_mode()
> does not only check the state it also configures the AD member mode. Maybe a
> different name would be better, for example
> check_and_configure_ad_member_mode().

OK
 
> The message "Not updating kerberos/adminserver" is new during the join:

OK, univention-join now sets kerberos/adminserver only if ! is_domain_in_admember_mode

Comment 5 Stefan Gohmann 2014-07-30 21:31:10 CEST

YAML: OK

Tests: OK (Join of backup, slave and member)

(In reply to Felix Botner from comment #4)
> OK, univention-join now sets kerberos/adminserver only if !
> is_domain_in_admember_mode

OK, what I meant was the redirection to the log file. But that is currently not so important.

→ Verified.

Comment 6 Felix Botner 2014-08-04 11:45:34 CEST

please remove this from univention-run-join-scripts

 51200    fbotner if [ "$samba_role" = "memberserver" ]; then
 51200    fbotner       if [ -z "$DCACCOUNT" ] || [ -z "$DCPWD" ]; then
 51200    fbotner               ASK_PASS=1
 51200    fbotner       fi
 51200    fbotner fi

At the moment UMC does not support join credentials on the master, so we can't ask for the account during univention-run-join-scripts.

Comment 7 Felix Botner 2014-08-04 11:48:45 CEST

fixed

Comment 8 Arvid Requate 2014-08-04 12:07:22 CEST

Ok, univention-run-join-scripts doesn't require credentials any longer in AD member mode. The only joinscript which requires credentials checks for credentials itself and if it didn't obtain them it aborts complaining to the corresponding log file:

================================================================================
RUNNING 26univention-samba.inst
INFO: Cannot run joinscript in memberserver mode without join credentials. Please run:
        univention-run-join-scripts --ask-pass
to complete the domain join.
================================================================================

The UMC module for AD member mode setup explicitly provides credentials to the script, so that's ok.

Advisory: OK.

Comment 9 Janek Walkenhorst 2014-08-07 17:43:47 CEST

http://errata.univention.de/ucs/3.2/161.html