Univention Bugzilla – Bug 35446
support ad member mode in univention-join
Last modified: 2014-08-07 17:43:47 CEST
During join, univention-join checks for member mode in the domain and activates member mode on the system (if ad/member is false) or deactivates AD member mode (if ad/member is true and the domain is not in AD member mode).
YAML: Please add a description about the change, for example:
univention-join now checks for the AD member mode during the join. If the domain is in the AD member mode, univention-join configures the local system as part of the AD domain.
Code review: OK, just a small thing: The function check_ad_member_mode() does not only check the state, it also configures the AD member mode. Maybe a different name would be better, for example check_and_configure_ad_member_mode().
The message "Not updating kerberos/adminserver" is new during the join:
Sync time done
Join Computer Account: done
Sync ldap-backup.secret: done
Check TLS connection done
Download host certificate done
Restart LDAP Server: done
Sync Kerberos settings: done
Not updating kerberos/adminserver
Configure 01univention-ldap-server-init.inst done
*** Bug 35094 has been marked as a duplicate of this bug. ***
(In reply to Stefan Gohmann from comment #2)
> YAML: Please add a description about the change, for example:
> univention-join now checks for the AD member mode during the join. If the
> domain is in the AD member mode, univention-join configures the local system
> as part of the AD domain.
> Code review: OK, just a small thing: The function check_ad_member_mode()
> does not only check the state it also configures the AD member mode. Maybe a
> different name would be better, for example
> The message "Not updating kerberos/adminserver" is new during the join:
OK, univention-join now sets kerberos/adminserver only if ! is_domain_in_admember_mode
Tests: OK (Join of backup, slave and member)
(In reply to Felix Botner from comment #4)
> OK, univention-join now sets kerberos/adminserver only if !
OK, what I meant was the redirection to the log file. But that is currently not so important.
Please remove this from univention-run-join-scripts:
51200 fbotner if [ "$samba_role" = "memberserver" ]; then
51200 fbotner     if [ -z "$DCACCOUNT" ] || [ -z "$DCPWD" ]; then
51200 fbotner         ASK_PASS=1
51200 fbotner     fi
51200 fbotner fi
At the moment UMC does not support join credentials on the master, so we can't ask for the account during univention-run-join-scripts.
OK, univention-run-join-scripts doesn't require credentials any longer in AD member mode. The only joinscript which requires credentials checks for credentials itself, and if it didn't obtain them it aborts, complaining to the corresponding log file:
INFO: Cannot run joinscript in memberserver mode without join credentials. Please run:
to complete the domain join.
The UMC module for AD member mode setup explicitly provides credentials to the script, so that's ok.