Bug 35446 - support ad member mode in univention-join
support ad member mode in univention-join
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-2-errata
Assigned To: Felix Botner
Arvid Requate
:
: 35094 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-23 11:32 CEST by Felix Botner
Modified: 2014-08-07 17:43 CEST (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2014-07-23 11:32:45 CEST
support ad member mode in univention-join
Comment 1 Felix Botner univentionstaff 2014-07-24 10:20:07 CEST
during join, univention-join checks for member mode in domain and activates member mode on the system (if ad/member is false) or deactivates ad member mode (if ad/member is true and domain ist not in ad member mode).

YAML: 2014-06-19-univention-join.yaml
Comment 2 Stefan Gohmann univentionstaff 2014-07-29 07:42:59 CEST
YAML: Please add a description about the change, for example:
 univention-join now checks for the AD member mode during the join. If the domain is in the AD member mode, univention-join configures the local system as part of the AD domain.

Code review: OK, just a small thing: The function check_ad_member_mode() does not only check the state it also configures the AD member mode. Maybe a different name would be better, for example check_and_configure_ad_member_mode().

The message "Not updating kerberos/adminserver" is new during the join:

Sync time                                                  done
Join Computer Account:                                     done
Sync ldap-backup.secret:                                   done
Check TLS connection                                       done
Download host certificate                                  done
Restart LDAP Server:                                       done
Sync Kerberos settings:                                    done
Not updating kerberos/adminserver
Configure 01univention-ldap-server-init.inst               done
Comment 3 Felix Botner univentionstaff 2014-07-29 09:23:41 CEST
*** Bug 35094 has been marked as a duplicate of this bug. ***
Comment 4 Felix Botner univentionstaff 2014-07-29 09:48:40 CEST
(In reply to Stefan Gohmann from comment #2)
> YAML: Please add a description about the change, for example:
>  univention-join now checks for the AD member mode during the join. If the
> domain is in the AD member mode, univention-join configures the local system
> as part of the AD domain.

OK 

> Code review: OK, just a small thing: The function check_ad_member_mode()
> does not only check the state it also configures the AD member mode. Maybe a
> different name would be better, for example
> check_and_configure_ad_member_mode().

OK
 
> The message "Not updating kerberos/adminserver" is new during the join:

OK, univention-join now sets kerberos/adminserver only if ! is_domain_in_admember_mode
Comment 5 Stefan Gohmann univentionstaff 2014-07-30 21:31:10 CEST
YAML: OK

Tests: OK (Join of backup, slave and member)

(In reply to Felix Botner from comment #4)
> OK, univention-join now sets kerberos/adminserver only if !
> is_domain_in_admember_mode

OK, what I meant was the redirection to the log file. But that is currently not so important.

→ Verified.
Comment 6 Felix Botner univentionstaff 2014-08-04 11:45:34 CEST
please remove this from univention-run-join-scripts

 51200    fbotner if [ "$samba_role" = "memberserver" ]; then
 51200    fbotner       if [ -z "$DCACCOUNT" ] || [ -z "$DCPWD" ]; then
 51200    fbotner               ASK_PASS=1
 51200    fbotner       fi
 51200    fbotner fi

At the moment UMC does not support join credentials on the master, so we can't ask for the account during univention-run-join-scripts.
Comment 7 Felix Botner univentionstaff 2014-08-04 11:48:45 CEST
fixed
Comment 8 Arvid Requate univentionstaff 2014-08-04 12:07:22 CEST
Ok, univention-run-join-scripts doesn't require credentials any longer in AD member mode. The only joinscript which requires credentials checks for credentials itself and if it didn't obtain them it aborts complaining to the corresponding log file:

================================================================================
RUNNING 26univention-samba.inst
INFO: Cannot run joinscript in memberserver mode without join credentials. Please run:
        univention-run-join-scripts --ask-pass
to complete the domain join.
================================================================================

The UMC module for AD member mode setup explicitly provides credentials to the script, so that's ok.

Advisory: OK.
Comment 9 Janek Walkenhorst univentionstaff 2014-08-07 17:43:47 CEST
http://errata.univention.de/ucs/3.2/161.html