Univention Bugzilla – Bug 35981
Program to join an Ubuntu client
Last modified: 2018-05-02 15:41:43 CEST
We should create and distribute a graphical tool to join an Ubuntu client into a UCS domain. The tool should ask for the domain name and the admin credentials.
This tool should replace this documentation: http://docs.univention.de/domain-3.2.html#ext-dom-ubuntu
demanded from a customer (Ticket#2016011221000504)
Requested here: Ticket #2016053021000661
An older approach (2013) from Jan Christoph: https://github.com/jceb/ucs-domjoin
I reimplemented and improved the existing scripts in a Python tool which can be found here: https://git.knut.univention.de/rulmer/univention-domain-join
The tool is not packaged yet, so dependencies need to be installed manually via:
`DEBIAN_FRONTEND=noninteractive apt-get install -y sssd libnss-sss libpam-sss libsss-sudo auth-client-config heimdal-clients ntpdate sshpass`
The tool can then be run via: `python cli.py $MASTER_IP`
The tool has been updated to find the DC master via DNS on its own, support the GDM login manager and not offer the --force parameter. Also, first attempts with packaging for Debian have been made. See Bug #45801 for this.
Ok, basically this works. I suggest logging tracebacks and actions into a logfile. This gives people the opportunity to report meaningful information in case errors happen.
Created attachment 9321 [details] ubuntu1710_configure_systemd_resolver_and_lookup_domainctontroller_master.sh
Now for the fine tuning of the user experience: I think the goal should be that the script works in 100% of the cases we can test here. Now, with my Ubuntu 17.10 client I have the issue that I first need to configure /etc/hosts manually to make dnsdomainname return the domain I want to join. My idea of user experience would be that the new join tool should configure things as much "hands off" as possible and precisely ask the user to do things in cases where automatising things is hard (or error prone). With regard to dnsdomainname I would see two options:
A) Make the domain name an explicit mandatory argument of the script. This makes it clear to the user that this is something that (s)he has to provide. Maybe you can even ignore the output of dnsdomainname if it is not strictly required for some technical reason. Try to look up the _domaincontroller_master._tcp SRV record (as your code currently does) and if that fails, report to the user that that exact record cannot be resolved and manual DNS configuration is therefore required before running the tool again.
B) Solve the problem for the user, if a stable approach can be found for this. The attached bash script e.g. takes an IP and, similar to univention-join, asks the user for ssh credentials to look up all required information. Then it (1) configures the local DNS resolver (in the case of Ubuntu 17.10 that is systemd-resolved) and checks that the _domaincontroller_master._tcp SRV record is resolvable. (2) It optionally sets dnsdomainname by adjusting /etc/hosts; I don't know if that is required. I don't know how stable this approach is and what steps are required for other Ubuntu versions, but it seems possible from my point of view.
I've adapted the tool to address the problem mentioned in Comment #8. The tool now requires the master's IP address as a parameter. It then fetches the domain name and nameservers from the master's UCR and configures the name servers automatically. The tool will automatically detect if it has to use `systemd-resolved` or `resolvconf` to configure DNS. I've tested it for Ubuntu 14.04, 16.04, 17.10 and Kubuntu 14.04, 16.04 (doesn't work, which is expected). The only problem that occurred to me is that you will get a rather hard to understand traceback when you configured a name server (which is not the DC master) manually before using the tool. I think this is acceptable for now, because I assume this will rarely occur and because fixing this would require messing around with the Ubuntu network manager. Also, tracebacks are now logged to a log file.
Stefan Gohmann requested that the join client asks the user name of the domain administrator, which should be used for the join. Also giving the IP of the DC master must not be a requirement. Instead the user should enter the domain name and the DC master should be determined using the _domaincontroller_master._tcp.DOMAINNAME DNS entry.
(In reply to Richard Ulmer from comment #10)
> Stefan Gohmann requested that the join client asks the user name of the
> domain administrator, which should be used for the join. Also giving the IP
> of the DC master must not be a requirement. Instead the user should enter
> the domain name and the DC master should be determined using the
> _domaincontroller_master._tcp.DOMAINNAME DNS entry.
I think it should be allowed to enter the IP address _or_ the domain name.
Yes, as I recommended: it should be comparable in functionality and usage with the regular univention-join. (It doesn't need to have the exact same option names though.)
Well, in Comment #8 you suggested that the tool should work hands off in 100% of the cases. That's why I removed the automatic discovery of the DC master via _domaincontroller_master._tcp.DOMAINNAME; it required the DNS server and domain name of the client to be set correctly. I will re-introduce this feature and change it, so that it requires the domain name as a parameter now. If the tool then cannot resolve _domaincontroller_master._tcp.DOMAINNAME, it will exit and ask the user to either configure the DNS server correctly (must be the DC master) or use the tool with the master's IP instead. This way the tool can be used similarly to the join process in Windows clients. I haven't yet compared the tool to the 'regular univention-join', because I don't know where to find this tool / what it does.
The tool now takes user credentials as an input, instead of using root. Also the tool now tries to determine the domain name automatically. If that doesn't work the user can either give the domain name or the IP address of the DC master to the tool.
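How the input handling described in the last few comments can be decided, as an added example that is not the univention-domain-join project's own code: the user supplies either the DC master's IP address or the domain name; a domain name is turned into the _domaincontroller_master._tcp SRV record name and, if that does not resolve, the user gets the actionable message discussed above. The resolver is passed in as a callable so the decision logic runs offline; `fake_resolve_srv` and the helper names are assumptions.

```python
# Added example, not the join tool's code.  Decides how to locate the DC
# master from what the user typed: an IP address is used directly, a domain
# name is looked up via its _domaincontroller_master._tcp SRV record.
import ipaddress

SRV_PREFIX = "_domaincontroller_master._tcp."


class MasterLookupError(Exception):
    """Raised with a message the user can act on."""


def master_srv_name(domainname):
    """Build the SRV record name the join tool queries for DOMAINNAME."""
    return SRV_PREFIX + domainname.strip().rstrip(".") + "."


def determine_master(user_input, resolve_srv):
    """Return the DC master's IP or hostname for USER_INPUT.

    USER_INPUT is either the master's IP address or the domain name.
    RESOLVE_SRV(name) is a DNS SRV lookup callable returning the target
    hostname, or None when the record does not resolve; it is passed in so
    the decision logic can be tested without network access.
    """
    text = user_input.strip()
    if not text:
        raise MasterLookupError("enter the domain name or the IP of the DC master")
    try:
        # An IP address is accepted as-is, as the comments above allow.
        return str(ipaddress.ip_address(text))
    except ValueError:
        pass  # not an IP address, treat it as a domain name
    srv = master_srv_name(text)
    target = resolve_srv(srv)
    if not target:
        raise MasterLookupError(
            "cannot resolve %s; configure the DC master as DNS server "
            "or run the tool with the master's IP address instead" % srv)
    return target.rstrip(".")


# Constructed stub for offline use (assumption).  A real tool would query
# DNS here, e.g. with dnspython's dns.resolver.resolve(name, "SRV").
_FAKE_SRV = {"_domaincontroller_master._tcp.ucs.local.": "master.ucs.local."}


def fake_resolve_srv(name):
    return _FAKE_SRV.get(name)
```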
The tool now also got a GUI, which can be started via the start menu. It can be found in the "gui" branch and is already packaged in the "debian_packaging" branch at https://git.knut.univention.de/rulmer/univention-domain-join .
Created attachment 9346 [details] Screenshot of the GUI's main window on Ubuntu 16.04
Created attachment 9352 [details] New design After talking to the marketing team the GUI-Design has been updated.
Created attachment 9353 [details] .deb package of the base tool
Created attachment 9354 [details] .deb package of the gui (depends on the base tool)
The join client removes the Ubuntu client before joining. In addition, it works only if the client is located below cn=computers. If the client doesn't exist, it should be created below cn=computers. If it exists, it should be modified.
Currently, we have the tools univention-domain-join and univention-domain-join-gui. I think the GUI tool should be univention-domain-join and the non-GUI tool should be univention-domain-join-cli or something similar.
It looks like \n are added to the OS and OS version fields:
root@master421:~# univention-ldapsearch cn=stefan-Standard-PC-i440FX-PIIX-1996 univentionOperatingSystemVersion univentionOperatingSystem -LLL
dn: cn=stefan-Standard-PC-i440FX-PIIX-1996,cn=computers,dc=deadlock42,dc=intranet
univentionOperatingSystemVersion:: MTYuMDQK
univentionOperatingSystem:: VWJ1bnR1Cg==
root@master421:~# univention-ldapsearch cn=stefan-Standard-PC-i440FX-PIIX-1996 univentionOperatingSystemVersion univentionOperatingSystem -LLL | ldapsearch-decode64
dn: cn=stefan-Standard-PC-i440FX-PIIX-1996,cn=computers,dc=deadlock42,dc=intranet
univentionOperatingSystemVersion: 16.04
univentionOperatingSystem: Ubuntu
root@master421:~#
The newline characters are now stripped from the release name and version before writing to the LDAP. Also, the command line tool is now callable with the command univention-domain-join-cli. The GUI is callable with the command univention-domain-join (or univention-domain-join-sudo-wrapper). Existing LDAP machine objects won't be replaced anymore, but will be modified, even if they aren't located in cn=computers. The current code can now be found under the master branch at https://git.knut.univention.de/rulmer/univention-domain-join .
The GitHub repository does not include license information. Same for the source files. They are missing the usual header about the copyright and the license. Please add a LICENSE file to the project and also the copyright header to the source files.
In detail: README.md should either point to a LICENSE file or (uglier) to https://github.com/univention/univention-domain-join/blob/master/debian/copyright
Run ucs-lint on the package to check UCS policy conformance (copyright headers etc.).
I've added a LICENSE file, added a reference to it in the README.md and added license information to all files ucslint asked me to.
In git/univention-domain-join:
1b3274e20510 | Bug #35981: Fix license notes
8d6fe8d799cf | Bug #35981: Add missing license notes
While testing Bug #33214 I tested the Ubuntu join client. Some points I found:
There are errors while writing the krb5.conf; variable substitution does not work in some cases because of typos:
    '%(kerberos_realm)s = {\n' \
    '    kdc = %(master_ip)s $(ldap_master)s\n' \
    '    admin_server = %(master_ip)s %(ldap_master)s\n' \
    '    kpasswd_server = %(master_ip) %(ldap_master)s\n' \
results in the following being written into krb5.conf:
    UCS.LOCAL = {
        kdc = 10.200.29.95 $(ldap_master)s
        admin_server = 10.200.29.95 master.ucs.local
        kpasswd_server = %(ldap_master)s
==
I think the installation documentation could be improved. Currently, when installing, a debconf question about the Kerberos realm is shown. This is irrelevant and confusing for the user, as the domain join tool will overwrite these settings anyway.
I've fixed the problems mentioned in Comment #28.
ef403abb8b74 | Bug #35981: Update changelog
68c822066c8f | Bug #35981: Improve installation instructions
a2daba998cc4 | Bug #35981: Fix bug with string formatting
Reopened due to Bug(s) / Feature request(s): #46655 #46658 #46659
Regarding the "dhcp" issue reported in the forum, Eric just suggested that the /etc/nsswitch.conf line:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
needs to be adjusted to have "dns" before the "[NOTFOUND=return]". That seemed to help.
Bug #46659 is an enhancement bug and should not block the first release.
Hmm, I cannot reproduce the "dhcp" issue currently with 17.10, so I cannot confirm that the suggestion from comment 31 really helps. Anyway, I've committed some changes to the ubuntu17.10 branch and cherry-picked them to the other three:
6988926 Bug #35981: Focus password field if domain detection worked
c61303f Bug #35981: Properly handle SSH "No route to host"
fd9cd5c Bug #35981: Make log file path copyable via mouse
95effa5 Bug #46178: connect enter to join button
I didn't commit new changelog versions yet.
I've also committed this feature:
47aa10c | Adjust nsswitch.conf when joining a .local domain
I'll do QA for Bug #46737 now; after that we need to update the changelogs.
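The nsswitch.conf adjustment suggested in comment 31 and committed for .local domains, as an added example that is not the project's commit 47aa10c: it moves `dns` in front of the first `[...]` action on the `hosts:` line and leaves every other line alone. Operating on text rather than writing /etc/nsswitch.conf directly is a choice of this example; `fix_hosts_line` and `adjust_nsswitch` are assumed names.

```python
# Added example, not the join tool's code: reorder the "hosts:" entry of
# nsswitch.conf so "dns" is consulted before "[NOTFOUND=return]", and apply
# that only when the domain being joined is a .local domain.


def fix_hosts_line(line):
    """Move 'dns' in front of the first action '[...]' on a hosts: line.

    Lines that are not the hosts: entry, or where dns already precedes the
    first action (or there is no action), are returned unchanged.
    """
    key, _, rest = line.partition(":")
    if key.strip() != "hosts":
        return line
    tokens = rest.split()
    if "dns" not in tokens:
        tokens.append("dns")  # make sure DNS is consulted at all
    first_action = next(
        (i for i, t in enumerate(tokens) if t.startswith("[")), None)
    if first_action is None or tokens.index("dns") < first_action:
        return line
    tokens.remove("dns")          # dns sat after the action, so the index
    tokens.insert(first_action, "dns")  # of the action is still valid
    return "hosts: " + " ".join(tokens)


def adjust_nsswitch(text, domainname):
    """Return nsswitch.conf TEXT, adjusted only for a .local DOMAINNAME."""
    if not domainname.lower().rstrip(".").endswith(".local"):
        return text
    return "\n".join(fix_hosts_line(l) for l in text.split("\n"))


# Constructed sample of the line from comment 31 (assumption, for the demo).
SAMPLE_HOSTS_LINE = "hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4"
```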
Updates for Bug #46202, Bug #46866 and Bug #46737 are pushed to git, new source packages have been generated, signed and uploaded to launchpad. Launchpad has successfully built the packages for bionic, artful, xenial and trusty. Setting back to resolved.
OK: 18.04, 17.10, 16.04, 14.04
OK: Updates networkmanager config correctly
OK: Available via ppa
Published as version 1.0-11: https://launchpad.net/~univention-dev/+archive/ubuntu/ppa