From 52acb1c900e9ab05a23f103247a1c1e0996067ee Mon Sep 17 00:00:00 2001 Message-Id: From: Philipp Hahn Date: Thu, 12 Dec 2013 09:13:25 +0100 Subject: [PATCH 00/22] *** SUBJECT HERE *** Organization: Univention GmbH, Bremen, Germany *** BLURB HERE *** Philipp Hahn (22): Bug #31926: join: Timeout SSL download Bug #33727: join: Fix indirect variable Bug #28562: join: Fix UDM search failure detection Bug #28562: join: Register all interfaces Bug #28562: join: Fix output width Bug #28562: join: Fix version comparison Bug #28562: join: Refacture cache invalidation Bug #28562: join: Refacture common secret code Bug #28562: join: Refacture join script code Bug #28562: join: Refacture listener reset Bug #28562: join: Refacture SSL CA copying Bug #28562: join: Refacture LDAP stop code Bug #28562: join: Refacture Kerberos sync Bug #28562: join: Refacture DNS SRV lookup Bug #28562: join: Refacture join script calling code Bug #28562: join: Harmonize UDM calling code Bug #28562: join: Simplify to "ucr get" Bug #28562: join: Use exit status directly Bug #28562: join: Remove upper-case DN handling Bug #28562: join: Cleanup redundant UCR set Bug #28562: join: Remove password from commandline Bug #28562: join: Misc cleanups .../management/univention-join/univention-join | 589 +++++++++------------ .../univention-join/univention-run-join-scripts | 15 +- .../univention-join/univention-server-join | 116 ++-- 3 files changed, 312 insertions(+), 408 deletions(-) -- 1.8.4.rc3 From ba14c128123ca2191ebdda80b32e69c2a90c367f Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: 
From: Philipp Hahn Date: Wed, 11 Dec 2013 19:29:24 +0100 Subject: [PATCH 01/22] Bug #31926: join: Timeout SSL download Organization: Univention GmbH, Bremen, Germany Limit SSL host certificate download to 5 minutes. If no certificates exists, something is very wrong with the listener and/or replication schema. --- .../management/univention-join/univention-join | 24 ++++++++++------------ 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index 203c31f..967bce0 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -121,20 +121,27 @@ download_host_certificate () { echo -n "Download host certificate " local HOSTPWD="/etc/machine.secret" local HOSTACCOUNT="$hostname\$" - while true + local i delay=20 + for ((i=0;i<300;i+=delay)) # max 5 minutes do univention-scp "$HOSTPWD" -q -r \ "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" \ "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" \ /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 - [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ] && break + if [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ] + then + echo -e "\033[60Gdone" + return + fi echo -n "." - sleep 20 + sleep $delay done - echo -e "\033[60Gdone" + echo "failed" + failed_message "failed to get host certificate" } + check_ldap_tls_connection () { echo -n "Check TLS connection " 
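Review bot: The success test on the new `if [ -d "/etc/univention/ssl/$hostname" ] && [ -d ".../$hostname.$domainname" ]` line only checks that both directories exist, and `scp -r` typically creates the target directory before it has copied the files inside, so an interrupted or partially failed transfer can pass the check and the function returns "done" with an incomplete certificate directory. The exit status of `univention-scp` is discarded on every iteration. Consider requiring the copy to succeed before trusting the directories, e.g. `univention-scp ... >>/var/log/univention/join.log 2>&1 && [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ]`, or test for the specific certificate and key files the CA writes there instead of the directory alone. `sleep $delay` should also be quoted (`sleep "$delay"`) like every other expansion in this function.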
@@ -668,11 +675,6 @@ if [ "$server_role" = "domaincontroller_backup" ]; then download_host_certificate - if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then - echo "failed to get host certificate" - failed_message "failed to get host certificate" - fi - echo -n "Sync SSL settings: " eval "$(univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/common ssl/email)" univention-config-registry set \ @@ -752,10 +754,6 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then download_host_certificate - if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then - failed_message "failed to get host certificate" - fi - echo -n "Restart LDAP Server: " /etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1 echo -e "\033[60Gdone" -- 1.8.4.rc3 From fc2311eb89a18cb0b61c07afa982803016399383 Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 19:35:08 +0100 Subject: [PATCH 02/22] Bug #33727: join: Fix indirect variable Organization: Univention GmbH, Bremen, Germany The name of the variable is built dynamically, which can not be resolved in one step using bash. Calculate the variable name first and then de-reference it using the bash indirect variable reference feature. (`eval` would have required adding one additional round of quotes.) --- .../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 5 +++-- .../ucs-3.2-0/management/univention-join/univention-server-join | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index 967bce0..27e13c3 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
+++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -873,8 +873,9 @@ if [ -d /etc/runit/univention-directory-listener ]; then /etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1 fi -if [ "$interfaces_${interfaces_primary:-eth0}_type" != "dhcp" ]; then - univention-config-registry commit /etc/resolv.conf >>/var/log/univention/join.log 2>&1 +varname="interfaces_${interfaces_primary:-eth0}_type" +if [ "${!varname}" != "dhcp" ]; then + univention-config-registry commit /etc/resolv.conf >>"$LOGFILE" 2>&1 fi exit 0 diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join index 2af2c1e..89a0b6e 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join @@ -316,7 +316,8 @@ if [ -n "$IP" ]; then subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)" else # Fallback - subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$interfaces_${interfaces_primary:-eth0}_netmask" --output reverse --calcdns)" + varname="interfaces_${interfaces_primary:-eth0}_netmask" + subnet="$(univention-ipcalc6 --ip "$IP" --netmask "${!varname}" --output reverse --calcdns)" fi log 0 " Calculated subnet = $subnet" -- 1.8.4.rc3 From fadcb91d788dd8d68b4da213eb4c19c54f125a51 Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: 
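Review bot: The changed `univention-config-registry commit /etc/resolv.conf >>"$LOGFILE" 2>&1` line references `$LOGFILE`, but that variable is only introduced by patch 05 of this series; at this commit it is unset, the redirection to an empty path fails and bash skips the command, so the resolv.conf commit never runs when bisecting to this patch. Either keep `>>/var/log/univention/join.log` here and let patch 05 convert it, or reorder the series so the `LOGFILE` definition lands first. The indirect expansion itself (`varname="interfaces_${interfaces_primary:-eth0}_type"` followed by `"${!varname}"`) is the right bash idiom; note that an unset `interfaces_<name>_type` expands to an empty string, which is treated as "not dhcp" and therefore commits resolv.conf — probably intended, but worth a one-line comment.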
From: Philipp Hahn Date: Wed, 11 Dec 2013 19:41:56 +0100 Subject: [PATCH 03/22] Bug #28562: join: Fix UDM search failure detection Organization: Univention GmbH, Bremen, Germany From man bash: > The return status of a pipeline is the exit status of the last > command, unless the pipefail option is enabled. Do that to detect a search failure. --- .../ucs-3.2-0/management/univention-join/univention-server-join | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join index 89a0b6e..72417ee 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join @@ -209,8 +209,8 @@ create_entry () { local group="$5" log 0 "Join $desc" - old_dn="$(univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" | sed -ne "s|^DN: ||p")" - if [ $? -gt 0 ]; then + if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" | sed -ne "s|^DN: ||p")" + then log 1 "E: failed search $desc [$old_dn]" exit 1 fi -- 1.8.4.rc3 From 824ef5e80e81a068752d47230f668b6097437d2d Mon Sep 17 00:00:00 2001 Message-Id: <824ef5e80e81a068752d47230f668b6097437d2d.1386836005.git.hahn@univention.de> In-Reply-To: References: 
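Review bot: With `pipefail` the new `if ! old_dn="$(set -o pipefail ; ...)"` now catches a failing search, but the success path still accepts a result with more than one `DN:` line — the filter `name="$NEWHOSTNAME"` is built from a value supplied by the joining host and appears to be passed through as an LDAP filter without escaping metacharacters such as `*`, so a match on several objects would put a multi-line value into `old_dn` and the later `modify --dn "$old_dn"` would operate on a garbled DN. Add a uniqueness check right after the search, e.g. `case "$old_dn" in *$'\n'*) log 1 "E: ambiguous search $desc [$old_dn]"; exit 1;; esac`, and consider escaping the filter value. With `pipefail` a failing `sed` is now also reported as "failed search", which is acceptable but changes what the message means. `create_entry` starts before and continues after this hunk.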
From: Philipp Hahn Date: Wed, 11 Dec 2013 19:39:45 +0100 Subject: [PATCH 04/22] Bug #28562: join: Register all interfaces Organization: Univention GmbH, Bremen, Germany Register all MAC and IP addresses on domain-join. DNS entries are added for all IP addresses in the forward and reverse DNS zone. Unused code for handling the DHCP entries is removed completely. --- .../management/univention-join/univention-join | 24 ++---- .../univention-join/univention-server-join | 97 +++++++++------------- 2 files changed, 49 insertions(+), 72 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index 27e13c3..418171c 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -487,21 +487,15 @@ else args+=(-binddn "$binddn") fi -# TODO: Support multiple network interfaces -# Search for the standard IP: -IP="$(get_default_ip_address)" -if [ -n "$IP" ]; then - args+=(-ip "$IP") - if [ "${master_version:0:1}" -ge 3 ]; then - NETMASK="$(get_default_netmask)" - # Since UCS 3.0 it is possible to append the netmask - args+=(-netmask "$NETMASK") - fi -fi -mac_addr="$(LC_ALL=C ip link show | sed -rne 's|.*link/ether ([0-9a-fA-F:]+) brd .*|\1|p' | head -n1)" -if [ -n "$mac_addr" ]; then - args+=(-mac "$mac_addr") -fi +for ip in $(ip addr show scope global | sed -rne '/\/s|.*\.*|\1|p') +do + args+=(-ip "$ip") +done +for iface in /sys/class/net/* +do + [ -L "${iface}/device" ] || continue + args+=(-mac "$(cat "${iface}/address")") +done # invalidate the nscd hosts cache # https://forge.univention.org/bugzilla/show_bug.cgi?id=30886 diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join index 72417ee..4c44087 100755 
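Review bot: The `sed` expression on the new `for ip in $(ip addr show scope global | sed -rne ...)` line reads as `'/\/s|.*\.*|\1|p'` here, which is not a usable address extractor (no capture group survives for the `\1`); this is probably a rendering artefact of the patch, but the intended regex should be confirmed to match both `inet` and `inet6` lines and to emit `address/prefix`, since `univention-server-join` later strips the prefix with `${ip%/*}`. Selecting every global-scope address also sweeps in IPv6 temporary (privacy) and deprecated addresses, which would create DNS records that go stale as those addresses rotate; if the target release's `ip` supports it, restrict the listing (e.g. `-temporary -deprecated`) or filter the `inet6` lines. The MAC loop's `[ -L "${iface}/device" ] || continue` guard is a reasonable way to skip virtual interfaces and deserves a one-line comment saying so.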
--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join @@ -94,7 +94,8 @@ log() { fi } -MAC="" +MAC=() +IP=() BINDDN="" BINDPWFILE="" DOMAINNAME="" @@ -117,7 +118,7 @@ do shift 2 || exit 2 ;; "-ip") - IP="${2:?missing IP address}" + IP+=("${2:?missing IP address}") shift 2 || exit 2 ;; "-netmask") @@ -129,7 +130,7 @@ do shift 2 || exit 2 ;; "-mac") - MAC="${2:?missing ethernet MAC address}" + MAC+=("${2:?missing ethernet MAC address}") shift 2 || exit 2 ;; "-bindaccount") @@ -208,6 +209,7 @@ create_entry () { local primaryGroup="$4" local group="$5" log 0 "Join $desc" + local mac ip if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" | sed -ne "s|^DN: ||p")" then 
@@ -215,32 +217,44 @@ create_entry () { exit 1 fi - args=() + declare -a args=() + + for mac in "${MAC[@]}" + do + args+=(--set mac="$MAC") + done + + for ip in "${IP[@]}" + do + args+=(--set ip="${ip%/*}") + done + + # DNS + if [ -n "$IP" ] + then + forwardZone="$(univention-directory-manager dns/forward_zone list \ + --filter zone="$DOMAINNAME" \ + "${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')" + log 0 " forwardZone $forwardZone" + fi + for addr in "${IP[@]}" + do + local ip="${addr%/*}" prefix="${addr#*/}" + : "${prefix:=NETMASK}" + : "${prefix:=$(. /usr/share/univention-lib/base.sh && get_default_netmask)}" + local subnet="$(univention-ipcalc6 --ip "$ip" --netmask "$prefix" --calcdns --output reverse)" + local reverseZone="$(univention-directory-manager dns/reverse_zone list \ + --filter subnet="$subnet" \ + "${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')" + log 0 " reverseZone $reverseZone" + # UDM BUG: multiple --set don't work; --apend only prints a warning for modify; ignore old entries for now + [ -n "$reverseZone" ] && args+=(--append dnsEntryZoneReverse="$reverseZone $ip") + [ -n "$forwardZone" ] && args+=(--append dnsEntryZoneForward="$forwardZone $ip") + done + if [ -z "$old_dn" ]; then log 0 " Create new $desc " - if [ -n "$IP" ]; then - args+=(--set ip="$IP") - # DNS - if [ -n "$forwardZone" ]; then - args+=(--set dnsEntryZoneForward="$forwardZone") - if [ -n "$reverseZone" ]; then - args+=(--set dnsEntryZoneReverse="$reverseZone") - fi - fi - fi - if [ -n "$MAC" ]; then - args+=(--set mac="$MAC") - fi - # DHCP - case "$module" in - computers/managedclient|computers/mobileclient) - if [ -n "$dhcpEntry" ] && [ -n "$IP" ] && [ -n "$MAC" ]; then - args+=(--set dhcpEntryZone="$dhcpEntry $IP $MAC") - fi - ;; - esac - cmd=(univention-directory-manager "$module" create \ --position "$position" \ --set name="$NEWHOSTNAME" \ 
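Review bot: In the new MAC loop `args+=(--set mac="$MAC")` expands the array head `${MAC[0]}`, not the loop variable, so every iteration registers the first MAC address and the additional ones are silently dropped; it must be `"$mac"`. The prefix derivation on the `local ip="${addr%/*}" prefix="${addr#*/}"` line is also wrong for an address given without a `/`: `${addr#*/}` then returns the whole address, so neither fallback ever triggers, and the first fallback `: "${prefix:=NETMASK}"` assigns the literal string `NETMASK` because the `$` is missing. The comment above the `--append` lines has `--apend` for `--append`. `create_entry` starts before and continues after this hunk.
```shell
	for mac in "${MAC[@]}"
	do
		args+=(--set mac="$mac")
	done
	# … unchanged: ip loop and forwardZone lookup …
	for addr in "${IP[@]}"
	do
		# split "address/prefix"; an address without "/" gets no prefix here
		local ip="${addr%/*}" prefix=""
		[ "$addr" != "$ip" ] && prefix="${addr#*/}"
		: "${prefix:=$NETMASK}"
		: "${prefix:=$(. /usr/share/univention-lib/base.sh && get_default_netmask)}"
		# … unchanged: subnet / reverseZone lookup and --append lines …
	done
```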
@@ -283,12 +297,6 @@ create_entry () { else log 0 "Modify $desc [$old_dn]" - if [ -n "$MAC" ]; then - args+=(--set mac="$MAC") - fi - if [ -n "$IP" ]; then - args+=(--set ip="$IP") - fi rc="$(univention-directory-manager "$module" modify \ --dn "$old_dn" \ --set password="$computerPassword" \ @@ -311,31 +319,6 @@ create_entry () { fi } -if [ -n "$IP" ]; then - if [ -n "$NETMASK" ]; then - subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)" - else - # Fallback - varname="interfaces_${interfaces_primary:-eth0}_netmask" - subnet="$(univention-ipcalc6 --ip "$IP" --netmask "${!varname}" --output reverse --calcdns)" - fi - log 0 " Calculated subnet = $subnet" - - forwardZone="$(univention-directory-manager dns/forward_zone list \ - --filter zone="$DOMAINNAME" \ - "${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')" - reverseZone="$(univention-directory-manager dns/reverse_zone list \ - --filter subnet="$subnet" \ - "${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')" - dhcpEntry="$(univention-directory-manager dhcp/service list \ - --filter name="$DOMAINNAME" \ - "${ADMINOPTIONS[@]}" | sed -ne 's/^DN: //p')" - - log 0 " forwardZone $forwardZone" - log 0 " reverseZone $reverseZone" - log 0 " dhcpEntry $dhcpEntry" -fi - computerPassword="$(create_machine_password)" case "$ROLE" in -- 1.8.4.rc3 From bfa8274683e55dd8afde9c29e56b055087c5a178 Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 19:24:06 +0100 Subject: [PATCH 05/22] Bug #28562: join: Fix output width Organization: Univention GmbH, Bremen, Germany Declare log file name as global constant. Extend width to 80 columns to better handle long join script names.. Right-align done and failure messages to column 80. Add time stamp to log messages. --- .../management/univention-join/univention-join | 127 +++++++++++---------- .../univention-join/univention-run-join-scripts | 15 ++- 2 files changed, 78 insertions(+), 64 deletions(-) 
diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index 418171c..a7ebb09 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -45,14 +45,23 @@ DCPWD="$USERTMP/dcpwd" VERSION_CHECK=true VERBOSE=false +LOGFILE="/var/log/univention/join.log" +log () { + echo "$(LC_ALL=C date): $*" >>"$LOGFILE" +} +echo_right () { + local text="$*" + echo -e "\033[$((${COLUMNS:-80}-${#text}))G${text}" +} + trapOnExit() { rm -rf "$USERTMP" if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then if [ -n "$old_listener_debug_level" ]; then - ucr set listener/debug/level="$old_listener_debug_level" >>/var/log/univention/join.log 2>&1 + ucr set listener/debug/level="$old_listener_debug_level" >>"$LOGFILE" 2>&1 fi fi - echo "$(LC_ALL=C date): finish $0" >>/var/log/univention/join.log 2>&1 + log "finish $0" } trap trapOnExit EXIT @@ -72,7 +81,7 @@ display_help() { -realm : Kerberos realm, e.g. TEST.LOCAL -windom : Name of the windows (samba) domain -disableVersionCheck Disable version check against _dcname_ - -verbose Enable verbose logging (/var/log/univention/join.log) + -verbose Enable verbose logging ($LOGFILE) -h | --help | -?: Print this usage message and exit program --version: Print version information and exit program 
@@ -127,17 +136,17 @@ download_host_certificate () { univention-scp "$HOSTPWD" -q -r \ "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" \ "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" \ - /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 + /etc/univention/ssl/ >>"$LOGFILE" 2>&1 if [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ] then - echo -e "\033[60Gdone" + echo_right "done" return fi echo -n "." sleep $delay done - echo "failed" + echo_right "failed" failed_message "failed to get host certificate" } @@ -152,7 +161,7 @@ check_ldap_tls_connection () { failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN." fi - echo -e "\033[60Gdone" + echo_right "done" } run_join_scripts () { @@ -163,17 +172,17 @@ run_join_scripts () { test -e "$i" || continue echo -n "Configure $(basename "$i") " [ -n "$SIMPLEGUI" ] && echo - echo "Configure $(basename "$i") $(LC_ALL=C date)" >>/var/log/univention/join.log + log "Configure $(basename "$i")" bashVerbose="" if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then bashVerbose="bash -x" fi - $bashVerbose "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1 + $bashVerbose "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1 if [ $? -ne 0 ]; then - echo -e "\033[60Gfailed" + echo_right "failed" failed_message "FAILED: $(basename "$i")" else - echo -e "\033[60Gdone" + echo_right "done" delete_unjoinscript "$(basename "$i")" fi if [ "$server_role" = "domaincontroller_slave" -o "$server_role" = "domaincontroller_backup" ]; then @@ -216,7 +225,7 @@ run_join_scripts () { } # log univention-join call -echo "$(LC_ALL=C date): starting $0 $*" >>/var/log/univention/join.log 2>&1 +log "starting $0 $*" while [ $# -gt 0 ] do 
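Review bot: The changed `$bashVerbose "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1` line in `run_join_scripts` hands the DC password to every join script as a command-line argument, where it is readable by all local users through `ps` and `/proc/*/cmdline` for as long as the script runs; the commit only changes the log path on this line. Prefer passing the path of the password file (the file in `$DCPWD` already exists for that purpose) if the join scripts can read one, and keep the `--bindpwd` form only as a fallback. Patch 21 of this series, judging by its title, may address exactly this; a cross-reference in the commit message would help. The new `log "starting $0 $*"` line in the last hunk writes every argument of the invocation to the log, so any secret-carrying option is recorded there as well.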
@@ -280,14 +289,14 @@ done # verbose logging for univention-join and listener if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then - exec 2>>/var/log/univention/join.log + exec 2>>"$LOGFILE" set -x if [ -n "$listener_debug_level" ]; then old_listener_debug_level="$listener_debug_level" else old_listener_debug_level="2" fi - ucr set listener/debug/level=4 >>/var/log/univention/join.log 2>&1 + ucr set listener/debug/level=4 >&2 listener_debug_level=4 fi @@ -325,13 +334,13 @@ if [ -z "$DCNAME" ]; then echo -n "Search DC Master: " DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" if [ -n "$DCNAME" ]; then - echo -e "\033[60Gdone" + echo_right "done" else for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do if [ -z "$i" ]; then continue; fi DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" if [ -n "$DCNAME" ]; then - echo -e "\033[60Gdone" + echo_right "done" echo "domain $domainname" >/etc/resolv.conf echo "nameserver $i" >>/etc/resolv.conf test -x /etc/init.d/nscd && /etc/init.d/nscd restart >>/var/log/univention/join.log 2>&1 @@ -352,7 +361,7 @@ if ! ping -c 1 "$DCNAME" >/dev/null 2>&1 && ! ping6 -c 1 "$DCNAME" >/dev/null 2> failed_message "ping to $DCNAME failed" fi -if ! univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" echo ssh-check 2>>/var/log/univention/join.log | grep -qs ssh-check +if ! univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" echo ssh-check 2>>"$LOGFILE" | grep -qs ssh-check then failed_message "ssh-login for ${DCACCOUNT}@${DCNAME} failed. Maybe you entered a wrong password." fi @@ -380,7 +389,7 @@ done IFS=$OLDIFS # check join constraints -echo "running version check" >>/var/log/univention/join.log +log "running version check" mystatus="no" if [ -n "$master_version" -a -n "$master_patchlevel" ]; then 
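Review bot: After the new `exec 2>>"$LOGFILE"` followed by `set -x`, the xtrace of every later command is appended to the join log, and bash prints traced commands with their expansions applied — so the line that expands `$(<"$DCPWD")` into a `--bindpwd` argument writes the DC password into `/var/log/univention/join.log` in plain text whenever `-verbose` is used. Wrap the secret-handling calls in `set +x` / `set -x`, and state on the `-verbose` help text that the log may contain sensitive data. The `ucr set listener/debug/level=4 >&2` change is fine because stderr now is the log file; a short comment saying so would save the next reader the look-up.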
@@ -395,28 +404,28 @@ if [ "no" = "$mystatus" ]; then if $VERSION_CHECK; then failed_message "$vmsg" else - echo "$vmsg Continuing anyway as requested with option (-disableVersionCheck)." >>/var/log/univention/join.log + log "$vmsg Continuing anyway as requested with option (-disableVersionCheck)." fi else - echo "OK: UCS version on ${DCNAME} is higher or equal ($vmaster) to the local version ($vmyself)." >>/var/log/univention/join.log + log "OK: UCS version on ${DCNAME} is higher or equal ($vmaster) to the local version ($vmyself)." fi -echo -e "\033[60Gdone" +echo_right "done" if [ -x /etc/init.d/slapd ]; then echo -n "Stop LDAP Server: " - /etc/init.d/slapd stop >>/var/log/univention/join.log 2>&1 - echo -e "\033[60Gdone" + /etc/init.d/slapd stop >>"$LOGFILE" 2>&1 + echo_right "done" fi if [ -x /etc/init.d/samba4 ]; then echo -n "Stop Samba 4 Server: " if [ "$dns_backend" = "samba4" ]; then - ucr set dns/backend=ldap >>/var/log/univention/join.log 2>&1 - /etc/init.d/bind9 restart >>/var/log/univention/join.log 2>&1 + ucr set dns/backend=ldap >>"$LOGFILE" 2>&1 + /etc/init.d/bind9 restart >>"$LOGFILE" 2>&1 fi - /etc/init.d/samba4 stop >>/var/log/univention/join.log 2>&1 - echo -e "\033[60Gdone" + /etc/init.d/samba4 stop >>"$LOGFILE" 2>&1 + echo_right "done" fi if [ -z "$LDAPBASE" ]; then @@ -428,15 +437,15 @@ fi if [ -n "$ldap_base" ]; then univention-config-registry set ldap/base="$ldap_base" >/dev/null 2>&1 - echo -e "\033[60Gdone" + echo_right "done" else failed_message "Failed to determine ldap/base." fi if [ -x /etc/init.d/slapd ]; then echo -n "Start LDAP Server: " - /etc/init.d/slapd start >>/var/log/univention/join.log 2>&1 - echo -e "\033[60Gdone" + /etc/init.d/slapd start >>"$LOGFILE" 2>&1 + echo_right "done" fi echo -n "Search LDAP binddn " 
@@ -460,7 +469,7 @@ fi if [ -z "$binddn" ]; then failed_message "binddn for user $DCACCOUNT not found. " else - echo -e "\033[60Gdone" + echo_right "done" fi if [ $server_role != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ]; then @@ -470,7 +479,7 @@ fi if [ -x /usr/bin/rdate ]; then echo -n "Sync time " /usr/bin/rdate "$DCNAME" >/dev/null 2>&1 - echo -e "\033[60Gdone" + echo_right "done" fi args=() @@ -506,15 +515,15 @@ args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname") # Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ 'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \ - "$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>/var/log/univention/join.log + "$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>"$LOGFILE" res_message="$(sed -n '/^E:/ { s/^E:\s*// p }' "$USERTMP/log")" if [ -z "$res_message" ]; then - echo -e "\033[60Gdone" + echo_right "done" fi if [ -s "$USERTMP/log" ] then - echo "Join result = [$(<"$USERTMP/log")]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>/var/log/univention/join.log + echo "Join result = [$(<"$USERTMP/log")]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>"$LOGFILE" #try to get password kpwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")" @@ -540,7 +549,7 @@ then ldap_dn="$(sed -ne 's|^ldap_dn="\(.*\)" *|\1|p' <"$USERTMP/log")" if [ -n "$ldap_dn" ]; then - univention-config-registry set ldap/hostdn="$ldap_dn" >>/var/log/univention/join.log 2>&1 + univention-config-registry set ldap/hostdn="$ldap_dn" >>"$LOGFILE" 2>&1 else failed_message "No LDAP Host DN returned" fi 
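Review bot: The `| tee "$USERTMP/log" >>"$LOGFILE"` on the changed line appends the raw output of `univention-server-join` to the join log, and a few lines later the script extracts a `KerberosPasswd="..."` line from that same output — so the machine password is written to `/var/log/univention/join.log` unredacted, and the `sed -e 's/KerberosPasswd="[^"]*"//'` applied to the `Join result = [...]` line only cleans the second copy. Either drop the `>>"$LOGFILE"` on the tee (the redacted copy is already appended just below) or filter it, e.g. `| tee "$USERTMP/log" | sed -e 's/KerberosPasswd="[^"]*"/KerberosPasswd="***"/' >>"$LOGFILE"`. The `rdate "$DCNAME"` in the previous hunk is an unauthenticated time sync; a comment noting that it runs before Kerberos is usable, and is therefore acceptable here, would document the trade-off.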
@@ -602,13 +611,13 @@ set_kerberos_realm () { local DCNAME="$3" local realm="$4" if [ -z "$realm" ]; then - realm="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" '/usr/sbin/univention-config-registry get kerberos/realm')" >>/var/log/univention/join.log 2>&1 + realm="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" '/usr/sbin/univention-config-registry get kerberos/realm')" >>"$LOGFILE" 2>&1 if [ $? != 0 -o -z "$realm" ]; then echo "Unable to retrieve the kerberos realm. Try to use option -realm " exit 1 fi fi - univention-config-registry set kerberos/realm="$realm" >>/var/log/univention/join.log 2>&1 + univention-config-registry set kerberos/realm="$realm" >>"$LOGFILE" 2>&1 } set_windows_domain () { @@ -619,13 +628,13 @@ set_windows_domain () { local windom="$4" if [ -z "$windom" ]; then - windom="$(univention-ssh "$dcpwd" "${dcaccount}@${dcname}" '/usr/sbin/univention-config-registry get windows/domain')" >>/var/log/univention/join.log 2>&1 + windom="$(univention-ssh "$dcpwd" "${dcaccount}@${dcname}" '/usr/sbin/univention-config-registry get windows/domain')" >>"$LOGFILE" 2>&1 if [ $? != 0 -o -z "$windom" ]; then echo "Unable to retrieve the windows/domain. Try to use option -windom " exit 1 fi fi - univention-config-registry set windows/domain="$windom" >>/var/log/univention/join.log 2>&1 + univention-config-registry set windows/domain="$windom" >>"$LOGFILE" 2>&1 } if [ "$server_role" = "domaincontroller_backup" ]; then 
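Review bot: On the changed `realm="$(univention-ssh ...)" >>"$LOGFILE" 2>&1` line (and its twin in `set_windows_domain`) the redirection is attached to a bare variable assignment, so it applies to no command at all: the ssh call inside `$(...)` still writes its stderr to the script's stderr and nothing reaches the log unless `-verbose` already redirected stderr. Move the redirection inside the substitution, `realm="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" '/usr/sbin/univention-config-registry get kerberos/realm' 2>>"$LOGFILE")"`, which also keeps the `$?` test on the following line meaningful. Both functions report failure with a plain `echo` plus `exit 1` while the rest of the script uses `failed_message`; aligning them would keep the exit path and its log entry consistent.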
@@ -638,14 +647,14 @@ if [ "$server_role" = "domaincontroller_backup" ]; then if [ ! -e "/etc/ldap.secret" ]; then failed_message "/etc/ldap.secret not found" fi - echo -e "\033[60Gdone" + echo_right "done" echo -n "Sync ldap-backup.secret: " univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1 if [ ! -e "/etc/ldap-backup.secret" ]; then failed_message "/etc/ldap-backup.secret not found" fi - echo -e "\033[60Gdone" + echo_right "done" univention-config-registry set \ ldap/server/name="$hostname.$domainname" \ @@ -654,11 +663,11 @@ if [ "$server_role" = "domaincontroller_backup" ]; then ldap/master="$DCNAME" \ ldap/master/port?7389 \ ldap/server/type=slave \ - >>/var/log/univention/join.log 2>&1 + >>"$LOGFILE" 2>&1 echo -n "Sync SSL directory: " - univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 - echo -e "\033[60Gdone" + univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>"$LOGFILE" 2>&1 + echo_right "done" # prevent join from failing if umask is modified (Bug #21587) chmod 755 /etc/univention/ssl @@ -679,17 +688,17 @@ if [ "$server_role" = "domaincontroller_backup" ]; then ssl/organizationalunit="$ssl_organizationalunit" \ ssl/common="$ssl_common" \ ssl/email="$ssl_email" \ - >>/var/log/univention/join.log 2>&1 - echo -e "\033[60Gdone" + >>"$LOGFILE" 2>&1 + echo_right "done" echo -n "Restart LDAP Server: " /etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1 - echo -e "\033[60Gdone" + echo_right "done" #TODO: implement a real sync echo -n "Sync Kerberos settings: " univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 - echo -e "\033[60Gdone" + echo_right "done" # invalidate the nscd hosts cache 
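Review bot: The conversion to `$LOGFILE` is incomplete in this hunk: the `univention-scp ... /etc/ldap-backup.secret`, `/etc/init.d/slapd restart` and `heimdal-kdc` `univention-scp` lines still append to the literal `/var/log/univention/join.log`, so the script now carries two spellings of the same path. After copying `/etc/ldap-backup.secret` the only check is `[ ! -e ... ]`; the resulting file mode depends on scp and the local umask (the `chmod 755 /etc/univention/ssl` line already records that umask has caused trouble here), so add `chmod 600 /etc/ldap-backup.secret` after the copy. The rsync of `/etc/univention/ssl/*` brings the CA's private material onto this host; a comment stating that this is intended because a backup DC must be able to take over the CA would make the copy's scope explicit.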
@@ -699,7 +708,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then ldap/server/name?"$DCNAME" \ ldap/master?"$DCNAME" \ kerberos/adminserver?"$DCNAME" \ - >>/var/log/univention/join.log 2>&1 + >>"$LOGFILE" 2>&1 set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" eval "$(univention-config-registry shell)" @@ -722,7 +731,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1 - echo -e "\033[60Gdone" + echo_right "done" univention-config-registry set \ ldap/server/name="$hostname.$domainname" \ @@ -731,7 +740,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then ldap/master="$DCNAME" \ ldap/master/port?7389 \ ldap/server/type=slave \ - >>/var/log/univention/join.log 2>&1 + >>"$LOGFILE" 2>&1 mkdir -p /etc/univention/ssl/ucsCA univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 @@ -750,11 +759,11 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then echo -n "Restart LDAP Server: " /etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1 - echo -e "\033[60Gdone" + echo_right "done" echo -n "Sync Kerberos settings: " univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 - echo -e "\033[60Gdone" + echo_right "done" mkdir -p /var/lib/univention-ldap/notify/ @@ -765,7 +774,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then ldap/server/name?"$DCNAME" \ ldap/master?"$DCNAME" \ kerberos/adminserver?"$DCNAME" \ - >>/var/log/univention/join.log 2>&1 + >>"$LOGFILE" 2>&1 set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" echo -n "0" >/var/lib/univention-ldap/schema/id/id 
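Review bot: In the slave branch the line `univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1`, left as context next to the changed `echo_right "done"`, uses a single `>` and therefore truncates the whole join log every time a DC slave joins, and, as rendered here, puts source and destination into one quoted argument. Change it to `univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>"$LOGFILE" 2>&1` and, as in the backup branch, follow it with `chmod 600 /etc/ldap-backup.secret`. The `ucsCA/CAcert.pem` copy a few lines further down also still writes to the literal log path.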
@@ -807,7 +816,7 @@ elif [ "$server_role" = "memberserver" ]; then ldap/master?"$DCNAME" \ ldap/master/port?7389 \ kerberos/adminserver?"$DCNAME" \ - >>/var/log/univention/join.log 2>&1 + >>"$LOGFILE" 2>&1 set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" touch /var/univention-join/joined @@ -845,7 +854,7 @@ else ldap/master/port?7389 \ kerberos/adminserver="$DCNAME" \ nsswitch/ldap=yes \ - >>/var/log/univention/join.log 2>&1 + >>"$LOGFILE" 2>&1 set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf @@ -859,12 +868,12 @@ else fi if [ -d /etc/runit/univention-directory-notifier ]; then - /etc/init.d/univention-directory-notifier restart >>/var/log/univention/join.log 2>&1 + /etc/init.d/univention-directory-notifier restart >>"$LOGFILE" 2>&1 sleep 3 fi if [ -d /etc/runit/univention-directory-listener ]; then - /etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1 + /etc/init.d/univention-directory-listener restart >>"$LOGFILE" 2>&1 fi varname="interfaces_${interfaces_primary:-eth0}_type" diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-run-join-scripts b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-run-join-scripts index 462c1dd..0fc06e2 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-run-join-scripts +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-run-join-scripts @@ -79,6 +79,11 @@ failed_message () { exit 1 } +echo_right () { + local text="$*" + echo -e "\033[$((${COLUMNS:-80}-${#text}))G${text}" +} + while [ $# -gt 0 ] do case "$1" in 
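Review bot: `echo_right` is now defined verbatim in both `univention-join` and `univention-run-join-scripts`; since `univention-server-join` already sources `/usr/share/univention-lib/base.sh` in this series, a shared helper there would stop the two copies from drifting. The arithmetic `$((${COLUMNS:-80}-${#text}))` goes negative for a message longer than the terminal width and emits an escape such as `\033[-5G`; clamp it, e.g. `local col=$((${COLUMNS:-80}-${#text})); [ "$col" -gt 0 ] || col=1`. A one-line comment that `COLUMNS` is normally unset in non-interactive shells (hence the `:-80` default) would help the next reader.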
@@ -177,7 +182,7 @@ if [ ! "$server_role" = "domaincontroller_master" ] || [ -n "$ASK_PASS" ] ; then then failed_message "Invalid credentials" else - echo -e "\033[60Gdone" + echo_right "done" fi fi fi @@ -222,12 +227,12 @@ then echo "RUNNING $(basename "$i")" if ! joinscript_extern_init "$i"; then - echo -e "\033[60Gskipped (invalid joinscript)" >&3 + echo_right "skipped (invalid joinscript)" >&3 echo "EXITCODE=invalid_joinscript" continue fi if joinscript_check_already_executed && [ -z "$JOIN_FORCE" ]; then - echo -e "\033[60Gskipped (already executed)" >&3 + echo_right "skipped (already executed)" >&3 echo "EXITCODE=already_executed" continue fi @@ -240,9 +245,9 @@ then RET=$? echo "EXITCODE=$RET" if [ $RET != 0 ]; then - echo -e "\033[60Gfailed (exitcode: $RET)" >&3 + echo_right "failed (exitcode: $RET)" >&3 else - echo -e "\033[60Gdone" >&3 + echo_right "done" >&3 delete_unjoinscript "$(basename "$i")" fi done -- 1.8.4.rc3 From c71716a99f40d457e02e2cd69f7faf58f6463590 Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 20:12:27 +0100 Subject: [PATCH 06/22] Bug #28562: join: Fix version comparison Organization: Univention GmbH, Bremen, Germany Fix bug in version comparison, where "version/version" is concatenated with "version/patchlevel" without a separater, which makes "3.1-10" less than "3.10-0". Removed unused release name fetch. --- .../management/univention-join/univention-join | 26 +++++----------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index a7ebb09..67e77b2 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
@@ -367,27 +367,11 @@ then fi -# get master versions -versions="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr search --brief ^version/)" -OLDIFS=$IFS -IFS=$'\n' -for i in $versions; do - key=${i%%: *} - value=${i#*: } - case "$key" in - "version/version") - master_version="$value" - ;; - "version/patchlevel") - master_patchlevel="$value" - ;; - "version/releasename") - master_releasename="$value" - ;; - esac -done -IFS=$OLDIFS - +get_master_version () { + local version_version version_patchlevel + eval "$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr shell version/version version/patchlevel)" + echo "${version_version}.${version_patchlevel}" +} # check join constraints log "running version check" -- 1.8.4.rc3 From 0a4a3286420d6d170544ce562422ae28f37ae95c Mon Sep 17 00:00:00 2001 Message-Id: <0a4a3286420d6d170544ce562422ae28f37ae95c.1386836005.git.hahn@univention.de> In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 19:46:21 +0100 Subject: [PATCH 07/22] Bug #28562: join: Refacture cache invalidation Organization: Univention GmbH, Bremen, Germany Just implement NSCD cache invalidation once. --- .../management/univention-join/univention-join | 28 ++++++++-------------- 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index 67e77b2..d2dcf42 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -150,6 +150,11 @@ download_host_certificate () { failed_message "failed to get host certificate" } +invalidate_nscd_cache () { + # + nscd -i hosts +} + check_ldap_tls_connection () { echo -n "Check TLS connection " 
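Review bot: get_master_version `eval`s the text returned by the remote `ucr shell` call, so whatever the master prints is executed as shell code on the joining host, where the loop it replaces only pattern-matched the output. The master is the trust anchor of the domain either way, so this is about not widening the surface rather than a new attack path; two plain reads avoid the eval and match what patch 17 of this series does for ldap/base: `univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr get version/version` and the same for version/patchlevel, joined with `.`. A one-line header comment stating the returned format, `# prints "<version>.<patchlevel>" of the DC master`, would also help, since the comparison that consumes it is outside this hunk.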
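Review bot: the new invalidate_nscd_cache body carries an empty `#` comment where the removed call sites had the explanation and the bug reference; keep that context in the one remaining place: `# invalidate the nscd hosts cache, see Bug #30886`. The function also ignores the exit status of `nscd -i hosts`, which is only fine if nscd may legitimately be absent or stopped on the joining host; if that is the intent, say so in the same comment.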
@@ -490,13 +495,10 @@ do args+=(-mac "$(cat "${iface}/address")") done -# invalidate the nscd hosts cache -# https://forge.univention.org/bugzilla/show_bug.cgi?id=30886 -nscd -i hosts - echo -n "Join Computer Account: " args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname") # Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely +invalidate_nscd_cache univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ 'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \ "$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>"$LOGFILE" @@ -684,10 +686,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 echo_right "done" - - # invalidate the nscd hosts cache - nscd -i hosts - + invalidate_nscd_cache univention-config-registry set \ ldap/server/name?"$DCNAME" \ ldap/master?"$DCNAME" \ @@ -751,9 +750,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then mkdir -p /var/lib/univention-ldap/notify/ - # invalidate the nscd hosts cache - nscd -i hosts - + invalidate_nscd_cache univention-config-registry set \ ldap/server/name?"$DCNAME" \ ldap/master?"$DCNAME" \ @@ -791,9 +788,7 @@ elif [ "$server_role" = "memberserver" ]; then >>/var/log/univention/join.log 2>&1 grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf - # invalidate the nscd hosts cache - nscd -i hosts - + invalidate_nscd_cache univention-config-registry set \ ldap/server/name?"$DCNAME" \ ldap/server/port?7389 \ @@ -827,10 +822,7 @@ else check_ldap_tls_connection download_host_certificate - - # invalidate the nscd hosts cache - nscd -i hosts - + invalidate_nscd_cache univention-config-registry set \ ldap/server/name="$DCNAME" \ ldap/server/port?7389 \ -- 1.8.4.rc3 
From 4b30a111f0edda14de95c38ce47097615e148792 Mon Sep 17 00:00:00 2001 Message-Id: <4b30a111f0edda14de95c38ce47097615e148792.1386836005.git.hahn@univention.de> In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 19:50:23 +0100 Subject: [PATCH 08/22] Bug #28562: join: Refacture common secret code Organization: Univention GmbH, Bremen, Germany Use common function to backup and download /etc/*.secret files. Add error handling to detect download failures. --- .../management/univention-join/univention-join | 60 ++++++++++------------ 1 file changed, 26 insertions(+), 34 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index d2dcf42..b1b6aa2 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -126,6 +126,28 @@ bashquote () { # quote arguments for eval echo -n "${escaped[@]}" } +fetch_secret () { + local name="/etc/${1}.secret" + backup_secret "$1" + echo -n "Sync ${name}: " + if univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:${name} ${name}" >>"$LOGIFLE" 2>&1 && + [ -s "${name}" ] + then + echo_right "done" + else + echo_right "failed" + failed_message "${name} not found" + fi +} +backup_secret () { + local name="/etc/${1}.secret" + if [ -e "${name}" ] + then + cat "${name}" >>"${name}.SAVE" + chmod 0600 "${name}.SAVE" + fi +} + download_host_certificate () { echo -n "Download host certificate " local HOSTPWD="/etc/machine.secret" 
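Review bot: `>>"$LOGIFLE"` in fetch_secret is a typo for `LOGFILE`; unless something else defines that name, the redirection target is empty, bash refuses the redirection and univention-scp is never run, so the `&&` chain falls into the `failed` branch on every backup and slave join. Change it to `>>"$LOGFILE" 2>&1`. After a successful transfer the mode of `${name}` is whatever univention-scp and the local umask produce (not visible here), whereas the machine.secret path in the next hunk does an explicit `chmod 600`; a `chmod 0600 "${name}"` next to the `echo_right "done"` makes the two paths consistent.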
@@ -515,16 +537,10 @@ then kpwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")" if [ -n "$kpwd" ]; then - if [ -e /etc/machine.secret ]; then - cat /etc/machine.secret >>/etc/machine.secret.SAVE - fi - + backup_secret "machine" echo -n "$kpwd" >/etc/machine.secret fromdos /etc/machine.secret chmod 600 /etc/machine.secret - if [ -e /etc/machine.secret.SAVE ]; then - chmod 600 /etc/machine.secret.SAVE - fi else if [ -n "$res_message" ]; then failed_message "$res_message" @@ -624,24 +640,8 @@ set_windows_domain () { } if [ "$server_role" = "domaincontroller_backup" ]; then - - if [ -e "/etc/ldap.secret" ]; then cat /etc/ldap.secret >>/etc/ldap.secret.SAVE; fi - if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi - - echo -n "Sync ldap.secret: " - univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap.secret" /etc/ldap.secret >>/var/log/univention/join.log 2>&1 - if [ ! -e "/etc/ldap.secret" ]; then - failed_message "/etc/ldap.secret not found" - fi - echo_right "done" - - echo -n "Sync ldap-backup.secret: " - univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1 - if [ ! -e "/etc/ldap-backup.secret" ]; then - failed_message "/etc/ldap-backup.secret not found" - fi - echo_right "done" - + fetch_secret "ldap" + fetch_secret "ldap-backup" univention-config-registry set \ ldap/server/name="$hostname.$domainname" \ ldap/server/ip="$IP" \ 
@@ -707,15 +707,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then run_join_scripts elif [ "$server_role" = "domaincontroller_slave" ]; then - - echo -n "Sync ldap-backup.secret: " - - if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi - - univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1 - - echo_right "done" - + fetch_secret "ldap-backup" univention-config-registry set \ ldap/server/name="$hostname.$domainname" \ ldap/server/ip="$IP" \ -- 1.8.4.rc3 From 13a94ab98d8e382cc4f9fb9f1f64bc0bee41e551 Mon Sep 17 00:00:00 2001 Message-Id: <13a94ab98d8e382cc4f9fb9f1f64bc0bee41e551.1386836005.git.hahn@univention.de> In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 19:53:43 +0100 Subject: [PATCH 09/22] Bug #28562: join: Refacture join script code Organization: Univention GmbH, Bremen, Germany Move resetting the join status into common function to reduce code duplication. --- .../management/univention-join/univention-join | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index b1b6aa2..085e157 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -192,6 +192,10 @@ check_ldap_tls_connection () { } run_join_scripts () { + eval "$(univention-config-registry shell)" + + : > /var/univention-join/joined + ln -sf /var/univention-join/joined /usr/share/univention-join/.joined LC_COLLATE="C" if test -d "/usr/lib/univention-install/"; then 
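Review bot: run_join_scripts now starts with `eval "$(univention-config-registry shell)"` for every role, while before this commit only the backup and client branches did that before calling it; any script variable whose name matches a UCR key in `a_b` form, `ldap_base` for example, is now silently overwritten with the local registry value for slave and memberserver as well. If the only registry value the function needs is listener/supply/notifier, `eval "$(univention-config-registry shell listener/supply/notifier)"` limits that. The switch from `touch` to `: >` also truncates `/var/univention-join/joined` instead of keeping its content; harmless if the file is only a marker, but worth a line such as `# (re)create the joined marker; its content is not used`. run_join_scripts continues past the end of this hunk.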
@@ -694,13 +698,8 @@ if [ "$server_role" = "domaincontroller_backup" ]; then >>"$LOGFILE" 2>&1 set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" - eval "$(univention-config-registry shell)" - mkdir -p /var/lib/univention-ldap/notify/ - touch /var/univention-join/joined - ln -sf /var/univention-join/joined /usr/share/univention-join/.joined - echo -n "0" >/var/lib/univention-ldap/schema/id/id chown listener /var/lib/univention-ldap/schema/id/id @@ -752,10 +751,6 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" echo -n "0" >/var/lib/univention-ldap/schema/id/id chown listener /var/lib/univention-ldap/schema/id/id - - touch /var/univention-join/joined - ln -sf /var/univention-join/joined /usr/share/univention-join/.joined - run_join_scripts elif [ "$server_role" = "memberserver" ]; then @@ -790,9 +785,6 @@ elif [ "$server_role" = "memberserver" ]; then >>"$LOGFILE" 2>&1 set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" - touch /var/univention-join/joined - ln -sf /var/univention-join/joined /usr/share/univention-join/.joined - run_join_scripts else @@ -826,12 +818,6 @@ else set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf - - touch /var/univention-join/joined - ln -sf /var/univention-join/joined /usr/share/univention-join/.joined - - eval "$(univention-config-registry shell)" - run_join_scripts fi -- 1.8.4.rc3 From eff1b6b015f2dfc948a25ca5d8fabee3749f327a Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: 
From: Philipp Hahn Date: Wed, 11 Dec 2013 19:54:44 +0100 Subject: [PATCH 10/22] Bug #28562: join: Refacture listener reset Organization: Univention GmbH, Bremen, Germany Implement function to reset listener LDAP schema once. --- .../ucs-3.2-0/management/univention-join/univention-join | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index 085e157..d6d5206 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -177,6 +177,11 @@ invalidate_nscd_cache () { nscd -i hosts } +reset_listener_schema () { + mkdir -p /var/lib/univention-ldap/notify/ + echo -n "0" >/var/lib/univention-ldap/schema/id/id + chown listener /var/lib/univention-ldap/schema/id/id +} check_ldap_tls_connection () { echo -n "Check TLS connection " @@ -698,11 +703,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then >>"$LOGFILE" 2>&1 set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" - mkdir -p /var/lib/univention-ldap/notify/ - - echo -n "0" >/var/lib/univention-ldap/schema/id/id - chown listener /var/lib/univention-ldap/schema/id/id - + reset_listener_schema run_join_scripts elif [ "$server_role" = "domaincontroller_slave" ]; then @@ -739,8 +740,6 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 echo_right "done" - mkdir -p /var/lib/univention-ldap/notify/ - invalidate_nscd_cache univention-config-registry set \ ldap/server/name?"$DCNAME" \ 
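Review bot: reset_listener_schema ignores the outcome of its three steps, so if `/var/lib/univention-ldap/schema/id/` is missing or `chown listener` fails, the join continues with a stale listener id and the error only reaches the terminal. Chaining them onto the existing helper keeps that explicit: `mkdir -p /var/lib/univention-ldap/notify/ && echo -n "0" >/var/lib/univention-ldap/schema/id/id && chown listener /var/lib/univention-ldap/schema/id/id || failed_message "failed to reset listener schema id"`. For the slave role the `mkdir -p` of the notify directory now runs after the Kerberos sync and the `ucr set` block instead of before them; nothing visible depends on that order, but it is worth confirming. A blank line between the new `}` and check_ldap_tls_connection would match the surrounding layout.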
@@ -749,8 +748,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then >>"$LOGFILE" 2>&1 set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" - echo -n "0" >/var/lib/univention-ldap/schema/id/id - chown listener /var/lib/univention-ldap/schema/id/id + reset_listener_schema run_join_scripts elif [ "$server_role" = "memberserver" ]; then -- 1.8.4.rc3 From f2e917bb65e735557b66f5974bc1051ae156188b Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 19:56:58 +0100 Subject: [PATCH 11/22] Bug #28562: join: Refacture SSL CA copying Organization: Univention GmbH, Bremen, Germany Move function to copy CA certificate and fixing file permissions into common function. --- .../management/univention-join/univention-join | 63 ++++++++-------------- 1 file changed, 21 insertions(+), 42 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index d6d5206..ff7d6cb 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
@@ -648,6 +648,23 @@ set_windows_domain () { univention-config-registry set windows/domain="$windom" >>"$LOGFILE" 2>&1 } +copy_ucs_ca () { + mkdir -p /etc/univention/ssl/ucsCA + + univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>"$LOGFILE" 2>&1 + if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then + univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>"$LOGFILE" 2>&1 + fi + fix_ssl_permissions +} + +fix_ssl_permissions () { + # prevent join from failing if umask is modified (Bug #21587) + chmod 755 /etc/univention/ssl + chmod 755 /etc/univention/ssl/ucsCA + chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem +} + if [ "$server_role" = "domaincontroller_backup" ]; then fetch_secret "ldap" fetch_secret "ldap-backup" @@ -664,11 +681,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>"$LOGFILE" 2>&1 echo_right "done" - # prevent join from failing if umask is modified (Bug #21587) - chmod 755 /etc/univention/ssl - chmod 755 /etc/univention/ssl/ucsCA - chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem - + fix_ssl_permissions check_ldap_tls_connection download_host_certificate 
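Review bot: copy_ucs_ca never checks that a CA certificate actually arrived; when both the ucsCA and the udsCA transfer fail, fix_ssl_permissions runs `chmod 644` on a missing file and the join carries on until check_ldap_tls_connection fails with a less specific message. Add `[ -s /etc/univention/ssl/ucsCA/CAcert.pem ] || failed_message "failed to download CA certificate from $DCNAME"` before the fix_ssl_permissions call, in line with the error handling fetch_secret received earlier in this series. A header comment noting that udsCA is presumably the legacy location on older masters would also help, since the name difference reads like a typo.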
@@ -716,18 +729,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then ldap/master/port?7389 \ ldap/server/type=slave \ >>"$LOGFILE" 2>&1 - - mkdir -p /etc/univention/ssl/ucsCA - univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 - if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then - univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 - fi - - # prevent join from failing if umask is modified (Bug #21587) - chmod 755 /etc/univention/ssl - chmod 755 /etc/univention/ssl/ucsCA - chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem - + copy_ucs_ca check_ldap_tls_connection download_host_certificate @@ -752,17 +754,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then run_join_scripts elif [ "$server_role" = "memberserver" ]; then - mkdir -p /etc/univention/ssl/ucsCA - univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 - if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then - univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 - fi - - # prevent join from failing if umask is modified (Bug #21587) - chmod 755 /etc/univention/ssl - chmod 755 /etc/univention/ssl/ucsCA - chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem - + copy_ucs_ca check_ldap_tls_connection download_host_certificate 
@@ -787,20 +779,7 @@ elif [ "$server_role" = "memberserver" ]; then else # Client and Mobile Client - - - mkdir -p /etc/univention/ssl/ucsCA - - univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 - if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then - univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 - fi - - # prevent join from failing if umask is modified (Bug #21587) - chmod 755 /etc/univention/ssl - chmod 755 /etc/univention/ssl/ucsCA - chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem - + copy_ucs_ca check_ldap_tls_connection download_host_certificate -- 1.8.4.rc3 From 71812f1285fe823188611a21ce83b7c5d46ab16e Mon Sep 17 00:00:00 2001 Message-Id: <71812f1285fe823188611a21ce83b7c5d46ab16e.1386836005.git.hahn@univention.de> In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 19:58:42 +0100 Subject: [PATCH 12/22] Bug #28562: join: Refacture LDAP stop code Organization: Univention GmbH, Bremen, Germany Move code to stop LDAP server into one function. --- .../ucs-3.2-0/management/univention-join/univention-join | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index ff7d6cb..ddb2784 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -665,6 +665,12 @@ fix_ssl_permissions () { chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem } +restart_ldap_server () { + echo -n "Restart LDAP Server: " + /etc/init.d/slapd restart >>"$LOGFILE" 2>&1 + echo_right "done" +} + if [ "$server_role" = "domaincontroller_backup" ]; then fetch_secret "ldap" fetch_secret "ldap-backup" 
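Review bot: restart_ldap_server prints `done` regardless of what `/etc/init.d/slapd restart` returned, so a failed restart is only visible in the log while the join continues against a stopped slapd. `/etc/init.d/slapd restart >>"$LOGFILE" 2>&1 || { echo_right "failed"; failed_message "restarting slapd failed"; }` keeps the output for the good case and stops on the bad one. sync_kerberos_setting in patch 13 has the same unconditional `done` after its univention-scp and can be handled the same way.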
@@ -699,9 +705,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then >>"$LOGFILE" 2>&1 echo_right "done" - echo -n "Restart LDAP Server: " - /etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1 - echo_right "done" + restart_ldap_server #TODO: implement a real sync echo -n "Sync Kerberos settings: " @@ -733,10 +737,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then check_ldap_tls_connection download_host_certificate - - echo -n "Restart LDAP Server: " - /etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1 - echo_right "done" + restart_ldap_server echo -n "Sync Kerberos settings: " univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 -- 1.8.4.rc3 From 24294316e99aeb9b3a6e91de68d4f0ae6b1edfe6 Mon Sep 17 00:00:00 2001 Message-Id: <24294316e99aeb9b3a6e91de68d4f0ae6b1edfe6.1386836005.git.hahn@univention.de> In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 20:00:10 +0100 Subject: [PATCH 13/22] Bug #28562: join: Refacture Kerberos sync Organization: Univention GmbH, Bremen, Germany Move shared code to download Kerberos tickets into common function. --- .../management/univention-join/univention-join | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index ddb2784..bfadbba 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
@@ -671,6 +671,13 @@ restart_ldap_server () { echo_right "done" } +sync_kerberos_setting () { + #TODO: implement a real sync + echo -n "Sync Kerberos settings: " + univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>"$LOGFILE" 2>&1 + echo_right "done" +} + if [ "$server_role" = "domaincontroller_backup" ]; then fetch_secret "ldap" fetch_secret "ldap-backup" @@ -706,12 +713,7 @@ if [ "$server_role" = "domaincontroller_backup" ]; then echo_right "done" restart_ldap_server - - #TODO: implement a real sync - echo -n "Sync Kerberos settings: " - univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 - echo_right "done" - + sync_kerberos_setting invalidate_nscd_cache univention-config-registry set \ ldap/server/name?"$DCNAME" \ @@ -738,11 +740,7 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then download_host_certificate restart_ldap_server - - echo -n "Sync Kerberos settings: " - univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 - echo_right "done" - + sync_kerberos_setting invalidate_nscd_cache univention-config-registry set \ ldap/server/name?"$DCNAME" \ -- 1.8.4.rc3 From 76f8913a05afdfa781324dd092037887eb383b18 Mon Sep 17 00:00:00 2001 Message-Id: <76f8913a05afdfa781324dd092037887eb383b18.1386836005.git.hahn@univention.de> In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 20:14:33 +0100 Subject: [PATCH 14/22] Bug #28562: join: Refacture DNS SRV lookup Organization: Univention GmbH, Bremen, Germany Move code into function to improve code for readability. Extract common function to lookup DNS SRV RR. --- .../management/univention-join/univention-join | 42 ++++++++++++---------- 1 file changed, 24 insertions(+), 18 deletions(-) 
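Review bot: sync_kerberos_setting copies the whole KDC database directory from the master and leaves the resulting modes to whatever univention-scp and the local umask produce; that content is key material and should presumably be readable by root only. If univention-scp does not preserve the master's modes (not visible here), a `chmod -R go-rwx /var/lib/heimdal-kdc` after the transfer is a cheap safeguard; confirm that nothing on the KDC host runs unprivileged and needs access there. The `#TODO: implement a real sync` remark is carried over unchanged; tying it to a tracked bug would keep it from rotting.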
diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index bfadbba..f1db354 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
@@ -366,30 +366,36 @@ if [ -z "$server_role" ]; then fi -if [ -z "$DCNAME" ]; then +find_dc () { + [ -n "$DCNAME" ] && return + echo -n "Search DC Master: " - DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" + DCNAME="$(lookup_dns_srv)" if [ -n "$DCNAME" ]; then echo_right "done" - else - for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do - if [ -z "$i" ]; then continue; fi - DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" - if [ -n "$DCNAME" ]; then - echo_right "done" - echo "domain $domainname" >/etc/resolv.conf - echo "nameserver $i" >>/etc/resolv.conf - test -x /etc/init.d/nscd && /etc/init.d/nscd restart >>/var/log/univention/join.log 2>&1 - break - fi - done + return fi -fi -if [ -z "$DCNAME" ]; then - failed_message "missing dns service record for _domaincontroller_master._tcp.$domainname" -fi + for ns in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3" + do + [ -n "$i" ] || continue + DCNAME="$(lookup_dns_srv "$ns")" + [ -n "$DCNAME" ] || continue + + echo_right "done" + echo "domain $domainname" >/etc/resolv.conf + echo "nameserver $ns" >>/etc/resolv.conf + [ -x /etc/init.d/nscd ] && /etc/init.d/nscd restart >>"$LOGFILE" 2>&1 + return + done + failed_message "missing dns service record for _domaincontroller_master._tcp.$domainname" +} +lookup_dns_srv () { + host -t SRV "_domaincontroller_master._tcp.$domainname" ${1:+"$1"} | + sed -ne '$s/.* \([^ ]\+\)\.$/\1/p' +} +find_dc echo -n "Check DC Master: " -- 1.8.4.rc3 From 6cfcb6359de32b3a5339e40691f16a9d3fbf259f Mon Sep 17 00:00:00 2001 Message-Id: <6cfcb6359de32b3a5339e40691f16a9d3fbf259f.1386836005.git.hahn@univention.de> In-Reply-To: References: 
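Review bot: the nameserver loop in find_dc tests `[ -n "$i" ] || continue` but the loop variable is `ns`, a leftover from the old `for i in` loop; `$i` holds whatever an earlier loop left in it, so either every configured nameserver is skipped or empty entries are no longer skipped and `lookup_dns_srv ""` is attempted. It should read `[ -n "$ns" ] || continue`. The function then overwrites `/etc/resolv.conf` with only the domain and the one responding server, as the old code did; a comment stating that this is intentional would save the next reader from treating it as data loss.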
From: Philipp Hahn Date: Wed, 11 Dec 2013 20:16:16 +0100 Subject: [PATCH 15/22] Bug #28562: join: Refacture join script calling code Organization: Univention GmbH, Bremen, Germany Extract the basename once and strip the suffix. Move common code for backup and slave to its own function to reduce code duplication. Drop redundant "test -n" as as the VERBOSE variable is also compared to a constant. Also initialize with empty value to simplify calling the join scripts in bash verbose mode. Simplify new-line handling for SIMPLE-GUI mode. --- .../management/univention-join/univention-join | 101 +++++++++------------ 1 file changed, 45 insertions(+), 56 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index f1db354..9fb48a4 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -38,12 +38,12 @@ eval "$(univention-config-registry shell)" . /usr/share/univention-lib/all.sh -SIMPLEGUI="" +SIMPLEGUI="-n" TYPE= USERTMP="$(mktemp -d)" DCPWD="$USERTMP/dcpwd" VERSION_CHECK=true -VERBOSE=false +VERBOSE= LOGFILE="/var/log/univention/join.log" log () { @@ -56,7 +56,7 @@ echo_right () { trapOnExit() { rm -rf "$USERTMP" - if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then + if [ "$VERBOSE" = "true" ]; then if [ -n "$old_listener_debug_level" ]; then ucr set listener/debug/level="$old_listener_debug_level" >>"$LOGFILE" 2>&1 fi 
@@ -202,62 +202,51 @@ run_join_scripts () { : > /var/univention-join/joined ln -sf /var/univention-join/joined /usr/share/univention-join/.joined + [ -d "/usr/lib/univention-install/" ] || return LC_COLLATE="C" - if test -d "/usr/lib/univention-install/"; then - for i in /usr/lib/univention-install/*.{inst,uinst}; do - test -e "$i" || continue - echo -n "Configure $(basename "$i") " - [ -n "$SIMPLEGUI" ] && echo - log "Configure $(basename "$i")" - bashVerbose="" - if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then - bashVerbose="bash -x" - fi - $bashVerbose "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1 - if [ $? -ne 0 ]; then - echo_right "failed" - failed_message "FAILED: $(basename "$i")" - else - echo_right "done" - delete_unjoinscript "$(basename "$i")" + for i in /usr/lib/univention-install/*.{inst,uinst}; do + [ -e "$i" ] || continue + local basename="$(basename "${i%.*}")" + echo $SIMPLEGUI "Configure $basename " + log "Configure $basename" + if ! ${VERBOSE+bash -x} "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>"$LOGFILE" 2>&1 + then + echo_right "failed" + failed_message "FAILED: $basename" + else + echo_right "done" + delete_unjoinscript "$basename" + fi + if [ "$basename" = "03univention-directory-listener.inst" ]; then + # check failed.ldif + if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then + failed_message "FAILED: failed.ldif exists." fi - if [ "$server_role" = "domaincontroller_slave" -o "$server_role" = "domaincontroller_backup" ]; then - - # check failed.ldif - if [ "$(basename "$i")" = "03univention-directory-listener.inst" ]; then - if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then - failed_message "FAILED: failed.ldif exists." - fi - - # backup - if [ "$server_role" = "domaincontroller_backup" ]; then - univention-scp "$DCPWD" -r \ - "${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \ - "$USERTMP/tlog" >/dev/null 2>&1 - if [ ! 
-e "$USERTMP/tlog" ]; then - failed_message " FAILED: failed do copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again." - fi - - id="$(/var/lib/univention-ldap/notify/transaction - fi - - # slave - if [ "$server_role" = "domaincontroller_slave" ]; then - if [ -n "$listener_supply_notifier" -a "$listener_supply_notifier" = "yes" ]; then - univention-scp "$DCPWD" -q \ - "${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \ - "$USERTMP/tlog" >/dev/null 2>&1 - id="$(/var/lib/univention-ldap/notify/transaction - fi - - fi + case "$server_role" in + domaincontroller_backup) + copy_transaction_log + ;; + domaincontroller_slave) + if [ "$listener_supply_notifier" = "yes" ]; then + copy_transaction_log fi - fi - done + ;; + esac + fi + done +} + +copy_transaction_log () { + univention-scp "$DCPWD" -r \ + "${DCACCOUNT}@${DCNAME}:/var/lib/univention-ldap/notify/transaction" \ + "$USERTMP/tlog" >/dev/null 2>&1 + if [ ! -e "$USERTMP/tlog" ]; then + failed_message " FAILED: failed do copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again." fi + local id + read id /var/lib/univention-ldap/notify/transaction } # log univention-join call @@ -298,7 +287,7 @@ do "-simplegui") # output simpler gui for univention-installer to be able to parse output shift - SIMPLEGUI="yes" + SIMPLEGUI= ;; "-disableVersionCheck") shift @@ -324,7 +313,7 @@ do done # verbose logging for univention-join and listener -if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then +if [ "$VERBOSE" = "true" ]; then exec 2>>"$LOGFILE" set -x if [ -n "$listener_debug_level" ]; then -- 1.8.4.rc3 From 257da8a37327a317e6d62c68a32b7594f3d8a84a Mon Sep 17 00:00:00 2001 Message-Id: <257da8a37327a317e6d62c68a32b7594f3d8a84a.1386836005.git.hahn@univention.de> In-Reply-To: References: 
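Review bot: `basename` is now taken from `${i%.*}`, that is without the `.inst`/`.uinst` suffix, so the comparison `[ "$basename" = "03univention-directory-listener.inst" ]` can never be true and the failed.ldif check and transaction-log copy are silently skipped; compare against `03univention-directory-listener` and confirm delete_unjoinscript accepts the suffix-less name it now receives. `${VERBOSE+bash -x}` expands to `bash -x` whenever VERBOSE is set at all, and the `@@ -38` hunk of this commit initialises it to the empty string, so every join script now runs under `bash -x` and its own handling of the `--bindpwd` argument is likely traced into `$LOGFILE`; use `${VERBOSE:+bash -x}`, which tests for a non-empty value. run_join_scripts starts before this hunk.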
From: Philipp Hahn Date: Wed, 11 Dec 2013 20:19:30 +0100 Subject: [PATCH 16/22] Bug #28562: join: Harmonize UDM calling code Organization: Univention GmbH, Bremen, Germany Build the command first, then execute it. This helped in debugging. --- .../ucs-3.2-0/management/univention-join/univention-server-join | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join index 4c44087..9a5073b 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join @@ -297,12 +297,14 @@ create_entry () { else log 0 "Modify $desc [$old_dn]" - rc="$(univention-directory-manager "$module" modify \ + cmd=(univention-directory-manager "$module" modify \ --dn "$old_dn" \ --set password="$computerPassword" \ --set domain="$DOMAINNAME" \ - "${args[@]}" "${ADMINOPTIONS[@]}")" - if [ $? -gt 0 ]; then + "${args[@]}" "${ADMINOPTIONS[@]}") + #log 0 "${cmd[@]}" + if ! rc="$("${cmd[@]}")" + then log 1 "E: failed to modify $desc $old_dn [$rc]" exit 1 fi -- 1.8.4.rc3 From 5c9fa0e891015a11a64d32e81186c4671045e5fa Mon Sep 17 00:00:00 2001 Message-Id: <5c9fa0e891015a11a64d32e81186c4671045e5fa.1386836005.git.hahn@univention.de> In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 20:23:20 +0100 Subject: [PATCH 17/22] Bug #28562: join: Simplify to "ucr get" Organization: Univention GmbH, Bremen, Germany Use "ucr get" instead of "ucr search | sed". --- branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index 9fb48a4..d692996 100755 
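Review bot: the new `cmd` array holds `--set password="$computerPassword"`, and the commented-out `#log 0 "${cmd[@]}"` directly below it would write that password to the log the moment someone re-enables it for debugging. Replace the dead line with a comment that says why it must stay out: `# do not log "${cmd[@]}": it contains the computer password`. The password also remains visible to other local users in the process list while univention-directory-manager runs, which this commit does not change.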
--- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -445,7 +445,7 @@ fi if [ -z "$LDAPBASE" ]; then echo -n "Search ldap/base" - ldap_base="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr search --brief ^ldap/base$ | sed -ne 's|^ldap/base: ||p')" + ldap_base="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr get ldap/base)" else ldap_base="$LDAPBASE" fi -- 1.8.4.rc3 From dc0c1e0db60a12f049e743125c0b6772a5ac652c Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 20:22:28 +0100 Subject: [PATCH 18/22] Bug #28562: join: Use exit status directly Organization: Univention GmbH, Bremen, Germany Directly use the command in the if statement instead of evaluating $?. --- branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 4 ++-- .../ucs-3.2-0/management/univention-join/univention-server-join | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index d692996..3fd89ec 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join @@ -188,8 +188,8 @@ check_ldap_tls_connection () { eval "$(ucr shell ldap/master/port)" - ldapsearch -x -ZZ -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")" dn >/dev/null - if [ $? != 0 ]; then + if ! ldapsearch -x -ZZ -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")" dn >/dev/null + then failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN." fi 
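Review bot: the rewritten condition still hands the bind password to ldapsearch as `-w "$(<"$DCPWD")"`, so it sits in the argument list of the ldapsearch process where other local users can read it while the command runs. OpenLDAP's `-y "$DCPWD"` reads the password from the file instead; it uses the file content verbatim, so this only works if `$DCPWD` is written without a trailing newline, which is worth checking where it is created. This is the same concern the later 'Remove password from commandline' commit addresses for univention-server-join.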
diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join index 9a5073b..58f87cd 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join @@ -285,11 +285,11 @@ create_entry () { echo "ldap_dn=\"$ldap_dn\"" if [ -n "$group" ]; then - rc="$(univention-directory-manager groups/group modify \ + if ! rc="$(univention-directory-manager groups/group modify \ --dn="$group" \ --append users="$ldap_dn" \ "${ADMINOPTIONS[@]}")" - if [ $? -gt 0 ]; then + then log 1 "E: failed to modify groups/group for $desc [$rc]" exit 1 fi -- 1.8.4.rc3 From ffda22cb5a8a437dd57b04fa8bfc077d14eed0ac Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 20:27:38 +0100 Subject: [PATCH 19/22] Bug #28562: join: Remove upper-case DN handling Organization: Univention GmbH, Bremen, Germany ldapsearch does never return an uppercase DN, so drop the variant. --- branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index 3fd89ec..db14f7c 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
@@ -472,13 +472,13 @@ binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ if [ -z "$binddn" ]; then # Next check is the local ldapi interface binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ - ldapsearch -x -LLL -H ldapi:/// "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p;s|^DN: ||p')" + ldapsearch -x -LLL -H ldapi:/// "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p')" fi if [ -z "$binddn" ]; then # Check with anonymous bind binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ - ldapsearch -x -LLL "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p;s|^DN: ||p')" + ldapsearch -x -LLL "\'(&(uid=$DCACCOUNT)(objectClass=person))\'" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p')" fi if [ -z "$binddn" ]; then -- 1.8.4.rc3 From e344a6f6bf9e3305b4828fa4155924094ae76f7b Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 20:32:14 +0100 Subject: [PATCH 20/22] Bug #28562: join: Cleanup redundant UCR set Organization: Univention GmbH, Bremen, Germany The UCR variables are overwritten directly after that again, so drop the first set. Move adding the UCS CA certificate to the ldap.conf file. --- .../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index db14f7c..b92437c 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
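Review bot: Both remaining ldapsearch calls interpolate `$DCACCOUNT` unescaped into the filter `(&(uid=$DCACCOUNT)(objectClass=person))`, and the `\'...\'` quoting shows that string is then re-parsed by the remote shell through univention-ssh, so an account name containing `(`, `)`, `*`, `\` or a quote produces a malformed filter or a different remote command line instead of a clean failure. The value comes from the operator, so this is a robustness issue rather than a trust-boundary one, but a multi-line result is also not handled: if more than one entry matches, `binddn` holds several DNs. Consider escaping the value per RFC 4515 before building the filter and adding `[ "$(printf '%s\n' "$binddn" | wc -l)" -eq 1 ] || failed_message "ambiguous bind DN for $DCACCOUNT"` after the fallback chain; I cannot see whether DCACCOUNT is validated earlier. The fallback chain starts before this hunk.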
@@ -752,13 +752,6 @@ elif [ "$server_role" = "memberserver" ]; then check_ldap_tls_connection download_host_certificate - - univention-config-registry set \ - ldap/master="$DCNAME" \ - ldap/master/port?7389 \ - >>/var/log/univention/join.log 2>&1 - grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf - invalidate_nscd_cache univention-config-registry set \ ldap/server/name?"$DCNAME" \ @@ -769,6 +762,7 @@ elif [ "$server_role" = "memberserver" ]; then >>"$LOGFILE" 2>&1 set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" + grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf run_join_scripts else -- 1.8.4.rc3 From c2315f63991779e5d3a9c536f7c3d0b22d24249a Mon Sep 17 00:00:00 2001 Message-Id: In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 20:26:16 +0100 Subject: [PATCH 21/22] Bug #28562: join: Remove password from commandline Organization: Univention GmbH, Bremen, Germany We verified, that the UCS version of the server is newer than the current system, so the script can safely pass the password via a file instead of the command line, where is is visible to other users. --- .../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join | 9 +-------- .../ucs-3.2-0/management/univention-join/univention-server-join | 2 +- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index b92437c..c6b8814 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
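Review bot: The removed `univention-config-registry set ldap/master="$DCNAME" ldap/master/port?7389` is justified by a later set that overwrites both keys, but the visible context after `invalidate_nscd_cache` shows only `ldap/server/name?"$DCNAME"` before the hunk is cut off, so please confirm that `ldap/master` and `ldap/master/port` are really both in that elided `ucr set` for the memberserver branch. check_ldap_tls_connection reads `ldap/master/port` via `ucr shell`, but it already ran before the removed set in the old order, so that path is unaffected. Moving the `TLS_CACERT` append after set_windows_domain is likewise harmless for the `-ZZ` check, which preceded the append before as well. The memberserver branch begins before this hunk.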
@@ -502,14 +502,7 @@ args=() if [ -n "$ldap_position" ]; then args+=(-position "$ldap_position") fi - - -if [ "${master_version:0:1}" -lt 3 ]; then - # UCS 2.x does not support the -binddn parameter - args+=(-bindaccount "$DCACCOUNT") -else - args+=(-binddn "$binddn") -fi +args+=(-binddn "$binddn") for ip in $(ip addr show scope global | sed -rne '/\/s|.*\.*|\1|p') do diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join index 58f87cd..ac1f6f2 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join @@ -181,7 +181,7 @@ if [ -n "$BINDDN" ]; then ADMINOPTIONS+=(--binddn "$BINDDN") fi if [ -n "$BINDPWFILE" ]; then - ADMINOPTIONS+=(--bindpwd "$(<"$BINDPWFILE")") + ADMINOPTIONS+=(--bindpwdfile "$BINDPWFILE") fi -- 1.8.4.rc3 From 52acb1c900e9ab05a23f103247a1c1e0996067ee Mon Sep 17 00:00:00 2001 Message-Id: <52acb1c900e9ab05a23f103247a1c1e0996067ee.1386836005.git.hahn@univention.de> In-Reply-To: References: From: Philipp Hahn Date: Wed, 11 Dec 2013 22:51:59 +0100 Subject: [PATCH 22/22] Bug #28562: join: Misc cleanups Organization: Univention GmbH, Bremen, Germany Convert if-elif-else on server/role into switch statement. Use printf instead of "echo -n", which has issues. Remove un-needed "fromdos" calls. Remove several empty lines. --- .../management/univention-join/univention-join | 27 +++++++++++----------- .../univention-join/univention-server-join | 2 +- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join index c6b8814..6adb183 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-join 
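Review bot: Dropping the `master_version` branch means a UCS 2.x master now receives `-binddn`, which the removed comment says it does not understand; the description relies on a version check made elsewhere, so please confirm that check aborts with an explanatory message for `master_version < 3` rather than letting the remote univention-server-join fail on an unknown option. After this hunk `master_version` may no longer be read anywhere in univention-join; if so, drop its assignment as well. The argument-building block starts before this hunk.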
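Review bot: Switching to `ADMINOPTIONS+=(--bindpwdfile "$BINDPWFILE")` is the right fix for the password appearing in `ps`, but it now depends on the file being readable by the later univention-directory-manager call rather than by this script, and an unreadable file will surface as a UDM error far from the cause. A one-line check before the append gives a clearer failure: `[ -r "$BINDPWFILE" ] || { log 1 "E: cannot read bind password file $BINDPWFILE"; exit 1; }`. Whether the file is written with restrictive permissions by the caller is not visible in this hunk.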
@@ -514,8 +514,9 @@ do args+=(-mac "$(cat "${iface}/address")") done -echo -n "Join Computer Account: " args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname") + +echo -n "Join Computer Account: " # Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely invalidate_nscd_cache univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \ @@ -535,8 +536,7 @@ then if [ -n "$kpwd" ]; then backup_secret "machine" - echo -n "$kpwd" >/etc/machine.secret - fromdos /etc/machine.secret + printf "%s" "$kpwd" >/etc/machine.secret chmod 600 /etc/machine.secret else if [ -n "$res_message" ]; then @@ -620,7 +620,6 @@ set_kerberos_realm () { } set_windows_domain () { - local dcpwd="$1" local dcaccount="$2" local dcname="$3" @@ -666,7 +665,8 @@ sync_kerberos_setting () { echo_right "done" } -if [ "$server_role" = "domaincontroller_backup" ]; then +case "$server_role" in +domaincontroller_backup) fetch_secret "ldap" fetch_secret "ldap-backup" univention-config-registry set \ @@ -684,7 +684,6 @@ if [ "$server_role" = "domaincontroller_backup" ]; then fix_ssl_permissions check_ldap_tls_connection - download_host_certificate echo -n "Sync SSL settings: " @@ -712,8 +711,9 @@ if [ "$server_role" = "domaincontroller_backup" ]; then set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" reset_listener_schema run_join_scripts + ;; -elif [ "$server_role" = "domaincontroller_slave" ]; then +domaincontroller_slave) fetch_secret "ldap-backup" univention-config-registry set \ ldap/server/name="$hostname.$domainname" \ @@ -725,7 +725,6 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then >>"$LOGFILE" 2>&1 copy_ucs_ca check_ldap_tls_connection - download_host_certificate restart_ldap_server sync_kerberos_setting 
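Review bot: `printf "%s" "$kpwd" >/etc/machine.secret` creates or truncates the file under the process umask before the following `chmod 600`, so on a first join (or whenever backup_secret has moved the previous file away) the new machine password can be world-readable for the window between the two lines. Creating it with the final mode first closes that window, e.g. `( umask 077; printf "%s" "$kpwd" >/etc/machine.secret )` or `install -m 600 /dev/null /etc/machine.secret` before the write. Whether backup_secret leaves a 0600 file in place is not visible here; if it does, truncation keeps the existing mode and only the first join is affected.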
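Review bot: This hunk, together with the -725, -739 and -757 hunks, deletes the `download_host_certificate` call from every role branch, yet the description only mentions the case conversion, printf, fromdos and blank-line cleanups. The diffstat (14 insertions, 15 deletions for univention-join) leaves one addition and one deletion unaccounted for in the visible hunks, so the call may have been hoisted to a common place before `case "$server_role" in`; if it was not, joined systems no longer fetch their host certificate and the bounded download loop from patch 01 becomes dead code. Either way the commit message should say so. The domaincontroller_backup branch starts before this hunk.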
@@ -739,11 +738,11 @@ elif [ "$server_role" = "domaincontroller_slave" ]; then set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" reset_listener_schema run_join_scripts + ;; -elif [ "$server_role" = "memberserver" ]; then +memberserver) copy_ucs_ca check_ldap_tls_connection - download_host_certificate invalidate_nscd_cache univention-config-registry set \ @@ -757,12 +756,11 @@ elif [ "$server_role" = "memberserver" ]; then set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf run_join_scripts + ;; -else -# Client and Mobile Client +*) # Client and Mobile Client copy_ucs_ca check_ldap_tls_connection - download_host_certificate invalidate_nscd_cache univention-config-registry set \ @@ -777,7 +775,8 @@ else set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM" grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf run_join_scripts -fi + ;; +esac if [ -d /etc/runit/univention-directory-notifier ]; then /etc/init.d/univention-directory-notifier restart >>"$LOGFILE" 2>&1 diff --git a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join index ac1f6f2..3bc9bc7 100755 --- a/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join +++ b/branches/ucs-3.2/ucs-3.2-0/management/univention-join/univention-server-join @@ -286,7 +286,7 @@ create_entry () { if [ -n "$group" ]; then if ! rc="$(univention-directory-manager groups/group modify \ - --dn="$group" \ + --dn "$group" \ --append users="$ldap_dn" \ "${ADMINOPTIONS[@]}")" then -- 1.8.4.rc3
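Review bot: The new `*) # Client and Mobile Client` arm keeps the old `else` semantics, so any unexpected or mistyped `server/role` value is silently joined as a client. Now that the dispatch is a `case`, the two client roles could be matched explicitly and the default turned into `*) failed_message "unknown server/role: $server_role" ;;`, so a misconfigured role fails at the top of the dispatch instead of after the client-side `ucr set` and join scripts have run. I cannot see whether server_role is validated earlier in the script.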