echo -n "Download host certificate "

	echo -n "Download host certificate "

	local HOSTPWD="/etc/machine.secret"

	local HOSTPWD="/etc/machine.secret"

	local HOSTACCOUNT="$hostname\$"

	local HOSTACCOUNT="$hostname\$"

	do

	do

		univention-scp "$HOSTPWD" -q -r \

		univention-scp "$HOSTPWD" -q -r \

			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" \

			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" \

			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" \

			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" \

			/etc/univention/ssl/ >>/var/log/univention/join.log 2>&1

			/etc/univention/ssl/ >>/var/log/univention/join.log 2>&1

		echo -n "."

		echo -n "."

	done

	done

}

}

check_ldap_tls_connection () {

check_ldap_tls_connection () {

	echo -n "Check TLS connection "

	echo -n "Check TLS connection "

	download_host_certificate

	download_host_certificate

	echo -n "Sync SSL settings: "

	echo -n "Sync SSL settings: "

	eval "$(univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/common ssl/email)"

	eval "$(univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/common ssl/email)"

	univention-config-registry set \

	univention-config-registry set \

	download_host_certificate

	download_host_certificate

	echo -n "Restart LDAP Server: "

	echo -n "Restart LDAP Server: "

	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1

	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1

	echo -e "\033[60Gdone"

	echo -e "\033[60Gdone"

.../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join     | 5 +++--

.../ucs-3.2/ucs-3.2-0/management/univention-join/univention-join     | 5 +++--

.../ucs-3.2-0/management/univention-join/univention-server-join      | 3 ++-

.../ucs-3.2-0/management/univention-join/univention-server-join      | 3 ++-

2 files changed, 5 insertions(+), 3 deletions(-)

2 files changed, 5 insertions(+), 3 deletions(-)

	/etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1

	/etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1

fi

fi

fi

fi

exit 0

exit 0

		subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)"

		subnet="$(univention-ipcalc6 --ip "$IP" --netmask "$NETMASK" --output reverse --calcdns)"

	else

	else

		# Fallback

		# Fallback

	fi

	fi

	log 0 "	Calculated subnet = $subnet"

	log 0 "	Calculated subnet = $subnet"

.../ucs-3.2-0/management/univention-join/univention-server-join       | 4 ++--

.../ucs-3.2-0/management/univention-join/univention-server-join       | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)

1 file changed, 2 insertions(+), 2 deletions(-)

	local group="$5"

	local group="$5"

	log 0 "Join $desc"

	log 0 "Join $desc"

		log 1 "E: failed search $desc [$old_dn]"

		log 1 "E: failed search $desc [$old_dn]"

		exit 1

		exit 1

	fi

	fi

.../management/univention-join/univention-join     | 24 ++----

.../management/univention-join/univention-join     | 24 ++----

.../univention-join/univention-server-join         | 97 +++++++++-------------

.../univention-join/univention-server-join         | 97 +++++++++-------------

2 files changed, 49 insertions(+), 72 deletions(-)

2 files changed, 49 insertions(+), 72 deletions(-)

	args+=(-binddn "$binddn")

	args+=(-binddn "$binddn")

fi

fi

# invalidate the nscd hosts cache

# invalidate the nscd hosts cache

#  https://forge.univention.org/bugzilla/show_bug.cgi?id=30886

#  https://forge.univention.org/bugzilla/show_bug.cgi?id=30886

	fi

	fi

}

}

BINDDN=""

BINDDN=""

BINDPWFILE=""

BINDPWFILE=""

DOMAINNAME=""

DOMAINNAME=""

			shift 2 || exit 2

			shift 2 || exit 2

			;;

			;;

		"-ip")

		"-ip")

			shift 2 || exit 2

			shift 2 || exit 2

			;;

			;;

		"-netmask")

		"-netmask")

			shift 2 || exit 2

			shift 2 || exit 2

			;;

			;;

		"-mac")

		"-mac")

			shift 2 || exit 2

			shift 2 || exit 2

			;;

			;;

		"-bindaccount")

		"-bindaccount")

	local primaryGroup="$4"

	local primaryGroup="$4"

	local group="$5"

	local group="$5"

	log 0 "Join $desc"

	log 0 "Join $desc"

	if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" | sed -ne "s|^DN: ||p")"

	if ! old_dn="$(set -o pipefail ; univention-directory-manager "$module" list --filter name="$NEWHOSTNAME" "${ADMINOPTIONS[@]}" | sed -ne "s|^DN: ||p")"

	then

	then

		exit 1

		exit 1

	fi

	fi

	if [ -z "$old_dn" ]; then

	if [ -z "$old_dn" ]; then

		log 0 "	Create new $desc "

		log 0 "	Create new $desc "

		cmd=(univention-directory-manager "$module" create \

		cmd=(univention-directory-manager "$module" create \

			--position "$position" \

			--position "$position" \

			--set name="$NEWHOSTNAME" \

			--set name="$NEWHOSTNAME" \

	else

	else

		log 0 "Modify $desc [$old_dn]"

		log 0 "Modify $desc [$old_dn]"

		rc="$(univention-directory-manager "$module" modify \

		rc="$(univention-directory-manager "$module" modify \

			--dn "$old_dn" \

			--dn "$old_dn" \

			--set password="$computerPassword" \

			--set password="$computerPassword" \

	fi

	fi

}

}

computerPassword="$(create_machine_password)"

computerPassword="$(create_machine_password)"

case "$ROLE" in

case "$ROLE" in

.../management/univention-join/univention-join     | 127 +++++++++++----------

.../management/univention-join/univention-join     | 127 +++++++++++----------

.../univention-join/univention-run-join-scripts    |  15 ++-

.../univention-join/univention-run-join-scripts    |  15 ++-

2 files changed, 78 insertions(+), 64 deletions(-)

2 files changed, 78 insertions(+), 64 deletions(-)

VERSION_CHECK=true

VERSION_CHECK=true

VERBOSE=false

VERBOSE=false

trapOnExit() {

trapOnExit() {

	rm -rf "$USERTMP"

	rm -rf "$USERTMP"

	if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then

	if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then

		if [ -n "$old_listener_debug_level" ]; then

		if [ -n "$old_listener_debug_level" ]; then

		fi

		fi

	fi

	fi

}

}

trap trapOnExit EXIT

trap trapOnExit EXIT

	  -realm <kerberos realm>:       Kerberos realm, e.g. TEST.LOCAL

	  -realm <kerberos realm>:       Kerberos realm, e.g. TEST.LOCAL

	  -windom <windows domain name>: Name of the windows (samba) domain

	  -windom <windows domain name>: Name of the windows (samba) domain

	  -disableVersionCheck           Disable version check against _dcname_

	  -disableVersionCheck           Disable version check against _dcname_

	  -h | --help | -?:              Print this usage message and exit program

	  -h | --help | -?:              Print this usage message and exit program

	  --version:                     Print version information and exit program

	  --version:                     Print version information and exit program

		univention-scp "$HOSTPWD" -q -r \

		univention-scp "$HOSTPWD" -q -r \

			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" \

			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" \

			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" \

			"$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" \

		if [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ]

		if [ -d "/etc/univention/ssl/$hostname" ] && [ -d "/etc/univention/ssl/$hostname.$domainname" ]

		then

		then

			return

			return

		fi

		fi

		echo -n "."

		echo -n "."

		sleep $delay

		sleep $delay

	done

	done

	failed_message "failed to get host certificate"

	failed_message "failed to get host certificate"

}

}

 		failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN."

 		failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN."

	fi

	fi

}

}

run_join_scripts () {

run_join_scripts () {

			test -e "$i" || continue

			test -e "$i" || continue

			echo -n "Configure $(basename "$i") "

			echo -n "Configure $(basename "$i") "

			[ -n "$SIMPLEGUI" ] && echo

			[ -n "$SIMPLEGUI" ] && echo

			bashVerbose=""

			bashVerbose=""

			if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then

			if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then

				bashVerbose="bash -x"

				bashVerbose="bash -x"

			fi

			fi

			if [ $? -ne 0 ]; then

			if [ $? -ne 0 ]; then

				failed_message "FAILED: $(basename "$i")"

				failed_message "FAILED: $(basename "$i")"

			else

			else

				delete_unjoinscript "$(basename "$i")"

				delete_unjoinscript "$(basename "$i")"

			fi

			fi

			if [ "$server_role" = "domaincontroller_slave" -o "$server_role" = "domaincontroller_backup" ]; then

			if [ "$server_role" = "domaincontroller_slave" -o "$server_role" = "domaincontroller_backup" ]; then

}

}

# log univention-join call

# log univention-join call

while [ $# -gt 0 ]

while [ $# -gt 0 ]

do

do

# verbose logging for univention-join and listener

# verbose logging for univention-join and listener

if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then

if [ -n "$VERBOSE" -a "$VERBOSE" = "true" ]; then

	set -x

	set -x

	if [ -n "$listener_debug_level" ]; then

	if [ -n "$listener_debug_level" ]; then

		old_listener_debug_level="$listener_debug_level"

		old_listener_debug_level="$listener_debug_level"

	else

	else

		old_listener_debug_level="2"

		old_listener_debug_level="2"

	fi

	fi

	listener_debug_level=4

	listener_debug_level=4

fi

fi

	echo -n "Search DC Master: "

	echo -n "Search DC Master: "

	DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"

	DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"

	if [ -n "$DCNAME" ]; then

	if [ -n "$DCNAME" ]; then

	else

	else

		for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do

		for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do

			if [ -z "$i" ]; then continue; fi

			if [ -z "$i" ]; then continue; fi

			DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"

			DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"

			if [ -n "$DCNAME" ]; then

			if [ -n "$DCNAME" ]; then

				echo "domain $domainname" >/etc/resolv.conf

				echo "domain $domainname" >/etc/resolv.conf

				echo "nameserver $i" >>/etc/resolv.conf

				echo "nameserver $i" >>/etc/resolv.conf

				test -x /etc/init.d/nscd && /etc/init.d/nscd restart >>/var/log/univention/join.log 2>&1

				test -x /etc/init.d/nscd && /etc/init.d/nscd restart >>/var/log/univention/join.log 2>&1

	failed_message "ping to $DCNAME failed"

	failed_message "ping to $DCNAME failed"

fi

fi

then

then

	failed_message "ssh-login for ${DCACCOUNT}@${DCNAME} failed. Maybe you entered a wrong password."

	failed_message "ssh-login for ${DCACCOUNT}@${DCNAME} failed. Maybe you entered a wrong password."

fi

fi

IFS=$OLDIFS

IFS=$OLDIFS

# check join constraints

# check join constraints

mystatus="no"

mystatus="no"

if [ -n "$master_version" -a -n "$master_patchlevel" ]; then

if [ -n "$master_version" -a -n "$master_patchlevel" ]; then

	if $VERSION_CHECK; then

	if $VERSION_CHECK; then

		failed_message "$vmsg"

		failed_message "$vmsg"

	else

	else

	fi

	fi

else

else

fi

fi

if [ -x /etc/init.d/slapd ]; then

if [ -x /etc/init.d/slapd ]; then

	echo -n "Stop LDAP Server: "

	echo -n "Stop LDAP Server: "

fi

fi

if [ -x /etc/init.d/samba4 ]; then

if [ -x /etc/init.d/samba4 ]; then

	echo -n "Stop Samba 4 Server: "

	echo -n "Stop Samba 4 Server: "

	if [ "$dns_backend" = "samba4" ]; then

	if [ "$dns_backend" = "samba4" ]; then

	fi

	fi

fi

fi

if [ -z "$LDAPBASE" ]; then

if [ -z "$LDAPBASE" ]; then

if [ -n "$ldap_base" ]; then

if [ -n "$ldap_base" ]; then

	univention-config-registry set ldap/base="$ldap_base" >/dev/null 2>&1

	univention-config-registry set ldap/base="$ldap_base" >/dev/null 2>&1

else

else

	failed_message "Failed to determine ldap/base."

	failed_message "Failed to determine ldap/base."

fi

fi

if [ -x /etc/init.d/slapd ]; then

if [ -x /etc/init.d/slapd ]; then

	echo -n "Start LDAP Server: "

	echo -n "Start LDAP Server: "

fi

fi

echo -n "Search LDAP binddn "

echo -n "Search LDAP binddn "

if [ -z "$binddn" ]; then

if [ -z "$binddn" ]; then

	failed_message "binddn for user $DCACCOUNT not found. "

	failed_message "binddn for user $DCACCOUNT not found. "

else

else

fi

fi

if [ $server_role != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ]; then

if [ $server_role != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ]; then

if [ -x /usr/bin/rdate ]; then

if [ -x /usr/bin/rdate ]; then

	echo -n "Sync time "

	echo -n "Sync time "

	/usr/bin/rdate "$DCNAME" >/dev/null 2>&1

	/usr/bin/rdate "$DCNAME" >/dev/null 2>&1

fi

fi

args=()

args=()

# Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely

# Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely

univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \

univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \

	'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \

	'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \

res_message="$(sed -n '/^E:/ { s/^E:\s*// p }' "$USERTMP/log")"

res_message="$(sed -n '/^E:/ { s/^E:\s*// p }' "$USERTMP/log")"

if [ -z "$res_message" ]; then

if [ -z "$res_message" ]; then

fi

fi

if [ -s "$USERTMP/log" ]

if [ -s "$USERTMP/log" ]

then

then

	#try to get password

	#try to get password

	kpwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")"

	kpwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")"

	ldap_dn="$(sed -ne 's|^ldap_dn="\(.*\)" *|\1|p' <"$USERTMP/log")"

	ldap_dn="$(sed -ne 's|^ldap_dn="\(.*\)" *|\1|p' <"$USERTMP/log")"

	if [ -n "$ldap_dn" ]; then

	if [ -n "$ldap_dn" ]; then

	else

	else

		failed_message "No LDAP Host DN returned"

		failed_message "No LDAP Host DN returned"

	fi

	fi

	local DCNAME="$3"

	local DCNAME="$3"

	local realm="$4"

	local realm="$4"

	if [ -z "$realm" ]; then

	if [ -z "$realm" ]; then

		if [ $? != 0 -o -z "$realm" ]; then

		if [ $? != 0 -o -z "$realm" ]; then

			echo "Unable to retrieve the kerberos realm. Try to use option -realm <kerberos/realm>"

			echo "Unable to retrieve the kerberos realm. Try to use option -realm <kerberos/realm>"

			exit 1

			exit 1

		fi

		fi

	fi

	fi

}

}

set_windows_domain () {

set_windows_domain () {

	local windom="$4"

	local windom="$4"

	if [ -z "$windom" ]; then

	if [ -z "$windom" ]; then

		if [ $? != 0 -o -z "$windom" ]; then

		if [ $? != 0 -o -z "$windom" ]; then

			echo "Unable to retrieve the windows/domain. Try to use option -windom <windows/domain>"

			echo "Unable to retrieve the windows/domain. Try to use option -windom <windows/domain>"

			exit 1

			exit 1

		fi

		fi

	fi

	fi

}

}

if [ "$server_role" = "domaincontroller_backup" ]; then

if [ "$server_role" = "domaincontroller_backup" ]; then

	if [ ! -e "/etc/ldap.secret" ]; then

	if [ ! -e "/etc/ldap.secret" ]; then

		failed_message "/etc/ldap.secret not found"

		failed_message "/etc/ldap.secret not found"

	fi

	fi

	echo -n "Sync ldap-backup.secret: "

	echo -n "Sync ldap-backup.secret: "

	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1

	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1

	if [ ! -e "/etc/ldap-backup.secret" ]; then

	if [ ! -e "/etc/ldap-backup.secret" ]; then

		failed_message "/etc/ldap-backup.secret not found"

		failed_message "/etc/ldap-backup.secret not found"

	fi

	fi

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name="$hostname.$domainname" \

		ldap/server/name="$hostname.$domainname" \

		ldap/master="$DCNAME" \

		ldap/master="$DCNAME" \

		ldap/master/port?7389 \

		ldap/master/port?7389 \

		ldap/server/type=slave \

		ldap/server/type=slave \

	echo -n "Sync SSL directory: "

	echo -n "Sync SSL directory: "

	# prevent join from failing if umask is modified (Bug #21587)

	# prevent join from failing if umask is modified (Bug #21587)

	chmod 755 /etc/univention/ssl

	chmod 755 /etc/univention/ssl

		ssl/organizationalunit="$ssl_organizationalunit" \

		ssl/organizationalunit="$ssl_organizationalunit" \

		ssl/common="$ssl_common" \

		ssl/common="$ssl_common" \

		ssl/email="$ssl_email" \

		ssl/email="$ssl_email" \

	echo -n "Restart LDAP Server: "

	echo -n "Restart LDAP Server: "

	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1

	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1

	#TODO: implement a real sync

	#TODO: implement a real sync

	echo -n "Sync Kerberos settings: "

	echo -n "Sync Kerberos settings: "

	univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1

	univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1

	# invalidate the nscd hosts cache

	# invalidate the nscd hosts cache

		ldap/server/name?"$DCNAME" \

		ldap/server/name?"$DCNAME" \

		ldap/master?"$DCNAME" \

		ldap/master?"$DCNAME" \

		kerberos/adminserver?"$DCNAME" \

		kerberos/adminserver?"$DCNAME" \

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	eval "$(univention-config-registry shell)"

	eval "$(univention-config-registry shell)"

	univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1

	univention-scp "$DCPWD" "${DCACCOUNT}@${DCNAME}:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name="$hostname.$domainname" \

		ldap/server/name="$hostname.$domainname" \

		ldap/master="$DCNAME" \

		ldap/master="$DCNAME" \

		ldap/master/port?7389 \

		ldap/master/port?7389 \

		ldap/server/type=slave \

		ldap/server/type=slave \

	mkdir -p /etc/univention/ssl/ucsCA

	mkdir -p /etc/univention/ssl/ucsCA

	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1

	univention-scp "$DCPWD" -q "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1

	echo -n "Restart LDAP Server: "

	echo -n "Restart LDAP Server: "

	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1

	/etc/init.d/slapd restart >>/var/log/univention/join.log 2>&1

	echo -n "Sync Kerberos settings: "

	echo -n "Sync Kerberos settings: "

	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1

	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1

	mkdir -p /var/lib/univention-ldap/notify/

	mkdir -p /var/lib/univention-ldap/notify/

		ldap/server/name?"$DCNAME" \

		ldap/server/name?"$DCNAME" \

		ldap/master?"$DCNAME" \

		ldap/master?"$DCNAME" \

		kerberos/adminserver?"$DCNAME" \

		kerberos/adminserver?"$DCNAME" \

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	echo -n "0" >/var/lib/univention-ldap/schema/id/id

	echo -n "0" >/var/lib/univention-ldap/schema/id/id

		ldap/master?"$DCNAME" \

		ldap/master?"$DCNAME" \

		ldap/master/port?7389 \

		ldap/master/port?7389 \

		kerberos/adminserver?"$DCNAME" \

		kerberos/adminserver?"$DCNAME" \

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	touch /var/univention-join/joined

	touch /var/univention-join/joined

		ldap/master/port?7389 \

		ldap/master/port?7389 \

		kerberos/adminserver="$DCNAME" \

		kerberos/adminserver="$DCNAME" \

		nsswitch/ldap=yes \

		nsswitch/ldap=yes \

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

fi

fi

if [ -d /etc/runit/univention-directory-notifier ]; then

if [ -d /etc/runit/univention-directory-notifier ]; then

	sleep 3

	sleep 3

fi

fi

if [ -d /etc/runit/univention-directory-listener ]; then

if [ -d /etc/runit/univention-directory-listener ]; then

fi

fi

varname="interfaces_${interfaces_primary:-eth0}_type"

varname="interfaces_${interfaces_primary:-eth0}_type"

	exit 1

	exit 1

}

}

while [ $# -gt 0 ]

while [ $# -gt 0 ]

do

do

	case "$1" in

	case "$1" in

		then

		then

			failed_message "Invalid credentials"

			failed_message "Invalid credentials"

		else

		else

		fi

		fi

	fi

	fi

fi

fi

		echo "RUNNING $(basename "$i")"

		echo "RUNNING $(basename "$i")"

		if ! joinscript_extern_init "$i"; then

		if ! joinscript_extern_init "$i"; then

			echo "EXITCODE=invalid_joinscript"

			echo "EXITCODE=invalid_joinscript"

			continue

			continue

		fi

		fi

		if joinscript_check_already_executed && [ -z "$JOIN_FORCE" ]; then

		if joinscript_check_already_executed && [ -z "$JOIN_FORCE" ]; then

			echo "EXITCODE=already_executed"

			echo "EXITCODE=already_executed"

			continue

			continue

		fi

		fi

		RET=$?

		RET=$?

		echo "EXITCODE=$RET"

		echo "EXITCODE=$RET"

		if [ $RET != 0 ]; then

		if [ $RET != 0 ]; then

		else

		else

			delete_unjoinscript "$(basename "$i")"

			delete_unjoinscript "$(basename "$i")"

		fi

		fi

	done

	done

.../management/univention-join/univention-join     | 26 +++++-----------------

.../management/univention-join/univention-join     | 26 +++++-----------------

1 file changed, 5 insertions(+), 21 deletions(-)

1 file changed, 5 insertions(+), 21 deletions(-)

fi

fi

# check join constraints

# check join constraints

log "running version check"

log "running version check"

.../management/univention-join/univention-join     | 28 ++++++++--------------

.../management/univention-join/univention-join     | 28 ++++++++--------------

1 file changed, 10 insertions(+), 18 deletions(-)

1 file changed, 10 insertions(+), 18 deletions(-)

	failed_message "failed to get host certificate"

	failed_message "failed to get host certificate"

}

}

check_ldap_tls_connection () {

check_ldap_tls_connection () {

	echo -n "Check TLS connection "

	echo -n "Check TLS connection "

	args+=(-mac "$(cat "${iface}/address")")

	args+=(-mac "$(cat "${iface}/address")")

done

done

echo -n "Join Computer Account: "

echo -n "Join Computer Account: "

args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname")

args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname")

# Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely

# Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely

univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \

univention-ssh --no-split "$DCPWD" "${DCACCOUNT}@${DCNAME}" \

	'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \

	'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' \

	"$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>"$LOGFILE"

	"$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>"$LOGFILE"

	univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1

	univention-scp "$DCPWD" -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1

	echo_right "done"

	echo_right "done"

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name?"$DCNAME" \

		ldap/server/name?"$DCNAME" \

		ldap/master?"$DCNAME" \

		ldap/master?"$DCNAME" \

	mkdir -p /var/lib/univention-ldap/notify/

	mkdir -p /var/lib/univention-ldap/notify/

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name?"$DCNAME" \

		ldap/server/name?"$DCNAME" \

		ldap/master?"$DCNAME" \

		ldap/master?"$DCNAME" \

		>>/var/log/univention/join.log 2>&1

		>>/var/log/univention/join.log 2>&1

	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name?"$DCNAME" \

		ldap/server/name?"$DCNAME" \

		ldap/server/port?7389 \

		ldap/server/port?7389 \

	check_ldap_tls_connection

	check_ldap_tls_connection

	download_host_certificate

	download_host_certificate

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name="$DCNAME" \

		ldap/server/name="$DCNAME" \

		ldap/server/port?7389 \

		ldap/server/port?7389 \

.../management/univention-join/univention-join     | 60 ++++++++++------------

.../management/univention-join/univention-join     | 60 ++++++++++------------

1 file changed, 26 insertions(+), 34 deletions(-)

1 file changed, 26 insertions(+), 34 deletions(-)

	echo -n "${escaped[@]}"

	echo -n "${escaped[@]}"

}

}

download_host_certificate () {

download_host_certificate () {

	echo -n "Download host certificate "

	echo -n "Download host certificate "

	local HOSTPWD="/etc/machine.secret"

	local HOSTPWD="/etc/machine.secret"

	kpwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")"

	kpwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")"

	if [ -n "$kpwd" ]; then

	if [ -n "$kpwd" ]; then

		echo -n "$kpwd" >/etc/machine.secret

		echo -n "$kpwd" >/etc/machine.secret

		fromdos /etc/machine.secret

		fromdos /etc/machine.secret

		chmod 600 /etc/machine.secret

		chmod 600 /etc/machine.secret

	else

	else

		if [ -n "$res_message" ]; then

		if [ -n "$res_message" ]; then

			failed_message "$res_message"

			failed_message "$res_message"

}

}

if [ "$server_role" = "domaincontroller_backup" ]; then

if [ "$server_role" = "domaincontroller_backup" ]; then

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name="$hostname.$domainname" \

		ldap/server/name="$hostname.$domainname" \

		ldap/server/ip="$IP" \

		ldap/server/ip="$IP" \

	run_join_scripts

	run_join_scripts

elif [ "$server_role" = "domaincontroller_slave" ]; then

elif [ "$server_role" = "domaincontroller_slave" ]; then

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name="$hostname.$domainname" \

		ldap/server/name="$hostname.$domainname" \

		ldap/server/ip="$IP" \

		ldap/server/ip="$IP" \

.../management/univention-join/univention-join     | 22 ++++------------------

.../management/univention-join/univention-join     | 22 ++++------------------

1 file changed, 4 insertions(+), 18 deletions(-)

1 file changed, 4 insertions(+), 18 deletions(-)

}

}

run_join_scripts () {

run_join_scripts () {

	LC_COLLATE="C"

	LC_COLLATE="C"

	if test -d "/usr/lib/univention-install/"; then

	if test -d "/usr/lib/univention-install/"; then

		>>"$LOGFILE" 2>&1

		>>"$LOGFILE" 2>&1

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	mkdir -p /var/lib/univention-ldap/notify/

	mkdir -p /var/lib/univention-ldap/notify/

	echo -n "0" >/var/lib/univention-ldap/schema/id/id

	echo -n "0" >/var/lib/univention-ldap/schema/id/id

	chown listener /var/lib/univention-ldap/schema/id/id

	chown listener /var/lib/univention-ldap/schema/id/id

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	echo -n "0" >/var/lib/univention-ldap/schema/id/id

	echo -n "0" >/var/lib/univention-ldap/schema/id/id

	chown listener /var/lib/univention-ldap/schema/id/id

	chown listener /var/lib/univention-ldap/schema/id/id

	run_join_scripts

	run_join_scripts

elif [ "$server_role" = "memberserver" ]; then

elif [ "$server_role" = "memberserver" ]; then

		>>"$LOGFILE" 2>&1

		>>"$LOGFILE" 2>&1

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	run_join_scripts

	run_join_scripts

else

else

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	grep -q '^TLS_CACERT' /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	run_join_scripts

	run_join_scripts

fi

fi

.../ucs-3.2-0/management/univention-join/univention-join | 16 +++++++---------

.../ucs-3.2-0/management/univention-join/univention-join | 16 +++++++---------

1 file changed, 7 insertions(+), 9 deletions(-)

1 file changed, 7 insertions(+), 9 deletions(-)

	nscd -i hosts

	nscd -i hosts

}

}

check_ldap_tls_connection () {

check_ldap_tls_connection () {

	echo -n "Check TLS connection "

	echo -n "Check TLS connection "

		>>"$LOGFILE" 2>&1

		>>"$LOGFILE" 2>&1

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	run_join_scripts

	run_join_scripts

elif [ "$server_role" = "domaincontroller_slave" ]; then

elif [ "$server_role" = "domaincontroller_slave" ]; then

	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1

	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1

	echo_right "done"

	echo_right "done"

	invalidate_nscd_cache

	invalidate_nscd_cache

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name?"$DCNAME" \

		ldap/server/name?"$DCNAME" \

		>>"$LOGFILE" 2>&1

		>>"$LOGFILE" 2>&1

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	set_windows_domain "$DCPWD" "$DCACCOUNT" "$DCNAME" "$WINDOM"

	run_join_scripts

	run_join_scripts

elif [ "$server_role" = "memberserver" ]; then

elif [ "$server_role" = "memberserver" ]; then

.../management/univention-join/univention-join     | 63 ++++++++--------------

.../management/univention-join/univention-join     | 63 ++++++++--------------

1 file changed, 21 insertions(+), 42 deletions(-)

1 file changed, 21 insertions(+), 42 deletions(-)

	univention-config-registry set windows/domain="$windom" >>"$LOGFILE" 2>&1

	univention-config-registry set windows/domain="$windom" >>"$LOGFILE" 2>&1

}

}

if [ "$server_role" = "domaincontroller_backup" ]; then

if [ "$server_role" = "domaincontroller_backup" ]; then

	fetch_secret "ldap"

	fetch_secret "ldap"

	fetch_secret "ldap-backup"

	fetch_secret "ldap-backup"

	univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>"$LOGFILE" 2>&1

	univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>"$LOGFILE" 2>&1

	echo_right "done"

	echo_right "done"

	check_ldap_tls_connection

	check_ldap_tls_connection

	download_host_certificate

	download_host_certificate

		ldap/master/port?7389 \

		ldap/master/port?7389 \

		ldap/server/type=slave \

		ldap/server/type=slave \

		>>"$LOGFILE" 2>&1

		>>"$LOGFILE" 2>&1

	check_ldap_tls_connection

	check_ldap_tls_connection

	download_host_certificate

	download_host_certificate

	run_join_scripts

	run_join_scripts

elif [ "$server_role" = "memberserver" ]; then

elif [ "$server_role" = "memberserver" ]; then

	check_ldap_tls_connection

	check_ldap_tls_connection

	download_host_certificate

	download_host_certificate

else

else

# Client and Mobile Client

# Client and Mobile Client

	check_ldap_tls_connection

	check_ldap_tls_connection

	download_host_certificate

	download_host_certificate

.../ucs-3.2-0/management/univention-join/univention-join  | 15 ++++++++-------

.../ucs-3.2-0/management/univention-join/univention-join  | 15 ++++++++-------

1 file changed, 8 insertions(+), 7 deletions(-)

1 file changed, 8 insertions(+), 7 deletions(-)

	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem

	chmod 644 /etc/univention/ssl/ucsCA/CAcert.pem

}

}

if [ "$server_role" = "domaincontroller_backup" ]; then

if [ "$server_role" = "domaincontroller_backup" ]; then

	fetch_secret "ldap"

	fetch_secret "ldap"

	fetch_secret "ldap-backup"

	fetch_secret "ldap-backup"

		>>"$LOGFILE" 2>&1

		>>"$LOGFILE" 2>&1

	echo_right "done"

	echo_right "done"

	#TODO: implement a real sync

	#TODO: implement a real sync

	echo -n "Sync Kerberos settings: "

	echo -n "Sync Kerberos settings: "

	check_ldap_tls_connection

	check_ldap_tls_connection

	download_host_certificate

	download_host_certificate

	echo -n "Sync Kerberos settings: "

	echo -n "Sync Kerberos settings: "

	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1

	univention-scp "$DCPWD" -q -r "${DCACCOUNT}@${DCNAME}:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1

.../management/univention-join/univention-join       | 20 +++++++++-----------

.../management/univention-join/univention-join       | 20 +++++++++-----------

1 file changed, 9 insertions(+), 11 deletions(-)

1 file changed, 9 insertions(+), 11 deletions(-)

	echo_right "done"

	echo_right "done"

}

}

if [ "$server_role" = "domaincontroller_backup" ]; then

if [ "$server_role" = "domaincontroller_backup" ]; then

	fetch_secret "ldap"

	fetch_secret "ldap"

	fetch_secret "ldap-backup"

	fetch_secret "ldap-backup"

	echo_right "done"

	echo_right "done"

	restart_ldap_server

	restart_ldap_server

	invalidate_nscd_cache

	invalidate_nscd_cache

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name?"$DCNAME" \

		ldap/server/name?"$DCNAME" \

	download_host_certificate

	download_host_certificate

	restart_ldap_server

	restart_ldap_server

	invalidate_nscd_cache

	invalidate_nscd_cache

	univention-config-registry set \

	univention-config-registry set \

		ldap/server/name?"$DCNAME" \

		ldap/server/name?"$DCNAME" \

.../management/univention-join/univention-join     | 42 ++++++++++++----------

.../management/univention-join/univention-join     | 42 ++++++++++++----------

1 file changed, 24 insertions(+), 18 deletions(-)

1 file changed, 24 insertions(+), 18 deletions(-)

fi

fi

	echo -n "Search DC Master: "

	echo -n "Search DC Master: "

	if [ -n "$DCNAME" ]; then

	if [ -n "$DCNAME" ]; then

		echo_right "done"

		echo_right "done"

	fi

	fi

echo -n "Check DC Master: "

echo -n "Check DC Master: "

.../management/univention-join/univention-join     | 101 +++++++++------------

.../management/univention-join/univention-join     | 101 +++++++++------------

1 file changed, 45 insertions(+), 56 deletions(-)

1 file changed, 45 insertions(+), 56 deletions(-)

. /usr/share/univention-lib/all.sh

. /usr/share/univention-lib/all.sh

TYPE=

TYPE=

USERTMP="$(mktemp -d)"

USERTMP="$(mktemp -d)"

DCPWD="$USERTMP/dcpwd"

DCPWD="$USERTMP/dcpwd"

VERSION_CHECK=true

VERSION_CHECK=true

LOGFILE="/var/log/univention/join.log"

LOGFILE="/var/log/univention/join.log"

log () {

log () {

trapOnExit() {

trapOnExit() {

	rm -rf "$USERTMP"

	rm -rf "$USERTMP"

		if [ -n "$old_listener_debug_level" ]; then

		if [ -n "$old_listener_debug_level" ]; then

			ucr set listener/debug/level="$old_listener_debug_level" >>"$LOGFILE" 2>&1

			ucr set listener/debug/level="$old_listener_debug_level" >>"$LOGFILE" 2>&1

		fi

		fi

	: > /var/univention-join/joined

	: > /var/univention-join/joined

	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined

	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined