Bug 34091

Summary: UCS in Active Directory domain
Product: UCS
Reporter: Stefan Gohmann <gohmann>
Component: General
Assignee: Stefan Gohmann <gohmann>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: enhancement
Priority: P5
CC: best, botner, gulden, klaeser, requate, walkenhorst
Version: UCS 3.2
Target Milestone: UCS 3.2-2-errata
Hardware: Other
OS: Linux
Bug group (optional): Release Goal
Bug Depends on: 34092, 34093, 35090, 35091, 35092, 35093, 35094, 35095, 35096, 35233, 35252, 35346, 35453, 35454, 35500, 35501, 35507, 35513, 35520, 35551, 35566

Description Stefan Gohmann univentionstaff 2014-02-10 09:53:17 CET
It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality.

The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary, we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind.

The UCS system should be able to provide Samba shares.

Synchronized objects should be marked as synced (univentionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules' property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore the object creation via UMC should display a warning that this object will not be synchronized to AD.
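Added illustration of the rule proposed above (this is not Univention code and not part of the original report): a small model of how a UDM-style property flag named readonly_when_synced could refuse modifications of objects carrying univentionObjectFlag "synced" while the AD connector runs in its default read mode, and how a UMC creation warning could be produced. The module, property and attribute names, the Module/Property classes and the assumption that non-read connector modes permit local edits are all constructed for the example.

```python
# Added illustration (not Univention code): how a UDM-style property flag
# "readonly_when_synced" could gate modifications of AD-synchronized objects
# while the AD connector runs in its default read mode.  Module, property and
# attribute names below are constructed for the example.
from dataclasses import dataclass

SYNCED_FLAG = "synced"   # value of univentionObjectFlag set by the connector


@dataclass
class Property:
    """Minimal stand-in for a UDM property definition."""
    name: str
    readonly_when_synced: bool = False   # default False, as proposed in the report


@dataclass
class Module:
    """Minimal stand-in for a UDM module: a name plus its property definitions."""
    name: str
    properties: dict   # property name -> Property


def is_synced(ldap_attrs):
    """True if the object's (multi-valued) univentionObjectFlag contains 'synced'."""
    flags = ldap_attrs.get("univentionObjectFlag", [])
    return SYNCED_FLAG in flags


def rejected_changes(module, ldap_attrs, changes, connector_mode="read"):
    """Return the names of properties in `changes` that must not be modified.

    Only the default read mode (AD -> UCS) blocks edits of synced attributes;
    the assumption here is that other modes let UCS write back to AD.
    Unknown properties are treated as writable and left to UDM's own validation.
    """
    if connector_mode != "read" or not is_synced(ldap_attrs):
        return []
    return [
        name for name in changes
        if name in module.properties and module.properties[name].readonly_when_synced
    ]


def apply_changes(module, ldap_attrs, changes, connector_mode="read"):
    """Apply `changes` to a copy of the object, or raise if any property is read-only."""
    blocked = rejected_changes(module, ldap_attrs, changes, connector_mode)
    if blocked:
        raise PermissionError(
            "object is synchronized from Active Directory; read-only properties: "
            + ", ".join(sorted(blocked))
        )
    updated = dict(ldap_attrs)
    updated.update(changes)
    return updated


def creation_warning(module, connector_mode="read"):
    """Text UMC could show when creating an object the connector will not push to AD."""
    if connector_mode == "read":
        return (f"Objects of type {module.name} created here will not be "
                "synchronized to Active Directory.")
    return None


# Constructed sample module and object (not real UDM definitions)
USERS_MODULE = Module("users/user", {
    "username": Property("username", readonly_when_synced=True),
    "firstname": Property("firstname", readonly_when_synced=True),
    "description": Property("description"),   # local-only attribute, stays writable
})
SYNCED_USER = {
    "univentionObjectFlag": ["synced"],
    "username": "jdoe",
    "firstname": "Jane",
}

if __name__ == "__main__":
    print(rejected_changes(USERS_MODULE, SYNCED_USER,
                           {"firstname": "J.", "description": "local note"}))
    print(creation_warning(USERS_MODULE))
```

Running the script rejects only the firstname change (description is not flagged) and prints the creation warning; with connector_mode="sync" both calls fall through, matching the assumption that only read mode is restrictive.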
Comment 1 Arvid Requate univentionstaff 2014-02-27 21:53:00 CET
We may want to generate a krb5.keytab for the UCS systems and any kerberized services they run (LDAP, Squid). Probably it's straightforward to derive that locally from the machine.secret via ktutil.

I guess we would need to modify univention-heimdal anyway to take care that the keytab* listeners don't do inappropriate things in this mode, like deleting the keytab and hoping for the UCS master to generate a new one. And then the joinscript of univention-heimdal should be adjusted as well as the joinscripts of the kerberized services.

Another point is the server password change.
Comment 2 Alexander Kläser univentionstaff 2014-03-06 11:29:36 CET
In this mode, DNS is disabled and a warning should be prompted when opening the DNS UMC module (→ c.f. Bug 32313).
Comment 3 Stefan Gohmann univentionstaff 2014-07-02 07:51:38 CEST
It shouldn't be allowed to install S4 as DC in this scenario. But UCS AD Takeover should be possible.
Comment 4 Stefan Gohmann univentionstaff 2014-07-23 12:15:41 CEST
Several library calls for the admember mode have been added to univention-lib:
r52072 + r52080 + r52081 + r52090 + r52095

YAML: r52098
Comment 5 Stefan Gohmann univentionstaff 2014-07-29 06:42:20 CEST
*** Bug 35458 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Gohmann univentionstaff 2014-07-31 07:20:13 CEST
I've created a product test page:
 https://hutten.knut.univention.de/mediawiki/index.php/Produkttests_UCS_3.2-3_UCS-in-AD

YAML: 2014-07-23-univention-lib.yaml
Comment 7 Arvid Requate univentionstaff 2014-08-06 13:20:12 CEST
Ok, these packages have been adjusted for this and its dependent bugs:

univention-lib
univention-heimdal
univention-ldap
univention-pam
univention-samba
univention-samba4
univention-s4-connector
univention-directory-manager-modules
univention-join
univention-ad-connector
univention-management-console-module-adtakeover
univention-management-console-module-udm
univention-management-console
univention-management-console-module-appcenter

All have been merged in SVN to the UCS 3.2-3 and UCS 4.0-0 branches.
Comment 8 Felix Botner univentionstaff 2014-08-07 10:01:15 CEST
Product test, see http://hutten/mediawiki/index.php/Produkttests_UCS_3.2_UCS-in-AD
Comment 9 Janek Walkenhorst univentionstaff 2014-08-07 17:45:37 CEST
http://errata.univention.de/ucs/3.2/165.html