Automation questions

The UCS domain is basically configured, up and running and works smoothly. Almost all goals are reached. Now I am focusing on automation and would love to get some input.

Following is the situation:

subnet 50.0, split into 16 x /28 subnets (50.0-50.15, 50.16-50.31, etc.)
first subnet UCS Master and Slave, second other services, third subnet shared DBs

subnet 51.0, split into 16 x /28 subnets (51.0-51.15, 51.16-51.31, etc.)
first three subnets Windows servers, fourth subnet Nextcloud, fifth subnet UCS fileserver, 15th subnet UCS email server

The structure of the 51 subnet continues to 52 and so on, always the same.
I created the subnets in the UCS Master. Now I need automation for:

  1. each subnet gets its own email domain: each user from subnet 51 gets domain1.com, each user from subnet 52 gets domain2.com. How do I automate the email address creation of username@domainx.com?
  2. each server in subnet 15 gets the email server installed. How do I automate it?
  3. set the home drive. I couldn't figure out how the user connects to the home drive automatically, or how to use the logon scripts (users physically only log in to 2 servers: one Windows server, the other email).
  4. how can I automate: the email server only connects to Nextcloud (there is an option to enter the servers allowed to connect, but I want to automate it)
  5. I want to assign the automation rules per subnet: meaning if a UCS server is installed in subnet 52/15, all servers should automatically get the UCS email server installed
  6. copy the LDAP structure to a new customer. The 51 subnet is where I am working and developing an automation (all rules and settings are saved there). For example:
    ldap_base
    customer
    customername1
    server
    users
    policy and setting
    … etc
    How can I copy the whole customername1 into customername2 and just change some parameters (like the servername cn1mail-v001, which should be copied as cn2mail-v001)? I guess custom scripting?
  7. Is it possible to create GPOs for the Windows server without the use of a Windows domain? As I read, I need to install a Windows server for it!
  8. Is it possible to install a base UCS (for users and groups) and install, for example, PostgreSQL, and access the users and groups over the local server? Or do I need to install a separate Ubuntu with SQL and use SQL AD auth modules? (For web services the same question.)

Common issues I still face:

  1. login to Nextcloud takes more than 7 seconds
  2. for some strange reason: if I move Nextcloud into the desired container (customer, customername, servers, nextcloud), the login doesn't work anymore; if I move it back to memberserver it works. Any ideas?

Next are performance tests, backup (btw: previous version is working), etc.

So, guys, thanks for taking the time to read, and maybe somebody out there has some good input.

Hi,

  1. The easiest way to do this would be using Templates. These allow you to set defaults at user creation time.

  2. To install packages automatically, place your subnet 15 servers in a separate OU or container and then create a package maintenance policy that sets univention-mail-server to be installed on the respective servers.

  3. You could set the home drive through the same template used for creating the user. See 6.1. User management through Univention Management Console module — Univention Corporate Server - Manual for users and administrators.

  4. You can configure the UCR policies via LDAP. See 8.3. Administration of local system configuration with Univention Configuration Registry — Univention Corporate Server - Manual for users and administrators. You could then distribute your own limitation under the variable “mail/postfix/smtpd/restrictions/recipient/50”.

  5. That would work similarly to 2). See 5.3. Updates of UCS systems — Univention Corporate Server - Manual for users and administrators.

  6. The easiest way is to create a shell script and create the structures and policies via the command line. The only limit would be the ldap_base. That gets set during the installation of the UCS master.

  7. Yes and No. Most GPOs can only be created from Windows and depend on the software running on the respective machine. For example, to create a GPO that affects Adobe Acrobat, the system must have the software installed. For Microsoft products, Windows clients include some of the GPOs for the server, but not all of them. Thus, the best way to create the GPOs would be from a Windows Server.

  8. You can install Postgres on UCS and use the machine account for authentication. Whether that is the best scenario will depend on your end goal.

As for the issues:

  1. That can have a variety of sources. The first step would be to check the logs on Nextcloud for LDAP connection errors and the resource usage on the server. Those are the most common issues.
  2. As in, you are moving the container between servers? Are you copying the Docker volumes? If you plan to move the Nextcloud container between servers, I recommend starting with a plain Nextcloud AIO container. That has likely fewer dependencies and greater setup flexibility compared to the version from the UCS Appcenter. Once you are done installing, you add it manually to the LDAP and Keycloak domain of your UCS server.
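For point 6 of the answer (cloning the customer subtree with a shell script), here is an added example that is not part of the thread or of Univention's own tooling. It emits the `udm` commands that would recreate the customer/server/users/policy tree for a second customer and rewrite the per-customer server prefix (cn1mail-v001 to cn2mail-v001); the `udm container/cn create` and `udm computers/memberserver create --position DN --set name=NAME` forms are the UDM CLI syntax from the UCS manual, while the ldap_base and the server list are constructed sample data, and the real list would come from `udm computers/memberserver list` on the source customer.

```shell
#!/bin/sh
# Added example: generate (or run) the udm commands that clone the customer
# subtree  cn=customer/<name>/{server,users,policy}  for a new customer.
# Assumptions: udm CLI forms from the UCS manual; LDAP_BASE and SOURCE_SERVERS
# are constructed sample data (the real list comes from udm ... list).
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them on the master.

LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed stand-in for the servers registered under customername1/server.
SOURCE_SERVERS="cn1mail-v001 cn1file-v001 cn1nc-v001"

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rename_for_customer NAME OLDPREFIX NEWPREFIX: swap the customer prefix of a server name.
rename_for_customer() {
    printf '%s\n' "$1" | sed "s/^$2/$3/"
}

# clone_customer NEWCUSTOMER OLDPREFIX NEWPREFIX: create the container tree for the
# new customer and one memberserver object per source server, with the prefix swapped.
clone_customer() {
    new="$1"; oldp="$2"; newp="$3"
    newbase="cn=$new,cn=customer,$LDAP_BASE"
    run udm container/cn create --position "cn=customer,$LDAP_BASE" --set name="$new"
    for sub in server users policy; do
        run udm container/cn create --position "$newbase" --set name="$sub"
    done
    for srv in $SOURCE_SERVERS; do
        newname=$(rename_for_customer "$srv" "$oldp" "$newp")
        run udm computers/memberserver create --position "cn=server,$newbase" --set name="$newname"
    done
}

clone_customer customername2 cn1 cn2
```

Review the printed commands first; creating the server objects before joining is what the later answer in this thread recommends, so run the real commands on the master only once the names and positions look right.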

Thanks mate for the answer. My weekend is booked now with all your suggestions.

Update on the Nextcloud issue (2): I figured out why the login is not possible. I am not sure what the reason is, but what happens: let's suppose the Nextcloud server is 192.168.1.100 and the Nextcloud instance (Docker) in it is registered as nextcloud-number in LDAP.
In the Nextcloud ADS configuration, the object in ADS/LDAP needs to be specified. For some strange reason the name is changing and therefore the ADS/LDAP integration doesn't work anymore. It changes from nextcloud-12345 to nextcloud-67890.
I only move the LDAP object from base/computer/memberserver
to
base/customer/customer1/server/gw/

But I am not sure if it has something to do with the move. Still working on it to figure out why it renames itself.

Any tips?

The IP can not be entered because it's in use already (by the host the Docker runs on).

2 more questions:

  • how can I assign an IP to Nextcloud? The preferred host is 172.16.61.50, the Docker with Nextcloud should then be 51
  • perfect would be if the link to Nextcloud were nextcloud.domain.cloud instead of servername/nextcloud. Any hints?

Not sure where the IPs come from; you should be able to delete them. Please note that you will also need to delete the DNS entries below. However, Nextcloud would be reachable under the name of the host system in any case.

If, after moving the Docker container, the IP addresses change, you will need to update the Nextcloud config. On UCS the respective two files would be:
/var/lib/univention-appcenter/apps/nextcloud/data/integration/config/config.php
Change trusted_domains to match the host IP and hostname, and change trusted_proxies to match the Docker internal host IP.

/var/lib/univention-appcenter/apps/nextcloud/data/integration/ucr
Change both entries to match the host IP and Docker proxy IP.

If your LDAP objects change, you may also need to update the settings within Nextcloud. The nextcloud super admin is nc_admin and the password can be found in /var/lib/univention-appcenter/apps/nextcloud/data/integration/admin.secret

Most of your suggestions I implemented. Thanks mate.

One big issue is left:
A newly installed UCS server is created as an LDAP object in the standard container: Computers > Memberserver.
Login to the server on the web is possible.

If I move the server to its final destination: shared > customer01 > Servers > xx fileserver (for example),
login is not possible.

It looks like it affects all servers except the DC Master and Slave (network 60).
The servers I want to move are in the 61 network.

[screenshot: Error]
Any idea?

The easiest way to avoid this issue in the future is to create the server object before installing the server.

For the existing servers, rejoining them is the fastest way.
On the web interface, log in as user root with the root password and use the module → Domain → Domain join.
On the CLI, log in as user root and use the command univention-join.

After hours of testing, this is the conclusion I got:
Creating the LDAP object (Computer Memberserver) before joining the domain ends up with NO APPS being installable (Error: Permission denied). Moving the LDAP object after install: NO APP install possible.

I installed about 15 times. Nothing works except when the server stays in the original location: Computer > Memberserver.

No re-join worked,
no moving around the LDAP, forth and back;
it just ends up like that in all constellations (except the original LDAP object location).

My fileserver is dead now (moved, rejoined: shares gone, no auth possible anymore, as I figure, but I can be wrong as well), my Nextcloud server dead, my eGroupware server dead. From my point of view, your suggestion doesn't work. Now I can clean up the LDAP (how do I remove the apps in the server's Apps overview without the server, because deinstall didn't work as well?).

It looks like a server without any additional apps installed works (I didn't spend much time checking what is not working).

The LDAP is not much configured, except the policy auto update and the policy LDAP server.