Changing HOSTNAME on UCS


#1

Hi,

Is there an easy way to change the hostname on the system, as well as on the certificate generated on UCS, without compromising all the services being run on the system by doing that?

We ran into this problem when upgrading to the latest Samba 4 (please see the message below with exit code 1).
Installing univention-samba4 is exiting with code 1.

[code]
File: /etc/krb5.conf
extract_rIDNextRID: Attribute rIDSetReferences not found
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: guess_names: Domain 'DOMAIN_NAME' must not be equal to short host name 'DOMAIN_NAME'!
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 401, in run
    use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1988, in provision
    sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 616, in guess_names
    raise ProvisioningError("guess_names: Domain '%s' must not be equal to short host name '%s'!" % (domain, netbiosname))
Samba4 provision failed, exiting /usr/share/univention-samba4/scripts/setup-s4.sh
Joinscript 96univention-samba4.inst finished with exitcode 1
[/code]

*For security reasons DOMAIN_NAME was hidden but it is the same name as the hostname.

Changing the hostname via ucs set hostname makes things worse, since all the services stop when doing that.

We haven’t been able to use file sharing since on the UCS; we had to configure a regular wheezy/Debian Linux to work around the problem. Still, we are not able to upgrade / update the system.

It is the first time that I have seen such a major problem on Unix from just changing/resetting the name of the host.

Rolando Riley


#2

Hi Rolando,

due to the deep integration of services in UCS, changing the hostname or other basic settings (which potentially affect the whole domain) is no trivial task.
The hostname is used in DNS, LDAP, Kerberos, Samba4, SSL certificates and many more services in various configs and directory services. All these occurrences have to be adjusted.

I suppose that you can use the UCS appliance tools for this task:

[code]
echo "hostname=newhostname" > /var/cache/univention-system-setup/profile
/usr/lib/univention-system-setup/scripts/setup-join.sh >>/var/log/univention/setup.log 2>&1
[/code]
If this is not your DC Master please re-join the system afterwards. If it is your DC Master please re-join each other system.

I also described the whole procedure in Change base system settings - feel free to take a look!

Kind regards,
Tim Petersen


#3

Hi Rolando,

it seems like the appliance procedure erases the LDAP (users/groups which were already created). We need further work on the mentioned SDB article.
Pardon the inconvenience - I will update this when the article is finished.

Kind regards,
Tim Petersen


#4

Hi Tim,
Your last post created a little confusion for me. Please let me know whether, by running these 2 commands, I will not have issues with any LDAP, MySQL, HTTP or Cyrus services.

My main concern is errors on services related to:
1) Hostname
2) Server certificate. Specifically "TLS error for mismatching common name cn on certificate"

The production server is quite large in terms of users.

Rolando


#5

Sorry for the confusion! In fact these two commands will provision a completely new LDAP and delete each existing user, group, etc. So please do NOT use them.
I will come back to you with a more defensive way of changing the hostname soon.

Tim


#6

Hi Tim,
Any news for this process on UCS?

Rolando


#7

Hi Rolando,

no news to show yet. I will show my results and a way to go here, of course - but I cannot guarantee a timeframe for that, unfortunately.
Would a reinstallation of the system be a possible alternative? Just as a thought: if this system never worked as expected (Samba shares, etc.), this would perhaps also be the better option? Depending on the amount of user data, users, etc., of course.

Kind regards,
Tim


#8

Hi Tim,
The path of reinstalling the system because of a “bad” hostname selection doesn’t make much sense as a sysadmin. It kind of resembles the MS OS approach, which we truly don’t like.

I invite you to consider, on the other hand, that this basic/simple UNIX question should be resolved as it is. Very simple. The way I see it, UCR as you guys developed it is the way a configuration should be changed. ucr set hostname="blah" ... is one simple way (but it doesn't work). UCR is the main difference I see between this distribution and others.

Just my opinion. I will wait for your technical instructions to update it.

Rolando Riley


#9

Dear Rolando,

I adapted an older system-setup script for changing the hostname, which we used in the past (/usr/lib/univention-system-setup/scripts/), to current needs.
You will find the script attached.

The script will do all the relevant steps for changing a Linux hostname on a system with Kerberos/SSL chains/LDAP and things like that on a UCS DC master (this would be absolutely the same on every other Linux I am aware of…).

The following steps are needed:

[code]
chmod +x changehostname
ucr set newhostname=xyz
./changehostname
[/code]

Afterwards you will have to re-provision the Samba 4 LDB - in your case, where Samba 4 never was provisioned successfully, this would’ve been necessary anyway:

[code]
# Stop Samba and the S4 connector (use the variant for your release)
# UCS 4:
invoke-rc.d samba stop
invoke-rc.d univention-s4-connector stop

# UCS 3:
invoke-rc.d samba4 stop
invoke-rc.d univention-s4-connector stop

# Move the connector databases aside and clear the connector's state
mv /etc/univention/connector/s4internal.sqlite /etc/univention/connector/s4internal.sqlite.bak
mv /etc/univention/connector/lockingdb.sqlite /etc/univention/connector/lockingdb.sqlite.bak
mv /etc/univention/connector/s4cache.sqlite /etc/univention/connector/s4cache.sqlite.bak
rm /var/lib/univention-connector/s4/*
# Move the existing Samba private directory aside
mv /var/lib/samba/private /var/lib/samba/private_bak

# Remove both packages, set the provisioning variables, then reinstall
univention-remove univention-samba4 univention-s4-connector

ucr set connector/s4/mapping/group/grouptype='false' connector/s4/mapping/sid_to_s4='true' samba4/provision/primary='true'

univention-install univention-s4-connector univention-samba4

# Unset the temporary variables again
ucr unset samba4/provision/primary connector/s4/mapping/sid_to_s4
[/code]

For further reference also have a look at:
Re-Provisioning Samba4 on a DC Master

Afterwards all UCS systems in the domain have to be rejoined to update their information about their master:

univention-join

I successfully did this procedure in two environments, each consisting of a DC master and a DC backup. Please make sure to test whether everything fits your needs.

Kind regards,
Tim
changehostname.sh (22.4 KB)
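
A check to run before re-provisioning and again after the rename, as an added example that is not part of this thread or of the attached script: it flags the condition from the provisioning error in post #1 (domain name equal to the short host name) and the certificate CN mismatch raised in post #4. The function names, host names, domain name and subject lines are constructed, and the case-insensitive comparison is an assumption.

```shell
#!/bin/sh
# Added example; every name and sample value below is constructed.

# Lower-case a string (DNS and NetBIOS names are compared case-insensitively here).
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Fails when the domain name equals the short host name, the condition
# reported by guess_names in the provisioning error from post #1.
check_netbios_clash() {   # $1 = FQDN, $2 = Windows/NetBIOS domain name
    short=$(lower "${1%%.*}")
    [ "$short" != "$(lower "$2")" ]
}

# Extract the CN from a subject line as printed by
# `openssl x509 -noout -subject` ("CN=x" and "CN = x" layouts).
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeeds when the certificate CN equals the expected FQDN (CN only, no SANs).
check_cert_cn() {         # $1 = subject line, $2 = expected FQDN
    [ "$(lower "$(subject_cn "$1")")" = "$(lower "$2")" ]
}

# Run both checks, print findings, return the number of failed checks.
verify_rename() {         # $1 = FQDN, $2 = domain name, $3 = subject line
    fails=0
    check_netbios_clash "$1" "$2" || {
        echo "FAIL: short host name equals domain name '$2'"
        fails=$((fails + 1))
    }
    check_cert_cn "$3" "$1" || {
        echo "FAIL: certificate CN '$(subject_cn "$3")' does not match $1"
        fails=$((fails + 1))
    }
    [ "$fails" -eq 0 ] && echo "OK: $1"
    return "$fails"
}

# Constructed demo: a host named like its domain, still carrying the old certificate.
verify_rename "example.example.test" "EXAMPLE" \
    "subject=C = DE, O = Example, CN = oldhost.example.test" || true
```

On a real system the third argument would come from `openssl x509 -noout -subject -in` followed by the path of the host certificate.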


#10

Hi,
I forgot to give feedback. The script works very well; among other things, it does update the SSL certificate.

Rolando


#11

Hi,
is this script still working for UCS 4.2?

Stefan


#12

I would highly recommend testing stuff like this in a testing environment first. Furthermore, I would not change the hostname at all; you do that at your own risk.