split uxconsole registration and discovery into separate options

Idea created by giuseppe.patania on Jun 20, 2016

    It could be useful to get a uxconsole option (for example: -discover) which provides only site discovery, and the already available -register option, which should provide only the registration, with the possibility to use them both together and exclusively (only registration or only discovery).

     

    With the expression "site discovery" I refer to a task that UNAB already does. In fact, the 'ad_site' parameter inside the uxauth.ini conf file:

     

    ...omitted
    ; Specifies the name of Windows domain site the Unix client belongs to.
    ; NOTE: This token is automatically set to the most appropriate value
    ; during UNAB registration.
    ad_site = none
    ...omitted

     

    as the comment explains, is set automatically to the discovered site after UNAB registration, when previously set to its default value (default = none). Moreover, the pool of discovered KDCs is appended at the bottom of uxauth.ini by the UNAB registration task:

     

    Example:

    ...omitted
    MYDOMAIN.COM = {
      master_kdc = hostyyy009.mydomain.com
    ; DCs specified here will be always tried by Kerberos first and at least
    ; one of them must be functional. The list can be pruned if desired.
      kdc = hostxx01.mydomain.com
      kdc = hostxx04.mydomain.com
      kdc = hostxx03.mydomain.com
      .
      .
      .
      kdc = hostxx0n.mydomain.com
    }
    ...omitted

     

    Currently, registration AND site discovery are performed through the following command:

     

    /opt/CA/uxauth/bin/uxconsole -register -a P YYYYY -w ********* -d  my.example.domain.com -o OU=UnixAccounts,OU=SERVERS,OU=MYORGANIZATION -v 0 -n

     

     

    Many times, for a server, a site registration is not needed, while a new 'site discovery' is needed. Currently this task can only be achieved within a new registration, because uxconsole does not provide two separate options for registration and site discovery, with the wrong result of increasing the key version number even when not needed, as the following message shows:

     

    the key version number of computer object for 'xxxx' has reached
    the maximum allowed for its data type (255). Please deregister this endpoint
    first, so that the version count starts again from 1, or delete this computer
    object directly on the Windows side, e.g., using the ADUC management console.

    We use that command for registration AND site discovery: