8.1. Management of computer accounts via Univention Management Console module

All UCS, Linux and Windows systems within a UCS domain each have a computer domain account (also referred to as the host account) with which the systems can authenticate themselves among each other and with which they can access the LDAP directory.

The computer account is generally created automatically when the system joins the UCS domain (see Joining domains); however, the computer account can also be added prior to the domain join.

The password for the computer account is generated automatically during the domain join and saved in the /etc/machine.secret file. By default the password consists of 20 characters (can be configured via the Univention Configuration Registry Variable machine/password/length). The password is regenerated automatically at fixed intervals (default setting: 21 days; can be configured using the Univention Configuration Registry Variable server/password/interval). Password rotation can also be disabled using the variable server/password/change.
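As an added example (not part of the UCS manual or its tooling), the following Python audit checks a machine account secret against the defaults stated above: at least 20 characters, owned by root and not readable by group or others, and younger than the 21-day rotation interval. The split into a pure check plus a file wrapper, and the assumption that the file holds the password with an optional trailing newline, are this example's own.

```python
import os
import time

# Defaults from the manual: machine/password/length = 20 characters,
# server/password/interval = 21 days. Both can be overridden per call.
DEFAULT_PASSWORD_LENGTH = 20
DEFAULT_INTERVAL_DAYS = 21


def audit_machine_secret(secret, mode, uid, mtime, now,
                         min_length=DEFAULT_PASSWORD_LENGTH,
                         interval_days=DEFAULT_INTERVAL_DAYS):
    """Pure check on already-gathered facts; returns a list of findings.

    An empty list means the secret looks healthy. Keeping the check free of
    I/O makes it testable with constructed values (see the __main__ block).
    """
    findings = []
    if len(secret) < min_length:
        findings.append(f"password has {len(secret)} characters, "
                        f"expected at least {min_length}")
    if uid != 0:
        findings.append(f"file is owned by uid {uid}, expected root (0)")
    if mode & 0o077:
        findings.append(f"file mode {oct(mode & 0o777)} grants access "
                        f"to group or others")
    age_days = (now - mtime) / 86400
    if age_days > interval_days:
        findings.append(f"password is {age_days:.1f} days old, "
                        f"rotation interval is {interval_days} days")
    return findings


def audit_machine_secret_file(path="/etc/machine.secret", **overrides):
    """Gather owner, mode, mtime and content from the real file and audit it."""
    st = os.stat(path)
    with open(path) as fh:
        # Assumption of this example: the file contains only the password,
        # possibly followed by a newline that is not part of it.
        secret = fh.read().rstrip("\n")
    return audit_machine_secret(secret, st.st_mode, st.st_uid,
                                st.st_mtime, time.time(), **overrides)


if __name__ == "__main__":
    # Constructed sample facts: a 5-character, world-readable, 30-day-old secret.
    now = time.time()
    for finding in audit_machine_secret("short", 0o100644, 1000,
                                        now - 30 * 86400, now):
        print("FINDING:", finding)
```

Running it on a joined UCS system with `audit_machine_secret_file()` prints nothing for a healthy account and one line per deviation otherwise.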

There is a different computer object type for every system role. Further information on the individual system roles can be found in UCS system roles.

Computer accounts are managed in the UMC module Computers.

By default a simplified wizard for creating a computer is shown, which only requests the most important settings. All attributes can be shown by clicking on Advanced. If there is a DNS forward zone and/or a DNS reverse zone (see Administration of DNS data with BIND) assigned to the selected network object (see Network objects), a host record and/or pointer record is automatically created for the host. If there is a DHCP service configured for the network object and a MAC address is configured, a DHCP host entry is created (see IP assignment via DHCP).

The simplified wizard can be disabled for all system roles by setting the Univention Configuration Registry Variable directory/manager/web/modules/computers/computer/wizard/disabled to true.

Fig. 8.1 Creating a computer in the UMC module

Fig. 8.2 Advanced computer settings

8.1.1. Computer management module - General tab

Table 8.1 General tab

Attribute

Description

Name

The name for the host should be entered in this input field.

To guarantee compatibility with different operating systems and services, computer names should only contain the lowercase letters a to z, numbers, hyphens and underscores. Umlauts and special characters are not permitted. The full stop is used as a separating mark between the individual components of a fully qualified domain name and must therefore not appear as part of the computer name. Computer names must begin with a letter.

Microsoft Windows accepts computer names with a maximum of 13 characters, so as a rule computer names should be limited to 13 characters if there is any chance that Microsoft Windows will be used.

After creation, the computer name can only be changed for the system roles Windows Workstation/Server, macOS Client and IP client.

Description

Any description can be entered for the host in this input field.

Inventory number

Inventory numbers for hosts can be stored here.

Network

The host can be assigned to an existing network object. Information on the IP configuration can be found in Network objects.

MAC address

The MAC address of the computer can be entered here, for example 2e:44:56:3f:12:32. If the computer is to receive a DHCP entry, the entry of the MAC address is essential.

IP address

Fixed IP addresses for the host can be given here. Further information on the IP configuration can be found in Network objects.

If a network was selected on the General tab, the IP address assigned to the host from the network will be shown here automatically.

An IP address entered here (i.e. in the LDAP directory) can only be transferred to the host via DHCP. If no DHCP is being used, the IP address must be configured locally, see Network configuration.

If the IP addresses entered for a host are changed while its DNS zone assignment stays the same, they are automatically updated in the computer object and, where they exist, in the DNS entries of the forward and reverse lookup zones. If the IP address of the host was entered in other places as well, those entries must be changed manually! For example, if the IP address was given in a DHCP boot policy instead of the name of the boot server, this IP address will need to be changed manually by editing the policy.

Forward zone for DNS entry

The DNS forward zone in which the computer is entered. The zone is used to resolve the computer name into the assigned IP address. Further information on the IP configuration can be found in Network objects.

Reverse zone for DNS entry

The DNS reverse zone in which the computer is entered. The zone is used to resolve the computer's IP address into a computer name. Further information on the IP configuration can be found in Network objects.

DHCP service

If a computer is supposed to procure its IP address via DHCP, a DHCP service must be assigned here. Information on the IP configuration can be found in Network objects.

During assignment, it must be ensured that the DHCP servers of the DHCP service object are responsible for the physical network.

If a network is selected on the General tab an appropriate entry for the network will be added automatically. It can be adapted subsequently.
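The naming rules given for the Name attribute above (lowercase a to z, digits, hyphen and underscore only, a letter first, no full stop, and at most 13 characters where Windows is in play) can be checked before a computer object is created. This validator is an added example and is not code from the UCS manual or from Univention; the function name and the windows_in_domain parameter are this example's own.

```python
import re

# Characters the manual allows inside a computer name.
_BODY_CHAR = re.compile(r"[a-z0-9_-]")
# Upper bound the manual gives for names that Microsoft Windows will accept.
WINDOWS_MAX_LEN = 13


def validate_computer_name(name, windows_in_domain=False):
    """Return a list of rule violations; an empty list means the name is fine.

    windows_in_domain=True additionally enforces the 13-character limit that
    the manual recommends whenever Windows systems may be used.
    """
    problems = []
    if not name:
        return ["name is empty"]
    if "." in name:
        problems.append("contains a full stop (reserved as the FQDN separator)")
    if not ("a" <= name[0] <= "z"):
        problems.append("must begin with a lowercase letter a-z")
    # Collect every character outside the allowed set; the full stop is
    # reported by its own rule above, so it is skipped here.
    bad = sorted({c for c in name if c != "." and not _BODY_CHAR.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    if windows_in_domain and len(name) > WINDOWS_MAX_LEN:
        problems.append(f"{len(name)} characters, Windows limit is {WINDOWS_MAX_LEN}")
    return problems


if __name__ == "__main__":
    # Constructed sample names covering each rule.
    for candidate in ["file-srv_01", "1server", "Server", "srv.example",
                      "m\u00fcller", "verylongworkstation01"]:
        print(candidate, "->", validate_computer_name(candidate, windows_in_domain=True) or "ok")
```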

8.1.2. Computer management module - Account tab

Table 8.2 Account tab (advanced settings)

Attribute

Description

Password

The password for the computer account is usually automatically created and rotated. For special cases such as the integration of external systems it can also be explicitly configured in this field.

The same password must then also be entered locally on the computer in the /etc/machine.secret file.

Primary group

The primary group of the host can be selected in this selection field. This is only necessary when it deviates from the automatically created default value. The default value for a Primary Directory Node or Backup Directory Node is DC Backup Hosts, for a Replica Directory Node DC Slave Hosts and for Managed Nodes Computers.

8.1.3. Computer management module - Unix account tab

Table 8.3 Unix account tab (advanced settings)

Attribute

Description

Unix home directory (*)

A different home directory for the host account can be entered here. The automatically created default value for the home directory is /dev/null.

Login shell

If a different login shell from the default value is to be used for the computer account, the login shell can be adapted manually in this input field. The automatically set default value assumes a login shell of /bin/sh.

8.1.4. Computer management module - Services tab

Table 8.4 Services tab (advanced settings)

Attribute

Description

Service

By means of a service object, applications or services can determine whether a service is available on a computer or generally in the domain.

Note

The tab Services is only displayed on UCS server system roles.

8.1.5. Computer management module - Deployment tab

This Deployment tab is used for the Univention Net Installer, see Extended installation documentation [6].

8.1.6. Computer management module - DNS alias tab

Table 8.5 DNS alias tab (advanced settings)

Attribute

Description

Zone for DNS Alias

If a zone entry for forward mapping has been set up for the host in the Forward zone for DNS entry field, the additional alias entries via which the host can be reached can be configured here.

8.1.7. Computer management module - Alerts tab

Table 8.6 Alerts tab (advanced settings)

Attribute

Description

Assigned monitoring alerts

Specifies which Monitoring alert checks should be performed for this computer, see Configure monitoring alerts.

8.1.8. Computer management module - Groups tab

The computer can be added to different groups on the Groups tab.

8.1.9. Computer management module - Options tab

The Options tab allows disabling LDAP object classes for host objects. The entry fields for attributes of disabled object classes are no longer shown. Not all object classes can be modified subsequently.

Table 8.7 Options tab

Attribute

Description

Kerberos principal

If this checkbox is not selected the host does not receive the krb5Principal and krb5KDCEntry object classes.

POSIX account

If this checkbox is not selected the host does not receive the posixAccount object class.

Samba account

If this checkbox is not selected the host does not receive the sambaSamAccount object class.

8.1.10. Integration of Ubuntu clients

Ubuntu clients can be managed in the UMC module Computers with their own system role. The network properties for DNS/DHCP can also be managed there.

The use of policies is not supported.

Some configuration adjustments need to be performed on Ubuntu systems; these are documented in Extended domain services documentation [2].