ad_integration's People

Contributors

brakkio86, chuckmilam, dependabot[bot], jakub-vavra-cz, justin-stephenson, nhosoi, richm, seb2020, spetrosi

ad_integration's Issues

Role not working on RHEL7.9

Hi guys, I'm trying to use the role to add a RHEL7 to an Active Directory domain, but it isn't working.

Ansible version:

ansible [core 2.14.4]
  config file = /home/van/roles/insert_domain/ansible.cfg
  configured module search path = ['/home/van/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/van/.ansible/collections/ansible_collections
  executable location = /usr/bin/ansible
  python version = 3.9.10 (main, Sep 23 2022, 00:00:00) [GCC 11.2.1 20220127 (Red Hat 11.2.1-9)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

RHEL 7 info:

[root@node ~]# cat /etc/*release*
NAME="Red Hat Enterprise Linux Server"
VERSION="7.9 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Red Hat Enterprise Linux"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.9:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.9"
Red Hat Enterprise Linux Server release 7.9 (Maipo)
Red Hat Enterprise Linux Server release 7.9 (Maipo)
cpe:/o:redhat:enterprise_linux:7.9:ga:server

Ansible execution output:

TASK [redhat.rhel_system_roles.ad_integration : Run realm join command] *****************************
fatal: [192.168.100.44]: FAILED! => {"changed": true, "cmd": ["realm", "join", "-U", "svc_ansible", "--membership-software", "adcli", "van.local"], "delta": "0:00:02.233292", "end": "2024-04-12 15:03:25.788493", "failed_when_result": true, "msg": "non-zero return code", "rc": 1, "start": "2024-04-12 15:03:23.555201", "stderr": "See: journalctl REALMD_OPERATION=r183.3675\nrealm: Não foi possível associar ao domínio: The following packages are not available for installation: sssd, adcli", "stderr_lines": ["See: journalctl REALMD_OPERATION=r183.3675", "realm: Não foi possível associar ao domínio: The following packages are not available for installation: sssd, adcli"], "stdout": "Senha para svc_ansible:", "stdout_lines": ["Senha para svc_ansible:"]}

PLAY RECAP ******************************************************************************************
192.168.100.44             : ok=10   changed=0    unreachable=0    failed=1    skipped=14   rescued=0    ignored=0

The role can't install the necessary packages

  • sssd
  • adcli

Any thoughts or tips?

Add support for Rocky

There are some conditionals that filter out Rocky distributions. Here and here for example.

Adding Rocky to these conditionals would suffice.

- name: Manage crypto policies
  include_role:
    name: fedora.linux_system_roles.crypto_policies
  vars:
    crypto_policies_policy: "DEFAULT:AD-SUPPORT"
  when:
    - ad_integration_manage_crypto_policies | bool
    # Fedora and RHEL8+
    - (ansible_distribution == "Fedora" or
      (ansible_distribution in ['CentOS', 'RedHat', 'Rocky'] and
       ansible_distribution_version is version('8', '>=')))

ad_integration_computer_ou variable doesn't actually do anything?

It appears the variable "ad_integration_computer_ou" does not do what I would expect it to do.

Per the README, it is:

"The distinguished name of an organizational unit to create the computer account."

As I painfully discovered over several days, setting this variable with an appropriate OU results in no change, and computers are joined to the domain in the default OU.

I looked through the code, and sure enough, "ad_integration_computer_ou" is only mentioned in the "realmd.conf.j2" file.

I've modified "tasks/main.yml" to correctly add the "--computer-ou" option to the "realm join" command, but before I jump through what appears to be pages of hoops setting up a Fedora VM and "tox-lsr" and whatnot, I figured I'd ask here to make sure I'm on the right track in believing the "ad_integration_computer_ou" variable should do more than just update a value in "sssd.conf."

ad_integration_sssd_custom_settings not required SSSD restart ?

Hi,

If I use the variable "ad_integration_sssd_custom_settings" and set additional parameters, the configuration file is correctly updated. After the configuration, the handler "Handler for ad_integration to restart services" is called.

By default, the handler restarts all services defined in "__ad_integration_services" : "realmd"

Is it normal that by default there is no "sssd" in the "__ad_integration_services"?

Customized /etc/realmd.conf being overwritten

Hello!

I am trying to work around this issue, where "realm join" overwrites a hardened password-auth/system-auth with authselect:
https://issues.redhat.com/browse/RHEL-5101
https://access.redhat.com/solutions/5956991

A suggested workaround is to customize /etc/realmd.conf to include these:

[commands]
sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
sssd-disable-logins = /bin/true

However, realmd.conf gets overwritten when the template is applied. An alternative would be to edit /usr/lib/realmd/realmd-distro.conf directly, but it would be nice if the role could accommodate customization of realmd.conf.
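
A check for the overwrite described in this issue, added here as an example and not part of the original post or the role's code: it parses realmd.conf text as INI and reports which of the post's [commands] overrides are absent or altered. The sample file contents, the example.test domain section and the function names are constructed for illustration.

```python
import configparser

# Overrides the issue wants to keep in /etc/realmd.conf (values taken from the post).
REQUIRED = {
    "commands": {
        "sssd-enable-logins": '/usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"',
        "sssd-disable-logins": "/bin/true",
    }
}

# Constructed sample: a file as a template run might leave it, without [commands].
RENDERED_BY_TEMPLATE = """\
[example.test]
computer-ou = OU=Linux,DC=example,DC=test
"""

# Constructed sample: the same file with the hardening overrides in place.
CUSTOMIZED = RENDERED_BY_TEMPLATE + """
[commands]
sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
sssd-disable-logins = /bin/true
"""


def parse_realmd_conf(text):
    """Parse realmd.conf text as INI, keeping option case and literal '%'."""
    parser = configparser.ConfigParser(interpolation=None, strict=True)
    parser.optionxform = str  # do not lowercase option names
    parser.read_string(text)
    return parser


def missing_overrides(text, required=REQUIRED):
    """Return (section, option, found_value) for each override absent or changed."""
    parser = parse_realmd_conf(text)
    problems = []
    for section, options in required.items():
        for option, expected in options.items():
            # fallback=None covers both a missing section and a missing option
            found = parser.get(section, option, fallback=None)
            if found != expected:
                problems.append((section, option, found))
    return problems


if __name__ == "__main__":
    for label, text in (("template output", RENDERED_BY_TEMPLATE), ("customized", CUSTOMIZED)):
        print(label, "->", missing_overrides(text) or "all overrides present")
```

Run against the real file after each role run (for example with open("/etc/realmd.conf").read()) to catch the template replacing the customization before the next "realm join".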

Bad recommendation

It is never recommended to use the domain admin account to do anything. Least privileged access should always be utilized. Especially for service accounts.

It is recommended to use the Administrator user to join with Active Directory. If the Administrator user cannot be used, the normal Active Directory user must have sufficient join permissions.
