adjoin.sls (secret gist)

Created May 30, 2017 22:30
# adjoin.sls: join this minion to Active Directory with realmd, authenticating
# with a service-account keytab that is pulled from the master, used once for a
# kinit, and removed again at the end of the run.

# Verify if this system is currently joined to the domain.
# "Joined" here means /etc/sssd/sssd.conf exists and its "domains =" line names
# at least one domain. A missing file or an empty value both count as not joined,
# so the join branch runs.
# FIXME: This is a weak test; `realm list` would be a more authoritative check
{% set isjoined = salt['cmd.retcode']('grep -qE "^domains *= *[^[:space:]]" /etc/sssd/sssd.conf') == 0 %}
{% set aduser = 'adjoin@DOMAIN.COM' %}
{% set keytabfile = '/root/adjoin.keytab' %}

{% if isjoined %}
System is already joined to AD:
  test.configurable_test_state:
    - changes: False
    - result: True
    - comment: Already joined to domain, nothing to do
{% else %}
# The keytab holds the join account's long-term key: root-only, mode 0400, and
# deleted again at the end of the run (see "Remove keytab" below). Note that
# anything under the master's file_roots (salt://) is readable by every accepted
# minion, so the keytab's exposure is the whole fleet, not just hosts being joined.
Download keytab:
  file.managed:
    - name: {{ keytabfile }}
    - user: root
    - group: root
    - mode: 0400
    - source: salt://core/files/adjoin.keytab
    - unless:
      - test -f {{ keytabfile }}

# Obtain a TGT for the join account from the keytab. Skipped only when the
# default credential cache already holds an unexpired ticket (klist -s exits
# non-zero for a missing or expired cache) whose default principal is this
# exact account.
Generate new ticket from keytab:
  cmd.run:
    - name: kinit -k -t {{ keytabfile }} {{ aduser }}
    - require:
      - file: Download keytab
    - unless:
      - 'klist -s && klist | grep -q "^Default principal: {{ aduser }}$"'

# No --user is passed, so the join relies on the ticket obtained above in the
# default credential cache; the computer object is created in the given OU.
Join realm:
  cmd.run:
    - name: realm join --computer-ou="OU=Linux,OU=Domain Computers,DC=domain,DC=com" domain.com
    - require:
      - cmd: Generate new ticket from keytab

# Clean up credentials last, whether or not the join succeeded.
Remove keytab:
  file.absent:
    - name: {{ keytabfile }}
    - order: last

Clear kerberos cache:
  cmd.run:
    - name: kdestroy
    - order: last
{% endif %} # if isjoined
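The two FIXME comments in the state (the joined-test and the `unless` guard on kinit) are shell checks, so here is a small set of shell helpers for them, added for this page and not part of the gist. It assumes the MIT Kerberos `klist` output layout (a "Default principal:" header and a `krbtgt/` service line); the function names are hypothetical, and the sssd.conf and klist samples are constructed. It goes a step beyond the FIXME by also requiring an actual krbtgt entry, not just a matching principal.

```shell
#!/bin/sh
# Added helper checks for the adjoin.sls state (not part of the gist).
# Function names are hypothetical; the sample inputs below are constructed.

# sssd_has_domain CONF
# Exit 0 when CONF exists and its "domains =" key names at least one domain,
# i.e. the host is joined. A missing file, a missing key or an empty value all
# exit 1 (not joined), so a state using this as its test goes on to join.
sssd_has_domain() {
    [ -f "$1" ] || return 1
    grep -qE '^[[:space:]]*domains[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# klist_has_tgt_for PRINCIPAL   (klist output on stdin)
# Exit 0 only when the cache's default principal is exactly PRINCIPAL and the
# cache lists a krbtgt/ entry. Expiry is not parsed here; pair it with
# `klist -s`, which exits non-zero for a missing or expired cache.
klist_has_tgt_for() {
    awk -v p="$1" '
        $1 == "Default" && $2 == "principal:" { ok = ($3 == p) }
        ok && index($0, "krbtgt/") > 0       { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# tgt_is_valid_for PRINCIPAL
# The combined guard that can stand in for the state's "unless: klist" line:
# unexpired cache AND it belongs to PRINCIPAL AND it holds a TGT.
tgt_is_valid_for() {
    klist -s 2>/dev/null && klist 2>/dev/null | klist_has_tgt_for "$1"
}

# Constructed MIT klist output, used to exercise the parser offline.
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: adjoin@DOMAIN.COM

Valid starting       Expires              Service principal
05/30/2017 22:30:00  05/31/2017 08:30:00  krbtgt/DOMAIN.COM@DOMAIN.COM
EOF
}

# Constructed sssd.conf contents: one joined host, one with an empty domains key.
sample_sssd_joined() {
    printf '[sssd]\nservices = nss, pam\ndomains = domain.com\n'
}
sample_sssd_unjoined() {
    printf '[sssd]\nservices = nss, pam\ndomains =\n'
}

# Stand-alone demo: run both checks over the constructed samples.
tmp=$(mktemp -d)
sample_sssd_joined   > "$tmp/joined.conf"
sample_sssd_unjoined > "$tmp/unjoined.conf"
for f in joined unjoined missing; do
    if sssd_has_domain "$tmp/$f.conf"; then
        echo "$f.conf: joined"
    else
        echo "$f.conf: not joined"
    fi
done
rm -rf "$tmp"
for p in adjoin@DOMAIN.COM other@DOMAIN.COM; do
    if sample_klist | klist_has_tgt_for "$p"; then
        echo "TGT for $p: yes"
    else
        echo "TGT for $p: no"
    fi
done
```

In the state these drop straight into the `unless` lists, for example `unless: - 'klist -s && klist | awk ...'` with the awk body inlined, or the functions sourced from a small script shipped alongside the keytab; the point is that a missing sssd.conf reads as "not joined" and that a stray ticket for some other principal does not suppress the kinit.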