Example of a Puppet profile that automatically joins a RHEL/CentOS system to Active Directory
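# Joins a RHEL/CentOS host to an Active Directory domain with `net ads join`
# and optionally adds an HTTP/<host> service principal to the system keytab.
#
# ::profile::kerberos must be declared in the same catalog: it provides the
# krb5 client configuration that kinit needs, and the join runs after it.
#
# Parameters (all may be set from Hiera):
#   $http_service_principal  - when true, also run `net ads keytab add HTTP`.
#   $active_directory_domain - realm / AD domain to join.
#   $join_account            - account allowed to create computer objects in $join_ou.
#   $join_pwd                - password of $join_account. The default is a
#     placeholder only; supply the real value from an encrypted source
#     (e.g. hiera-eyaml) instead of committing it to the manifest. It is
#     handed to kinit through the exec's environment, so it does not appear
#     on the command line, but it is still part of the compiled catalog
#     (agent cache, reports, PuppetDB).
#   $join_ou                 - OU, relative to the domain root, in which the
#     computer object is created.
class profile::adjoin(
  $http_service_principal  = false,
  $active_directory_domain = 'EXAMPLE.COM',
  $join_account            = 'puppet-adjoin',
  $join_pwd                = 'thepassword',
  $join_ou                 = 'Servers/Linux'
) {
  if !defined(Class['::profile::kerberos']) {
    fail('::profile::kerberos needs to be defined for profile::adjoin to work')
  }

  validate_bool($http_service_principal)
  validate_string($active_directory_domain)
  validate_string($join_account)
  validate_string($join_pwd)
  validate_string($join_ou)

  # These values are interpolated into shell commands below, so reject
  # whitespace and shell metacharacters. The OU is placed inside single
  # quotes, so there only a quote can break out of the argument.
  $shell_word_re = '\A[^\s\\\'"`$;&|<>()]+\z'
  validate_re($active_directory_domain, $shell_word_re,
    'profile::adjoin: active_directory_domain contains whitespace or shell metacharacters')
  validate_re($join_account, $shell_word_re,
    'profile::adjoin: join_account contains whitespace or shell metacharacters')
  validate_re($join_ou, '\A[^\']*\z',
    'profile::adjoin: join_ou must not contain single quotes')

  $principal  = "${join_account}@${active_directory_domain}"
  $samba_conf = '/etc/samba/adjoin.conf'
  $keytab     = '/etc/krb5.keytab'
  $bin_path   = '/usr/sbin:/usr/bin:/sbin:/bin'

  package { 'samba-common':
    ensure => present,
  }

  # Minimal smb.conf used only by the join commands below (passed with -s).
  file { $samba_conf:
    ensure  => file,   # 'present' would also accept an existing directory or symlink
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => template('profile/adjoin/samba-join.conf.erb'),
    require => Package['samba-common'],
  }

  # kinit reads the password from the environment rather than from the command
  # string, so it is not visible in `ps` output or in the logged command line.
  exec { "adjoin to ${active_directory_domain}":
    command     => "echo \${KINIT_PWD} | kinit ${principal} && net ads join -s ${samba_conf} -U ${principal} -n ${::hostname} createcomputer='${join_ou}' osName='${::operatingsystem}' osVer=${::operatingsystemmajrelease} -k",
    unless      => "net ads testjoin -k -s ${samba_conf} | grep -q 'Join is OK'",
    provider    => shell,
    user        => 'root',
    environment => "KINIT_PWD=${join_pwd}",
    path        => $bin_path,
    require     => [
      File[$samba_conf],
      Class['::profile::kerberos'],
    ],
    before      => Exec['destroy kerberos ticket'],
    logoutput   => true,
  }

  if $http_service_principal {
    # Guarded by klist checks for HTTP/<hostname> and HTTP/<fqdn> in the keytab.
    exec { 'add HTTP service principal':
      command     => "echo \${KINIT_PWD} | kinit ${principal} && net ads -s ${samba_conf} -k keytab add HTTP",
      unless      => [
        "klist -kt ${keytab} | grep -i HTTP/${::hostname}",
        "klist -kt ${keytab} | grep -i HTTP/${::fqdn}",
      ],
      provider    => shell,
      user        => 'root',
      environment => "KINIT_PWD=${join_pwd}",
      path        => $bin_path,
      require     => [
        File[$samba_conf],
        Class['::profile::kerberos'],
      ],
      before      => Exec['destroy kerberos ticket'],
      logoutput   => true,
    }
  }

  # Drop root's ticket cache left behind by kinit once the join execs have run.
  exec { 'destroy kerberos ticket':
    command => 'kdestroy',
    onlyif  => 'test -f /tmp/krb5cc_0',
    path    => $bin_path,
  }
}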
# Kerberos client configuration for the EXAMPLE.COM realm, built on the
# Aethylred/kerberos module. profile::adjoin requires this class to be
# present in the catalog before it runs kinit.
class profile::kerberos {
  $realm = 'EXAMPLE.COM'

  class { '::kerberos':
    default_realm => $realm,
  }

  kerberos::realm { $realm:
    kdc            => [ 'dc1.example.com', 'dc2.example.com', 'dc3.example.com' ],
    admin_server   => 'dc1.example.com:749',
    default_domain => 'example.com',
  }

  # Map both the bare domain and all of its subdomains onto the realm.
  kerberos::domain_realm { [ '.example.com', 'example.com' ]:
    realm => $realm,
  }

  # One log file per [logging] section key.
  kerberos::logging { 'default':
    key   => 'default',
    value => 'FILE:/var/log/krb5libs.log',
  }

  kerberos::logging { 'kdc':
    key   => 'kdc',
    value => 'FILE:/var/log/krb5kdc.log',
  }

  kerberos::logging { 'admin_server':
    key   => 'admin_server',
    value => 'FILE:/var/log/kadmind.log',
  }
}
# Minimal smb.conf used only by the `net ads join` / `net ads testjoin`
# commands in profile::adjoin, which pass it with -s; presumably this is the
# body of the samba-join.conf.erb template.
[global]
workgroup = EXAMPLE
server string = Samba Server Version %v
# Join as an AD domain member for the realm below.
security = ads
realm = EXAMPLE.COM
# Authenticate with the system keytab instead of a Samba-managed secrets file.
kerberos method = system keytab