Hi All,

I'm reading the docs and various references available for Puppet but can't seem to find a better way of accomplishing my goal of binding my Linux servers to Active Directory. (Please don't berate me for the premise.)

Quick background: I've become enamored with likewise-open as a method and tool for binding Linux machines to AD. It's clean and simple. (http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/)

But I can't get past the command line requirement and being forced to run an exec that stores a domain admin password in a text file. Here is my recipe so far:

    class likewise {
      # Debconf answers for the package, delivered from the module's files
      file { "likewise-preseed":
        path   => "/var/cache/debconf/likewise.preseed",
        owner  => root,
        group  => root,
        mode   => 400,
        source => "puppet:///likewise/likewise.preseed",
      }

      package { "likewise-open":
        ensure       => latest,
        responsefile => "/var/cache/debconf/likewise.preseed",
        require      => File["likewise-preseed"],
      }

      # Join only once the package is installed
      exec { "domainjoin-cli join at.sfsu.edu svc_bind PASSWORD":
        path    => ["/usr/bin", "/usr/sbin"],
        require => Package["likewise-open"],
      }
    }

That recipe is obviously not complete, but I'm hung at the exec command. It doesn't seem right to me from a philosophical perspective. There should be a better way that doesn't require me to store a password in the recipe. Does anyone have a suggestion of a better way of doing this? I'm sure I'm missing something obvious.

I did take a look at the NSSwitch LDAP recipe (http://reductivelabs.com/trac/puppet/wiki/Recipes/LDAPClientNSSwitch) and that might accomplish the same goal but seems more complex and unnecessary when an elegant solution such as likewise-open exists.

Thanks for your thoughts.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
I think we all end up using an exec somewhere to bind to AD. I personally use samba with LDAP and kerberos instead of Likewise, but to each their own. What you can do is create a domain account that only has permissions to create and destroy computer objects in a specific OU in AD. I have one called joindomain (simple enough, huh?). I can be less protective about this user's password since if it gets out, no real damage can be done.

I'm interested in seeing how others deal with this.

On Feb 10, 2010, at 5:40 PM, Taylor <gray.race@gmail.com> wrote:
> But I can't get past the command line requirement and being forced to
> run an exec that stores a domain admin password in a text file.
> [...]
> There should be a better way that doesn't require me to store a
> password in the recipe. Does anyone have a suggestion of a better way
> of doing this? I'm sure I'm missing something obvious.
Taylor wrote:
> But I can't get past the command line requirement and being forced to
> run an exec that stores a domain admin password in a text file.
> [...]
> There should be a better way that doesn't require me to store a
> password in the recipe.

You don't need to be a domain admin to bind to AD, so the answer is to create an account that can only bind machines to AD.

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
Boredom is counter-revolutionary
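One way to act on the advice in these replies: have the Puppet exec call a wrapper instead of carrying the password in the manifest. This is an added example, not code from the thread or from the likewise project; it assumes a least-privilege join account (here the hypothetical name joindomain), a placeholder domain example.com, the password in a root-owned 0400 file /etc/likewise/join.secret delivered outside the catalog, GNU stat, and that `domainjoin-cli query` prints a "Domain = <name>" line only when the host is joined (check that against your version).

```shell
#!/bin/sh
# likewise-join.sh: wrapper for a Puppet exec, so the manifest holds no password.
# Assumptions (not from the thread): JOIN_USER is a least-privilege AD account
# that can only create/delete computer objects in one OU, and its password sits
# in a root-owned, mode 0400 file delivered outside the Puppet catalog.
# Puppet side (hypothetical): exec { "likewise-join":
#   command => "/usr/local/sbin/likewise-join.sh at.sfsu.edu joindomain" }
set -eu

DOMAIN="${1:-example.com}"                  # placeholder domain
JOIN_USER="${2:-joindomain}"                # least-privilege join account
SECRET_FILE="${SECRET_FILE:-/etc/likewise/join.secret}"
DOMAINJOIN="${DOMAINJOIN:-domainjoin-cli}"

# Use the secret only if the file is owned by the expected user (root in
# production) and readable by nobody else; a loose copy is refused, not used.
secret_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(stat -c '%a' "$f") || return 1      # GNU stat (Linux)
    owner=$(stat -c '%U' "$f") || return 1
    [ "$owner" = "${SECRET_OWNER:-root}" ] || return 1
    case "$perms" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Decide idempotently whether a join is needed. Assumed (check your version):
# `domainjoin-cli query` prints a "Domain = <name>" line only when joined.
already_joined() {
    printf '%s\n' "$1" | grep -qi "^Domain *= *${2} *\$"
}

do_join() {
    if ! secret_file_ok "$SECRET_FILE"; then
        echo "refusing: $SECRET_FILE must be owned by root, mode 0400" >&2
        return 2
    fi
    if already_joined "$("$DOMAINJOIN" query 2>/dev/null || true)" "$DOMAIN"; then
        echo "already joined to $DOMAIN"
        return 0
    fi
    pw=$(cat "$SECRET_FILE")
    # domainjoin-cli takes the password as an argument, so it is briefly visible
    # in the process list: one more reason the join account must be low-privilege.
    # Output is discarded so the exec's logoutput cannot echo it either.
    "$DOMAINJOIN" join "$DOMAIN" "$JOIN_USER" "$pw" >/dev/null 2>&1
}

# Run the join only when a domain was given on the command line (as the exec does).
if [ "$#" -ge 1 ]; then do_join; fi
```

Because the wrapper exits 0 when already joined, the exec stays idempotent without needing refreshonly, and the only place the password ever lives on the node is the 0400 file.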
On 10/02/10 23:40, Taylor wrote:
> file { likewise-preseed:
>   path   => "/var/cache/debconf/likewise.preseed"
>   source => "puppet:///likewise/likewise.preseed"
> }
>
> package { likewise-open:
>   ensure       => latest,
>   responsefile => "/var/cache/debconf/likewise.preseed",
>   require      => file[likewise-preseed]

Hi,

Thanks for this manifest, I'm going to use this. One quick question: what did you have in your likewise.preseed file, as debconf-show is telling me there are no preseedable options for it?

Thanks.

Regards,
Tom
Just to put my $0.02 in... the 'exec' command is similar in my setup, but I do a little bit of maintenance as well (like a customized lsassd.conf file). Note I also unwrapped the .rpm files so I could put them in a serviced repo:

    class likewise {
      $rpmlist = [ "likewise-lwio", "likewise-pstore", "likewise-domainjoin",
                   "likewise-lwreg", "likewise-rpc", "likewise-eventlog",
                   "likewise-mod-auth-kerb", "likewise-sqlite", "likewise-krb5",
                   "likewise-netlogon", "likewise-srvsvc", "likewise-libxml2",
                   "likewise-openldap", "likewise-lsass", "likewise-passwd",
                   "likewise-base" ]

      package { $rpmlist:
        ensure => latest,
        notify => Exec["joindomain"],
      }

      file { "/etc/likewise/lsassd.conf":
        owner  => "root",
        group  => "root",
        mode   => 444,
        source => "puppet:///modules/likewise/lsassd.conf",
        notify => Service["lsassd"],
      }

      # Only runs when notified by a package change
      exec { "joindomain":
        path        => "/usr/bin:/usr/sbin:/bin:/opt/likewise/bin",
        command     => "domainjoin-cli join redacted.net DOMAINADMIN DOMAINPASSWORD",
        refreshonly => true,
      }

      service { "lsassd":
        ensure => running,
      }
    }