newcastleuniversity / puppet_module_msktutil

Used by https://github.com/newcastleuniversity/computing_linux_puppet_controlrepo. Use Puppet to join a GNU/Linux system to Active Directory and keep it joined.


msktutil

Manages Kerberos keytabs on Linux systems in Active Directory environments. For how the msktutil binary works, see https://github.com/msktutil/msktutil

Authors

Helen Griffiths; John Snowdon.

Copyright

Copyright 2016-22 University of Newcastle

Usage

First, precreate the AD account object for the new PC.

If you use a managed Linux workstation:

# kinit tickets with an s-id.
kinit sabc123

# run this with modifications.
# wrap this in a loop to create many new machine accounts.
/usr/sbin/msktutil \
  --precreate \
  --computer-name $pi \
  --hostname $pi.ncl.ac.uk \
  --user-creds-only \
  --service host/$pi.ncl.ac.uk \
  --service host/$pi.campus.ncl.ac.uk \
  --service host/$pi \
  --no-reverse-lookups \
  --description 'Flat floor Pi. Raspbian Stretch, managed with Puppet 5.' \
  --base 'OU=Flat_Floor_Pis,OU=Linux,OU=Workstation,OU=D-COMP,OU=SAgE_Schools_and_Units,OU=SAgE_Faculty,OU=Departments'

Replace $pi, the description and the base DN with your own values.
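As an added example (not part of the module), the loop the comment above hints at, written as a POSIX shell script: it precreates one computer object per host name read from stdin and refuses names that cannot be valid AD computer (NetBIOS) names before msktutil is ever called. The host list is constructed input; the OU and description are the ones from the command above and should be replaced with your own.

```sh
#!/bin/sh
# Added example, not part of the module. Precreate one AD computer object per
# host name read from stdin, rejecting names that would not be valid NetBIOS
# computer names. Needs a kinit ticket for an account allowed to create
# computer objects. DRY_RUN=1 prints the commands instead of running them.

MSKTUTIL="${MSKTUTIL:-/usr/sbin/msktutil}"
DOMAIN="ncl.ac.uk"
ALT_DOMAIN="campus.ncl.ac.uk"
BASE_OU='OU=Flat_Floor_Pis,OU=Linux,OU=Workstation,OU=D-COMP,OU=SAgE_Schools_and_Units,OU=SAgE_Faculty,OU=Departments'
DESCRIPTION='Flat floor Pi. Raspbian Stretch, managed with Puppet 5.'

# AD computer names are NetBIOS names: 1-15 characters, letters, digits and
# hyphens only, not starting or ending with a hyphen. Returns 0 if usable.
valid_computer_name() {
  name="$1"
  [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
  case "$name" in
    *[!A-Za-z0-9-]* | -* | *-) return 1 ;;
  esac
  return 0
}

# Build and run (or, with DRY_RUN=1, print) the precreate command for one host.
precreate_one() {
  pi="$1"
  set -- "$MSKTUTIL" --precreate --computer-name "$pi" --hostname "$pi.$DOMAIN" \
    --user-creds-only --service "host/$pi.$DOMAIN" \
    --service "host/$pi.$ALT_DOMAIN" --service "host/$pi" --no-reverse-lookups \
    --description "$DESCRIPTION" --base "$BASE_OU"
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Process every host name on stdin; returns non-zero if any name was rejected
# or any msktutil call failed, so a wrapper can notice a partial run.
precreate_all() {
  failed=0
  while IFS= read -r pi; do
    [ -n "$pi" ] || continue
    if ! valid_computer_name "$pi"; then
      echo "skipping '$pi': not a valid AD computer name" >&2
      failed=$((failed + 1))
    elif ! precreate_one "$pi"; then
      echo "msktutil --precreate failed for '$pi'" >&2
      failed=$((failed + 1))
    fi
  done
  [ "$failed" -eq 0 ]
}
```

Try it without touching AD with `printf 'pi01\nflatfloorpi00016\n' | DRY_RUN=1 precreate_all`; the 16-character name is skipped and the function exits non-zero.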

If you use a Windows PC:

  1. Precreate the computer account in Active Directory and add to it any unusual service principals that you might need. You might also need to alter the FQDN of the host within AD to yourmachine.ncl.ac.uk.
  2. Reset the precreated computer account.
  3. Ensure Advanced Mode is active in the AD management console, then right-click the computer object and select Attribute Editor.
  4. Scroll to the dNSHostName attribute and enter the FQDN of the machine, e.g. machinename99.ncl.ac.uk.
  5. Scroll to the servicePrincipalName attribute and enter the FQDN of the machine prefixed by host/, e.g. host/machinename99.ncl.ac.uk.

Writing PowerShell to do the above is left as an exercise for the reader.

Distribution-specific oddities

Red Hat derivatives need to have the EPEL repository enabled.

New parameters

$ensure

  • Whether to install and manage msktutil at all.
  • Accepts true or false, present or absent.

$makekeytab

  • Whether to make or remove the keytab.
  • Accepts true or false, present or absent.

$cron

  • Whether to manage keytab rotation.
  • Accepts true or false, present or absent.

Parameters

Default values are in param.pp.

| Parameter | Type | Purpose |
| --- | --- | --- |
| $msktutilpath | String | Sets the full path to the msktutil binary. |
| $chmodpath | String | Sets the full path to the chmod binary. |
| $configpath | String | Sets the full path to the Kerberos config file. |
| $keytabpath | String | Sets the full path to the Kerberos machine keytab. |
| $keytabmode | Octal as a string | Sets the Unix permissions on the keytab. |
| $user | String | Sets the user owner of the keytab. |
| $group | String | Sets the group owner of the keytab. Set to an override for use with usage step 4 above. |
| $packagename | String | Sets the package name according to your distribution. |
| $usereversedns | Boolean | Turns the use of reverse DNS on or off when obtaining tickets from the AD controller. Useful in environments where the AD controller and the site DNS server don't agree on the FQDNs of Kerberos clients. |
| $ensure | "present" or "absent" | Whether to install msktutil or not. If set to absent, removes the keytab as well as the package and cron job. |
| $updatehour | Integer 0-23 as a string | The hour, each day, at which to check for imminent expiry of the keytab and update it accordingly. |

Contributors

njps, threepistons

Issues

One-shot service not managed properly, see IN1883760 Teams chat

In gitlab by @threepistons on Dec 8, 2021, 17:09

If a machine is an identical copy of another machine, e.g. a VM disk image is used as a template for several VMs, the one-shot service still has the template's principal name in it. The service file needs to be updated, either by template or programmatically by an OS command, to correct the old principal name.

Verbatim Teams chat follows.

[16:31] Helen Griffiths

root@csc2033-02:/etc# msktutil create --verbose --computer-name csc2033-02 --user-creds-only -N -n --server campusdc01.ncl.ac.uk

[args explained in order of appearance]

  • asks for domain join
  • we get logging of tasks as we go
  • to stop it from trying (and failing because too long) to join with the FQDN
  • use the kinit sid keytab you made before you ran msktutil
  • don't try to reverse lookup the DC
  • don't try to canonicalise the hostname of this machine
  • otherwise the DC will never be found and the join will fail

[16:33] Helen Griffiths

Erm, 02 is still saying that it is using csc2033-00 to join, wtf? [I expected the journalctl output to say csc2033-02 after the msktutil above.]

[16:35] Helen Griffiths

[journalctl output]

Dec 08 16:32:57 csc2033-02 [sssd[ldap_child[5815]: Error processing keytab file [MEMORY:/etc/krb5.keytab]: Principal [[email protected]] was not found. Unable to create GSSAPI-encrypted LDAP connection.
Dec 08 16:32:57 csc2033-02 [sssd[ldap_child[5815]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Error writing to key table. Unable to create GSSAPI-encrypted LDAP connection.

[16:39] Helen Griffiths
we are not cloning machines in the future

[16:45] Helen Griffiths

root@csc2033-02:~# grep -rn --exclude-dir 'log' csc2033-00 / might shed some light

[16:46] Helen Griffiths

If I don't say --exclude-dir 'log' I get heaps of noise from /var/log and similar, which I don't care about because I'm interested in current state not past events.

[16:48] Helen Griffiths

OH HI

/lib/systemd/system/msktutil.service:7:ExecStart=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
/lib/systemd/system/msktutil.service:8:ExecReload=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00

[16:51] Helen Griffiths

[the above service file i]s not fixed by puppet run.

root@csc2033-02:~# /opt/puppetlabs/bin/puppet agent -t

Info: Using environment 'linux_refresh'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for csc2033-02.ncl.ac.uk
Info: Applying configuration version '1638982141'
Notice: /Stage[main]/Profiles::Securityupdates/Exec[dpkg--configure-a]/returns: executed successfully (corrective)
Notice: /Stage[main]/Profiles::Securityupdates/Exec[apt--f-install]/returns: executed successfully (corrective)
Notice: /Stage[main]/Msktutil::Keytab/Exec[chmod]/returns: executed successfully (corrective)
Notice: /Stage[main]/Main/Groupmembership[sudo]/members: members changed ['ncrr', 'ncsteam', 'nhg45', 'nsd123'] to ['nhg45', 'ncrr', 'nsd123', 'ncsteam', 'b9037154', 'b9064174', 'c0007411', 'c0027177', 'c0051068', 'c0052966'] (corrective)
Notice: /Stage[main]/Types/Types::Exec[dr_apparmor]/Exec[dr_apparmor]/returns: executed successfully (corrective)
Notice: Applied catalog in 15.69 seconds

root@csc2033-02:~# cat /lib/systemd/system/msktutil.service

[Unit]
Description=Maintains domain trust for kerberised linux machines
After=network.target auditd.service network-manager.service
[Service]
Type=oneshot
ExecStart=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
ExecReload=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
[Install]
WantedBy=multi-user.target
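The check a Puppet run evidently did not perform in the issue above, as an added example that is not the module's own code: compare the `--computer-name` baked into the msktutil unit with this machine's short hostname, and rewrite it when a cloned image still names the template. The unit path and hostname are parameters; `write_sample_unit` reproduces the unit from the issue as constructed input so the functions can be tried off-box.

```sh
#!/bin/sh
# Added example, not the module's code: find and repair a msktutil unit that
# still carries the template machine's --computer-name after a VM was cloned.
# Pass the unit path and the expected short hostname; run as root on the host.

UNIT="${UNIT:-/lib/systemd/system/msktutil.service}"

# Print every distinct --computer-name used on Exec* lines of the unit.
unit_computer_names() {
  sed -n 's/^Exec[A-Za-z]*=.*--computer-name[ =]\([^ ]*\).*/\1/p' "$1" | sort -u
}

# 0: all Exec* lines name this host; 1: some line names another machine
# (the cloned-image symptom); 2: the unit sets no --computer-name at all.
check_unit() {
  names=$(unit_computer_names "$1")
  [ -n "$names" ] || return 2
  for n in $names; do
    [ "$n" = "$2" ] || return 1
  done
  return 0
}

# Point every --computer-name in the unit at this host, keeping a backup.
# Run 'systemctl daemon-reload' afterwards so the one-shot unit is re-read.
fix_unit() {
  cp -p "$1" "$1.bak" || return 1
  sed -i "s/\(--computer-name[ =]\)[^ ]*/\1$2/g" "$1"
}

# Live check: compare the installed unit with this machine's own short name.
check_this_host() { check_unit "$UNIT" "$(hostname -s)"; }

# Constructed copy of the unit shown in the issue, so the check can be tried
# without touching a real system: write_sample_unit /tmp/msktutil.service
write_sample_unit() {
  cat > "$1" <<'EOF'
[Unit]
Description=Maintains domain trust for kerberised linux machines
After=network.target auditd.service network-manager.service
[Service]
Type=oneshot
ExecStart=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
ExecReload=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
[Install]
WantedBy=multi-user.target
EOF
}
```

On a live host, `check_this_host || fix_unit "$UNIT" "$(hostname -s)"` followed by `systemctl daemon-reload` is the whole repair; the same comparison belongs in a template or exec resource if the unit stays under Puppet's control.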

Obey Debian method for altering flags for cronstub

In gitlab by @threepistons on Mar 22, 2019, 15:51

In Debian, the msktutil package contains this cronstub:

#!/bin/sh

test -x /usr/sbin/msktutil || exit 0

# These options are overridden in /etc/default/msktutil.
# Edit there, not here.
AUTOUPDATE_ENABLED="false"
AUTOUPDATE_OPTIONS=""

[ -r /etc/default/msktutil ] && . /etc/default/msktutil

[ "$AUTOUPDATE_ENABLED" = "true" ] || exit 0
exec /usr/sbin/msktutil --auto-update $AUTOUPDATE_OPTIONS

We currently replace this cronstub. We should probably do this the indicated way, by keeping the shipped cronstub and replacing /etc/default/msktutil.

In CentOS, we keep doing what we are already doing.

`exec` is causing msktutil cron job to fail on some machines

root@redacted:~# exec /usr/sbin/msktutil --auto-update --no-reverse-lookups --computer-name redacted --hostname redacted.ncl.ac.uk --service host/redacted --service host/redacted.ncl.ac.uk --service host/redacted.campus.ncl.ac.uk
Error: could not find any credentials to authenticate with. Neither keytab,
     default machine password, nor calling user's tickets worked. Try
     "kinit"ing yourself some tickets with permission to create computer
     objects, or pre-creating the computer object in AD and selecting
     'reset account'.
Connection to redacted.ncl.ac.uk closed.

# me @ mymachine in ~ [16:29:02] C:1
$ ssh redacted.ncl.ac.uk
[[snipped motd]]
root@redacted:~# /usr/sbin/msktutil --auto-update --no-reverse-lookups --computer-name redacted --hostname redacted.ncl.ac.uk --service host/redacted --service host/redacted.ncl.ac.uk --service host/redacted.campus.ncl.ac.uk

Removing the exec from the cron.d file should fix this.
