AD for Debian with SaltStack – Part 1

SaltStack provides an easy, fast way to manage systems – from one to thousands. One of its key capabilities is configuration management – “make it look like this” – and this series of posts describes how to implement the AD join described in a previous post.

SaltStack Configuration Management

Configuration is stored in YAML files under /srv/salt with the extension .sls (for Salt State). There is a top.sls file that maps out where the other files go. This guide assumes you understand the basics.

File Structure

SaltStack allows easy reuse of configuration. I’ve got my ad configuration in the file /srv/salt/common/ad/ad.sls so I can use it for any machine that needs joining to AD. The YAML configuration below is all in the ad.sls file. Configuration files are shown at the bottom of the page.

State Configuration

Hostname and DNS

Make sure that the hosts file contains the main ip address mapped to the FQDN and the hostname.
We’re using grains to generate these values from the machine itself.

    - name: {{[0] }}
    - hostnames:
      - {{ salt.grains.get('fqdn') }}
      - {{ salt.grains.get('host') }}

NSCD Daemon

Stop the nscd as this should not be run at the same time as sssd:

    - name: unscd
    - enable: False

Delete the nscd socket to avoid sssd warnings:

    - name: /var/run/nscd/socket


Install kerberos for AD authentication:

    - pkgs:
      - krb5-user

Install kerberos config file:

    - name: /etc/krb5.conf
    - source: salt://common/ad/krb5.conf
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja

The kerberos configuration file is located at /srv/salt/common/ad/krb5.conf and contains:

    # This relation identifies the default realm to be used in a client host's
    # Kerberos activity.
    default_realm = {{ pillar['ad_domain'] | upper }}

    # Indicate whether DNS TXT records should be used to determine the Kerberos
    # realm of a host. The default is not to use these records.
    dns_lookup_realm = false

    # Indicate whether DNS SRV records should be used to locate the KDCs
    # and other servers for a realm, if they are not listed in the information
    # for the realm. The default is to use these records.
    # We set this explicitly since we're setting the admin_server anyway.
    dns_lookup_kdc = false

    # The value of this tag is the default lifetime for initial tickets. The
    # default value for the tag is 1 day (1d).
    #ticket_lifetime = 24h

    # The value of this tag is the default renewable lifetime for initial
    # tickets. The default value for the tag is 0.
    renew_lifetime = 7d

    # If this flag is set, initial tickets by default will be forwardable.
    # The default value for this flag is false.
    # See for details.
    #forwardable = true

    {{ pillar['ad_domain'] | upper }} = {
        # This relation identifies the host where the administration server
        # is running. Typically this is the Master Kerberos server.
        # Required setting - cannot be looked up via DNS.
        admin_server = {{ pillar['ad_dc'] | upper }}

        # The name or address of a host running a KDC for that realm.
        # This could be looked up via DNS (dns_lookup_kdc) but we must
        # set the admin_server anyway, and this has the same value.
        kdc = {{ pillar['ad_dc'] | upper }}

    # The [domain_realm] section provides a translation from a hostname to
    # the Kerberos realm name for the services provided by that host.
    # The tag name can be a hostname, or a domain name, where domain names
    # are indicated by a prefix of a period ('.') character. The value of
    # the relation is the Kerberos realm name for that particular host or
    # domain. Host names and domain names should be in lower case.
    # If no translation entry applies, the host's realm is considered to
    # be the hostname's domain portion converted to upper case.
    .{{ pillar['ad_domain'] | lower }} = {{ pillar['ad_domain'] | upper }}

    # Log everything to syslog. Default is severity of ERR and facility of AUTH.
    default = SYSLOG

The bits in {{ ... }} are Jinja macros. Note the use of the filters to manipulate text – for example changing text to upper case. SaltStack includes extra filters.

You’ll need a pillar. Assuming we’re using the example values in the previous blog entry it will contain:

Next time we’ll continue with Samba configuration…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.