Joining Active Directory is currently a manual operation. There is no reason why it couldn’t be done by SaltStack – that is left as an exercise for the reader!
We copy the join script to the machine so the administrator can run it.
/root/bin/join-ad.sh:
  file.managed:
    - source: salt://common/ad/join-ad.sh
    - user: root
    - group: root
    - mode: '0755'
    - makedirs: True
The AD join script looks like this:
#!/bin/bash
# Script to handle the process of joining the domain.
# Run with:   join-ad.sh username
# where username is the SAM name for the domain admins account.
#
# The script produces lots of output to help with debugging any issues. See
# https://www.redhat.com/en/files/resources/en-rhel-intergrating-rhel-6-active-directory.pdf
# for a full description of the process (albeit RedHat rather than Debian).
#
# Note that it is very important that the hostname of the machine is set up correctly!
# The hostname command must return the FQDN of the host.

if [ "$#" != 1 ]
then
    echo "Usage: join-ad.sh username"
    exit 1
fi

username=$1
domain=$(hostname --domain)

# "hostname --domain" is empty when the host has no FQDN configured, and the
# kinit/net calls below would then fail confusingly, so check it up front.
if [ -z "${domain}" ]
then
    echo "Error: hostname --domain returned nothing; set the FQDN before joining"
    exit 1
fi

echo "Using account ${username} to join domain ${domain}..."
echo ""

# Quit on error
set -e
# Uncomment to debug
#set -x

# Upper-case version of the domain name (Kerberos realm names are upper-case).
# The character classes are quoted so the shell cannot expand them as globs.
upper_domain=$(echo "${domain}" | tr '[:lower:]' '[:upper:]')

# Find the short hostname and get an upper-case version of it
short_hostname=$(hostname --short)
upper_short_hostname=$(echo "${short_hostname}" | tr '[:lower:]' '[:upper:]')

# Log into the domain as the administrator, asking user for password
# The domain part must be in upper-case
echo "Logging into domain as the administrator"
/usr/bin/kinit "${username}@${upper_domain}"
echo ""

# List what kerberos sent back
echo "Listing kerberos tickets for the domain administrator:"
echo "------------------------------------------------------------------------"
klist
echo ""

# Join AD and put the machine credentials in the krb5.keytab
echo "Requesting domain join using administrator kerberos ticket"
net ads join -k

# List the machine credentials
echo "Listing kerberos tickets for the machine:"
echo "------------------------------------------------------------------------"
klist -k
echo ""

# Wait for 5s to allow everything to catch up
echo "Waiting for everything to catch up..."
sleep 5
echo ""

# Sign in using the machine credentials.
# With "set -e" active, a bare "kinit -k" that fails aborts the script before
# any later test of "$?" runs, so the command is tested directly in the "if".
echo "Signing in using machine credentials ${upper_short_hostname}$"
if ! kinit -k "${upper_short_hostname}$"
then
    echo "Error: could not join the domain with machine credentials ${upper_short_hostname}$"
    exit 1
fi
echo "Joined the domain using machine credentials ${upper_short_hostname}$"
echo ""
echo "Listing kerberos machine ticket:"
echo "------------------------------------------------------------------------"
klist
echo ""

# Now restart SSSD and everything should be happy :-)
echo "Enabling and restarting sssd"
systemctl enable sssd
if ! systemctl restart sssd
then
    echo "Error: could not start the System Security Services Daemon (SSSD)"
    exit 1
fi
echo "System Security Services Daemon (SSSD) restarted and enabled."
echo "AD should now be working!"

exit 0
Given the delays inherent in AD, the sleep 5 should be replaced by polling the kinit -k ${upper_short_hostname}$ line until the join works or 10 minutes have expired. Again, this is left as an exercise for the reader!
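One way to do that polling, added here as an example rather than code from the original post: a generic poll_until helper that retries a command until it exits 0 or a deadline passes, and a wait_for_machine_credentials wrapper (both names are my own) that would stand in for the sleep 5 / kinit -k pair in join-ad.sh, assuming upper_short_hostname is set as in the script above.

```shell
#!/bin/bash
# Poll a command until it succeeds or a deadline passes.
# Intended to replace the fixed "sleep 5" before "kinit -k HOST$" in join-ad.sh:
# AD replication can take a while before a new machine account is usable.
#
# Usage: poll_until <timeout_seconds> <interval_seconds> <command> [args...]
# Returns 0 as soon as the command exits 0, 1 if the deadline passes first.
poll_until() {
    local timeout=$1 interval=$2
    shift 2
    local start now elapsed attempt=0
    start=$(date +%s)
    while true; do
        attempt=$((attempt + 1))
        # Run the command, discarding its output; only the exit status matters.
        if "$@" >/dev/null 2>&1; then
            echo "Succeeded on attempt ${attempt}" >&2
            return 0
        fi
        now=$(date +%s)
        elapsed=$((now - start))
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "Gave up after ${elapsed}s (${attempt} attempts)" >&2
            return 1
        fi
        sleep "$interval"
    done
}

# Hypothetical replacement for the sleep/kinit section of join-ad.sh.
# Argument 1 is the upper-case short hostname (upper_short_hostname in the
# script); argument 2 is the overall deadline, defaulting to the 10 minutes
# the text suggests. Retries every 5 seconds, matching the original sleep.
wait_for_machine_credentials() {
    local principal="${1}\$"      # machine account principal, e.g. MYHOST$
    local deadline=${2:-600}
    # kinit -k authenticates with the keytab written by "net ads join -k".
    poll_until "$deadline" 5 kinit -k "$principal"
}
```

Source this file (or paste the functions into join-ad.sh) and call wait_for_machine_credentials "${upper_short_hostname}" where the script currently runs sleep 5 and kinit -k; its exit status feeds the same "could not join" check.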