I think we all end up using an exec somewhere to bind to AD. I
personally use Samba with LDAP and Kerberos instead of Likewise, but
to each their own. What you can do is create a domain account that
only has permissions to create and destroy computer objects in a
specific OU in AD. I have one called joindomain (simple enough, huh?).
I can be less protective about this user's password since if it gets
out, no real damage can be done. I'm interested in seeing how others
deal with this.
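As an added example, not part of either message in this thread: the delegation the reply above describes, done from a domain-joined Windows admin host with the ActiveDirectory module and dsacls. The OU (OU=LinuxServers,DC=at,DC=sfsu,DC=edu), the NetBIOS domain name AT and the account name joindomain are placeholders assumed for illustration; the thread itself names only the account.

```powershell
# Added example (not from the thread): a join-only service account whose
# sole right is to create and delete computer objects under one OU.
# All names below are assumed placeholders; adjust them to your forest.
Import-Module ActiveDirectory

$Domain  = "at.sfsu.edu"
$NetBIOS = "AT"                                       # assumed NetBIOS name
$OU      = "OU=LinuxServers,DC=at,DC=sfsu,DC=edu"     # assumed target OU
$Account = "joindomain"

# 1. Create the account as an ordinary domain user (Domain Users only).
#    The password is read interactively and never written to the script.
$pw = Read-Host -AsSecureString "Password for $Account"
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@$Domain" `
    -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "Linux domain-join account: may only create/delete computer objects in $OU"

# 2. Delegate on the OU only. CC = create child, DC = delete child,
#    restricted to the 'computer' object class; /I:T applies the ACE to
#    the OU itself and everything beneath it. ${Account} is braced so
#    PowerShell does not read "$Account:CCDC" as a drive-qualified variable.
dsacls $OU /I:T /G "$NetBIOS\${Account}:CCDC;computer"

# 3. Verify the ACE landed and that nothing broader was granted.
dsacls $OU | Select-String -Pattern $Account

# 4. Confirm the account holds no group membership beyond Domain Users.
Get-ADPrincipalGroupMembership -Identity $Account |
    Select-Object -ExpandProperty Name
```

Two caveats a practitioner will want: some join tools need more than create/delete on the OU (for example, write access to attributes on the computer objects they create, or the right to reset the computer account password); if the join fails with an access-denied error after this delegation, extend the grant to those specific rights on computer objects rather than falling back to a Domain Admins account. And a password passed on the command line, as in the exec below, is visible in the process list for the duration of the join, so the account's limited blast radius is doing real work here.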
On Feb 10, 2010, at 5:40 PM, Taylor <gray.r...@gmail.com> wrote:
Hi All,
I'm reading the docs and various references available for Puppet but
can't seem to find a better way of accomplishing my goal of binding my
Linux servers to Active Directory. (Please don't berate me for the
premise.)
Quick Background:
I've become enamored with likewise-open as a method and tool for
binding Linux machines to AD. It's clean and simple.
(http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/)
But I can't get past the command line requirement and being forced to
run an exec that stores a domain admin password in a text file. Here
is my recipe so far:
class likewise {
  file { "likewise-preseed":
    path   => "/var/cache/debconf/likewise.preseed",
    owner  => root,
    group  => root,
    mode   => "0400",
    source => "puppet:///likewise/likewise.preseed",
  }

  package { "likewise-open":
    ensure       => latest,
    responsefile => "/var/cache/debconf/likewise.preseed",
    require      => File["likewise-preseed"],
  }

  # PASSWORD is the join account's password, left in the manifest here as
  # posted. The exec waits for the package and is guarded with "unless" so
  # it runs only while the host is not yet joined, instead of on every run.
  exec { "domainjoin-cli join at.sfsu.edu svc_bind PASSWORD":
    path    => ["/usr/bin", "/usr/sbin", "/bin"],
    unless  => "domainjoin-cli query | grep -qi at.sfsu.edu",
    require => Package["likewise-open"],
  }
}
That recipe is obviously not complete, but I'm hung at the exec
command. It doesn't seem right to me from a philosophical perspective.
There should be a better way that doesn't require me to store a
password in the recipe. Does anyone have a suggestion of a better way
of doing this? I'm sure I'm missing something obvious.
I did take a look at the NSSwitch LDAP recipe
(http://reductivelabs.com/trac/puppet/wiki/Recipes/LDAPClientNSSwitch)
and that might accomplish the same goal but seems more complex and
unnecessary when an elegant solution such as likewise-open exists.
Thanks for your thoughts.
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.