Join Active Directory (e.g. via kickstart file)

recursion
Posts: 1
Joined: 2017/02/08 13:49:32

Join Active Directory (e.g. via kickstart file)

Post by recursion » 2017/02/08 14:44:22

Hi!

I'm having trouble setting up an automatic Domain Join/authentication and authorisation against an MS Active Directory.

Obviously neither the authconfig command nor the auth configuration is executed or is executed properly.
Somehow it seems as if the network setup does not work properly as well - the network config screen is shown after the installation completes.

Our aim is to join the machine to enable automatic (DHCP based) network setup, join the domain and authenticate the users against the Active Directory. A central issue is to keep the UIDs and GIDs synchronized over all Linux workstations - so obviously something has to happen with RID/IDMAP.
Is anybody out there who can give advice (ideally with working code examples)?
Is there any known way (beside configuring via %post) to setup idmap in the kickstart file? If not with a simple config line, do you know working code examples to set up the idmap lines in smb.cnf? Is that enough or should there be additional modifications on krb5.cnf, nss.cnf etc.?

We want to also setup automatic NFS share usage, is there any known way (beside configuring via %post) to setup autofs-scripts in the kickstarter?

Is it possible to set a hostname or a hostname template within the kickstart file?
Or should that be done in %post or %pre?

We're trying to build workstations via a kickstart file. The basic installation is working quite nicely but the post installation part doesn't seem to be executed properly:


#platform=x86, AMD64 or Intel EM64T
#version=DEVEL
# Install OS instead of upgrade
install
logging --level=debug

# Use graphical or text install
#graphical
text
# Accept EULA 
eula --agreed
# Reboot after installation
reboot
# Open SSH during installation (the installer password is stored in the clear
# here; sshpw also accepts --iscrypted with a hashed password)
sshpw --username=install install --plaintext
# Use CDROM installation media
cdrom

# Root password
rootpw --iscrypted XXXXXXXXXXXX
# System language
lang de_DE.UTF-8 --addsupport=en_UK,fr_FR
# System timezone
timezone Europe/Berlin --isUtc
# Keyboard layouts
keyboard 'de'
keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'

# ignore all disks but sda
ignoredisk --only-use=sda
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --drives=sda  --all --initlabel
# System bootloader configuration
bootloader --location=mbr --boot-drive=sda
# Create standard partitioning
reqpart --add-boot
part /boot --fstype xfs --size=200
part pv.01 --size=10240 --grow
volgroup vg01 pv.01
logvol / --name=LV_ROOT --fstype=ext4 --vgname=vg01 --size=10240 --grow
logvol swap --name=LV_SWAP --fstype=swap --vgname=vg01 --recommended

# Firewall configuration
firewall --disabled

# Domain join: the kickstart realm command cannot prompt for a password, so an
# unattended join needs --one-time-password=<OTP> (computer account pre-created
# in AD) or --no-password; with neither option the join cannot complete.
realm join domain.loc
# System authorization information
auth --useshadow --passalgo=sha512 --enablesmbauth --smbservers=pdc1.domain.loc,dc2.domain.loc --smbworkgroup=DOMAIN-NT --enablecache

# Run the Setup Agent on first boot
firstboot --enable
# SELinux configuration
selinux --enforcing

# Network information
network  --bootproto=dhcp --device=eth0

# Xwindow set up 
xconfig --defaultdesktop=GNOME --startxonboot

%packages
@^gnome-desktop-environment
@base
@core
@desktop-debugging
@dial-up
@directory-client
@fonts
@gnome-apps
@gnome-desktop
@guest-agents
@guest-desktop-agents
@input-methods
@internet-browser
@java-platform
@multimedia
@network-file-system-client
@networkmanager-submodules
@print-client
@security-tools
@x11
chrony
kexec-tools
samba
samba-common
samba-libs
samba-winbind
samba-python
samba-krb5-printing

%end


%addon com_redhat_kdump --enable --reserve-mb='auto'
%end


%post

# --smbrealm takes only the Kerberos realm; the DC list belongs in --smbservers.
# --winbindjoin=myuser runs the join interactively and prompts for that user's
# password, which nothing can answer inside %post, so the join itself will not
# complete unattended this way.
# The idmap range starts at 500, inside the UID space of local system accounts
# (EL7 assigns them UIDs below 1000), so mapped AD users can collide with local ones.
authconfig --enableshadow --update \
    --enablewinbind --enablewinbindauth \
    --smbsecurity=ads --smbworkgroup=DOMAIN-NT --smbrealm=domain.loc \
    --smbservers="pdc1.domain.loc,dc2.domain.loc" \
    --winbindjoin=myuser \
    --enablewinbindusedefaultdomain --enablelocauthorize --enablerfc2307bis --enablewins \
    --smbidmaprange="500-99999"

%end

Can you find any problematic issues within the kickstart configuration?

Thanks a lot,

JR
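The idmap question above (keeping UIDs and GIDs identical across all workstations) is what the winbind `rid` backend is for: it maps an account to uid = low end of the domain range + RID, so every host computes the same id without any shared database, whereas the default `tdb` backend hands out ids in first-seen order and so differs from machine to machine. The snippet below is an added example for a %post section, not code from the thread or from the poster: it renders the idmap part of smb.conf for the workgroup DOMAIN-NT and realm domain.loc used in the kickstart above and refuses ranges that overlap each other or the local account range. The range numbers are constructed for the example. (The hostname question has a kickstart answer too: `network --hostname=<name>` in the main section.)

```shell
#!/bin/bash
# Added example for a kickstart %post section (not code from the thread).
# Renders the idmap part of smb.conf with the rid backend and refuses ranges that
# overlap. Assumed: workgroup DOMAIN-NT and realm domain.loc from the kickstart
# above; the range values are constructed for the example.
set -eu

# rid backend: uid = low end of the domain range + RID, so every workstation maps
# a given AD account to the same uid/gid without sharing any state. The default
# "*" domain (BUILTIN and any trusted SIDs) stays on tdb and needs its own range.
render_smb_global() {
    local workgroup="$1" realm="$2" default_range="$3" domain_range="$4" realm_upper
    realm_upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[global]
    workgroup = ${workgroup}
    realm = ${realm_upper}
    security = ads
    winbind use default domain = yes
    template homedir = /home/%U
    template shell = /bin/bash
    idmap config * : backend = tdb
    idmap config * : range = ${default_range}
    idmap config ${workgroup} : backend = rid
    idmap config ${workgroup} : range = ${domain_range}
EOF
}

# idmap_ranges_overlap LOW-HIGH LOW-HIGH: exit 0 if the two ranges share an id.
# Overlapping idmap ranges are a configuration error in Samba (testparm reports
# it) and would let two different SIDs resolve to the same uid.
idmap_ranges_overlap() {
    local a_lo=${1%-*} a_hi=${1#*-} b_lo=${2%-*} b_hi=${2#*-}
    [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}

# Local users and system accounts on EL7 live below UID 1000; an idmap range
# reaching into that space lets an AD account alias a local one.
range_below_local_uids() {
    [ "${1%-*}" -lt 1000 ]
}

# write_smb_conf TARGET WORKGROUP REALM DEFAULT_RANGE DOMAIN_RANGE
write_smb_conf() {
    local target="$1" workgroup="$2" realm="$3" default_range="$4" domain_range="$5"
    if idmap_ranges_overlap "$default_range" "$domain_range"; then
        echo "idmap ranges $default_range and $domain_range overlap" >&2
        return 1
    fi
    if range_below_local_uids "$default_range" || range_below_local_uids "$domain_range"; then
        echo "idmap range starts below UID 1000 and would collide with local accounts" >&2
        return 1
    fi
    render_smb_global "$workgroup" "$realm" "$default_range" "$domain_range" > "$target"
}

# Demo with constructed values; in %post the target is /etc/samba/smb.conf.
demo_conf=$(mktemp)
write_smb_conf "$demo_conf" DOMAIN-NT domain.loc 3000-7999 10000-999999
cat "$demo_conf"
rm -f "$demo_conf"
```

The two checks are the part worth keeping: the generated text is only as good as the ranges fed in, and an overlap or a range that dips below 1000 is exactly the kind of defect that passes unnoticed until two accounts share a uid.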

yubby
Posts: 8
Joined: 2017/04/09 18:11:04

Re: Join Active Directory (e.g. via kickstart file)

Post by yubby » 2017/08/15 19:30:35

I can relate to what you're attempting to achieve, and can provide info that 'may' be relevant (though, it would be different in the ID service (AD !) you're going to use).

First, only use the Kickstart 'host-config' file to provide the 'proprietary' required entries for the kickstart process.

Use the %pre and %post sections to 'leave' the 'proprietary' Kickstart process, and launch your external process/scripts to configure your O/S installation (including installing YUM groups of packages that are specific to the O/S version/release).

The %post process launches your external process in the 'chroot' environment, such that, you can enable/start any services you require, as if you're on a running system.

For IDM (as opposed to AD) I configure the /etc/auto.* files and startup NFS and the automounter, providing access to the scripts and software repositories needed to install and configure the Identity service you'll be using. The scripts 'I' use, have the server 'join' the IDM domain (similar to the 'host join' to AD ?) such that, after 'first boot', users who have permission to access 'that' O/S instance, can log on immediately...

If the scripts are written properly, they can be used in both the Kickstart 'postinstall' process, or to any O/S instance that is running, but not yet 'joined' (so you can test outside of Kickstart).

This technique can also be used for 'updating' or 'configuring' the O/S prior to 'first boot', such as executing Puppy (not the 'real' name, but more descriptive for a 'not ready for prime-time' app) to execute the appropriate 'manifesto'...

If interested, I can provide the 'snippets' I've used...

PJSnugglebun
Posts: 2
Joined: 2018/07/05 14:40:06

Re: Join Active Directory (e.g. via kickstart file)

Post by PJSnugglebun » 2018/07/05 14:54:24

I had a lot of issues getting realm commands to work within the kickstart environment, so I instructed kickstart to build a bash script that does the join, and then add the script to cron @reboot.

The end result is that about 2 minutes after the reboot from the kickstart install, it will be joined to the domain.

The following works with CentOS 7.5.

This is a snippet of my %post section:

%post
##### Run updates
yum update -y

##### Install packages for AD integration
yum install -y sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

##### Hostname
echo 'testmachine' > '/etc/hostname'

##### Network Adapter
## manually setting here because Anaconda can't set search domain - on reboot NetworkManager will use these settings
ethzero='/etc/sysconfig/network-scripts/ifcfg-eth0'
NetUUID=$(grep 'UUID' $ethzero)
rm $ethzero
cat << EOF > $ethzero
BOOTPROTO=none
BROWSER_ONLY=no
DEFROUTE=yes
DEVICE=eth0
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx
DOMAIN=mydomain.local
GATEWAY=xxx.xxx.xxx.xxx
IPADDR=xxx.xxx.xxx.xxx
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=eth0
ONBOOT=yes
PREFIX=24
PROXY_METHOD=none
TYPE=Ethernet
$NetUUID
EOF

##### Create script to add computer to AD
## Links with info
## https://www.rootusers.com/how-to-join-c ... ry-domain/
## https://outsideit.net/realmd-sssd-ad-authentication/
## https://www.linuxtechi.com/integrate-rh ... directory/
## https://fedoraproject.org/wiki/QA:Testc ... _kickstart
## Adcli with one time pw is used because it accepts stdin password.
## Adcli expects computername to be in computername.domain and adds it as computername
## Realm adds the computer using the one time pw using the given hostname.
## So the hostname needs to match the computername in computername.domain that is passed to Adcli
joindomainscript='/tmp/joindomain'
touch $joindomainscript
## The script carries the service-account password, so keep it readable by root only
chmod 700 $joindomainscript

## Quoted heredoc delimiter: $sssdconf and $exitstatus must reach the script
## literally; unquoted, %post would expand them (to nothing) while writing it
cat << 'EOF' > $joindomainscript
#!/bin/bash

/sbin/adcli preset-computer --login-user=powershelljobs_svc --stdin-password --one-time-password=MyOneTimePassW --domain=mydomain.local testmachine.mydomain.local <<< 'SuperSecretPW'
/sbin/realm join --one-time-password=MyOneTimePassW mydomain.local

sleep 5

sssdconf='/etc/sssd/sssd.conf'
if [ -f "$sssdconf" ]
then
    sed -i 's^use_fully_qualified_names = True^use_fully_qualified_names = False^' $sssdconf
    sed -i 's^fallback_homedir = /home/%u@%d^fallback_homedir = /home/%u^' $sssdconf
    ## sudo rejects sudoers.d files that are not mode 0440; check the syntax before trusting it
    echo '%DOMAIN\Domain\ Admins ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/domainsudoers
    chmod 0440 /etc/sudoers.d/domainsudoers
    visudo -cf /etc/sudoers.d/domainsudoers || rm -f /etc/sudoers.d/domainsudoers
    systemctl restart sssd
    exitstatus=0
else
    exitstatus=1
fi
exit $exitstatus
EOF

##### Set Crontab for root user to run script at reboot time
## If everything succeeds remove joindomainscript and remove crontab
rootcrontab='/var/spool/cron/root'
cat << EOF > $rootcrontab
@reboot sleep 120 && $joindomainscript && rm $joindomainscript && crontab -r
EOF

%end

EnterpriseAdmin
Posts: 12
Joined: 2020/08/25 11:11:47

Re: Join Active Directory (e.g. via kickstart file)

Post by EnterpriseAdmin » 2020/08/25 11:40:16

OK, would you be able to share the /etc/sssd/sssd.conf file content to allow Domain Admins group members to login to the Linux via SSH?

Thank you in advance.
Kind Regards,

Enterprise System Administrator


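The sed lines in the @reboot script above and the closing question about letting Domain Admins log in over SSH both come down to editing keys in the `[domain/...]` section of sssd.conf. This added example (not code from the thread or from any of the posters) does that idempotently: a key already present is replaced, a missing key is appended to the right section, and a missing section is reported instead of silently ignored, which is the failure mode of a blind `sed -i`. Logins are then limited with sssd's `simple` access provider and `simple_allow_groups`, the same two keys that `realm permit -g 'Domain Admins'` writes. The sample sssd.conf, the domain name mydomain.local and the group name are constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the thread. Edits keys in one section of
# /etc/sssd/sssd.conf idempotently and then limits logins to a single AD group
# with sssd's simple access provider. The sample sssd.conf, the domain name
# mydomain.local and the group name are constructed for the example.
set -eu

# sssd_set_key FILE SECTION KEY VALUE
# Replaces "KEY = ..." inside [SECTION] if present, appends it to that section if
# absent, and fails if the section does not exist (a blind sed -i would simply do
# nothing in both of the latter cases). Other sections are not touched.
sssd_set_key() {
    local file="$1" section="$2" key="$3" value="$4" tmp
    if ! grep -qFx "[$section]" "$file"; then
        echo "section [$section] not found in $file" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v section="$section" -v key="$key" -v value="$value" '
        function flush() { if (insect && !done) { print key " = " value; done = 1 } }
        /^\[/ { flush(); insect = ($0 == "[" section "]"); print; next }
        insect && match($0, "^[ \t]*" key "[ \t]*=") {
            if (!done) { print key " = " value; done = 1 }
            next
        }
        { print }
        END { flush() }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through the existing inode so owner/mode stay put
    rm -f "$tmp"
}

# restrict_logins_to_group FILE DOMAIN GROUP
# Every PAM service that consults sssd (sshd, login, sudo) then accepts only
# members of GROUP. realm permit -g GROUP writes the same two keys.
restrict_logins_to_group() {
    local file="$1" domain="$2" group="$3"
    sssd_set_key "$file" "domain/$domain" access_provider simple
    sssd_set_key "$file" "domain/$domain" simple_allow_groups "$group"
    chmod 0600 "$file"   # sssd refuses to start unless sssd.conf is 0600 and root-owned
}

# Constructed, abridged copy of what realm join leaves in sssd.conf on CentOS 7.
make_sample_sssd_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = mydomain.local
config_file_version = 2
services = nss, pam

[domain/mydomain.local]
ad_domain = mydomain.local
krb5_realm = MYDOMAIN.LOCAL
id_provider = ad
access_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
EOF
}

# Demo on a temp file; in the @reboot script the target is /etc/sssd/sssd.conf.
demo=$(mktemp)
make_sample_sssd_conf "$demo"
sssd_set_key "$demo" domain/mydomain.local use_fully_qualified_names False
sssd_set_key "$demo" domain/mydomain.local fallback_homedir /home/%u
restrict_logins_to_group "$demo" mydomain.local 'Domain Admins'
cat "$demo"
rm -f "$demo"
```

Running the functions a second time leaves the file unchanged, so the script can be re-run safely from cron if the join has to be retried; the non-zero return on a missing section is what turns "realm join did not write sssd.conf" into a visible failure instead of a host that quietly accepts every domain account.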