Help to kickstart and realm join AD

tran.v.allan
Posts: 1
Joined: 2016/05/03 23:44:20

Help to kickstart and realm join AD

Post by tran.v.allan » 2016/05/03 23:54:34

I am having an issue joining our machines via kickstart script. I have this in the script:

%post
echo "myPassword" | realm join mydomain.test.com -U Administrator
%end
The anaconda log shows it fails dependencies:

INFO program: Password for Administrator: See: journalctl REALMD_OPERATION=r337.45689
INFO program: realm: Couldn't join realm: Necessary packages are not installed: oddjob, oddjob-mkhomedir, sssd, adcli
However, I have all the required packages installed earlier in the kickstart script. In fact I can run the exact same command after kickstart (when the server boots up) without any errors to successfully join the domain.

Does anyone know a way to work this out via non-interactive kickstart so I don't run the command manually? Thanks

Torsten
Posts: 1
Joined: 2019/02/21 13:12:05

Re: Help to kickstart and realm join AD

Post by Torsten » 2019/02/21 13:31:28

I know that's an old post, but maybe it helps others.

First, be sure that the computer account in the domain does not exist yet.

Next, create a computer account with a one-time-password from a computer that can access the domain using the following line.

adcli preset-computer --domain=your.domain.com --one-time-password=yourOneTimePassword --login-user=userWithAdminPrivilegsInYourDomain computerName.your.domain.com
And in the %post section of your kickstart file use the following line (this works for Fedora29, but it should also work with CentOS)

realm join --install=/ --one-time-password=yourOneTimePassword your.domain.com
Without the option "--install=/" the join will not work.

kvonblohn
Posts: 1
Joined: 2019/09/19 19:57:13

Re: Help to kickstart and realm join AD

Post by kvonblohn » 2019/09/19 20:10:29

If you run the adcli delete-computer before the preset-computer, you don't need to worry about whether the computer object already exists in AD. Also, if you have multiple DCs (which you should, for redundancy), be wary of your DC replication cycle. You may need to pause between commands to allow sufficient time for replication, as in the code below:

adcli delete-computer -U <domain acct> --stdin-password --verbose --domain example.com host1 <<< <password>
sleep 1m
adcli preset-computer -U <domain acct> --verbose --stdin-password --domain example.com --one-time-password=<OneTimePassword> host1 <<< <password>
sleep 1m
realm join --verbose --one-time-password=<OneTimePassword> example.com
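An added example, not code posted by anyone in this thread, of a %post helper that follows the approach in the replies above: join with the preset one-time password in install mode, retry to ride out DC replication lag, and confirm the result from `realm list` instead of trusting the exit status alone. The variable names REALM_DOMAIN and REALM_OTP, the retry settings and the `realm list` sample used for checking are assumptions.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Meant to be sourced from a kickstart
# %post section after `adcli preset-computer` was run elsewhere with the same
# one-time password. REALM_DOMAIN, REALM_OTP and the retry settings are assumptions.

# Packages realm reported missing in the original post; fail early if any is absent.
check_packages() {
    for pkg in oddjob oddjob-mkhomedir sssd adcli; do
        rpm -q "$pkg" >/dev/null 2>&1 || { echo "missing package: $pkg" >&2; return 1; }
    done
}

# Parse `realm list` output ($1) and succeed only if the block for domain $2 shows
# "configured: kerberos-member", i.e. the machine is actually joined.
realm_is_joined() {
    printf '%s\n' "$1" | awk -v d="$2" '
        /^[^ ]/ { in_block = ($1 == d) }
        in_block && $1 == "configured:" && $2 == "kerberos-member" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Join in install mode (--install=/: no realmd daemon is running inside the %post
# chroot, as Torsten noted). Retry with a delay so a freshly preset computer account
# has time to replicate across domain controllers (kvonblohn's point).
join_with_retry() {
    domain="$1"; otp="$2"; attempts="${3:-5}"; delay="${4:-60}"
    i=1
    while [ "$i" -le "$attempts" ]; do
        if realm join --install=/ --one-time-password="$otp" "$domain"; then
            return 0
        fi
        echo "join attempt $i/$attempts failed; retrying in ${delay}s" >&2
        sleep "$delay"
        i=$((i + 1))
    done
    return 1
}

# Only runs when invoked from %post with the variables set; sourcing it elsewhere
# (for instance to exercise realm_is_joined on saved output) does nothing.
if [ -n "${REALM_DOMAIN:-}" ] && [ -n "${REALM_OTP:-}" ]; then
    check_packages || exit 1
    join_with_retry "$REALM_DOMAIN" "$REALM_OTP" || exit 1
    realm_is_joined "$(realm list)" "$REALM_DOMAIN" || { echo "join not confirmed" >&2; exit 1; }
fi
```

Because the one-time password is only valid for the single preset join, embedding it in the kickstart exposes far less than the domain admin password in the original post's pipe into `realm join`.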
