Library cookbook that will join an Active Directory domain
This cookbook is a library cookbook and is intended to be used by your own wrapper cookbook. See the test/cookbooks directory for examples. While the examples show running separate cookbooks for windows and linux, this isn't required. It is possible for one wrapper cookbook to manage both windows and linux hosts.
It contains a custom resource named domain_join
with the following properties
c:\\Windows\\chef-ad-join.txt
exists. Useful since timezone doesn't always sync after first reboot. )example:
domain_join 'foobar' do
domain 'example.com'
domain_user 'binduser'
domain_password 'correct-horse-battery-staple'
ou 'OU=US,OU=West,OU=Web,DC=example,DC=com'
server 'DC01'
update_hostname true
double_reboot true
visual_warning true
hide_sensitive true
action :join
end
visual_warning
The ou must be formatted with OU=
before each organizational unit and DC=
before each domain component. see test/cookbooks directory for an example of how to derive the OU from attributes.
If you bootstrapped the node with the name option; e.g.
knife bootstrap -N us-web01
Then that is the name that will be used to join the domain (not the hostname since windows randomly generates it on first boot)
The name cannot include control characters, leading or trailing spaces, or any of the following characters: / \ [ ].
In most cases, Windows hostnames must be 15 characters or less.
The cookbook creates a windows scheduled task that runs chef as soon as the VM is started. The scheduled task is deleted after all the reboots.
The cookbook will restart windows twice since some group policy objects (like the time zone) are not applied on first boot. You can change this behavior by changing the following attribute to false.
default['ad-join']['windows']['double_reboot'] = true
This cookbook basically runs this powershell command, then reboots
$adminname = "EXAMPLE.COM\\bob"
$password = 'correct-horse-battery-staple' | ConvertTo-SecureString -asPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($adminname,$password)
Add-computer -DomainName <EXAMPLE.COM> -OUPath <OU=FOO> -Server "<DC1.EXAMPLE.COM>'} -Credential $credential -force -Options JoinWithNewName,AccountCreate -PassThru
ad-join can join ubuntu machines to active directory. (experimental. Bug reports / pull requests encouraged) It does not reboot or manage any of the additional files that might be required for a complete ad join
domain_join 'foobar' do
domain 'EXAMPLE.COM'
domain_user 'binduser'
domain_password 'correct-horse-battery-staple'
ou 'OU=US,OU=West,OU=Web,DC=example,DC=com'
server 'DC01'
hide_sensitive true
action :join
end
Common pitfalls
'hide_sensitive' false
to get additional information. domain_password will be shown in plain text.The ad-join cookbook is as unopinionated as possible. It will not configure sudoers
file, /etc/pam.d
or /etc/krb5.conf
. Use the sudoers cookbook in your wrapper cookbook to manage those services. See test/cookbooks/ad-join-linux directory for examples on how to manage those files
This cookbook basically runs this bash command
echo "correct-horse-battery-staple" | sudo realm join --verbose EXAMPLE.COM --user bob@EXAMPLE.COM --computer-ou OU=foobar --install=/
realm: No such realm found
Realm is case sensitive. Try EXAMPLE.COM instead of example.com
realm: Not authorized to perform this action
Not all packages installed successfully. Verify adcli
and packagekit
are installed. Please open a github issue if you find missing packages.
! Couldn't get kerberos ticket for: foo@example.com: KDC reply did not match expectations
adcli: couldn't connect to example.com domain: Couldn't get kerberos ticket for: foo@example.com: KDC reply did not match expectations
The domain is case sensitive. Try changing example.com
to EXAMPLE.COM
DNS update failed: NT_STATUS_INVALID_PARAMETER
Make sure a fqdn is set up hostname -f
https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members
Authors:
Volodymyr Babchynskyy vbabch@softserveinc.com
Spencer Owen sowen@netdocuments.com