ctf / puppet-pbis

Puppet module for deploying PowerBroker Identity Services (PBIS) Open Edition.
GNU General Public License v3.0

PBIS Enterprise #6

Open iamteedoh opened 10 years ago

iamteedoh commented 10 years ago

Hello @dionysius,

For PBIS Enterprise, the packages names are:

pbis-enterprise-8.0.1-2031.x86_64.rpm
pbis-enterprise-devel-8.0.1-2031.x86_64.rpm
pbis-enterprise-gui-8.0.1-2031.x86_64.rpm
pbis-enterprise-legacy-8.0.1-2031.x86_64.rpm
pbis-enterprise-upgrade-8.0.1-2031.x86_64.rpm

Also, when creating a new class in init.pp, I have done the following:

class pbis_puppet {
  class { 'pbis':
    ad_domain             => 'mydomain.com',
    bind_username         => 'admin',
    bind_password         => 'password',
    user_domain_prefix    => 'MYDOMAIN',
    ou                    => 'ou=Linux',
    package               => 'pbis-enterprise',
    package_prerequired   => 'pbis-enterprise-upgrade',
  }
}

However, puppet complains in the logs that it could not find class pbis and it gives me a 400 error. Not sure if this module needs something added to the class for it to detect it.

dionysius commented 10 years ago

Hey @unix4linux, the class pbis should be detected automatically. The requirement for that is that the class folder is called exactly pbis.

This is an extract of my puppetmaster, but with the things you need to insert for your enterprise setup updated/changed/included (see comments).

root@puppetmaster /etc/puppet # tree
.
[...]
├── manifests
│   ├── site.pp
├── modules
[...]
│   ├── pbis
│   │   ├── AUTHORS
│   │   ├── files
│   │   │   ├── pbis-enterprise.amd64.rpm
│   │   │   └── pbis-enterprise-upgrade.amd64.rpm
│   │   ├── lib
│   │   │   └── puppet
│   │   │       └── parser
│   │   │           └── functions
│   │   │               └── transform_ou.rb
│   │   ├── LICENSE
│   │   ├── manifests
│   │   │   ├── init.pp
│   │   │   └── params.pp
│   │   ├── Modulefile
│   │   ├── README.md
│   │   ├── templates
│   │   │   └── pbis.conf.erb
│   │   └── tests
│   │       └── init.pp
│   ├── my-implementation
│       └── manifests
│           └── init.pp
[...]
root@puppetmaster /etc/puppet # cat modules/my-implementation/manifests/init.pp 
class my-implementation {
[...]
    class { 'pbis':
        ad_domain            => 'DIRECTORY.XXXXXXXXXX.XX',
        bind_username        => 'domainjoin',
        bind_password        => 'XXXXXXX',
        user_domain_prefix   => 'DIRECTORY',                # you may not need that
        home_dir_template    => '%H/%U',                    # you may not need that
        login_shell_template => '/bin/zsh',                 # you may not need that
        service_name         => 'lwsmd',
        package              => 'pbis-enterprise',          # your enterprise core package name
        package_prerequired  => 'pbis-enterprise-upgrade',  # your enterprise upgrade package name
    }
[...]
}
root@puppetmaster /etc/puppet # cat manifests/site.pp
[...]
node 'host.directory.XXXXXXX.XX' {
[...]
    include my-implementation
}
[...]

[...] is always a placeholder for other stuff you might have that is not related to this issue.

This should work seamlessly now if you adapt it correctly.

iamteedoh commented 10 years ago

Hello @dionysius

Everything looks good but I am getting an error for the params.pp on line 41 as follows:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Function 'fail' does not return a value at /etc/puppetlabs/env/development/modules/pbis/manifests/params.pp:41

When I look at the params.pp file for that line, here is the output (as expected from cloning it from github)

default           => fail("Unsupported operating system: ${::operatingsystem}."),

Any idea what is wrong here?

dionysius commented 10 years ago

Strange. Can you tell me what the following command outputs on your client machine (the one where the puppet agent is installed)?

user@puppetclient ~ % facter --puppet | grep osfamily    
osfamily => Debian

It seems like your osfamily is currently not recognized. I am going to implement it shortly.

iamteedoh commented 10 years ago

Here you go:

[root@hostname1 ~]# facter --puppet | grep osfamily
osfamily => RedHat

dionysius commented 10 years ago

Just committed a fix, it seems like the regex was not working as expected. See 3c97c583fcbfe547ffc317c9a6dead777de9c003

Pull from my repo and try again

iamteedoh commented 10 years ago

That fix worked but now it's getting stuck at another one:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Must pass ad_domain to Class[Pbis] on node

When looking at my ad_domain value in my class, it looks good:

class pbis_puppet {
  class { 'pbis':
    ad_domain             => 'mydomain.com',
    bind_username         => 'admin',
    bind_password         => 'password',
    user_domain_prefix    => 'MYDOMAIN',
    home_dir_template     => '%H/%U',
    login_shell_template  => '/bin/bash',
    service_name          => 'lwsmd',
    ou                    => 'ou=Linux',
    package               => 'pbis-enterprise',
    package_prerequired   => 'pbis-enterprise-upgrade',
  }
}

dionysius commented 10 years ago

I'm a bit confused by this error. It looks correct.

Just in case, can you send me your version of puppet?

localadmin@puppetmaster ~ % puppet --version
3.4.3

iamteedoh commented 10 years ago

Sure, here you go:

[root@hostname1 ~]$ puppet --version
3.4.3 (Puppet Enterprise 3.2.3)

iamteedoh commented 10 years ago

Hi @dionysius

This time I got a little closer but the update_dns portion is failing:

Notice: /Stage[main]/Pbis/Exec[update_DNS]/returns: Failed to update DNS. Error code [9554]
Error: update-dns returned 82 instead of one of [0,204]
Error: /Stage[main]/Pbis/Exec[update_DNS]/returns: change from notrun to 0 204 failed: update-dns returned 82 instead of one of [0,204]

So, when I run a "pbis-status" to check if it joined, it looks like it did but I get nothing back:

[root@hostname1 bin]# ./pbis-status
LSA Server Status:

Compiled daemon version: 8.0.1.2029
Packaged product version: 8.0.2031.67578
Uptime:        0 days 22 hours 43 minutes 22 seconds

[Authentication provider: lsa-activedirectory-provider]

        Status:        Unknown
        Mode:          Unknown

When I go into my AD server, I see the server added in the proper OU

iamteedoh commented 10 years ago

So here are more errors I am seeing with the module being run:

Jun  5 16:03:13 hostname1 lsass: [lsass] Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 3332
Jun  5 16:03:14 hostname1 lsass: [lsass] A cell cannot be found, and unprov mode has been disabled by configuration. If you truly wish to use unprov mode, change the cell-support setting to full.
Jun  5 16:03:14 hostname1 lsass: [lsass] Error 40044 occurred while putting an ldap connection back in the domain free list.
Jun  5 16:03:14 hostname1 lsass: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 40050, symbol = LW_ERROR_NO_SUCH_CELL, client pid = 3339
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[join_domain]/returns) Joining to AD Domain:   mydomain.com
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[join_domain]/returns) With Computer DNS Name: hostname1.mydomain.com
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[join_domain]/returns) Error: LW_ERROR_NO_SUCH_CELL [code 0x00009c72]
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[join_domain]/returns) Failed to find the Cell in Active Directory
Jun  5 16:03:14 hostname1 puppet-agent[2304]: domainjoin-cli join --ou Linux   mydomain.com admin password returned 1 instead of one of [0]
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[join_domain]/returns) change from notrun to 0 failed: domainjoin-cli join --ou Linux   mydomain.com admin password returned 1 instead of one of [0]
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/File[/etc/pbis/pbis.conf]) Dependency Exec[join_domain] has failures: true
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/File[/etc/pbis/pbis.conf]) Skipping because of failed dependencies
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[configure_pbis]) Dependency Exec[join_domain] has failures: true
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[configure_pbis]) Skipping because of failed dependencies
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[clear_ad_cache]) Dependency Exec[join_domain] has failures: true
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[clear_ad_cache]) Skipping because of failed dependencies
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[update_DNS]) Dependency Exec[join_domain] has failures: true
Jun  5 16:03:14 hostname1 puppet-agent[2304]: (/Stage[main]/Pbis/Exec[update_DNS]) Skipping because of failed dependencies
Jun  5 16:03:34 hostname1 puppet-agent[2304]: Finished catalog run in 52.09 seconds

dionysius commented 10 years ago

Ah, there are two possible reasons. I think it's something wrong with the join process, so it might not be a puppet-pbis error. Let's try to debug that. I see the error is called 'LW_ERROR_NO_SUCH_CELL'; I currently cannot understand what this should mean.

Or, domainjoin maybe hasn't worked because the user does not have permission (or accidentally wrong credentials) to add a system (sounds strange to me, because on your AD the system is showing up, but maybe it's just not completely added).

Whatever the case is, please try the domainjoin process completely by hand, for debugging purposes.

  1. Ensure you've left the AD: domainjoin-cli leave [username] [password] (if it says you're not joined yet, continue with 2)
  2. Join AD: domainjoin-cli join [--assumeDefaultDomain {yes|no}] [--userDomainPrefix <short domain name>] [--ou <organizationalUnit>] <domain name> <user name> [<password>]
  3. Show me your pbis status output or error output from commands above

And just in case, are the pbis binaries on your system located in /opt/pbis/bin/ too?

iamteedoh commented 10 years ago

Ok, so to answer your question, yep, my binaries are in that location:

[root@hostname1 packages]# ls /opt/pbis/bin/
ad-cache   del-group       enum-members  find-group-by-id    get-dc-list  gp-admin      klist                 lsa                lwsm         query-member-of        sqlite3
add-group  del-user        enum-objects  find-group-by-name  get-dc-name  gporefresh    ktutil                lwautoenroll-test  mod-group    regshell               uninstall.sh
add-user   domainjoin-cli  enum-users    find-objects        get-dc-time  gprsrtmnt.sh  kvno                  lwcertd            mod-user     samba-interop-install  update-dns
adtool     edit-reg        eventlog-cli  find-user-by-id     get-metrics  kdestroy      ldapsearch            lwio-copy          passwd       setkey-cli             ypcat
config     enum-groups     find-by-sid   find-user-by-name   get-status   kinit         list-groups-for-user  lwio-driver        pbis-status  snmptrap               ypmatch

Here is the output when leaving the domain:

[root@hostname1 packages]# domainjoin-cli leave admin password
Leaving AD Domain:   MYDOMAIN.COM
SUCCESS

However, even if it says it was a success, if I go back to AD, the system is still there and I have to delete it from AD. If not, I can't join again and get the following error if the system already exists in AD:

[root@hostname1 packages]# domainjoin-cli join --assumeDefaultDomain yes --ou Linux mydomain.com admin password
Joining to AD Domain:   mydomain.com
With Computer DNS Name: hostname1.mydomain.com

Error: LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b]

Once I delete the system from AD, I am able to join but this is the error I am getting:

[root@hostname1 packages]# domainjoin-cli join --assumeDefaultDomain yes --ou Linux mydomain.com admin password
Joining to AD Domain:   mydomain.com
With Computer DNS Name: hostname1.mydomain.com

Error: LW_ERROR_NO_SUCH_CELL [code 0x00009c72]

Failed to find the Cell in Active Directory

However, if I go to AD and check the Linux OU, I see the system added.

dionysius commented 10 years ago

Ok, that's the point I expected. The same error message appeared this way. So you need to sort out why you are getting this error, because I have no idea what this error means and a short googling didn't help. According to this Installation Guide:

"Cell Manager: A snap-in for the Microsoft Management Console to manage cells associated with Active Directory Organizational Units."

There are many things related to 'cells' in this document. Maybe you can find out what this means.

But actually I can't help you here anymore. You may now use your enterprise support and contact the vendor for help sorting this out. This issue is now not related to this module anymore.

dionysius commented 10 years ago

Hello @unix4linux, any progress on your issue? Did you manage to contact their support?

iamteedoh commented 10 years ago

Hi!! Yep, I am working out some issues with their support team. As soon as I get the issues resolved, I want to post my feedback on GitHub for those that use the enterprise version. I will let you know the outcome as soon as it gets resolved, and thanks so much 😀 On Jun 13, 2014 9:15 AM, "dionysius" notifications@github.com wrote:

iamteedoh commented 10 years ago

How would I pass options to the domainjoin-cli command? For example, what if I wanted to use two options right before the --ou option such as:

domainjoin-cli join --notimesync --disable hostname --ou ou=Linux join_user_name join_user_passwd

Finchster commented 10 years ago

Hi @unix4linux

I'm having the exact same issue with PBIS Enterprise; I didn't have any problems with PBIS Open. What was your resolution?

Thanks.

iamteedoh commented 10 years ago

Hi @Finchster

I listed several issues on this thread. Which one are you actually having issues with?

jamesb78 commented 10 years ago

Hi

I have the exact same issue, with the server not joining AD with the same error of "Error: LW_ERROR_NO_SUCH_CELL [code 0x00009c72]"; also I see the object in AD. Did you find a solution with support?

iamteedoh commented 10 years ago

Hi jamesb78,

Can I see what line you are using to join? I don't remember what I did to get it to work but perhaps doing a little debugging with you will help me remember so that I can help you :)

jamesb78 commented 10 years ago

Sure, it's:

./domainjoin-cli join --ou "AD OU" --disable hostname --assumeDefaultDomain yes

I have the same error even though we have had other systems joining the same OU (assuming that is the error) - The line above has been used numerous times previously on other servers.

docsmooth commented 7 years ago

https://github.com/ctf/puppet-pbis/pull/15 has some fixes for some of these issues.

The Cell error comes up because you haven't run configuration settings in Active Directory to create the cell. "/opt/pbis/bin/adtool -a new-cell" allows you to do so from Linux, but you'll need an account with appropriate rights in AD.
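As an added example (not code from the puppet-pbis module or from anyone in this thread), the manual leave/join/status procedure dionysius lists above, scripted so that the LW_ERROR_* symbol in the domainjoin-cli output is extracted and mapped to the follow-up the thread arrived at: the missing-cell case (docsmooth's adtool note) and the insufficient-access case seen after a stale computer object. It assumes the PBIS binaries are under /opt/pbis/bin as confirmed in the thread; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of puppet-pbis: script the manual leave/join/status
# debugging steps from the thread and classify the domainjoin-cli result.
# Assumes the PBIS binaries are under /opt/pbis/bin (confirmed in the thread).
PBIS_BIN=/opt/pbis/bin

# Print the LW_ERROR_* symbol found in domainjoin-cli output, "OK" when the
# output reports SUCCESS, or "UNKNOWN" when no recognised marker is present.
join_error_symbol() {
    out="$1"
    case "$out" in
        *SUCCESS*) echo OK; return 0 ;;
    esac
    sym=$(printf '%s\n' "$out" \
        | sed -n 's/^Error: \(LW_ERROR_[A-Z_]*\) \[code 0x[0-9a-f]*\].*/\1/p' \
        | head -n 1)
    if [ -n "$sym" ]; then echo "$sym"; else echo UNKNOWN; fi
}

# Map a symbol to the next check suggested in the thread.
join_next_step() {
    case "$1" in
        OK)
            echo "joined; confirm with $PBIS_BIN/pbis-status" ;;
        LW_ERROR_NO_SUCH_CELL)
            echo "no PBIS cell for the OU; create one with $PBIS_BIN/adtool -a new-cell (needs AD rights)" ;;
        LW_ERROR_LDAP_INSUFFICIENT_ACCESS)
            echo "stale computer object or bind account lacks rights; remove the object in AD or check the account" ;;
        *)
            echo "unrecognised; keep the full output for vendor support" ;;
    esac
}

# Steps 1-3 by hand: leave, join, then show status. The password argument is
# optional (domainjoin-cli's usage line lists it as optional), so it can be
# typed at the tool's prompt instead of landing in the shell history.
manual_join_debug() {
    domain=$1; user=$2; ou=$3; pass=$4
    "$PBIS_BIN/domainjoin-cli" leave "$user" ${pass:+"$pass"} || true
    out=$("$PBIS_BIN/domainjoin-cli" join --ou "$ou" "$domain" "$user" ${pass:+"$pass"} 2>&1) || true
    sym=$(join_error_symbol "$out")
    echo "$sym: $(join_next_step "$sym")"
    "$PBIS_BIN/pbis-status"
}
```

Run as `manual_join_debug mydomain.com admin Linux` on the client to be joined; the classifier functions can also be fed saved output from an earlier failed run.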