plus3it / join-domain-formula

Salt formula to join systems to an Active Directory domain
Apache License 2.0

Add a `clean` State/Capability #205

Closed ferricoxide closed 1 year ago

ferricoxide commented 1 year ago

Use the SaltStack formulas-template project's TEMPLATES directory contents to add a `clean` capability to the domain-join project (closes #204)

ferricoxide commented 1 year ago

With this morning's changes, the following clean options work:

ferricoxide commented 1 year ago

One further thing to consider, is whether to delete the computer object from the directory?

I'd assumed the `realm leave` action did that, but reading the relevant IdM docs:

> Note that when a client leaves a domain, the computer account is not deleted from the directory; the local client configuration is only removed. If you want to delete the computer account, run the command with the --remove option specified.

So, presumably, we'd get similar results if we update the `realm leave` state?

ferricoxide commented 1 year ago

> One further thing to consider, is whether to delete the computer object from the directory?
>
> I'd assumed the `realm leave` action did that, but reading the relevant IdM docs:
>
> > Note that when a client leaves a domain, the computer account is not deleted from the directory; the local client configuration is only removed. If you want to delete the computer account, run the command with the --remove option specified.
>
> So, presumably, we'd get similar results if we update the `realm leave` state?

Dammit. Looking at the man page:

```
       --remove
           Remove or disable computer account from the directory while leaving the realm. This will usually prompt for a
           password.
```

lorengordon commented 1 year ago

Good thing this formula typically has access to credentials when executed! :D

> Dammit. Looking at the man page:
>
> ```
>        --remove
>            Remove or disable computer account from the directory while leaving the realm. This will usually prompt for a
>            password.
> ```

ferricoxide commented 1 year ago

> Good thing this formula typically has access to credentials when executed! :D

Right, but the join is done with an external script (that allows the use of those credentials). Would need to write a similar leave script.

Ultimately, I'd rather take that as a separate Issue/item.

lorengordon commented 1 year ago

> Right, but the join is done with an external script (that allows the use of those credentials). Would need to write a similar leave script.

Could probably reuse/repurpose the collision cleanup script?
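As an added illustration of the leave script discussed in this thread (not code from join-domain-formula or its collision cleanup script), a small POSIX shell wrapper that runs `realm leave --remove` without an interactive prompt. It assumes the bind account's password is kept in a root-only file and that realm reads the prompted password from stdin when stdin is not a tty (as is commonly done for `realm join`); the password is fed on stdin rather than argv so it never appears in process listings.

```shell
#!/bin/sh
# Added example (hypothetical, not part of the formula): leave the realm and
# delete the computer object, supplying the bind password on stdin.
# Usage: REALM_PASS_FILE=/root/.bind-pass leave_domain EXAMPLE.COM svc-bind
# Assumption: realm reads the password from stdin when stdin is not a tty.

leave_domain() {
    domain=$1
    bind_user=$2
    pass_file=${REALM_PASS_FILE:?set REALM_PASS_FILE to a 0600 file holding the bind password}

    # Refuse a credential file that other users could read.
    perms=$(stat -c '%a' "$pass_file" 2>/dev/null || stat -f '%Lp' "$pass_file" 2>/dev/null)
    case $perms in
        600|400) ;;
        *) echo "refusing: $pass_file mode is '$perms', expected 0600/0400" >&2; return 2 ;;
    esac

    # The password travels on stdin only; nothing secret goes into argv.
    if realm leave --remove --user "$bind_user" "$domain" < "$pass_file"; then
        echo "left $domain and requested removal of the computer object" >&2
    else
        echo "realm leave failed; the computer object may still exist in $domain" >&2
        return 1
    fi

    # Confirm the client no longer reports the realm as configured.
    if realm list --name-only 2>/dev/null | grep -qix -- "$domain"; then
        echo "warning: $domain is still reported by 'realm list'" >&2
        return 1
    fi
}
```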