sgnl05 / sgnl05-sssd

Puppet module for SSSD
https://forge.puppet.com/sgnl05/sssd
GNU General Public License v3.0

Added ability to join Active Directory domain(s) #15

Closed acjohnson closed 8 years ago

acjohnson commented 8 years ago

Added ability to join Active Directory domain(s)

acjohnson commented 8 years ago

@sgnl05 or @edestecd let me know if you have any questions

acjohnson commented 8 years ago

I just tested the exec on Ubuntu 14.04, which required me to change the fully qualified path for adcli to /usr/sbin/adcli, which is a valid path to the binary on both RHEL 7 and Ubuntu 14.04.

sgnl05 commented 8 years ago

I've tested your code, it works like a charm. It's so good that we're planning to implement it at my job asap. :)

However, I think your changes are better off in their own module. Best practice for modules is to make them do one thing, not several. "Your module should have one area of responsibility. For example, a good module addresses installing MySQL but does not address installing another program/service that requires MySQL." (from https://docs.puppetlabs.com/guides/module_guides/bgtm.html).

I'd be happy to recommend your module in the README.md file, if you choose to create your own. Please let me know what you think.

adrenlinerush commented 8 years ago

I don't think it should be in a separate module, it is part of SSSD to join a domain and interact with it as such. I think you should revisit this and reconsider merging into your module.

sgnl05 commented 8 years ago

SSSD is a common framework that supports multiple auth/identification providers. Some examples are AD, IPA and LDAP. ADCLI is a tool for joining AD-domains only, while IPA-domains would require a different tool etc.

I'd rather not increase the complexity of this module by adding support for lots of 3rd party tools, especially since these tools are not always included in the repos of an OS distribution. For example, 'adcli' is not a package available in the RHEL5 repos. Also, it would be a nightmare to test everything. I'd have to have a crazy test rig with all kinds of authentication systems :)

I really hope @acjohnson considers making a separate module for adcli. I'd both support and contribute to such a project. In the same manner, I'm hoping to see separate modules for other tools such as "realmd", "freeipa-client" and so on.

acjohnson commented 8 years ago

I understand your reasoning but have not decided how to continue with my upstream contribution of this code.

On a side note, it sounds like you are using the AD provider for sssd, which is what my code was written to be used with. However, in my testing the AD provider for sssd has been difficult to work with, and seems to be slower than the LDAP provider...

Here is the configuration that I have been using, and was hoping you could share your sssd.conf config as well:

[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
sbus_timeout = 30
reconnection_retries = 3
debug_level = 0
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0
[pam]
reconnection_retries = 3
debug_level = 0
[domain/example.com]
enumerate = true
cache_credentials = true
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_id_mapping = false
ldap_referrals = false
debug_level = 0

sgnl05 commented 8 years ago

My sssd.conf is very much like the example in README.md. I've also used ldap earlier as provider, but I can't say I've noticed any difference in performance. The only issue has been limitations in the name of a computer account in AD (max 15 characters before the first dot in a fqdn).

[sssd]
config_file_version = 2
debug_level = 1
domains = ad.example.com
services = nss, pam, sudo

[domain/ad.example.com]
access_provider = simple
ad_domain = ad.example.com
ad_server = dc01.ad.example.com, dc02.ad.example.com
cache_credentials = true
debug_level = 1
default_shell = /bin/bash
fallback_homedir = /home/%u
id_provider = ad
krb5_realm = AD.EXAMPLE.COM
krb5_store_password_if_offline = true
ldap_id_mapping = false
realmd_tags = joined-with-samba
simple_allow_groups = users
use_fully_qualified_names = false

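
As an added example (not code from the sgnl05-sssd module or from anyone in this thread), here is a small Python checker that parses an sssd.conf like the two posted above and flags the points raised in the discussion: `enumerate`, `ldap_id_mapping`, the access provider, and the 15-character limit on the AD computer account name. The hostname argument, the sample config and the wording of the findings are my own assumptions.

```python
"""Lint an sssd.conf for the AD-provider settings discussed in this thread.

Added example; not part of the sgnl05-sssd module or the PR. The sample
config is a trimmed copy of the one posted in the thread, and the
computer-account check assumes the account name is the short hostname.
"""
import configparser

# Constructed sample: the AD-provider config posted above, domain section only.
ACJOHNSON_CONF = """\
[sssd]
domains = example.com
[domain/example.com]
enumerate = true
id_provider = ad
access_provider = ad
ldap_id_mapping = false
"""


def lint_sssd_conf(text, hostname):
    """Return a list of human-readable findings for an sssd.conf text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    # AD computer account names are limited to 15 characters (the label before the first dot).
    if len(hostname.split(".")[0]) > 15:
        findings.append("hostname: short name exceeds 15 chars, AD computer account name will not fit")
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        d = cfg[section]
        # enumerate=true downloads every user and group; slow against large AD domains.
        if d.getboolean("enumerate", fallback=False):
            findings.append(f"{section}: enumerate=true forces full user/group enumeration")
        # sssd's default access_provider is 'permit': any domain user may log in.
        if d.get("id_provider") == "ad" and d.get("access_provider", "permit") == "permit":
            findings.append(f"{section}: access_provider unset (permit), all domain users can log in")
        # With the AD provider, ldap_id_mapping defaults to true; false needs POSIX attributes in AD.
        if d.get("id_provider") == "ad" and not d.getboolean("ldap_id_mapping", fallback=True):
            findings.append(f"{section}: ldap_id_mapping=false requires uidNumber/gidNumber in AD")
        # The simple provider grants access to everyone when no allow list is set.
        if d.get("access_provider") == "simple" and not (
                d.get("simple_allow_groups") or d.get("simple_allow_users")):
            findings.append(f"{section}: access_provider=simple with no allow list permits everyone")
    return findings


if __name__ == "__main__":
    for line in lint_sssd_conf(ACJOHNSON_CONF, "host01.example.com"):
        print(line)
```

Run it against your own /etc/sssd/sssd.conf by reading the file into `lint_sssd_conf` together with the host's FQDN.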
acjohnson commented 8 years ago

I have created an adcli puppet module located here in case anyone is interested in using it: https://github.com/acjohnson/puppet-adcli

acjohnson commented 8 years ago

It is on the forge as well: https://forge.puppet.com/acjohnson/adcli

sgnl05 commented 8 years ago

That is awesome! I'm on vacation now, but I'll test your module as soon as I get back to work. :)