walkamongus / realmd

Puppet module for setting up realmd, SSSD, and a Kerberos client config
Apache License 2.0

Managing krb5.conf via smart parameters of foreman does not work for me. #75

Open leo21212121212 opened 3 years ago

leo21212121212 commented 3 years ago

Hi, can you please help me figure out what I am doing wrong? I am trying to add `default_tkt_enctypes = aes256-cts rc4-hmac` and `default_tgs_enctypes = aes256-cts rc4-hmac` to krb5.conf, as otherwise it would not allow it to talk to the DC due to an unsupported encryption type.


```
[root@puppet-lab ~]# puppet agent -t
Warning: Setting 'pluginsync' is deprecated. (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/defaults.rb:1906:in `block in initialize_default_settings!')
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for puppet-lab.lakros.com
Info: Applying configuration version 'puppet-production-5ee8da4a2f9'
Notice: /Stage[main]/Realmd::Install/Package[krb5-workstation]/ensure: created
Notice: /Stage[main]/Realmd::Install/Package[samba-common-tools]/ensure: created
Notice: /Stage[main]/Realmd::Config/File[/etc/realmd.conf]/ensure: defined content as '{sha256}e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
Info: Class[Realmd::Config]: Scheduling refresh of Class[Realmd::Join]
Info: Class[Realmd::Join]: Scheduling refresh of Class[Realmd::Join::Password]
Info: Class[Realmd::Join::Password]: Scheduling refresh of Exec[realm_join_with_password]
Notice: /Stage[main]/Realmd::Join::Password/File[/usr/libexec/realm_join_with_password]/ensure: defined content as '{sha256}e20763cd32aee0b4a245bc09c36e7bd05eec4f87f2ffbd9b42bf072b2cc067cb'
Notice: /Stage[main]/Realmd::Join::Password/Exec[realm_join_with_password]/returns: Password for domain-joiner@LAKROS.COM: See: journalctl REALMD_OPERATION=r248.5716
Notice: /Stage[main]/Realmd::Join::Password/Exec[realm_join_with_password]/returns: realm: Couldn't join realm: Failed to join the domain
Error: '/usr/libexec/realm_join_with_password realm join LAKROS.COM --unattended --user=domain-joiner@LAKROS.COM --computer-name=puppet-lab' returned 1 instead of one of [0]
Error: /Stage[main]/Realmd::Join::Password/Exec[realm_join_with_password]/returns: change from 'notrun' to ['0'] failed: '/usr/libexec/realm_join_with_password realm join LAKROS.COM --unattended --user=domain-joiner@LAKROS.COM --computer-name=puppet-lab' returned 1 instead of one of [0]
Notice: /Stage[main]/Realmd::Join::Password/Exec[realm_join_with_password]/returns: Password for domain-joiner@LAKROS.COM: See: journalctl REALMD_OPERATION=r249.6182
Notice: /Stage[main]/Realmd::Join::Password/Exec[realm_join_with_password]/returns: realm: Couldn't join realm: Failed to join the domain
Error: /Stage[main]/Realmd::Join::Password/Exec[realm_join_with_password]: Failed to call refresh: '/usr/libexec/realm_join_with_password realm join LAKROS.COM --unattended --user=domain-joiner@LAKROS.COM --computer-name=puppet-lab' returned 1 instead of one of [0]
Error: /Stage[main]/Realmd::Join::Password/Exec[realm_join_with_password]: '/usr/libexec/realm_join_with_password realm join LAKROS.COM --unattended --user=domain-joiner@LAKROS.COM --computer-name=puppet-lab' returned 1 instead of one of [0]
Info: Class[Realmd::Join::Password]: Unscheduling all events on Class[Realmd::Join::Password]
Notice: /Stage[main]/Realmd::Sssd::Config/File[/etc/sssd/sssd.conf]: Dependency Exec[realm_join_with_password] has failures: true
Warning: /Stage[main]/Realmd::Sssd::Config/File[/etc/sssd/sssd.conf]: Skipping because of failed dependencies
Warning: /Stage[main]/Realmd::Sssd::Config/Exec[force_config_cache_rebuild]: Skipping because of failed dependencies
Warning: /Stage[main]/Realmd::Sssd::Service/Service[sssd]: Skipping because of failed dependencies
Info: Stage[main]: Unscheduling all events on Stage[main]
Notice: Applied catalog in 42.24 seconds
```

```
[root@puppet-lab ~]# journalctl REALMD_OPERATION=r249.6182
-- Logs begin at Mon 2021-02-15 00:59:52 EST, end at Thu 2021-02-18 01:41:59 EST. --
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Resolving: _ldap._tcp.lakros.com
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Performing LDAP DSE lookup on: 10.37.69.50
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Performing LDAP DSE lookup on: 10.37.69.69
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Successfully discovered: lakros.com
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Joining using a manual netbios name: puppet-lab
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * LANG=C /usr/sbin/adcli join --verbose --domain lakros.com --domain-realm LAKROS.COM --domain-controller 10.37.69.50 --computer-name puppet-lab --login-type user --login-user doma>
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Using domain name: lakros.com
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Using computer account name: puppet-lab
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Using domain realm: lakros.com
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Sending netlogon pings to domain controller: cldap://10.37.69.50
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Received NetLogon info from: DFX-DC01.lakros.com
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-YlydTq/krb5.d/adcli-krb5-conf-BfXMuU
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  ! Couldn't authenticate as: domain-joiner@LAKROS.COM: KDC has no support for encryption type
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]: adcli: couldn't connect to lakros.com domain: Couldn't authenticate as: domain-joiner@LAKROS.COM: KDC has no support for encryption type
Feb 18 01:25:13 puppet-lab.lakros.com realmd[5780]:  ! Failed to join the domain
```


As you can see, it doesn't apply the conf from smart variables.

Thank you.

leo21212121212 commented 3 years ago

Had to do a fork and modify join/password.pp to add this:

```puppet
# Pull the krb5 settings from the main realmd class
$_krb_config_file   = $::realmd::krb_config_file
$_krb_config        = $::realmd::krb_config
$_manage_krb_config = $::realmd::manage_krb_config

# Default [libdefaults] default_realm to the upper-cased domain, then let the
# user-supplied hash override/extend it
$_krb_config_final = deep_merge({'libdefaults' => {'default_realm' => upcase($::domain)}}, $_krb_config)

if $_manage_krb_config {
  file { 'krb_configuration':
    ensure  => file,
    path    => $_krb_config_file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('realmd/krb5.conf.erb'),
  }
}
```
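The snippet above does two things: it deep-merges a default `default_realm` with whatever hash the operator passes in `krb_config`, and it renders the result through the module's template. The following is an added example (not code from the realmd module or this issue's author) that mirrors that merge step in Python, renders the merged hash as krb5.conf text, and adds a check a defender would want: it reports any `[libdefaults]` enctype list that admits a non-AES type such as the `rc4-hmac` requested at the top of the issue, so the downgrade is visible rather than silently shipped in a catalog. The function names, the `STRONG_ENCTYPES` list and the sample input are this example's own assumptions; the sample hash is constructed to match the issue's request.

```python
"""Added example, not code from the realmd module: mirror the deep_merge step
from the comment above, render the result as krb5.conf text, and flag enctype
lists that admit anything other than AES."""
import copy

# AES enctype names as MIT Kerberos spells them; anything else (rc4-hmac,
# des*, ...) is reported. This list and the names below are this example's own.
STRONG_ENCTYPES = {
    "aes256-cts", "aes256-cts-hmac-sha1-96", "aes256-cts-hmac-sha384-192",
    "aes128-cts", "aes128-cts-hmac-sha1-96", "aes128-cts-hmac-sha256-128",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def deep_merge(base, override):
    """Recursive dict merge where override wins, like stdlib's deep_merge()."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def build_krb_config(domain, krb_config):
    """Default [libdefaults] default_realm to the upper-cased domain, then
    layer the operator-supplied hash on top (same shape as $_krb_config_final)."""
    return deep_merge({"libdefaults": {"default_realm": domain.upper()}}, krb_config)


def render_krb5_conf(config):
    """Render {section: {key: value}} as krb5.conf text; nested dicts become
    NAME = { ... } blocks, as used under [realms]."""
    lines = []
    for section, entries in config.items():
        lines.append(f"[{section}]")
        for key, value in entries.items():
            if isinstance(value, dict):
                lines.append(f"    {key} = {{")
                lines.extend(f"        {k} = {v}" for k, v in value.items())
                lines.append("    }")
            else:
                lines.append(f"    {key} = {value}")
        lines.append("")
    return "\n".join(lines)


def weak_enctypes(config):
    """Map each [libdefaults] enctype list to the non-AES names it contains."""
    findings = {}
    libdefaults = config.get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            continue
        weak = [e for e in str(libdefaults[key]).split() if e not in STRONG_ENCTYPES]
        if weak:
            findings[key] = weak
    return findings


if __name__ == "__main__":
    # Constructed input shaped like the issue's request: AES plus rc4-hmac.
    requested = {
        "libdefaults": {
            "default_tkt_enctypes": "aes256-cts rc4-hmac",
            "default_tgs_enctypes": "aes256-cts rc4-hmac",
        },
        "realms": {"LAKROS.COM": {"kdc": "DFX-DC01.lakros.com"}},
    }
    final = build_krb_config("lakros.com", requested)
    print(render_krb5_conf(final))
    for key, weak in weak_enctypes(final).items():
        print(f"warning: {key} allows weak enctype(s): {', '.join(weak)}")
```

Running it prints the merged file with `default_realm = LAKROS.COM` added to `[libdefaults]` and two warnings for `rc4-hmac`. Because the merge lets the operator's hash win, a `default_realm` supplied in `krb_config` overrides the derived one, which is the same precedence the Puppet `deep_merge` call gives.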

brgerig commented 3 years ago

Thanks for this. Was exactly the fix I needed for my environment.