I have the following exec that joins a Linux (CentOS 6) host to an Active Directory domain. When run as root from the bash terminal, it runs successfully and the host is joined to the AD domain properly.
However, when run in Puppet, the net ads join command fails with:

    Failed to join domain: Failed to set password for machine account
    (NT_STATUS_ACCESS_DENIED)
Here is the exec:

    exec { 'adjoin':
      command   => "kinit adjoin@AD.EXAMPLE.COM -k -t /etc/krb5.keytab && net ads join createcomputer='Machines/Servers/Linux Servers' osName='${operatingsystem}' osVer=${operatingsystemrelease} -k",
      unless    => "net ads testjoin -k | grep -q 'Join is OK'",
      provider  => shell,
      user      => root,
      path      => '/usr/sbin:/usr/bin:/sbin:/bin',
      require   => [
        File['/etc/krb5.conf'],
        File['/etc/krb5.keytab'],
      ],
      logoutput => true,
    }
I've tried with and without the provider and user parameters.
Answer
It turns out I had to explicitly set a few environment variables using the environment parameter in exec, specifically LOGNAME:
    exec { 'adjoin':
      command     => "kinit adjoin@AD.EXAMPLE.COM -k -t /etc/krb5.keytab && net ads join createcomputer='Machines/Servers/Linux Servers' osName='${operatingsystem}' osVer=${operatingsystemrelease} -k",
      unless      => "net ads testjoin -k | grep -q 'Join is OK'",
      provider    => shell,
      user        => root,
      path        => '/usr/sbin:/usr/bin:/sbin:/bin',
      require     => [
        File['/etc/krb5.conf'],
        File['/etc/krb5.keytab'],
      ],
      logoutput   => true,
      environment => [
        'USER=root',
        'LOGNAME=root',
        'HOME=/root',
      ],
    }
Two reasons for this:

1. LOGNAME, USER, and HOME are specifically unset by Puppet during an exec's run. It was a design choice that is detailed in the ticket I linked to.
2. I also set USER and HOME for sanity's sake, though I'm not sure they are required by net ads.
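As an added example (not the original poster's code), a wrapper script that an exec could call in place of the bare kinit/net chain; it reports which of USER, LOGNAME and HOME Puppet has cleared before the join is attempted, instead of letting net ads join fail with NT_STATUS_ACCESS_DENIED. The script name adjoin.sh, the KEYTAB and PRINCIPAL defaults, and the omission of the osName/osVer options are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Invoked as
#   command => '/usr/local/sbin/adjoin.sh'   (path is an assumption)
# with the same environment => [...] settings as the fixed exec above.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}                # assumed default
PRINCIPAL=${PRINCIPAL:-adjoin@AD.EXAMPLE.COM}     # principal from the post

# Return 0 when USER, LOGNAME and HOME are all set and LOGNAME matches the
# effective user; name the missing or mismatched variable on stderr otherwise.
check_join_env() {
    me=$(id -un 2>/dev/null) || me=""
    for var in USER LOGNAME HOME; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "check_join_env: $var is unset (Puppet clears it for exec)" >&2
            return 1
        fi
    done
    if [ -n "$me" ] && [ "$LOGNAME" != "$me" ]; then
        echo "check_join_env: LOGNAME=$LOGNAME differs from effective user $me" >&2
        return 1
    fi
    return 0
}

# The keytab must be a readable, non-empty file before kinit is asked to use it.
check_keytab() {
    [ -s "$1" ] && [ -r "$1" ]
}

# Run both checks, then the kinit / net ads join sequence from the original exec
# (osName/osVer omitted here because they come from Puppet facts).
run_join() {
    check_join_env || return 1
    check_keytab "$KEYTAB" || {
        echo "run_join: keytab $KEYTAB is missing or unreadable" >&2
        return 1
    }
    kinit "$PRINCIPAL" -k -t "$KEYTAB" &&
        net ads join createcomputer='Machines/Servers/Linux Servers' -k
}

# Perform the join only when executed as adjoin.sh, so the file can be sourced
# to exercise the checks without touching the domain.
case "$0" in
    */adjoin.sh|adjoin.sh) run_join ;;
esac
```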