Sunday, January 16, 2011

Puppet manifest for Centrify Express on Ubuntu

I've been really pleased with Canonical's new partnership with Centrify, one of the big names in Unix/Linux/Mac Active Directory integration. For the last month, I've started to replace Likewise Open on all of our machines at work.

Tonight, I took a moment to write a quick Puppet manifest for installing centrifydc and automatically joining the machine to our AD infrastructure.

Requirements
  • Have an AD user account with privileges to add more than 10 computers to your domain.
  • Enable the Canonical partner repository (I manage my /etc/apt/sources.list with Puppet).
This manifest exposes a user account's password in a text file, so make sure you lock that file down at the same time you delegate the computer-object permissions. (If anyone has a better way, I'd appreciate a comment from you.)

class centrify {

    # Install Centrify Express; any install or upgrade triggers the join.
    package { "centrifydc":
        ensure => latest,
        notify => Exec["adjoin"],
    }

    # Join the domain. Runs only when notified by the package (refreshonly);
    # a successful adjoin exits with 15 rather than 0, hence returns => 15.
    exec { "adjoin":
        path        => "/usr/bin:/usr/sbin:/bin",
        returns     => 15,
        command     => "adjoin -w -u domainjoiner -p passwordF00 my.company.net",
        refreshonly => true,
    }

    # Keep the Centrify agent running.
    service { "centrifydc":
        ensure => running,
    }

}

The domain join is executed only when Puppet has to install or update the package. A successful AD join returns exit code 15 instead of the usual 0, which is why the exec sets returns => 15.

4 comments:

  1. Hi Ninjix,
    There is another way to join a machine to AD. If you pre-create the computer account within AD from the Puppet Master, then you can use the adjoin command with "-w --selfserve my.company.net" parameters alone. You have to make sure that you pre-create the computer account with the same name, but you should be able to configure Puppet to set the name or simply specify on the adjoin command line with "--name computername".

    In order to pre-create the computer account on the Puppet Master, you will need to have that machine joined to AD. Then you can use the AD account that has permissions in AD to create computers to call the adjoin command (with -u and -p for this AD account) providing the name of the new computer with --name and using the --precreate parameter to tell adjoin to simply go create the new computer's account.

    I've been working on other similar scripts for other config management solutions such as Rightscale and this is the same model that we use in the Deployment Manager that you can also get from centrify.com/express.

    Hope this helps.
    -David
    david.mcneely@centrify.com

  2. David,

    Thank you for taking the time to share your tip. I'm giving Centrify some additional cool points for your helpful comment. Looks like you guys were thinking ahead for us administrators. I like that.

    Using the pre-create method is definitely more elegant. I'll write a wrapper to pre-create the computer account on the puppetmaster at the same time the target's puppet certificate is signed. Look for a part II on this topic.

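As an added example (not the post's manifest and not Centrify's code), this is how the self-serve join David describes above and the master-side pre-creation step the author plans in his reply could look in Puppet, using the original class as the skeleton. Assumptions: my.company.net, domainjoiner and the class/define names are placeholders; the marker directory /var/lib/centrify-precreated is an invented idempotency guard; the page only documents exit code 15 for a full join, so the pre-create exec also accepts 0 in case --precreate exits differently.

```puppet
# Added example, not from the original post: node-side join against a
# computer account that was pre-created on the Puppet master. No domain
# credentials are shipped to the node; adjoin only claims the account.
class centrify {

    package { "centrifydc":
        ensure => latest,
        notify => Exec["adjoin"],
    }

    # Runs only when the package is installed or upgraded (refreshonly).
    # $::hostname must match the name used when the account was pre-created.
    exec { "adjoin":
        path        => "/usr/bin:/usr/sbin:/bin",
        command     => "adjoin -w --selfserve --name ${::hostname} my.company.net",
        returns     => 15,          # a successful join exits 15, not 0
        refreshonly => true,
        logoutput   => on_failure,  # show adjoin's output only when it fails
    }

    service { "centrifydc":
        ensure  => running,
        require => Exec["adjoin"],  # do not start the agent before the join
    }

}

# Master-side counterpart. Declare once per node whose certificate you sign,
# e.g.  centrify::precreate { "web01": }   on the (already joined) master.
# Placeholder credentials: keep them on the master only, never in a manifest
# that reaches the nodes.
class centrify::precreate_dir {
    # Assumed marker directory; root-only so the marker names stay private.
    file { "/var/lib/centrify-precreated":
        ensure => directory,
        owner  => "root",
        group  => "root",
        mode   => "0700",
    }
}

define centrify::precreate ($domain = "my.company.net") {

    include centrify::precreate_dir

    $marker = "/var/lib/centrify-precreated/${name}"

    exec { "precreate-${name}":
        path    => "/usr/bin:/usr/sbin:/bin",
        command => "adjoin -w -u domainjoiner -p PASSWORD_PLACEHOLDER --precreate --name ${name} ${domain}",
        creates => $marker,         # skip once the marker below exists
        returns => [0, 15],         # 15 is documented for a join; 0 accepted as an assumption
        require => File["/var/lib/centrify-precreated"],
    }

    # Written only after a successful pre-create, so a failed attempt is
    # retried on the next Puppet run instead of being marked done.
    exec { "mark-precreated-${name}":
        path    => "/usr/bin:/usr/sbin:/bin",
        command => "touch ${marker}",
        creates => $marker,
        require => Exec["precreate-${name}"],
    }

}
```

The split moves the only place that needs a domain password to the master, where the comment above says the machine must already be joined anyway. Passing -p on the command line is still visible in process listings while adjoin runs, which is one more reason to confine it to the master and to the short pre-create step rather than repeating it on every node.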
  3. This may not be the place to ask this, but I am currently looking at likewise open and centrify express, and was curious as to why you are switching?

    Thanks,

    Dan

  4. Oops, I found a quote from you on centrify's website explaining why. Thanks
