Wednesday, January 19, 2011

Puppet Module For Centrify Express [Reloaded]

I've expanded on my previous simple Puppet module for Centrify Express based on the helpful advice I received from David McNeely at Centrify. This latest version of the module does not expose domain usernames or passwords in the manifests. Instead, it requires you to pre-create the computer account in Active Directory from a machine that is already running Centrify Express as a domain member.

You can pre-create the account just before you sign the puppet client's certificate.
sudo adjoin -w -P -u  -n  your.domain.net
sudo puppetca -s new-hostname.your.domain.net

Download the latest code from GitHub: puppet-centrify

git clone git://github.com/ninjix/puppet-centrifydc.git

The new version of the module has the following features:
  • Installs the Centrify Express Ubuntu package
  • Automatically attempts to join the machine to the domain after installing the apt package
  • Registers the machine name in Active Directory DNS
  • Restricts logins on Ubuntu servers to the "Domain Admins" user group
  • Allows additional domain users and groups to be granted login access
Note: Make sure you enable the Canonical partner repository.
deb http://archive.canonical.com/ubuntu lucid partner

Here are some examples of how you can configure your nodes using this module.
node    'deimos',
        'phobos' inherits default {

        $domain = "my.lab.net"
        include centrifydc
}
This is the minimal configuration: only the domain is provided. Members of the "Domain Admins" group are granted login access by default. You can change the defaults by editing the module's templates.

node    'callisto' inherits default {

        $domain = "my.lab.net"
        $groups_allow = ["Astro Group","Physics Team"]

        include centrifydc
}
The second example allows members of the "Astro Group" and "Physics Team" domain groups to log in, in addition to members of the "Domain Admins" group.

node    'ganymede' inherits default {

        $domain = "my.lab.net"
        $users_allow = ["carl.sagan"]
        $groups_allow = ["Astro Group","Physics Team"]

        include centrifydc
}
The third example is the same as the second but also allows the individual user "carl.sagan" to log in.
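To show what the login-restriction feature amounts to on the box, here is the same access policy as the ganymede node written as a parameterised class in current Puppet syntax (5.5 or later, so that join, unique and empty are built in). This is an added example, not code from the puppet-centrifydc module, and it only covers the allow lists, not the domain join or DNS registration. It assumes that Centrify reads the allow lists from the pam.allow.groups and pam.allow.users settings in /etc/centrifydc/centrifydc.conf, that settings omitted from that file fall back to Centrify's built-in defaults, that list items containing spaces may be double-quoted, and that the Ubuntu package and service are both named centrifydc; check each of these against the Centrify documentation for your release.

```puppet
# Added example, not the puppet-centrifydc module's own code (Puppet 5.5+).
# Assumptions, to be verified against the Centrify docs for your release:
#   - pam.allow.groups / pam.allow.users in /etc/centrifydc/centrifydc.conf
#     are the settings that restrict who may log in
#   - settings left out of that file take Centrify's built-in defaults
#   - list items with spaces may be double-quoted
#   - the Ubuntu package and the service are both called centrifydc
class centrifydc_access (
  String        $domain,
  Array[String] $users_allow  = [],
  Array[String] $groups_allow = [],
) {
  # "Domain Admins" is always permitted; callers can only widen access,
  # never lock the administrators out of the box.
  $groups = unique(['Domain Admins'] + $groups_allow)

  # Group names such as "Domain Admins" contain spaces, so quote each one.
  $quoted_groups = $groups.map |$g| { "\"${g}\"" }
  $group_list    = join($quoted_groups, ',')
  $user_list     = join($users_allow, ',')

  $header     = "# Managed by Puppet for domain ${domain}; local edits are overwritten.\n"
  $group_line = "pam.allow.groups: ${group_list}\n"
  # Emit pam.allow.users only when there is something to allow, so an empty
  # list does not leave a dangling setting behind.
  $user_line = $users_allow.empty ? {
    true  => '',
    false => "pam.allow.users: ${user_list}\n",
  }

  package { 'centrifydc':
    ensure => installed,
  }

  # Only the allow lists are managed here; everything else stays at default.
  file { '/etc/centrifydc/centrifydc.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "${header}${group_line}${user_line}",
    require => Package['centrifydc'],
  }

  # hasstatus => true makes Puppet trust the init script's status exit code
  # rather than grepping the process table, so it will not restart a
  # service that is actually running.
  service { 'centrifydc':
    ensure    => running,
    enable    => true,
    hasstatus => true,
    subscribe => File['/etc/centrifydc/centrifydc.conf'],
  }
}

# Same policy as the ganymede node above, expressed as class parameters.
class { 'centrifydc_access':
  domain       => 'my.lab.net',
  users_allow  => ['carl.sagan'],
  groups_allow => ['Astro Group', 'Physics Team'],
}
```

Because the defaults are parameters rather than node-scope variables, each node can set its own users_allow and groups_allow without worrying about whether the variable was assigned before the class was included, and "Domain Admins" cannot be removed from the allow list by a caller, only added to.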

12 comments:

  1. Very very helpful, thank you. Out of curiosity, why did you choose to displace Likewise Open with Centrify Express? Stability, more features, etc.?

  2. This is useful, I think our Express users will appreciate the work you did. On behalf of Centrify, thank you! BTW, any thoughts on publishing this on the puppet forge? http://forge.puppetlabs.com/

    Cheers, Tom

  3. In short, the Likewise Open that was released for Ubuntu 10.04 LTS was buggy and caused disruptions for our users. It was not ready for an LTS release. User login cache expiry only lasting for four hours stopped my laptop users cold when they tried to work from home. There was also a security update released a few months ago that failed to upgrade properly and fouled apt-get.

    Looking at the Launchpad site for likewise-open, I still see a lot of important bugs that remain open. It is my personal feeling that Likewise hasn't taken their Ubuntu partnership seriously with the community.

    Centrify Express has so far not let us down and "just works". I also like their Unix approach compared to Likewise's Windows registry syntax.

  4. I would like to get more feedback from the Puppet user community before posting to Puppet Forge.

  5. I'd like to echo the sentiments of others when I say "excellent work". I'm encountering a minor issue, however - every time I run puppet, it's trying to restart "centrifydc" because it thinks it's not running. I'm still learning puppet - what does puppet use to determine the status of a service?

  6. Puppet uses the hasstatus attribute for determining the status of a service. Puppet reads the exit code of the init script to get this value.

    I just reviewed my posted code and realized that it's missing the /etc/default/puppet file. By default Ubuntu defaults puppet to a disabled state. Perhaps this is why puppet keeps trying to restart the service on your client machines. I'll update the Git repo in the next few days.

  7. This is a great module. I ran into an issue where I've included centrifydc in the basenode configuration, but would like to override $groups_allow on a per-node basis (but this doesn't work because the variable is set AFTER the basenode has already included the centrifydc module). Can you point me in the right direction to correct my logic?

    In case anyone else runs into this by simply cutting and pasting, I believe users_allow and groups_allow need "$" symbols in front of them in the configs shown in this post in order to get them to work properly.

  8. Have you considered using parametrized class instead of a global variable? I also think you have a typo in your default service, where you have defined 'require' twice.

  9. Definitely, Jon. This module is due for some tune-up and updates. Switching it over to a parametrized class is a good idea.

  10. Finally got around to updating the module. :)

  11. I finally got around to attempting to deploy this. I had to make a couple of tweaks to have it work with CentOS:

    1) I had to create my own internal repo and define it within the manifest, and use the slightly different package name (CentrifyDC instead of all lowercase)
    2) update the params file to reference CentOS instead of Ubuntu

    Do note, however, that the latest version of Express removes all ability to define ACLs; that means that as soon as CentrifyDC is installed and active ANY AD user can log in to that box!

  12. Hi, I am looking for a solution which would allow me to join Zentyal PDC using Ubuntu Client...

    Any help would be appreciated (mubeen_kh@hotmail.com). - Thanks in advance
