Feature #4917

Smart-Proxy Realm Provider for Active Directory

Added by Stephen Benjamin over 3 years ago. Updated 11 months ago.

Status: Ready For Testing
Priority: Normal
Assigned To: -
Category: Realm
Target version: -
Difficulty:
Bugzilla link: 1216017
Found in release:
Pull request: https://github.com/theforeman/smart-proxy/pull/480
Story points: -
Velocity based estimate: -

Description

Add realm provider to support generating one-time passwords for Active Directory membership (via adcli)

More info:
http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration
http://fedoraproject.org/wiki/Features/ActiveDirectory


Related issues

Related to Smart Proxy - Feature #1809: Smart-Proxy control of IPA Server Closed 08/06/2012
Related to Smart Proxy - Feature #17500: Introduce providers for realm module Closed 11/28/2016

History

#1 Updated by Stephen Benjamin over 3 years ago

  • Related to Feature #1809: Smart-Proxy control of IPA Server added

#2 Updated by Dominic Cleal over 3 years ago

  • Project changed from Foreman to Smart Proxy
  • Category changed from Smart proxies to Realm

#3 Updated by Dominic Cleal over 3 years ago

  • Tracker changed from Bug to Feature

#4 Updated by Philipp Wagner over 2 years ago

I have a need for this and gave it a try. See the code here: https://github.com/theforeman/smart-proxy/compare/develop...imphil:realm-ad?expand=1

It's an initial RFC showing the basic idea, and some of the problems.

What works:
- Precreate computer accounts in the directory
- Domain-specific settings for the account attributes

Missing features:
- Rebuilding computer accounts
- Deleting computer accounts

The most problematic part is currently the tool used to perform the AD operations. Essentially I know of two options: msktutil and adcli. Both have problems (at least in our setup). adcli does not work at all due to auth issues and does not allow specifying the computer name (netbios name) independently of the hostname (which is required in our setup). msktutil works great, but doesn't have the ability to delete or reset accounts (for rebuild). So currently I use msktutil to create the accounts, and everything else needs to be done manually. I have, however, bug reports open with msktutil and adcli to fix those problems; let's see how this goes.

Open questions at the moment are (it's an RFC after all :)):

a) Is the general approach OK with you?

b) You can see, there are some very specific settings required for our setup, and I'm sure others have similar ones. Do you think it makes sense to support all that directly in the smart proxy (as I've tried to do), or should we instead just call a 3rd-party script (and deliver a default one) which handles the account creation, which the admin can override?

c) Anything else?

#5 Updated by Stephen Benjamin about 2 years ago

  • Bugzilla link set to 1216017

#6 Updated by Stephen Benjamin about 2 years ago

Oh hi, sorry I missed this. This is great, thanks!

The best way to get comments would be to get a PR open.

My personal preference would be adcli, as it supports the missing features you need; being able to rebuild is somewhat important, but we could discuss it on GitHub. We could always start with rudimentary support and improve it later, or end up using both utilities.

Do you have to have links to the issues you opened on the two projects?

#7 Updated by Dmitri Dolguikh 12 months ago

  • Related to Feature #17500: Introduce providers for realm module added

#8 Updated by The Foreman Bot 12 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/480 added
