Feature #4917
Smart-Proxy Realm Provider for Active Directory
Description
Add realm provider to support generating one-time passwords for Active Directory membership (via adcli)
More info:
http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration
http://fedoraproject.org/wiki/Features/ActiveDirectory
Related issues
History
#1
Updated by Stephen Benjamin about 9 years ago
- Related to Feature #1809: Smart-Proxy control of IPA Server added
#2
Updated by Dominic Cleal about 9 years ago
- Project changed from Foreman to Smart Proxy
- Category changed from Smart Proxy to Realm
#3
Updated by Dominic Cleal about 9 years ago
- Tracker changed from Bug to Feature
#4
Updated by Philipp Wagner almost 8 years ago
I have a need for this and gave it a try. See the code here: https://github.com/theforeman/smart-proxy/compare/develop...imphil:realm-ad?expand=1 It's an initial RFC showing the basic idea, and some of the problems.
What works:
- Precreate computer accounts in the directory
- Domain-specific settings for the account attributes
Missing features:
- Rebuilding computer accounts
- Deleting computer accounts
The most problematic part is currently the tool used to perform the AD operations. Essentially I know of two options: msktutil and adcli. Both have problems (at least in our setup). adcli does not work at all due to auth issues and does not allow specifying the computer name (netbios name) independently of the hostname (which is required in our setup). msktutil works great, but doesn't have the ability to delete or reset accounts (for rebuild). So currently I use msktutil to create the accounts, and everything else needs to be done manually. I have, however, bug reports open with msktutil and adcli to fix those problems; let's see how this goes.
Open questions at the moment are (it's an RFC after all :)):
a) Is the general approach OK with you?
b) You can see, there are some very specific settings required for our setup, and I'm sure others have similar ones. Do you think it makes sense to support all that directly in the smart proxy (as I've tried to do), or should we instead just call a 3rd-party script (and deliver a default one) which handles the account creation, which the admin can override?
c) Anything else?
#5
Updated by Stephen Benjamin over 7 years ago
- Bugzilla link set to 1216017
#6
Updated by Stephen Benjamin over 7 years ago
Oh hi, sorry I missed this. This is great, thanks!
The best way to get comments would be to get a PR open.
My personal preference would be adcli, as it supports the missing features you need; being able to rebuild is somewhat important, but we could discuss it on GitHub. We could always start with rudimentary support and improve it later, or end up using both utilities.
Do you have to have links to the issues you opened on the two projects?
#7
Updated by Anonymous over 6 years ago
- Related to Feature #17500: Introduce providers for realm module added
#8
Updated by The Foreman Bot over 6 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/480 added
#9
Updated by Timo Goebel over 5 years ago
- Status changed from Ready For Testing to New
- Pull request deleted (https://github.com/theforeman/smart-proxy/pull/480)
PR was closed.
#10
Updated by The Foreman Bot over 5 years ago
- Assignee set to Timo Goebel
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/557 added
#11
Updated by The Foreman Bot over 5 years ago
- Pull request https://github.com/theforeman/puppet-foreman_proxy/pull/396 added
#12
Updated by Ewoud Kohl van Wijngaarden over 5 years ago
Now that it's a plugin and integrated into the installer, can we consider this fixed?
#13
Updated by Ewoud Kohl van Wijngaarden over 5 years ago
- Status changed from Ready For Testing to Resolved
#14
Updated by Ondřej Ezr over 2 years ago
- Related to Feature #31610: Complete ActiveDirectory realm support added