Smart-Proxy Realm Provider for Active Directory
Add realm provider to support generating one-time passwords for Active Directory membership (via adcli)
#4 Updated by Philipp Wagner over 5 years ago
I have a need for this and gave it a try. See the code here: https://github.com/theforeman/smart-proxy/compare/develop...imphil:realm-ad?expand=1 It's an initial RFC showing the basic idea, and some of the problems.
- Precreate computer accounts in the directory
- Domain-specific settings for the account attributes
- Rebuilding computer accounts
- Deleting computer accounts
The most problematic part is currently the tool used to perform the AD operations. Essentially I know of two options: msktutil and adcli. Both have problems (at least in our setup). adcli does not work at all due to auth issues and does not allow to specify the computer name (netbios name) independently of the hostname (which is required in our setup). msktutil works great, but doesn't have the ability to delete or reset accounts (for rebuild). So currently I use msktutil to create the accounts, and everything else needs to be done manually. I have, however, bug reports open with msktutil and adcli to fix those problems, let's see how this goes.
Open questions at the moment are (it's a RFC after all :)):
a) Is the general approach OK with you?
b) You can see, there are some very specific settings required for our setup, and I'm sure others have similar ones. Do you think it makes sense to support all that directly in the smart proxy (as I've tried to do), or should we instead just call a 3rd-party script (and deliver a default one) which handles the account creation, which the admin can override?
c) Anything else?
#6 Updated by Stephen Benjamin about 5 years ago
Oh hi, sorry I missed this. This is great, thanks!
The best way to get comments would to get a PR open.
My personal preference would be adcli, as it supports the missing features you need, being able to rebuild is somewhat important, but we could discuss it on GitHub. We could always start with rudimentary support and improve it later, or end up using both utilities.
Do you have to have links to the issues you opened on the two projects?