Feature #4917

closed

Smart-Proxy Realm Provider for Active Directory

Added by Stephen Benjamin about 10 years ago. Updated about 6 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Realm
Target version: -
Fixed in Releases:
Found in Releases:

Description

Add realm provider to support generating one-time passwords for Active Directory membership (via adcli)

More info:
http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration
http://fedoraproject.org/wiki/Features/ActiveDirectory


Related issues 3 (1 open, 2 closed)

  • Related to Smart Proxy - Feature #1809: Smart-Proxy control of IPA Server (Closed, Stephen Benjamin, 08/06/2012)
  • Related to Smart Proxy - Feature #17500: Introduce providers for realm module (Closed, 11/28/2016)
  • Related to Foreman - Feature #31610: Complete ActiveDirectory realm support (New)
Actions #1

Updated by Stephen Benjamin about 10 years ago

  • Related to Feature #1809: Smart-Proxy control of IPA Server added
Actions #2

Updated by Dominic Cleal about 10 years ago

  • Project changed from Foreman to Smart Proxy
  • Category changed from Smart Proxy to Realm
Actions #3

Updated by Dominic Cleal almost 10 years ago

  • Tracker changed from Bug to Feature
Actions #4

Updated by Philipp Wagner over 8 years ago

I have a need for this and gave it a try. See the code here: https://github.com/theforeman/smart-proxy/compare/develop...imphil:realm-ad?expand=1 It's an initial RFC showing the basic idea, and some of the problems.

What works:
- Precreate computer accounts in the directory
- Domain-specific settings for the account attributes

Missing features:
- Rebuilding computer accounts
- Deleting computer accounts

The most problematic part is currently the tool used to perform the AD operations. Essentially I know of two options: msktutil and adcli. Both have problems (at least in our setup). adcli does not work at all due to auth issues and does not allow specifying the computer name (netbios name) independently of the hostname (which is required in our setup). msktutil works great, but doesn't have the ability to delete or reset accounts (for rebuild). So currently I use msktutil to create the accounts, and everything else needs to be done manually. I have, however, bug reports open with msktutil and adcli to fix those problems; let's see how this goes.

Open questions at the moment are (it's an RFC after all :)):

a) Is the general approach OK with you?

b) You can see, there are some very specific settings required for our setup, and I'm sure others have similar ones. Do you think it makes sense to support all that directly in the smart proxy (as I've tried to do), or should we instead just call a 3rd-party script (and deliver a default one) which handles the account creation, which the admin can override?

c) Anything else?

Actions #5

Updated by Stephen Benjamin over 8 years ago

  • Bugzilla link set to 1216017
Actions #6

Updated by Stephen Benjamin over 8 years ago

Oh hi, sorry I missed this. This is great, thanks!

The best way to get comments would be to get a PR open.

My personal preference would be adcli, as it supports the missing features you need, being able to rebuild is somewhat important, but we could discuss it on GitHub. We could always start with rudimentary support and improve it later, or end up using both utilities.

Do you have to have links to the issues you opened on the two projects?

Actions #7

Updated by Anonymous over 7 years ago

  • Related to Feature #17500: Introduce providers for realm module added
Actions #8

Updated by The Foreman Bot over 7 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/480 added
Actions #9

Updated by Timo Goebel about 6 years ago

  • Status changed from Ready For Testing to New
  • Pull request deleted (https://github.com/theforeman/smart-proxy/pull/480)

PR was closed.

Actions #10

Updated by The Foreman Bot about 6 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Timo Goebel
  • Pull request https://github.com/theforeman/smart-proxy/pull/557 added
Actions #11

Updated by The Foreman Bot about 6 years ago

  • Pull request https://github.com/theforeman/puppet-foreman_proxy/pull/396 added
Actions #12

Updated by Ewoud Kohl van Wijngaarden about 6 years ago

Now that it's a plugin and integrated into the installer, can we consider this fixed?

Actions #13

Updated by Ewoud Kohl van Wijngaarden about 6 years ago

  • Status changed from Ready For Testing to Resolved
Actions #14

Updated by Ondřej Ezr about 3 years ago

  • Related to Feature #31610: Complete ActiveDirectory realm support added