Puppet + authconf + AD.
Нужно сделать так, чтобы юзвери АДа логинились в линуксы. Было выбрано решение поставить puppet с authconfig.
При «puppet agent -tv» команда authconfig, описанная в «/etc/puppet/manifests/site.pp», выдаёт ошибку (секция «puppet agent -tv»), но если её запустить вручную, она работает (секция «Running authconfig manually») и просит пароль.
Думаю, проблема в том, что по какой-то причине пароль не посылается паппетом.
Куда копать?
MASTER:
============================== /etc/puppet/puppet.conf ==============================
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
dns_alt_names = couintblapup01,couintblapup01.bla.local
always_cache_features = true
[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = couintblapup01
==============================
/etc/puppet/manifests/site.pp
==============================
# Node definition for the AD-joined CentOS 6 test host: pulls in the baseline
# packages and motd, then drives the authconfig module, which builds and runs
# the authconfig command shown in the agent output to set up LDAP lookups,
# Kerberos and winbind against devbladc01.
#
# NOTE(review): the command line the agent reports as failing is identical to
# the one that joins successfully when run by hand, so the difference lies in
# the exec's runtime environment rather than in these parameters; the cause is
# not visible from the manifest — confirm before changing values here.
node 'test-ad-centos6.bla.local' inherits default {
include('basic-tools')
include motd
# NOTE(review): the generated command adds --enablemd5 --passalgo=md5, and the
# password-auth written after it switches pam_unix from sha512 to md5. Check
# whether the module exposes a password-algorithm parameter so sha512 is kept.
class { 'authconfig' :
# LDAP is used for identity lookups only (ldapauth => false). With ldaptls
# disabled and the server on port 389, directory traffic to the DC is
# unencrypted.
ldap => true,
ldapauth => false,
ldaptls => false,
ldapserver => 'devbladc01.bla.local:389',
ldapbasedn => 'DC=bla,DC=LOCAL',
# ldaploadcacert => 'http://www.example.com/certificates/Example_CA.pem'
krb5 => true,
krb5kdcdns => true,
krb5realmdns => true,
krb5realm => 'bla.LOCAL',
krb5kdc => ['devbladc01.bla.local:88'],
krb5kadmin => 'devbladc01.bla.local:749',
cache => false,
winbind => true,
winbindauth => true,
smbservers => 'devbladc01.bla.local',
smbsecurity => 'ads',
smbrealm => 'bla.LOCAL',
smbworkgroup => 'bla',
# The join credential is stored here in plaintext as user%password. The module
# passes it on the authconfig command line, so it appears verbatim in the
# agent's Error output (and wherever that output is logged) whenever the exec
# fails. Prefer sourcing it from a lookup/encrypted data store, and rotate the
# join account's password once it has been exposed this way.
winbindjoin => 'someusertest@bla.LOCAL%bla1234',
mkhomedir => true,
winbindusedefaultdomain => true,
winbindtemplatehomedir => '/home/bla.LOCAL/%U',
winbindtemplateshell => '/bin/bash'
}
}
==============================
/etc/puppet/modules/basic-tools/manifests/init.pp
==============================
# Baseline package set installed on every node that includes this class
# (the listing is abbreviated by the author; only the first entries are shown).
# NOTE(review): the class name contains a hyphen, which Puppet's class-name
# rules do not allow; it compiles in this run but may need renaming on newer
# versions — confirm for the Puppet version in use.
class basic-tools {
package { screen:
ensure => installed,
}
package { mlocate:
ensure => installed,
}
package { lsof:
ensure => installed,
[...]
}
}
==============================
/etc/pam.d/password-auth
==============================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
CLIENT:
==============================
puppet agent -tv
==============================
[root@test-ad-centos6 ~]# puppet agent -tv
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for test-ad-centos6.bla.local
Info: Applying configuration version '1436874745'
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: [/usr/bin/net join -w bla -S devbladc01.bla.local -U someuser@bla.LOCAL]
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: Enter someusertest@bla.LOCAL's password:
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: ADS join did not work, falling back to RPC...
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: Enter someusertest@bla.LOCAL's password:
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: Could not connect to server devbladc01.bla.local
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: The username or password was not correct.
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: Connection failed: NT_STATUS_LOGON_FAILURE
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: Failed to join domain: failed to lookup DC info for domain 'bla.LOCAL' over rpc: Logon failure
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: authconfig: Winbind domain join was not successful.
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: Starting nslcd: [ OK ]
Notice: /Stage[main]/Authconfig/Exec[authconfig command]/returns: Starting Winbind services: [ OK ]
Error: authconfig --enableldap --disableldapauth --disableldaptls --ldapbasedn='DC=bla,DC=LOCAL' --ldapserver=devbladc01.bla.local:389 --enablemd5 --passalgo=md5 --enableshadow --enablekrb5 --krb5realm=bla.LOCAL --krb5kdc=devbladc01.bla.local:88 --krb5adminserver=devbladc01.bla.local:749 --enablekrb5kdcdns --enablekrb5realmdns --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=bla.LOCAL --smbworkgroup=bla --winbindjoin=someusertest@bla.LOCAL%bla1234 --smbservers=devbladc01.bla.local --disablepreferdns --disablecache --enablemkhomedir --updateall returned 6 instead of one of [0]
Error: /Stage[main]/Authconfig/Exec[authconfig command]/returns: change from notrun to 0 failed: authconfig --enableldap --disableldapauth --disableldaptls --ldapbasedn='DC=bla,DC=LOCAL' --ldapserver=devbladc01.bla.local:389 --enablemd5 --passalgo=md5 --enableshadow --enablekrb5 --krb5realm=bla.LOCAL --krb5kdc=devbladc01.bla.local:88 --krb5adminserver=devbladc01.bla.local:749 --enablekrb5kdcdns --enablekrb5realmdns --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=bla.LOCAL --smbworkgroup=bla --winbindjoin=someusertest@bla.LOCAL%bla1234 --smbservers=devbladc01.bla.local --disablepreferdns --disablecache --enablemkhomedir --updateall returned 6 instead of one of [0]
Notice: Finished catalog run in 2.31 seconds
==============================
Running authconfig manually:
==============================
[root@test-ad-centos6 ~]# authconfig --enableldap --disableldapauth --disableldaptls --ldapbasedn='DC=bla,DC=LOCAL' --ldapserver=devbladc01.bla.local:389 --enablemd5 --passalgo=md5 --enableshadow --enablekrb5 --krb5realm=bla.LOCAL --krb5kdc=devbladc01.bla.local:88 --krb5adminserver=devbladc01.bla.local:749 --enablekrb5kdcdns --enablekrb5realmdns --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=bla.LOCAL --smbworkgroup=bla --winbindjoin=someusertest@bla.LOCAL%bla1234 --smbservers=devbladc01.bla.local --disablepreferdns --disablecache --enablemkhomedir --updateall
[/usr/bin/net join -w bla -S devbladc01.bla.local -U someusertest@bla.LOCAL]
Enter someusertest@bla.LOCAL's password:
Using short domain name -- bla
Joined 'TEST-AD-CENTOS6' to dns domain 'bla.local'
Starting Winbind services: [ OK ]
Starting nslcd: [ OK ]
==============================
/etc/pam.d/password-auth
==============================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so