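#
# Cookbook Name:: mu-activedirectory
# Recipe:: sssd
#
# Copyright:: Copyright (c) 2016 eGlobalTech, Inc., all rights reserved
#
# Licensed under the BSD-3 license (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License in the root of the project or at
#
#     http://egt-labs.com/mu/LICENSE.html
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Joins an EL6/EL7 host to an Active Directory domain with adcli and
# configures sssd + PAM/NSS (via authconfig) to authenticate against it.
# Join credentials come from chef-vault; the domain/DC settings come from
# node['ad'].
#
# NOTE(review): `elversion` is not defined in this recipe; it is presumably a
# helper from this cookbook's libraries that returns the EL major version as
# an Integer (6 or 7) -- confirm before relying on it elsewhere.
case node['platform_family']
when "rhel"
  # Declare the services other resources notify, unless another recipe has
  # already done so (resources() raises ResourceNotFound when it has not).
  %w{sshd winbind smb messagebus}.each do |svc|
    begin
      resources("service[#{svc}]")
    rescue Chef::Exceptions::ResourceNotFound
      service svc do
        action [:enable, :start]
        only_if { ::File.exist?("/etc/init.d/#{svc}") }
      end
    end
  end

  begin
    resources('service[network]')
  rescue Chef::Exceptions::ResourceNotFound
    # Declared only as a notification target (default action :nothing).
    service "network" do
      only_if { ::File.exist?("/etc/init.d/network") }
    end
  end

  package %w(epel-release dbus sssd sssd-ldap sssd-ad authconfig nscd oddjob-mkhomedir krb5-devel)

  # The nslcd/pam_ldap stack conflicts with sssd's NSS/PAM modules.
  package %w(nss-pam-ldapd pam_ldap) do
    action :remove
  end

  case elversion
  when 7
    package "adcli"

    # Make sure Chef doesn't try to start messagebus if it is already running:
    # drop the --nopidfile flag from the unit so systemd tracks its pid.
    # The pattern is passed with `-e` so grep does not parse the leading
    # "--" as an option (a bare '--nopidfile' argument makes grep exit 2 and
    # the guard would never fire).
    execute "sed -i 's/--nopidfile//' /usr/lib/systemd/system/messagebus.service && systemctl daemon-reload" do
      only_if "grep -e '--nopidfile' /usr/lib/systemd/system/messagebus.service"
    end
  end

  # nscd caches conflict with sssd's own caching.
  service "nscd" do
    action [:disable, :stop]
  end

  # Relabel anything we (or the adcli build below) dropped into /usr/sbin.
  # This is not idempotent: it runs on every converge.
  execute "restorecon -r /usr/sbin"

  # SELinux policy for oddjobd and its interaction with syslogd.
  cookbook_file "syslogd_oddjobd.pp" do
    path "#{Chef::Config[:file_cache_path]}/syslogd_oddjobd.pp"
  end

  execute "Add oddjobd and syslogd interaction to SELinux allow list" do
    command "/usr/sbin/semodule -i syslogd_oddjobd.pp"
    cwd Chef::Config[:file_cache_path]
    not_if "/usr/sbin/semodule -l | grep syslogd_oddjobd"
    notifies :restart, "service[oddjobd]", :delayed
  end

  case elversion
  when 6
    service "oddjobd" do
      start_command "sh -x /etc/init.d/oddjobd start" # seems to actually work
      action [:enable, :start]
    end

    package %w(git automake libtool openldap-devel libxslt-devel)

    # The repository property takes the URL only (not a `git clone ...`
    # command line), and the checkout must land in /root/adcli, which is
    # where the compile step below runs.
    #
    # NOTE(review): git:// is an unauthenticated transport and 'master' is
    # unpinned, so this build-from-source of a root-installed, privileged
    # binary has no integrity check -- pin a tag/commit and prefer an
    # authenticated transport once the upstream URL is confirmed.
    git 'Clone ADCLI' do
      repository 'git://anongit.freedesktop.org/realmd/adcli'
      revision 'master'
      destination '/root/adcli'
      action :sync
    end

    build_essential 'name' do
      compile_time true
    end

    # This is our workaround until the RPM makes its way back into a repo
    # somewhere. It was removed from EPEL after it became part of mainstream
    # RHEL 6.8, but CentOS doesn't have it yet.
    execute "compile adcli" do
      cwd "/root/adcli"
      command "./autogen.sh --disable-doc --prefix=/usr && make && make install"
      not_if { ::File.exist?("/usr/sbin/adcli") }
    end
  when 7
    # Seems to work on CentOS7 without the start_command workaround.
    service "oddjobd" do
      action [:enable, :start]
    end
  end

  # Switch NSS/PAM over to sssd; the pam_sss.so guard keeps this from
  # rewriting the PAM stack on every run.
  execute "/usr/sbin/authconfig --disablenis --disablecache --disablewinbind --disablewinbindauth --enablemkhomedir --disablekrb5 --enablesssd --enablesssdauth --enablelocauthorize --disableforcelegacy --disableldap --disableldapauth --updateall" do
    notifies :restart, "service[oddjobd]", :immediately
    notifies :reload, "service[sshd]", :delayed
    not_if "grep pam_sss.so /etc/pam.d/password-auth"
  end

  include_recipe 'chef-vault'
  # Vault item holding the AD join account; the field names used below come
  # from node['ad']['join_auth'].
  domain_creds = chef_vault_item(node['ad']['join_auth']['vault'], node['ad']['join_auth']['item'])

  # sssd is only useful once the host has a keytab, i.e. after the join.
  service "sssd" do
    action :nothing
    notifies :restart, "service[sshd]", :immediately
    only_if { ::File.exist?("/etc/krb5.keytab") }
  end

  directory "/etc/sssd"

  # sssd.conf may carry sensitive settings; keep it root-only (0600).
  template "/etc/sssd/sssd.conf" do
    source "sssd.conf.erb"
    mode 0600
    cookbook "mu-activedirectory"
    notifies :restart, "service[sssd]", :immediately
    variables(
      :domain => node['ad']['domain_name'],
      'homedir' => node['ad']['homedir'],
      :krb5keytabuser => node['ad']['computer_name'],
      :short_domain => node['ad']['netbios_name'],
      :base_dn => node['ad']['domain_name'].split(/\./).map { |x| "dc=#{x}" }.join(","),
      :dcs => node['ad']['dc_ips']
    )
  end

  # Point DNS at the domain controllers. The network restart is skipped on
  # EL7 (RedHat/CentOS 7).
  template "/etc/dhcp/dhclient-eth0.conf" do
    source "dhclient-eth0.conf.erb"
    mode 0644
    variables(
      :domain => node['ad']['domain_name'],
      'dc_ips' => node['ad']['dc_ips']
    )
    notifies :restart, "service[network]", :immediately unless %w{redhat centos}.include?(node['platform']) && node['platform_version'].to_i == 7
  end

  # If adcli fails mysteriously, look for bogus /etc/hosts entries pointing
  # to your DCs. It seems to dumbly trust any reverse mapping it sees,
  # whether or not the name matches the actual Kerberos tickets you get.
  #
  # The join user and password are handed to the shell through the resource's
  # environment rather than interpolated into the command string: the command
  # is logged by Chef and visible in the process list, and a quote character
  # in the password would otherwise break out of the shell quoting. printf
  # replaces `echo -n` so a password beginning with "-" is not read as an
  # echo option. `sensitive true` keeps the resource out of Chef's logs.
  execute "Run ADCLI" do
    not_if { ::File.exist?("/etc/krb5.keytab") }
    environment(
      "ADCLI_JOIN_USER" => domain_creds[node['ad']['join_auth']['username_field']],
      "ADCLI_JOIN_PASSWORD" => domain_creds[node['ad']['join_auth']['password_field']]
    )
    command "printf '%s' \"$ADCLI_JOIN_PASSWORD\" | /usr/sbin/adcli join #{node['ad']['domain_name']} --domain-realm=#{node['ad']['domain_name'].upcase} -U \"$ADCLI_JOIN_USER\" --stdin-password"
    sensitive true
    notifies :restart, "service[sssd]", :immediately
  end

  template "/etc/krb5.conf" do
    source "krb5.conf.erb"
    mode 0444
    cookbook "mu-activedirectory"
    notifies :restart, "service[sssd]", :immediately
    variables(
      'domain_name' => node['ad']['domain_name'],
      :dcs => node['ad']['dc_ips']
    )
  end
else
  Chef::Log.info("Unsupported platform #{node['platform']}")
end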