AD Service account integration


Boobathi M

Mar 4, 2020, 5:44:52 AM
to go-cd
Hello,

Has anyone tried integrating a service account instead of the default ID "go", which is created by default?

Pranav Aggarwal

Mar 4, 2020, 11:20:09 PM
to go...@googlegroups.com
+ You may try integrating service account login to the instance, which runs as your GoCD server.
+ Then you may integrate access management to the GoCD console.

Doing this you may achieve what you could be looking for.

On Wed, Mar 4, 2020 at 9:44 PM Boobathi M <buvh...@gmail.com> wrote:
> Hello,
>
> Has anyone tried integrating a service account instead of the default ID "go", which is created by default?


Boobathi M

Mar 5, 2020, 5:23:20 AM
to go-cd
Hi Pranav,

I'm trying to replace the ID "go" with my AD account in the backend on the server. Tried changing ownership for all the data and config files as well.

Kindly suggest if it can be done. Is there a specific script or configuration which needs to be changed?

Andrew Smith

Mar 5, 2020, 7:06:10 AM
to go...@googlegroups.com
Hi Boobathi,

Is it the GoCD server itself or the agents that you are attempting to
run as a domain user?

If it helps, I've tried to silently install and configure my Windows
agents to run using a non-admin AD account. I've used this with
partial success:

```
# Powershell

# Install the agent
# * Don't start it yet
# * Don't install the agent in the default location in %ProgramFiles%
# * Always include the suffix "/go" on the serverurl. It will fail silently if you don't.
# (PowerShell needs the ".\" prefix to run an executable from the current directory)
& .\go-agent-19.10.0-10357-jre-64bit-setup.exe /S /START_AGENT=NO /SERVERURL="https://gocd.example.com/go" /D="C:\gocd\agent"

# Change the user that runs the service to "mydomain\gocd-agent"
# (sc.exe expects a space after "obj=" and "password="; replace "abcdefg" with the account's password)
& sc.exe config "Go Agent" obj= "mydomain\gocd-agent" password= "abcdefg"

# Attempt to grant the "mydomain\gocd-agent" user permission to "Login as a Service"
# I've used the "UserRights" module from here:
# https://gallery.technet.microsoft.com/Grant-Revoke-Query-user-26e259b0
# However this does appear to work correctly
Import-Module .\UserRights.psm1
Grant-UserRight -Account "mydomain\gocd-agent" -Right SeServiceLogonRight

# Now start the service
& sc.exe start "Go Agent"
```

I've not attempted to fix the problem with granting the user "Login as
a Service" rights. For now I'm doing that manually in Computer
Management -> Services. (I'd be grateful to know if anyone has a
solution to this step).

Once that is done the agents run correctly, without admin permissions
on their own VMs, and with access to the network resources that I've
assigned to that user.

I hope that is helpful.
Andy


Andy Smith
Head of Technical Development
MapAction
Mapping for people in crisis

For more information about the MapAction privacy policy see
mapaction.org/privacy
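
The message above leaves the "Log on as a service" grant as a manual step. One way to script it with the built-in `secedit.exe`, as an added example that is not part of the thread or of GoCD; the function name `Add-ServiceLogonRight` is hypothetical and the account name is the thread's placeholder:

```powershell
# Added example, not from the thread. Run from an elevated session.
function Add-ServiceLogonRight {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$Account)

    $right = 'SeServiceLogonRight'
    # Security templates list privilege holders by SID, written as "*S-1-5-...".
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $work = Join-Path $env:TEMP ("userrights-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    $cfg = Join-Path $work 'rights.inf'
    $db  = Join-Path $work 'rights.sdb'
    try {
        # Export only the user-rights area of the local security policy.
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed: $LASTEXITCODE" }

        $lines = [System.Collections.Generic.List[string]]@(Get-Content -Path $cfg)
        $index = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match "^$right\s*=") { $index = $i; break }
        }
        if ($index -ge 0) {
            # Keep every existing holder and append the new SID once.
            $holders = @(($lines[$index] -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($holders -contains "*$sid") { return 'AlreadyGranted' }
            $lines[$index] = "$right = " + (($holders + "*$sid") -join ',')
        } else {
            # Nobody holds the right yet: add the entry to its section.
            $section = $lines.IndexOf('[Privilege Rights]')
            if ($section -lt 0) { throw 'No [Privilege Rights] section in export' }
            $lines.Insert($section + 1, "$right = *$sid")
        }
        $lines | Set-Content -Path $cfg -Encoding Unicode

        # Apply only the user-rights area back to the local policy.
        & secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed: $LASTEXITCODE" }
        return 'Granted'
    } finally {
        Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Add-ServiceLogonRight -Account 'mydomain\gocd-agent'
```

If a domain Group Policy defines "Log on as a service" for the machine, it replaces this local setting at the next policy refresh, so in that case the account has to be added in the GPO instead.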

Boobathi M

Mar 5, 2020, 8:26:46 AM
to go-cd
Hi Andy,

We are using Linux machines which are part of the AD domain. Now I am trying to integrate an AD service account with the GoCD server, which means the install, go-server service start/stop and go-server upgrade should be done by the AD account. By default it creates a local user "go". I want to replace this local ID (go) with my AD account.

Hope you get my point.

Prabha

Mar 9, 2020, 7:55:35 AM
to go-cd
Hello,

I am also facing the same issue. Is there a possibility to run the go-server service using an AD-backed service account instead of the go user which was created during the application installation?

This is basically a security requirement to run the go-server daemon under an AD-backed account.

Thanks in advance.

cheers!
Prabha.

Aravind SV

Mar 9, 2020, 8:09:58 AM
to go...@googlegroups.com
Hello,

On Mon, Mar 09, 2020 at 04:55:35 -0700, Prabha wrote:
> I am also facing same issue. Is there a possibility to run go-server
> service using AD backed service account instead of *go* user which was
> created during the application installation.
>
> This is basically a security requirement to run go-server daemon under AD
> backed account.

You can always download the zip version of GoCD server rather than the RPM/DEB version and use it with whatever user is needed, of course.

Cheers,
Aravind

Prabha

Mar 9, 2020, 12:53:49 PM
to go-cd
Thanks Aravind, let me try this one.

cheers!
Prabha.

Boobathi M

Mar 10, 2020, 5:40:48 AM
to go-cd
Hi Aravind,

I could run go-server/go-agent as an AD-backed ID with the zip installer. I need help in converting the existing environment, which is installed with rpm.
