Joining a Linux server to the Active Directory domain.

fahad.r...@gmail.com

Oct 29, 2018, 4:56:03 PM10/29/18
to Ansible Project

I am working on a project and part of it includes joining the Linux server to the Active Directory domain.

I've tried every possible way to join the server to the AD but can't resolve it.
This is the playbook I try to run

---
- hosts: RHELTEST
  become: yes

  vars_files:
  - /home/ansiblecore/ansiblecore.yml

  tasks:
  - name: join system to ad
    command: realm join -U ansibleuser addomain.com
    responses:
      Password for ansibleuser: "{{ domain_password }}"

When I run the command on the command line, "realm join -U ansibleuser addomain.com",
it responds with "Password for ansibleuser:" and after I enter the password it joins the domain; however, I am trying to do the same with ansible-playbook.

When I execute the playbook this is the error I get:
[WARNING]: Ignoring invalid attribute: responses

fatal: [dc-rheltest2.addomain.com]: FAILED! => {"changed": true, "cmd": "realm join -U ansibleuser addomain.com", "delta": "0:00:00.192301", "end": "2018-10-29 15:47:16.704292", "msg": "non-zero return code", "rc": 1, "start": "2018-10-29 15:47:16.511991", "stderr": "See: journalctl REALMD_OPERATION=r106172.19338\nrealm: Couldn't join realm: Joining the domain addomain.com failed", "stderr_lines": ["See: journalctl REALMD_OPERATION=r106172.19338", "realm: Couldn't join realm: Joining the domain addomain.com failed"], "stdout": "Password for ansibleuser: ", "stdout_lines": ["Password for ansibleuser: "]}

If any of you are able to help me out on this matter, I'd highly appreciate it.

S C Rigler

Oct 29, 2018, 5:12:25 PM10/29/18
to ansible...@googlegroups.com
Hi Fahad,

You could probably get away with changing your task to do something like:

- name: join system to ad
  shell: echo "{{ domain_password }}" | realm join -U ansibleuser addomain.com

But it's generally bad practice to put passwords on the command line, since anyone logged onto the target machine could just do "ps" and see the password exposed.

Another option would be to create a keytab for "ansibleuser" then have the playbook kinit the service account using the keytab and do an unattended join.  But you'd have to make sure that everything is cleaned up (keytab and the associated ticket cache) after the join is complete.  

Neither of these are idempotent, however.  So every time you run the playbook it will just be trying to do the join again no matter the status of the machine.

-- Steve
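As an added example (not Steve's code and not from the Ansible project), here is a task layout that addresses both of his points: the password reaches realm on stdin through the command module's stdin argument instead of appearing in the command line that ps can show, no_log keeps it out of the Ansible output, and a realm list check makes the join idempotent. It assumes Ansible 2.4 or later (stdin on the command module) and that realm list --name-only prints the joined realm name, as realmd does.

```yaml
---
# Added example: idempotent, stdin-based domain join.
# Assumes Ansible >= 2.4 and realmd's "realm list --name-only" output.
- hosts: RHELTEST
  become: yes

  vars_files:
    - /home/ansiblecore/ansiblecore.yml

  tasks:
    - name: check whether the host is already joined to a realm
      command: realm list --name-only
      register: realm_list
      changed_when: false

    - name: join system to ad (password on stdin, not in argv)
      command: realm join -U ansibleuser addomain.com
      args:
        # realm reads the password from stdin when no tty is attached,
        # so nothing secret is visible in the process list
        stdin: "{{ domain_password }}"
      # keep the password out of the playbook output and logs
      no_log: true
      when: "'addomain.com' not in realm_list.stdout_lines"

    - name: confirm the join
      command: realm list --name-only
      register: realm_after
      changed_when: false
      failed_when: "'addomain.com' not in realm_after.stdout_lines"
```

With the shell/echo variant, the password is part of the `sh -c "echo ... | realm join ..."` argument string for as long as the join runs; with stdin it never appears in argv.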


Kai Stian Olstad

Oct 29, 2018, 5:36:00 PM10/29/18
to ansible...@googlegroups.com
On 29.10.2018 21:56, fahad.r...@gmail.com wrote:
> I've tried every possible way to join the server to the AD but can't
> resolve it.
> This is the playbook I try to run
>
> ---
> - hosts: RHELTEST
>   become: yes
>
>   vars_files:
>   - /home/ansiblecore/ansiblecore.yml
>
>   tasks:
>   - name: join system to ad
>     command: realm join -U ansibleuser addomain.com
>     responses:
>       Password for ansibleuser: "{{ domain_password }}"
>
> when I run the command on the command line "realm join -U ansibleuser
> addomain.com"
> it responds back with "Password for ansibleuser:" and after i enter the
> password it joins it to the domain however I am trying to do the same
> with
> ansible-playbook.
>
> When i execute the playbook this is the error i get:
> [WARNING]: Ignoring invalid attribute: responses

It looks like you are trying to use the expect module, but missing the
module name.
It should be written like this:

- name: join system to ad
  expect:
    command: realm join -U ansibleuser addomain.com
    responses:
      Password for ansibleuser: "{{ domain_password }}"

--
Kai Stian Olstad

fahad.r...@gmail.com

Oct 30, 2018, 9:42:54 AM10/30/18
to Ansible Project
Hey Steve, thank you so much, you're a life saver. The shell: echo "{{ domain_password }}" | realm join -U ansibleuser addomain.com seemed to work perfectly fine. Once again, thank you very much, Steve.

And Kai, I tried the expect module and it prompted me to install pexpect module 3.3, which is currently not recommended by Red Hat, and my company doesn't want to have pexpect 3.3, therefore I needed another way around.

Thank you once again

Best.
Fahad Riaz 