+44 20 3287 1023
support@nicktailor.com
My Git Repos

Category: Active Directory

| October 10, 2022

How to Join Windows Servers to your DC with Ansible
 This role will simply join a new windows server to the domain
 You simply need to define the passed parameters in defaults/main.yml indicated below
 This role will ask you for the domain admin password at runtime so you will need to know it. Don’t need to worry about vaulting the admin AD password in the code
 This role assume your windows host is already configured to use winrm

How to use this role:

1.You must first download the git repository into your roles directory usually ansible/role/

.

2.Now you want edit the hosts.client file name file or create it if it doesn’t exist under your “ansible/inventory/dev:staging:prod” directory. This is a good way to separate environments with ansible, inside each environment you should have a hosts.file like indicated below.

Example file: hosts.dev, hosts.staging, hosts.prod

c.Put your server under the appropriate group inside the file and save
i.Testmachine1.nicktailor.coml ansible_host=192.168.1.101

Note: If there is no group simply list the server outside grouping, the –limit flag will pick it

up.

3.Now inside this directory you should see hosts & host_vars, group_vars

Descriptions:

d.Hosts. – is where you will list your servers under specific groups which tell the playbook (what the server is, if it the server should have a specific task run on it, and how to find it)
e.Host_vars – Inside this directory is where you list the server by name which is you will list under hosts. Inside these files you pass variable parameters to the specific roles when running your playbook. Without these the playbook cant do the tasks you want it to.
f.Group_varsAre how a way to group variables for sets of servers and this keeps code cleaners and easier to manage.

Operational Use:

4.Move inside host_var
g.cd host_var
h.create a file called {{ servername }} and save it for us its testmachine1.nicktailor.com

.

5.Now inside this directory you should see hosts & host_vars, group_vars

Descriptions:

i.Hosts. – is where you will list your servers under specific groups which tell the playbook (what the server is, if it the server should have a specific task run on it, and how to find it)
j.Host_vars – Inside this directory is where you list the server by name which is you will list under hosts. Inside these files you pass variable parameters to the specific roles when running your playbook. Without these the playbook cant do the tasks you want it to.
k.Group_varsAre how a way to group variables for sets of servers and this keeps code cleaners and easier to manage.

Operational Use:

6.Move inside host_var
l.cd host_var
m.create a file called {{ servername }} and save it for us its testmachine1.nicktailor.com
n.add the following parameters to your inventory file and save.

passed parameters: example: roles/add-server-to-dc/default/main.yml

dns_domain_name: ad.nicktailor.com

computer_name: testmachine1

domain_ou_path: “OU=Admin,DC=nicktailor,DC=local”

domain_admin_user: adminuser@nicktailor.com

state: domain

.

Running your playbook:

1.You must run your play book from inside parent directory always “ansible
2.Now there is a playbook called joinservertodomain.yml in the ansible directory which simply calls the add-servers-to-dc role inside the roles directory.

Example: of ansible/joinservertodomain.yml

hosts: all

  gather_facts: no

  vars_prompt:

  – name: domain_pass

    prompt: Enter Admin Domain Password

  roles:

    – role: addservers-todc

.

Command:

ansible-playbook –i inventory/dev/hosts joinservertodomain.ymllimit=’testmachine1.nicktailor.com

 -i : This flag tells ansibe-playbook command which hosts file to use, these are always defined by environment like hosts.dev or hosts.staging
 -u : this is the ssh_user you will be connecting to the servers with
 -Kkb : this tells ansible that you will be using sudo su – for the ssh_user when running all role/tasks
 -ask-beocme : is saying become root
 -limit=’server’ : this allows you to segement which server you want to run the playbook against.

.

Successful example run of the book:

.

[alfred@ansible.nicktailor.com ~]$ ansible-playbook –i inventory/hosts joinservertodomain.yml –limit=’testmachine1.nicktailor.com

ansible-playbook 2.9.27

  config file = /etc/ansible/ansible.cfg

  configured module search path = [‘/home/alfred/.ansible/plugins/modules’, ‘/usr/share/ansible/plugins/modules’]

  ansible python module location = /usr/lib/python3.6/site-packages/ansible

  executable location = /usr/bin/ansible-playbook

  python version = 3.6.8 (default, Nov 10 2021, 06:50:23) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3.0.2)]

.

PLAYBOOK: joinservertodomain.yml *****************************************************************************************************************************************************

Positional arguments: joinservertodomain.yml

verbosity: 4

connection: smart

timeout: 10

become_method: sudo

tags: (‘all’,)

inventory: (‘/home/alfred/inventory/hosts’,)

subset: testmachine1.nicktailor.com

forks: 5

1 plays in joinservertodomain.yml

Enter Domain Password:

.

PLAY [all] ***********************************************************************************************************************************************************************

META: ran handlers

.

TASK [addservertodc : Join windows host to Domain Controller] ********************************************************************************************************************

task path: /home/alfred/roles/addservertodc/tasks/main.yml:1

Using module file /usr/lib/python3.6/site-packages/ansible/modules/windows/win_domain_membership.ps1

Pipelining is enabled.

<testmachine1.nicktailor.com> ESTABLISH WINRM CONNECTION FOR USER: ansibleuser on PORT 5986 TO testmachine1.nicktailor.com

EXEC (via pipeline wrapper)

changed: [testmachine1.nicktailor.com] => {

    “changed”: true,

    reboot_required: true

}

.

TASK [addservertodc : win_reboot] ************************************************************************************************************************************************

win_reboot: system successfully rebooted

changed: [testmachine1.nicktailor.com] => {

    “changed”: true,

    “elapsed”: 23,

    “rebooted”: true

}

META: ran handlers

META: ran handlers

.

PLAY RECAP ***********************************************************************************************************************************************************************

testmachine1.nicktailor.com       : ok=2    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

.

.

.

.

October 10, 2022 Active Directory, Ansible, windowsNo Comments »
| July 24, 2018

How to deploy ansibleconfigure powershell script on windows

Okay fun stuff, so I tried this a number of ways which I will describe in this blog post.

So if your windows server is joined to the domain and you have a machine that can reach all he virtual machines, WinRM is configured, and you have powershell 3.0 or higher setup.

Then you could try the following powershell for loop from SYSVOL share

1.You copy the ansibleconfigurescript.ps1 to SYSVOL on so all the joined machines can reach it or you can have it run locally from the joined machine.
2.Next you can use the following for loop in powershell that will basically loop through a text file with a list of all the hosts and run the powershell script

.

Sample powershell For Loop

 Hosts.csv – is servers name, 1 line each as such
 Nicktailor.server1.com,
 Nicktailor.server2.com,
 Etc
 The script will also ask for admin credentials which you will need.

.

powershell loop deploy – ask credentials

$serverfiles=import-CSV ‘d:\scripts\hosts.csv’

$cred = get-credential

Foreach ($server in $serverfiles) {

write-output $server.names

invoke-command -computername $server.names -filepath d:\scripts\ansibleconfigure.ps1 -credential $cred

}

.

3.Now you can open up powershell console as administrator save the above into a file and run it.
a../deployloop – Watch the output for error

Note: This method sucked and failed for me due to WinRM not being there and other restrictions like host having. The other was I’m not exactly powershell intermediate had to muddle around a lot.

 set-executionpolicy -ExecutionPolicy restricted
 set-executionpolicy -ExecutionPolicy unrestricted

.

4.So this brings us to how to deploying the script via GPO(group policy object) from the DC.

What you want to do here is copy the configure script to SYSVOL so all the joined machines can reach the script.

.

In the search bar type: (replace domain to match)

 Copy ansibleconfigure.ps1 inside here.
5.Next you will setup the GPO to deploy on startup as this is the only way the script will work, logon did not appear to work for me.
6.To do this, I decided to create a new Group Policy object (GPO) and link it to my nicktailor.com domain in my forest. In the Group Policy Management Editor, I right-click the domain, and then click Create a GPO in this domain. This is shown in the following image.
7.Image of start of process to create GPO
8.Right-clicking the newly created GPO in the Group Policy Management Console and clicking Edit opens the Group Policy Management Editor, which is shown in the following image. Because I am interested in tracking not only processes that start after the user logs onto the computer but also processes that start before the logon screen, I configure a logon script for the user. There are startup and shutdown scripts that can be configured in Group Policy that are assigned at the computer configuration level, but they would not be the best place to obtain the information I’m looking for. To set a user logon script, open the User Configuration node of the Group Policy Editor, click Windows Settings and then click Scripts (Logon/Logoff).
9.Image of Scripts (Logon/Logoff) window
10.I double-click Logon in the right side of the pane, and click the PowerShell Scripts tab as shown in the following image.

https://content.spiceworksstatic.com/service.community/p/post_images/0000225641/588b7c03/attached_image/Capture.JPG

.

11.Make sure you edit the script path so that it reads the SYSVOL path where its says

script name

Image result for GPO powershell edit path

12.Next when the servers reboot you should be able to check the windows application logs for id=1 to see if the script ran in the event viewer or use
b.gpresult /r (should show the objects applied)
July 24, 2018 Active Directory, Ansible, GPO, PowershellNo Comments »
| July 22, 2015

How to add Redhat Server 6.0 to Active Directory

.We will be using sssd/kerberos/ldap to join the server to a domain in Active directory for SSO(Single Sign On Authentication)

.

Note: After you have successfully deployed a server using kickstart or manually registered a redhat server to satellite, next we need to join the server to domain controller aka Active Directory

.

1.Login via ssh to the server via putty or similar ssh client.
2.Next we will need to install some packages, type the following below.

.

 yum install -y sssd krb5-workstation samba-common authconfig oddjob-mkhomedir
 If you do not have your server registered to satellite. You will need to manually setup the following files for this to work. I have at the bottom of this document provided example files of what they should contain. Which you will need to adjust to your specific environments.

.

· /etc/krb5.conf
· /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf
· /etc/pam.d/password-auth-ac
· /etc/pam.d/su
· /etc/pam.d/system-auth-ac
· /etc/samba/smb.conf
· /etc/sudoers

.

.

3.Now since the server is already registered to satellite. You can deploy the configuration files necessary to join the server to the domain from satellite server as follows.
1.Log into the red hat satellite server into the corresponding organization you wish to manage.
2.Click one systems top left corner
3.Next filter the server by name click go.
4.Click on the host name of the server
5.Now click on configuration
6.On the far right you should see “Deploy all managed config files” click that.
7.At the bottom right select “Schedule deploy”

.

4.Login via ssh to the server and pull down the configuration files by typing the following
8.rhn_check (this will pull down all the configuration files from satellite server)

.

5.Now you want to enabled authconfig so users home directories get created if they aren’t. Type the following at the ssh prompt.
9.Authconfig –emablemkhomedir –update

.

6.Now edit the file /etc/security/limits.conf and add the following line below.
 * – nofile 16384

.

7.Now you want to load configuration from samba by running “testparm”

..

.

The output will look like something this:

.

Load smb config files from /etc/samba/smb.conf

Loaded services file OK.

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

.

[global]

  workgroup = NICKSTG

  realm = NICKSTG.NICKTAILOR.COM

  security = ADS

  kerberos method = secrets and keytab

  log file = /var/log/

  client signing = Yes

  idmap config * : backend = tdb

.

8.Next you want to pull the admin credentials by running the following.
10.Kinit <DC Admin Username >
11.Net ads join k (this will add the server to the domain using above AD Credentials)

.

Note: If the nets join fails. It will be due to most likely three reasons.

 DNS not setup in Active directory for the host
 NTP server time is out more by more then 5 mins.
 Your dns is not pointed to active directory in /etc/resolv.conf

.

I ran into the NTP issue. Here is how you fix it.

 Yum install ntp
 Edit the etc/ntp.conf
 Add the following lines and save the file

.

 restrict default ignore
 restrict 127.0.0.1
 
 restrict ntp01.nicktailor.com mask 255.255.255.255 nomodify notrap noquery
 server ntp01.nicktailor.com iburst
 
 driftfile /var/lib/ntp/drift
 
 Now you want to manually update the NTP server by doing the following
 ntpdate -u 192.168.1.56(ntp01.nicktailor.com)
 and the rerun net ads join k

.

12.enable the following services to boot on reboot.
1.Chkconfig sssd on
2.Chkconfig oddjobd on
3.Chkconfig sshd
4.
13.Start the above services
5.service start sshd
6.service start oddjobd on
7.service start sssd

.

14.Lastly you will need file sharing installed
8.Yum install –y cifs-utils

.

15.Now you should be able reboot your server and login via active directory credentials via ssh.

.

.

If your server is not registered to satellite

.

You will need to have the following files configured as such

.

/etc/krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

default_realm = NICKSTG.NICKTAILOR.COM

dns_lookup_realm = false

dns_lookup_kdc = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

[realms]

NICKSTG.NICKTAILOR.COM = {

kdc = DC1.NICKTAILOR.COM

admin_server = DC1.NICKTAILOR.COM

}

[domain_realm]

.nickstg.nicktailor.com = = NICKSTG.NICKTAILOR.COM

nickstg.nicktailor.com = = NICKSTG.NICKTAILOR.COM

.

/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf

<?xml version=”1.0″?>

.

<!– This configuration file snippet controls the oddjob daemon. It

     provides access to mkhomedir functionality via a service named

“com.redhat.oddjob_mkhomedir”, which exposes a single object

(“/”).

The object allows the root user to call any of the standard D-Bus

     introspection interface’s methods (these are implemented by

     oddjobd itself), and also defines an interface named

     “com.redhat.oddjob_mkhomedir”, which provides two methods. –>

.

<oddjobconfig>

.

<service name=”com.redhat.oddjob_mkhomedir”>

.

<object name=”/”>

.

<interface name=”org.freedesktop.DBus.Introspectable”>

.

<allow min_uid=”0″ max_uid=”0″/>

        <!– <method name=”Introspect”/> –>

.

</interface>

.

<interface name=”com.redhat.oddjob_mkhomedir”>

.

<method name=”mkmyhomedir”>

<helper exec=”/usr/libexec/oddjob/mkhomedir -u 0077″

                  arguments=”0″

                  prepend_user_name=”yes”/>

          <!– no acl entries -> not allowed for anyone –>

</method>

.

<method name=”mkhomedirfor”>

<helper exec=”/usr/libexec/oddjob/mkhomedir -u 0077″

                  arguments=”1″/>

<allow user=”root”/>

</method>

.

</interface>

.

</object>

.

</service>

.

</oddjobconfig>
================================================================================

.

/etc/pam.d/password-auth-ac

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so

auth sufficient pam_unix.so nullok try_first_pass

auth requisite pam_succeed_if.so uid >= 500 quiet

auth sufficient pam_sss.so use_first_pass

auth required pam_deny.so

.

account required pam_unix.so

account sufficient pam_localuser.so

account sufficient pam_succeed_if.so uid < 500 quiet

account [default=bad success=ok user_unknown=ignore] pam_sss.so

account required pam_permit.so

.

password requisite pam_cracklib.so try_first_pass retry=3

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

password sufficient pam_sss.so use_authtok

password required pam_deny.so

.

session optional pam_keyinit.so revoke

session required pam_limits.so

session optional pam_oddjob_mkhomedir.so skel=/etc/skel

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session required pam_unix.so

session optional pam_sss.so

.

/etc/pam.d/su

#%PAM-1.0

auth sufficient pam_rootok.so

.

auth [success=2 default=ignore] pam_succeed_if.so use_uid user ingroup grp_technology_integration_servertech_all

auth [success=1 default=ignore] pam_succeed_if.so use_uid user ingroup wheel

auth required pam_deny.so

.

auth include system-auth

.

account sufficient pam_succeed_if.so uid = 0 use_uid quiet

account include system-auth

.

password include system-auth

.

session include system-auth

session optional pam_xauth.so

.

.

#This line is the last line

.

/etc/pam.d/system-auth-ac

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so

auth sufficient pam_fprintd.so

auth sufficient pam_unix.so nullok try_first_pass

auth requisite pam_succeed_if.so uid >= 500 quiet

auth sufficient pam_sss.so use_first_pass

auth required pam_deny.so

.

account required pam_unix.so

account sufficient pam_localuser.so

account sufficient pam_succeed_if.so uid < 500 quiet

account [default=bad success=ok user_unknown=ignore] pam_sss.so

account required pam_permit.so

.

password requisite pam_cracklib.so try_first_pass retry=3

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

password sufficient pam_sss.so use_authtok

password required pam_deny.so

.

session optional pam_keyinit.so revoke

session required pam_limits.so

session optional pam_oddjob_mkhomedir.so skel=/etc/skel

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session required pam_unix.so

session optional pam_sss.so

.

/etc/samba/smb.conf

[global]

workgroup = NICKSTG

client signing = yes

client use spnego = yes

kerberos method = secrets and keytab

realm = NICKSTG.NICKTAILOR.COM

.

security = ads

log file = /var/log/

.

/etc/sssd/sssd.conf

[sssd]

config_file_version = 2

reconnection_retries = 3

sbus_timeout = 30

services = nss, pam

domains = default, nickstg.nicktailor.com

.

[nss]

filter_groups = root

filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,games,gopher,ftp,nobody,vcsa,pcap,ntp,dbus,avahi,rpc,sshd,xfs,rpcuser,nfsnobody,haldaemon,avahi-autoipd,gdm,nscd,oracle, ,deploy,tomcat,jboss,apache,ejabberd,cds,distcache,squid,mailnull,smmsp,backup,bb,clam,obdba,postgres,named,mysql,quova, reconnection_retries = 3

.

[pam]

reconnection_retries = 3

.

[domain/nickstg.nicktailor.com]

id_provider = ad

access_provider = simple

cache_credentials = true

#ldap_search_base = OU=NICKSTG-Users,DC=NICKSTG,DC=nicktailor,DC=com

override_homedir = /home/%u

default_shell = /bin/bash

simple_allow_groups = ServerTech_All,Server_Systems_Integration

.

/etc/sudoers

## /etc/sudoers

## nicktailor sudoers configuration

.

## Include all configuration from /etc/sudoers.d

## Note: the single # is needed in the line below and is NOT a comment!

.

#includedir /etc/sudoers.d

##%NICKSTG\\domain\ users ALL = NOPASSWD: ALL

% ServerTech_All ALL = NOPASSWD: ALL

% Server_Systems_Integration ALL = NOPASSWD: ALL

.

July 22, 2015 Active Directory, Centos, LinuxNo Comments »
| July 13, 2015

How to join a OpenSuse Host to Active Directory
1.Login in as root
a.Open up a terminal
 Setup SSH Server
 Edit the file /etc/ssh/sshd_config
 Change PermitRootLogin to yes
 Change PasswordAuthentication to yes
 Save the file
 Start ssh server by typing : service sshd restart <enter>
 Enable ssh to start on reboots : chkconfig sshd on <enter>
 Login via ssh as root and ensure you can login.
b.Update /etc/resolv.conf with Domain controller ips for DNS to authenticate against the Domain controller
 Add the lines and save file.

nameserver 192.168.0.10

nameserver 192.168.0.11

.

2.Open the console window of the VM through vcenter and login as root.
c.Click on the green start button bottom left
d.Next click on the tab that says application right of favorites above the green Button
e.Next click on the System Arrow
f.Scroll down and click on Control Center

.

.

.

g.Next click on User and Group Management

.

.

.

h.Click on far right tab “Authentication Settings”

.

Note: Prior to running these steps you will need to ensure that you have administrator account for the domain controller and have properly setup the dns for the Desktop / Server in Active Directory

.

 Double Click on SSSD
 Click on ADD on the right
 Type in the Domain Name
 DC1.NICKTAILOR.COM
 Select ad for both drop down boxes

.

 Click on Finish

.

i.Next Double Click Samba
 Inside the Domain Or Workgroup type the Domain DC1.NICKTAILOR.COM
 Check the box Use SMB information for Linux Authentication
 Check the box Create Home Directory on Login
 Check the box Offline Authentication

.

j.Next Click on Expert Settings
 Under Allowed Groups
 Enter the Group Names or SID’s
 And hit Okay and then Okay again. (allow any packages that need to be downloaded and install)
 Upon Joining Domain it will ask you for Administrator Login Credentials for the Domain Controller which you will need

.

k.You should now be able to login using your AD credentials though ssh & console

.

 Dc1\username
 password

.

.

.

.

July 13, 2015 Active DirectoryNo Comments »
0