vRA7.1 - RHEL 6 blueprint - using software component to config kerberos and join AD (weird problem)

TimR26 — Wed, 01 Feb 2017 18:58:46 GMT

I have two blueprints:

1. RHEL6 blueprint with a script "living" on the guest OS that configs Kerberos and integrate with AD. Lets call it AD-Join. There is also a text file with the password to the service account we use for Kerberos authentication. The AD-Join script it is executed by a vRO workflow within the blueprint.

2. RHEL 6 blueprint with no scripts or text file "living" on the guest OS. I have a software component that runs AD-Join with secure string property for the service account password.

Blueprint #1 runs without issues and users can log into that server using AD credentials.

Blueprint #2 runs, but I get issues with the AD-Join script within the software component. I have a function in the AD-Join script for the specific task of joining AD (other functions within the script prep for AD join, plus other things.) which is where I've isolated the problem to. For context, here is the function:

The broken function:

echo $password | kinit $username
klist
host=`hostname`
host=$host\$
sleep 20s
net ads join -k
sleep 30s
kinit -k $host

This produces the following error message:

net ads join -k: Failed to join domain: failed to join domain <domain> over rpc: Access denied

kinit -k $host: kinit: Generic preauthentication failure while getting initial credentials

For troubleshooting I added klist so I can see the output. I was able to verify that the ticket was created and is valid.

If I log into the server and run these commands manually, everything works. I thought maybe the Kerberos ticket wasn't replicated across my DCs, so I increased the sleep commands to 5mins each just to be sure, and no difference.

*NOTE* Just to be clear, the broken function works perfectly, as written above, in blueprint #1 (where the AD-Join script "lives" on the host). This error only happens when running the AD-Join script in a software component.

After lots of research I was able to solve my issue:

This is the working function:

echo $password | kinit $username

klist

host=`hostname`

host=$host\$

sleep 20s

net ads join -k -U $username%$password

sleep 30s

kinit -k $host

This did not produce any errors.

I'm trying to understand why I need to specify the -U $username%$password when using a software component to run the script versus running the script within the guest OS.

Any suggestions?

Re: vRA7.1 - RHEL 6 blueprint - using software component to config kerberos and join AD (weird problem)

SteveCSchofield — Sat, 04 Feb 2017 12:48:06 GMT

Software components run as a named user called darwin. Assuming you installed the boot strap agent. Have you investigated that route? What errors do you see on the domain controller? what account do you run the script as when connecting via vRO? Interesting one for sure. Previous roles I've done MS and AD, not so much on the linux side (but am learning now)

topic Re: vRA7.1 - RHEL 6 blueprint - using software component to config kerberos and join AD (weird problem) in VMware Aria Automation Tools Discussions

vRA7.1 - RHEL 6 blueprint - using software component to config kerberos and join AD (weird problem)

Re: vRA7.1 - RHEL 6 blueprint - using software component to config kerberos and join AD (weird problem)