[Spacewalk-list] Unable to fully domain join server during bootstrap

Robert Paschedag robert.paschedag at web.de
Wed Mar 7 21:58:45 UTC 2018


On 7 March 2018 21:08:05 CET, "DiOrio, Max" <Max.DiOrio at ieeeglobalspec.com> wrote:
>Hi,
>
>I have a slightly convoluted setup.  We use OpenNebula to deploy VMs,
>which has a customization piece.  The customization file used to run:
>
>kinit svc_sc_user@DOMAIN -k -t /tmp/svc_sc_user.keytab
>realm join domain.com --os-name='RedHat Enterprise Linux' \
>    --os-version='7.4' \
>    --computer-ou=OU=Linux,OU=DevPortal,OU=Servers,OU=Devices
>Download and extract nsswitch.conf and sssd.conf to the appropriate
>directories
>Service sssd restart
>
>This has worked flawlessly for months.  Now we decided to implement
>Spacewalk for better control over patching and config file management.
>So I moved the domain join script over to a configuration channel, and
>now instead of running the join directly, OpenNebula customization
>pulls down and runs my Spacewalk bootstrap.
>
>I have my bootstrap script pulling down a managed configuration file
>which is a script to /usr/opt/bin/domainjoin  (root:root 755).  At the
>end of the bootstrap script, I run the script it downloaded.
>
>The script is quite simple.
>
>#!/bin/bash
>rhncfg-client get /tmp/svc_sc_user.keytab
>kinit svc_sc_user@DOMAIN -k -t /tmp/svc_sc_user.keytab
>realm join domain.com --os-name='RedHat Enterprise Linux' \
>    --os-version='7.4' \
>    --computer-ou=OU=Linux,OU=DevPortal,OU=Servers,OU=Devices
>rm /tmp/svc_sc_user.keytab
>rhncfg-client get /etc/sssd/sssd.conf
>rhncfg-client get /etc/nsswitch.conf
>service sssd restart
>
>When running the script manually logged in as root, everything works
>perfectly.
>
>When running through the OpenNebula customization and running
>bootstrap, it claims it joins the domain, but fails to create the
>/etc/krb5.keytab file, never actually joins the domain and sssd fails
>to start.
>
>I'm completely baffled by this.  How does the same essential script
>work fine from OpenNebula config, but not from the script downloaded
>via bootstrap?
>
>
>Max DiOrio
>Global Systems Administrator
>201 Fuller Road, Suite 202
>Albany, NY 12203-3621
>Phone: +518-238-6516 | Mobile: +518-944-5289
>max.diorio at ieeeglobalspec.com

This sounds as if the script is not executed as root.

Also, maybe SELinux might be a problem, as the configuration jobs are called by "rhnsd" (or osad?) and there might be a "profile" for it?

Maybe you could test deployment with SELinux set to disabled once?

Robert

-- 
sent from my mobile device
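
The two possibilities raised in the reply above (the script not running as root, and SELinux confining the process that launches it) can be checked by logging the execution context and summarizing AVC denials. This is an added example, not part of the original thread; the audit lines are constructed, and the rhnsd_t source domain in them is an assumption for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. All log lines below are constructed.

# Print who the current process runs as and its SELinux state. Called at the
# top of a bootstrap-launched script, it shows whether the script runs as
# root and in which SELinux domain, for comparison with an interactive run.
run_context() {
    ctx=$(id -Z 2>/dev/null) || ctx="n/a"
    mode=$(getenforce 2>/dev/null) || mode="n/a"
    printf 'euid=%s selinux_mode=%s context=%s\n' "$(id -u)" "$mode" "$ctx"
}

# Read audit log lines on stdin; print one line per distinct AVC denial as
# "<source domain> <comm> <permissions> <class> <target type>".
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ {
        comm = perms = src = tgt = cls = "?"
        if (match($0, /[{] [^}]* [}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " comm " " perms " " cls " " tgt
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample input (hypothetical denials, not taken from the thread).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1520459925.101:310): avc:  denied  { add_name } for  pid=2211 comm="adcli" name="krb5.keytab" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1520459925.101:310): arch=c000003e syscall=2 success=no exit=-13 comm="adcli"
type=AVC msg=audit(1520459926.440:311): avc:  denied  { add_name } for  pid=2211 comm="adcli" name="krb5.keytab" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1520459930.007:315): avc:  denied  { read write } for  pid=2290 comm="adcli" name="krb5.keytab" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
EOF
}

# On a real host: ausearch -m avc -ts recent | summarize_avc
sample_audit_log | summarize_avc
```

If the summary lists denials for the domain join tools only when the script is launched by the bootstrap, the difference is the SELinux domain of the caller rather than the script itself.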



