Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status

RSS

ad-join (25) Versions 5.1.2

Joins windows computers to Active Directory (LDAP) Domain

Policyfile
Berkshelf
Knife
cookbook 'ad-join', '~> 5.1.2', :supermarket
cookbook 'ad-join', '~> 5.1.2'
knife supermarket install ad-join
knife supermarket download ad-join
README
Dependencies
Changelog
Quality 33%

ad-join Cookbook

Library cookbook that will join an Active Directory domain

Tested OS's

  • Windows 2012R2
  • Ubuntu 14.04 (experimental)
  • Ubuntu 16.04 (experimental)

Usage

This cookbook is a library cookbook and is intended to be used by your own wrapper cookbook. See the [test/cookbooks directory](./test/cookbooks) for examples.
While the examples show running separate cookbooks for windows and linux, this isn't required. It is possible for one wrapper cookbook to manage both windows and linux hosts.

Actions

  • join
  • leave

It contains a custom resource named domain_join with the following properties

  • domain
  • domain_user
  • domain_password
  • ou
  • server (optional)
  • update_hostname (optional, windows only, Set to false if you want the domain name/hostname to be different from the chef node name. (see #5).)
  • double_reboot (optional, windows only, Will continue to reboot windows until joined to domain and breadcrumb c:\\Windows\\chef-ad-join.txt exists. Useful since timezone doesn't always sync after first reboot. )
  • visual_warning true (optional, windows only, display a login warning to anyone who connects via RDP to the machine before chef has finished the reboots and the converge. This will override any group policy your company might have in place for displaying custom login messages.)
  • hide_sensitive (optional, linux only, hide password used in realmd command, set to false for debugging)

example:

domain_join 'foobar' do
  domain          'example.com'
  domain_user     'binduser'
  domain_password 'correct-horse-battery-staple'
  ou              'OU=US,OU=West,OU=Web,DC=example,DC=com'
  server          'DC01'
  update_hostname true
  double_reboot true
  visual_warning true
  hide_sensitive true
  action :join
end

visual_warning

The ou must be formatted with OU= before each organizational unit and DC= before each domain component. see [test/cookbooks directory](./test/cookbooks) for an example of how to derive the OU from attributes.

Behind the scenes

If you bootstrapped the node with the name option; e.g.

knife bootstrap -N us-web01

Then that is the name that will be used to join the domain (not the hostname since windows randomly generates it on first boot)

The name cannot include control characters, leading or trailing spaces, or any of the following characters: / \ [ ].

Windows

In most cases, Windows hostnames must be 15 characters or less.

The cookbook creates a windows scheduled task that runs chef as soon as the VM is started. The scheduled task is deleted after all the reboots.

The cookbook will restart windows twice since some group policy objects (like the time zone) are not applied on first boot. You can change this behavior by changing the following attribute to false.

default['ad-join']['windows']['double_reboot'] = true  

This cookbook basically runs this powershell command, then reboots

$adminname = "EXAMPLE.COM\\bob"
$password = 'correct-horse-battery-staple' | ConvertTo-SecureString -asPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($adminname,$password)
Add-computer -DomainName  -OUPath  -Server "'} -Credential $credential -force -Options JoinWithNewName,AccountCreate -PassThru

Ubuntu

ad-join can join ubuntu machines to active directory. (experimental. Bug reports / pull requests encouraged)
It does not reboot or manage any of the additional files that might be required for a complete ad join

domain_join 'foobar' do
  domain          'EXAMPLE.COM'
  domain_user     'binduser'
  domain_password 'correct-horse-battery-staple'
  ou              'OU=US,OU=West,OU=Web,DC=example,DC=com'
  server          'DC01'
  hide_sensitive true
  action :join
end

Common pitfalls

  • Hostnames longer than 15 characters will be truncated
  • NetBios names are not supported (Windows 2000 domain controllers )
  • Domain is cAsE SenSITive. In most cases this needs to be all UPPERCASE.
  • Debugging can be difficult, temporarily set 'hide_sensitive' false to get additional information. domain_password will be shown in plain text.

The ad-join cookbook is as unopinionated as possible. It will not configure sudoers file, /etc/pam.d or /etc/krb5.conf. Use the sudoers cookbook in your wrapper cookbook to manage those services. See [test/cookbooks/ad-join-linux directory](./test/cookbooks/ad-join-linux) for examples on how to manage those files

This cookbook basically runs this bash command

echo "correct-horse-battery-staple" | sudo realm join --verbose EXAMPLE.COM --user bob@EXAMPLE.COM --computer-ou OU=foobar --install=/

Troubleshooting

Ubuntu

realm: No such realm found

Realm is case sensitive. Try EXAMPLE.COM instead of example.com

realm: Not authorized to perform this action

Not all packages installed successfully. Verify adcli and packagekit are installed. Please open github issue if you find missing packages.

! Couldn't get kerberos ticket for: foo@example.com: KDC reply did not match expectations
adcli: couldn't connect to example.com domain: Couldn't get kerberos ticket for: foo@example.com: KDC reply did not match expectations

The domain is case sensitive. Try changing example.com to EXAMPLE.COM

DNS update failed: NT_STATUS_INVALID_PARAMETER

Make sure a fqdn is setup hostname -f

https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members

License and Authors

Authors:

Volodymyr Babchynskyy vbabch@softserveinc.com

Spencer Owen sowen@netdocuments.com

Dependent cookbooks

windows >= 1.36.0

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

5.1.2

Fix issue where chef 14 could complain about lack of new_resource definitions (#39)

5.1.1

Fix double_reboot error on chef 14 (#37)

5.1.0

Change schedule task modify to make more chef 13 friendly

5.0.4

Fix typo in metadata

5.0.3

Work around bug with chef 13
https://github.com/chef/chef/issues/6824#issuecomment-367141438


Fix leave action on chef 13 (#31)

5.0.1

Fix scheduled task not running on windows

5.0.0

Adds Ubuntu support

Fix Chef 13. Requires 13.4.19 or greater (or >=12.7) (#12, #20, #23)

4.12.1

Throws error if running on chef 11 or chef 13
Temporary fix until this issue is fixed https://github.com/NetDocuments/ad-join-cookbook/issues/23

4.12.0

Fixes issue #19
Fixes deprecation warning for chef 13

4.11.1

Fix berkshelf supermarket url

4.11.0

Abort if hostname is longer than 15 characters on windows

4.10.0

Adds domain leave functionality (#16 metalseargolid)

4.9.0

Fix: Scheduled task wont run if time zone changes on reboot (#13)

4.8.0

Fix: No longer gives deprecation warnings if 'server' is nil. (#9)

4.7.0

Improvement: Adds name to scheduled task, removing need for workaround http://bit.ly/1WDZ1kn
Change: Changes c:\windows\chef-ad-join.txt to windows friendly path c:/windows/chef-ad-join.txt

4.6.1

Fix: Warning registry key not cleaned up

4.6.0

Add: 'server' parameter to allow for specifying a specific domain controller
Fix: Warning message wouldn't be displayed (#4)

4.5.0

Fix: Passwords with special characters now work properly (#7 Thanks opsline-radek)
Fix: OU Parameter is now truly optional (#6 Thanks opsline-radek)

4.4.0

Adds new attribute default['ad-join']['windows']['update_hostname']

4.3.0

Adds warning attribute

4.2.0

Fixes incorrect CWD in sched task (issue #3)
Fixes incorrect ohai fact "node['os']"

4.1.0

Fixes powershell error when vm name is same as bootstrap name. issue #2

4.0.2

Updates metadata for supermarket

4.0.1

Fixes attribute name for double reboot

4.0.0

Created new git repo for public release on github

3.0.2

Create breadcrumb only if missing

3.0.1

Fixes OU not having quotes

3.0.0

Complete rewrite to make it a library cookbook

2.0.2

More verbose logging in scheduled task

2.0.1

Reduces timeout to 30 seconds

1.0.0

general cleanup, removed private domain name and so on, prepared for public release

0.9.0

removed private usernames and passwords

0.8.1

rubocop convention alerts accepted

0.8.0

changed databag name

0.6.1

rubocop check for line length now is 120 symbols

0.6.0

rubocop and foodcritic inspections added

0.5.1

icon added

0.5.0

tests added

0.4.0

Added possibility to run it on teamcity CI

0.3.0

Fixed, directory server is unavailable issue, code commented for future use

0.2.0

Passwords moved into databag

0.1.1

added ohai reload for new fqdn resolution in chef

0.1.0

Initial release of ad-join

Collaborator Number Metric
            

5.1.2 failed this metric

Failure: Cookbook has 1 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric
            

5.1.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric
            

5.1.2 passed this metric

No Binaries Metric
            

5.1.2 passed this metric

Testing File Metric
            

5.1.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric
            

5.1.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number