
TL;DR How do I reference an AD group for folder permissions before my computer has joined the domain?

I'm setting up an Ubuntu system to interface with the org's Active Directory. I've read that private groups on the Linux machine are not the best idea and that I should use AD groups.

How do I reference AD groups when my machine hasn't joined the domain yet? Right now, I use Ansible to set everything up, but I still have to do the following steps for it to become part of the domain.

sudo kinit Administrator
sudo net ads join -k
sudo systemctl start sssd.service

I was thinking of just creating a private group devops, and hoping that since the names were the same between Linux and AD it would automatically link up. That seems too easy, so I thought I'd ask.

Black Dynamite
  • Why don't you implement the AD joining with Ansible as well? – Henrik Pingel May 12 '20 at 14:58
  • @HenrikPingel Because I have to manually interact with the system and enter the Administrator password into the shell prompt, i.e. I don't really know how to automate it – Black Dynamite May 12 '20 at 16:08
  • Ok .. I understand. However it should be possible to script that also. Check [this role](https://github.com/riponbanik/ansible-role-domain-join/blob/master/tasks/main.yaml). You basically need to use `expect` `command` `responses` `Password`. – Henrik Pingel May 12 '20 at 17:08
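The three manual steps in the question (kinit, net ads join -k, start sssd) can be driven from Ansible with the `expect` module that Henrik's comment points at. The playbook below is an added example, not the question's own playbook or the linked Galaxy role; it assumes the target already has Samba, Kerberos, sssd and python3-pexpect installed, that the Kerberos prompt matches MIT's default "Password for ...:" text, and that sssd is configured so the plain group name devops resolves to the AD group (if sssd uses fully qualified names, the group would be devops@EXAMPLE.COM instead). The path /srv/devops and the variable names are placeholders.

```yaml
# Added example: automate the AD join and then reference an AD group for a folder.
# Run with the password kept out of shell history, e.g. vault or vars_prompt, rather
# than a plain --extra-vars on the command line.
- name: Join Ubuntu host to Active Directory and permission a shared folder
  hosts: all
  become: true
  vars:
    ad_admin_user: "Administrator"     # placeholder; override from vault or --extra-vars
    ad_admin_password: ""              # placeholder; supply from vault or vars_prompt
    shared_dir: "/srv/devops"          # placeholder path
    shared_group: "devops"             # AD group name as sssd presents it after the join
  tasks:
    - name: Check whether the host is already joined (net ads testjoin exits 0 when joined)
      ansible.builtin.command: net ads testjoin
      register: testjoin
      changed_when: false
      failed_when: false

    - name: Obtain a Kerberos ticket for the join account (answers the kinit prompt)
      ansible.builtin.expect:
        command: "kinit {{ ad_admin_user }}"
        responses:
          'Password for .*:': "{{ ad_admin_password }}"
      no_log: true                     # keep the password out of the Ansible log
      when: testjoin.rc != 0

    - name: Join the domain using the Kerberos ticket
      ansible.builtin.command: net ads join -k
      when: testjoin.rc != 0

    - name: Ensure sssd is running so AD users and groups resolve via NSS
      ansible.builtin.systemd:
        name: sssd
        state: started
        enabled: true

    - name: Wait until the AD group is visible through NSS before using it
      ansible.builtin.command: "getent group {{ shared_group }}"
      register: group_lookup
      retries: 10
      delay: 3
      until: group_lookup.rc == 0
      changed_when: false

    - name: Create the shared folder owned by the AD group (no local group is created)
      ansible.builtin.file:
        path: "{{ shared_dir }}"
        state: directory
        owner: root
        group: "{{ shared_group }}"
        mode: "02770"                  # setgid so new files inherit the AD group
```

Ordering is the point: the `file` task can only resolve the AD group once the join has happened and sssd is serving NSS lookups, which is why the playbook joins first, waits for `getent group` to succeed, and only then sets the group on the folder. No local devops group is ever created, so there is nothing to collide with the directory's group of the same name.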

1 Answer


Joining AD can be automated. For Ansible, this means searching for Galaxy roles that already do this, for inspiration or to use with minimal modification.

Adding the same-named user or group to the directory and to local files does not sync them; do not do it. Doing so invites confusion and host-specific problems, such as different results depending on the order in /etc/nsswitch.conf. A source of truth exists in the directory; use that.

John Mahowald
  • I was able to search Ansible Galaxy for where the domain join is automated. Then, I was able to use the "--extra-vars" command-line switch to get my user/pass into the system that way. I'm concerned that I didn't think of this before. – Black Dynamite May 13 '20 at 19:08