[Authentication] adcli: Support precreate with additional options

Philipp Wagner lists at philipp-wagner.com
Mon Apr 25 12:00:00 UTC 2016 

Hi,

We're currently using msktutil to pre-create computer accounts in an AD,
and I'm trying to move to adcli (as msktutil lacks delete and reset
options, and I'd like to stay with one tool). The ultimate goal is to
enable Foreman to create computer accounts in AD.

So I had a look at the status of adcli in this regard and found some
issues which might require adcli changes.

Let's start with a quick description of the specialties in our setup:

- We have computers in a different domain than the directory domain. In
particular, the directory domain is ads.mwn.de, the computers are in
(e.g.) lis.ei.tum.de.

- The NetBIOS (aka pre-Windows 2000, also the CN in the LDAP tree) is
different than the hostname.
Usually, we have TUEILIS-hostname as NetBIOS-Name, and
hostname.lis.ei.tum.de as FQDN. The "TUEILIS-" prefix is required by our
local AD policy.

- We require the userPrincipalName (UPN) to be set to to host/FQDN at REALM
for kerberized NFSv4 (with a NetApp filer)


msktutil allows us to override all attributes in a way to fulfill this
setup:

msktutil \
  --precreate
  --realm ADS.MWN.DE
  --hostname test.lis.ei.tum.de
  --upn host/test.lis.ei.tum.de
  --service host
  --computer-name TUEILIS-test
  --base OU=Computes,...


When trying to replicate the same with adcli, I'm missing the following
functionality:

- Set the NetBIOS Computer Name independent of the hostname/FQDN

- By using `adcli preset-computer --user-principal` the UPN is set to
"host/HOSTNAME at ADS.MWN.DE". I need the FQDN the instead of HOSTNAME
here, and b) the actual hostname, not the NetBIOS-name (see above).



I had a look at the adcli source code, and before I get started with a
patch I have two questions:

- I think the easiest solution would be to add additional arguments to
precreate-computer to allow some attributes to be special-cased to
support environments like ours. Or do you have other ideas/plans?

- preset-computer currently accepts as (only?) command line option
multiple hosts to be created at the same time. That makes the addition
of settings like --computername impossible, as they work only on one
host. What option do you prefer?
  a) change preset-computer to support only one host, and then add the
new options
  b) create a new command preset-single-computer (or similar) and add
the options there to avoid breaking existing tooling?


Philipp

More information about the Authentication mailing list