[Authentication] adcli: Support precreate with additional options

Tue Apr 26 09:18:20 UTC 2016

On 25.04.2016 14:00, Philipp Wagner wrote:
> Hi,
> 
> We're currently using msktutil to pre-create computer accounts in an AD,
> and I'm trying to move to adcli (as msktutil lacks delete and reset
> options, and I'd like to stay with one tool). The ultimate goal is to
> enable Foreman to create computer accounts in AD.
> 
> So I had a look at the status of adcli in this regard and found some
> issues which might require adcli changes.
>
> Let's start with a quick description of the specialties in our setup:
>
> - We have computers in a different domain than the directory domain. In
> particular, the directory domain is ads.mwn.de, the computers are in
> (e.g.) lis.ei.tum.de.

Perhaps --domain-ou together with --domain-controller could work? You
can specify a specific controller to connect to and a full LDAP parent
DN to place the computer account in.

> - The NetBIOS (aka pre-Windows 2000, also the CN in the LDAP tree) is
> different than the hostname.
> Usually, we have TUEILIS-hostname as NetBIOS-Name, and
> hostname.lis.ei.tum.de as FQDN. The "TUEILIS-" prefix is required by our
> local AD policy.
>
> - We require the userPrincipalName (UPN) to be set to to host/FQDN at REALM
> for kerberized NFSv4 (with a NetApp filer)

--user-principal

> 
> 
> msktutil allows us to override all attributes in a way to fulfill this
> setup:
> 
> msktutil \
>   --precreate
>   --realm ADS.MWN.DE
>   --hostname test.lis.ei.tum.de
>   --upn host/test.lis.ei.tum.de
>   --service host
>   --computer-name TUEILIS-test
>   --base OU=Computes,...
> 
> 
> When trying to replicate the same with adcli, I'm missing the following
> functionality:
> 
> - Set the NetBIOS Computer Name independent of the hostname/FQDN
> 
> - By using `adcli preset-computer --user-principal` the UPN is set to
> "host/HOSTNAME at ADS.MWN.DE". I need the FQDN the instead of HOSTNAME
> here, and b) the actual hostname, not the NetBIOS-name (see above).
> 
> 
> 
> I had a look at the adcli source code, and before I get started with a
> patch I have two questions:
> 
> - I think the easiest solution would be to add additional arguments to
> precreate-computer to allow some attributes to be special-cased to
> support environments like ours. Or do you have other ideas/plans?

That sounds good.

> - preset-computer currently accepts as (only?) command line option
> multiple hosts to be created at the same time. That makes the addition
> of settings like --computername impossible, as they work only on one
> host. What option do you prefer?
>   a) change preset-computer to support only one host, and then add the
> new options
>   b) create a new command preset-single-computer (or similar) and add
> the options there to avoid breaking existing tooling?

Hmmm, good point.

How about adding the options and having them produce a failure (in
adcli/tools/computer.c) when more than one computer account is specified?

Stef