On 10 Aug 2017, at 19:09, Joakim Tjernlund <Joakim.Tjernlund(a)infinera.com> wrote:
On Thu, 2017-08-10 at 11:12 -0500, Robert Giles wrote:
> I'll throw this out there (there's no doubt a myriad of other, likely more
> reliable ways to do this).
>
> In Puppet, I'm executing a 'join domain' script unless this condition is
> true:
>
> ...
> unless => "/usr/bin/klist -k ${::sssd::keytab} | /bin/grep -q 'host/${::fqdn}@${::sssd::realm_upcase}'"
> ...
>
> Check the global keytab file, say /etc/krb5.keytab, to see if
> "host/yourhost.contoso.com@CONTOSO.COM" exists. This could depend on how
> you're joining the domain; "YOURHOST$@CONTOSO.COM" might also be used.

I always figured kvno was the tool for that:
# kvno 'YOURHOST$@CONTOSO.COM'
Either you get an error or it prints the full line including the KVNO number.
Is that correct?

Right, if you don’t mind that this requires network connectivity. On the other hand, this
method really tests the client authentication so it’s quite precise.
My ansible playbooks that set up my test VMs just test for the presence of
/etc/krb5.keytab :-) it really depends on your use-case though.

Jocke
>
> Robert
>
>
> On August 10th, 2017, at 10:32, Eugene Vilensky wrote:
>> Hello,
>>
>> Apologies for the naivete of this question. How can I test if a machine
>> already has a successful relationship with active directory?
>>
>> context: I want to set an ansible fact if it is in fact joined and if not execute
>> adcli to join.
>>
>> Thank you!
>> -Eugene
>>
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
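
The checks discussed in this thread, combined into one two-stage test. This is an added example, not code from any poster or from the SSSD project; it assumes the MIT Kerberos `klist` and `kinit` tools, the function names are hypothetical, and the sample `klist -k` output is constructed. The online stage authenticates with `kinit -k` from the keytab, which is this example's choice rather than the `kvno` call quoted above.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (not taken from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/yourhost.contoso.com@CONTOSO.COM
   2 YOURHOST$@CONTOSO.COM'

# Upper-cased short host name plus "$": yourhost.contoso.com -> YOURHOST$
machine_account() {
    printf '%s$' "$(printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]')"
}

# Offline stage. Usage: klist -k KEYTAB | keytab_has_host_principal FQDN REALM
# Succeeds if the listing contains host/FQDN@REALM or SHORTNAME$@REALM.
# The principal field is compared exactly, so a longer principal that merely
# contains the name (which a plain grep would accept) does not match.
keytab_has_host_principal() {
    awk -v a="host/$1@$2" -v b="$(machine_account "$1")@$2" '
        $2 == a || $2 == b { found = 1 }
        END { exit !found }'
}

# Usage: join_state KEYTAB FQDN REALM
# Prints one of: joined | keytab-only | not-joined
join_state() {
    [ -r "$1" ] || { echo not-joined; return 0; }
    klist -k "$1" 2>/dev/null | keytab_has_host_principal "$2" "$3" ||
        { echo not-joined; return 0; }
    # Online stage (needs a reachable KDC): authenticate as the machine
    # account into a throwaway cache so no existing credential cache changes.
    cc=$(mktemp) || return 1
    if kinit -k -t "$1" -c "FILE:$cc" "$(machine_account "$2")@$3" >/dev/null 2>&1
    then echo joined
    else echo keytab-only   # stale keytab, removed account, or KDC unreachable
    fi
    rm -f "$cc"
}
```

A `keytab-only` result separates "a keytab exists" from "the machine account can still authenticate", which is the distinction the replies above draw between the offline and online checks.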