wbens (ASKER) asked:
I need help with an Ansible role to join Linux servers to a Windows Domain in AWS.

Hello Experts:
 
I am writing an Ansible role that connects Linux servers to a Windows Domain in AWS.  However, I am getting nowhere.  The requirement is to use the System Security Services Daemon (SSSD) and realm.  
 
This is my Ansible code in tasks/main.yml (this is the only place where I have code):


---
---
# tasks file for Join_Linux_to_AD
#
- name: Install Required Packages
  yum:
    name:
      - realmd
      - sssd
      - oddjob
      - oddjob-mkhomedir
      - adcli
      - krb5-workstation
      - samba-common-tools
    state: latest

- name: Join Linux Server to AD
  shell: |
    echo "myP@ssword" | realm join -v -U Administrator WILLIE.COM
    realm list
  register: realm_results

- name: See the Results from Joining
  debug:
    msg: "{{ realm_results }}"



I have the IP (172.31.82.130) of the Windows Domain in /etc/resolv.conf of the Linux server:


# Generated by NetworkManager
search ec2.internal
nameserver 172.31.82.130
nameserver 172.31.0.2




These are the results of my Ansible role as written above:


PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [172.31.90.156]

TASK [Join_Linux_to_AD : Install Required Packages] ****************************
ok: [172.31.90.156]

TASK [Join_Linux_to_AD : Join to AD if Server is REHL8.4] **********************
changed: [172.31.90.156]

TASK [Join_Linux_to_AD : See the Results from Joining] *************************
ok: [172.31.90.156] => {
    "msg": {
        "changed": true,
        "cmd": "echo \"thinkpad@102\" | realm join -v -U Administrator WILLIE.COM\nrealm list\n",
        "delta": "0:02:14.885949",
        "end": "2021-12-16 16:09:07.422984",
        "failed": false,
        "rc": 0,
        "start": "2021-12-16 16:06:52.537035",
        "stderr": " * Resolving: _ldap._tcp.willie.com\n * Resolving: willie.com\n * Performing LDAP DSE lookup on: 198.58.118.167\n * Performing LDAP DSE lookup on: 173.255.194.134\n * Performing LDAP DSE lookup on: 96.126.123.244\n ! Can't contact LDAP server\n * Performing LDAP DSE lookup on: 72.14.185.43\n ! Can't contact LDAP server\n * Performing LDAP DSE lookup on: 72.14.178.174\n ! Can't contact LDAP server\n * Performing LDAP DSE lookup on: 45.79.19.196\n ! Discovery timed out after 15 seconds\nrealm: No such realm found\nPlease check\n    https://red.ht/support_rhel_ad \nto get help for common issues.",
        "stderr_lines": [
            " * Resolving: _ldap._tcp.willie.com",
            " * Resolving: willie.com",
            " * Performing LDAP DSE lookup on: 198.58.118.167",
            " * Performing LDAP DSE lookup on: 173.255.194.134",
            " * Performing LDAP DSE lookup on: 96.126.123.244",
            " ! Can't contact LDAP server",
            " * Performing LDAP DSE lookup on: 72.14.185.43",
            " ! Can't contact LDAP server",
            " * Performing LDAP DSE lookup on: 72.14.178.174",
            " ! Can't contact LDAP server",
            " * Performing LDAP DSE lookup on: 45.79.19.196",
            " ! Discovery timed out after 15 seconds",
            "realm: No such realm found",
            "Please check",
            "    https://red.ht/support_rhel_ad ",
            "to get help for common issues."
        ],
        "stdout": "",
        "stdout_lines": []
    }
}

PLAY RECAP *********************************************************************
172.31.90.156              : ok=4    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0



None of these IPs:

198.58.118.167
173.255.194.134
96.126.123.244
72.14.185.43
72.14.178.174
45.79.19.196

are known to me. I do not know where they are coming from and/or why.


This is a picture of what my Windows Domain Controller looks like (this is a test controller in AWS):


User generated image


This environment is in AWS. 

Thanks!




ASKER CERTIFIED SOLUTION
arnold
wbens (ASKER)

Hello arnold:

It seems it does not find it:

[root@ip-172-31-90-156 ~]# nslookup -q=SRV _ldap._tcp.DC._msdcs.willie.com
Server:         172.31.0.2
Address:        172.31.0.2#53


Non-authoritative answer:
*** Can't find _ldap._tcp.DC._msdcs.willie.com: No answer


Authoritative answers can be found from:
_ldap._tcp.DC._msdcs.willie.com
        origin = ns1.mytrafficmanagement.com
        mail addr = admin.mytrafficmanagement.com
        serial = 2013020401
        refresh = 10800
        retry = 3600
        expire = 604800
        minimum = 3600


[root@ip-172-31-90-156 ~]#



Thanks!
wbens (ASKER)

This is what I have in DNS (on the controller):

User generated image



and

User generated image

wbens (ASKER)

Now, I am getting a different response.

[root@ip-172-31-90-156 ~]# nslookup -q=SRV _ldap._tcp.DC._msdcs.willie.com
Server:         172.31.82.130
Address:        172.31.82.130#53


_ldap._tcp.DC._msdcs.willie.com service = 0 100 389 ec2amaz-tm1bpvd.willie.com.


[root@ip-172-31-90-156 ~]#



It seems that my Linux server finds the Windows Domain Controller.

SOLUTION
wbens (ASKER)

Hello arnold:

It is working now.

I just needed to make sure to have the Windows Domain Controller IP in /etc/resolv.conf and in its network interface file /etc/sysconfig/network-scripts/ifcfg-*.

As I was googling the response to your command above, that search led me to this.

[root@ip-172-31-90-156 network-scripts]# more ifcfg-ens3
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=ens3
UUID=02cc87e6-dc7c-4c9e-a530-f908611c7f5e
DEVICE=ens3
ONBOOT=yes
DNS1=172.31.82.130
PEERDNS=yes
[root@ip-172-31-90-156 network-scripts]#



and

[root@ip-172-31-90-156 network-scripts]# cat /etc/resolv.conf
# Generated by NetworkManager
search ec2.internal
nameserver 172.31.82.130
nameserver 172.31.0.2
[root@ip-172-31-90-156 network-scripts]#


Note: NetworkManager automatically adds DNS records, so make sure it is not importing the 172.31.0.2 from the DHCP server from which it gets the IP:
BOOTPROTO=dhcp
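
Added example, not code from the thread or from the asker's role: a shell pre-flight that checks, for every resolver listed in /etc/resolv.conf, that the AD locator record `_ldap._tcp.dc._msdcs.<domain>` resolves to a host inside the VPC before `realm join` is attempted, then joins without putting the password in a command string. It is built around what the output above shows: `realm join -v` ran LDAP DSE lookups against six public addresses because the resolver answered for willie.com from the public zone (the `nslookup` against 172.31.0.2 returned an SOA from ns1.mytrafficmanagement.com), the task's `rc: 0` came from the trailing `realm list` rather than from the join, and the `echo "password" | realm join` form copies the password into the registered `cmd` and the debug output. Assumptions that are not in the thread: the VPC CIDR is 172.31.0.0/16, `dig` (bind-utils) is installed, and the join password is supplied in the environment variable AD_JOIN_PASSWORD (for example from an Ansible `environment:` block on a task that sets `no_log: true`). The realm name, user and the SRV answer used in comments are taken from the thread.

```shell
#!/usr/bin/env bash
# ad-join-preflight.sh: verify AD DNS discovery reaches the intended domain
# controller, then join idempotently with the password fed on stdin.
# Added example; not the original post's code. Assumptions (not in the
# thread): VPC CIDR 172.31.0.0/16, `dig` installed, password in
# AD_JOIN_PASSWORD. Sourcing the file only defines functions.
set -u

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR -> succeeds if IP lies inside CIDR (e.g. 172.31.0.0/16).
ip_in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_rfc1918 IP -> succeeds for 10/8, 172.16/12 and 192.168/16. None of the
# six addresses realm tried in the thread (198.58.118.167, ...) pass this.
is_rfc1918() {
  ip_in_cidr "$1" 10.0.0.0/8 || ip_in_cidr "$1" 172.16.0.0/12 || ip_in_cidr "$1" 192.168.0.0/16
}

# srv_target "PRIO WEIGHT PORT TARGET." -> TARGET without the trailing dot.
# Input is one line of `dig +short SRV`, e.g. "0 100 389 ec2amaz-tm1bpvd.willie.com."
srv_target() {
  local t
  t=$(printf '%s\n' "$1" | awk '{print $4}')
  printf '%s\n' "${t%.}"
}

# nameservers FILE -> the nameserver addresses in a resolv.conf, in order.
nameservers() {
  awk '$1 == "nameserver" {print $2}' "$1"
}

# preflight DOMAIN CIDR: every configured resolver must return an SRV record
# for the DC locator name whose target resolves inside CIDR. A resolver that
# answers from the public zone fails here, so realm join is never reached.
preflight() {
  local domain=$1 cidr=$2 ns target ip answer
  for ns in $(nameservers /etc/resolv.conf); do
    answer=$(dig +short +time=3 +tries=1 @"$ns" SRV "_ldap._tcp.dc._msdcs.$domain" | head -n1)
    if [ -z "$answer" ]; then
      echo "FAIL: $ns returned no SRV record for _ldap._tcp.dc._msdcs.$domain" >&2
      return 1
    fi
    target=$(srv_target "$answer")
    for ip in $(dig +short +time=3 +tries=1 @"$ns" A "$target"); do
      if ! ip_in_cidr "$ip" "$cidr"; then
        echo "FAIL: $ns says DC $target is $ip, outside $cidr (public zone answered?)" >&2
        return 1
      fi
    done
    echo "ok: $ns -> $target ($ip)"
  done
}

# realm_is_member REALM_LIST_OUTPUT DOMAIN: idempotency check on the text
# printed by `realm list` (domain-name: and configured: kerberos-member).
realm_is_member() {
  printf '%s\n' "$1" | awk -v d="$2" '
    $1 == "domain-name:" && tolower($2) == tolower(d) { found = 1 }
    $1 == "configured:" && $2 == "kerberos-member"    { member = 1 }
    END { exit !(found && member) }'
}

# join_domain DOMAIN USER: skip if already joined; the password comes from a
# shell builtin on stdin, so it is never an argv entry visible in `ps` or in
# a logged command string, and the join's own exit status is returned.
join_domain() {
  local domain=$1 user=$2
  if realm_is_member "$(realm list)" "$domain"; then
    echo "already joined to $domain"; return 0
  fi
  : "${AD_JOIN_PASSWORD:?AD_JOIN_PASSWORD must be set}"
  printf '%s\n' "$AD_JOIN_PASSWORD" | realm join --verbose --user "$user" "$domain"
}

# Only act when a domain is given; otherwise the file is safe to source.
if [ -n "${AD_DOMAIN:-}" ]; then
  preflight "$AD_DOMAIN" "${VPC_CIDR:-172.31.0.0/16}" && join_domain "$AD_DOMAIN" "${AD_USER:-Administrator}"
fi
```

Run it as `AD_DOMAIN=willie.com VPC_CIDR=172.31.0.0/16 AD_JOIN_PASSWORD=... ./ad-join-preflight.sh`, or call it from an Ansible `shell` task with the password passed through `environment:` and `no_log: true` on the task. Because `join_domain` returns the exit status of `realm join` itself, a failed discovery fails the task instead of being hidden by a trailing `realm list`. `realm_is_member` scans the whole `realm list` output, which is enough for a host that belongs to one realm; narrow it to the matching block if several realms are configured.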