6.3 novell-ad-util

The Novell AD Utility (novell-ad-util) lets you do the following:

  • Join an OES server/cluster node or a cluster resource to an AD domain.

  • Remove an OES server/cluster node or cluster resource from an AD domain.

  • Manage the Kerberos keytab files of OES servers/cluster nodes and cluster resources as required for authentication within the domain.

The YaST installation component that lets you join an OES server/cluster node to an AD domain as part of configuring NSS AD support uses novell-ad-util in the background.

6.3.1 novell-ad-util Command Line Utility

novell-ad-util joins an OES server/cluster node or a cluster resource to an AD domain, and manages the Kerberos keytabs of those components.

Syntax

novell-ad-util <activity> <optional parameters>

Usage Options

Primary Activity

--join

Joins the current host or cluster resource to the Active Directory domain.

--leave-domain

Disjoins the current host or cluster resource from the Active Directory domain by deleting the computer object from AD and flushing all entries from the keytab, including the samAccountName entry.

NOTE: To execute the --join or --leave-domain commands, the user's Credential Cache should have sufficient rights to create or delete an object in Active Directory.

--validate-container

Checks if the container exists in the domain specified. It must be followed by the --context option.

--purge <number>

Purges the keytab entries, retaining only the last specified number of key versions.

If this command is executed without the --cluster-resource option, the keytab entries of the host are purged.

If this command is executed with the --cluster-resource option, the keytab entries of the cluster resource are purged.

--reset

Resets the password, adds service principals if any, and updates all the corresponding entries in the keytab.

--auto-reset

Resets the password, adds service principals if any, and updates all the corresponding entries in the keytab, if the password age is more than 30 days.

--online

This command is used for cluster resources. It must be followed by the --cluster-resource option. It merges the keys residing in the keytab files of the volumes into the default keytab of the node.

--offline

This is generally used for cluster resources. It must be followed by the --cluster-resource option. When a cluster resource goes offline on a node during migration, this command copies all the keys related to the cluster resource from the node's default keytab to the keytab of every available volume.

--create-object

Creates a computer object in a non-default realm (a realm other than the one to which the host or cluster resource is joined) and updates the keytab entries. To create a computer object for a cluster resource, use this option with --cluster-resource.

--delete-object

Deletes a computer object that is created using --create-object along with the keytab entries. To delete a computer object for a cluster resource, use this option with --cluster-resource.

NOTE: To execute --create-object or --delete-object, the user's Credential Cache should have sufficient rights to create or delete an object in Active Directory.

Optional Parameters

--service-principal <service_name>

Creates a service principal for the associated account. For example, <service_name>/<hostname>.<domain_name>@<DOMAIN_NAME>.

--domain-name <domain_name>

Use the domain name specified instead of parsing the krb5 file to retrieve the domain name.

--context

Allows you to join your machine to a specific context of Active Directory. (Default is CN=Computers.)

--pre-created-object [yes/no]

Allows you to join your machine to a pre-created computer object in the Active Directory. (Default is no.)

--realm-name <realm_name>

Allows you to specify the non-default realm for the multi-realm operation such as --create-object or --delete-object. This option is mandatory for multi-realm operations.

--description <Description>

Allows you to specify the description for a computer object. Must be used with the option --join, --create-object, or --reset. If this option is not specified, the default description 'Open Enterprise Server' or 'Open Enterprise Server Cluster Resource' is used.

When this option is used with --reset, it fails to set the description if the computer account (SELF) does not have sufficient rights. By default, the computer account (SELF) does not have WRITE permission on the description attribute of its own object. The administrator can manually grant WRITE permission on the description attribute at the container level for such computer accounts.

--cluster-resource <virtual server_FDN_eDir_format>

Joins or updates the current cluster resource to the Active Directory. The object will be created as the NetBIOS name of the cluster resource with

  • samAccountName: <NetBIOS_NAME>$

  • service principal: host/<NetBIOS_NAME>.<domain_name>@<DOMAIN_NAME>.

If used with --join or --reset, it also updates the keytab in

  • Each available volume associated with that resource in <mount_path>/VOL_NAME/._NETWARE/vol.keytab

  • The default keytab

To find the virtual server FDN for the cluster resource in eDirectory format:

At the command prompt, execute the following commands.

  1. Run cluster resources to get the list of cluster resources.

  2. Run cat /var/opt/novell/ncs/<cluster_resource>.load, for example, cat /var/opt/novell/ncs/NSSAD64_SERVER.load.

    #!/bin/bash
    . /opt/novell/ncs/lib/ncsfuncs
    exit_on_error nss /poolact=NSSAD64
    exit_on_error ncpcon mount BLR716993_VOL2=253
    exit_on_error add_secondary_ipaddress 192.168.100.10
    exit_on_error ncpcon bind --ncpservername=NSS64VM-NSSAD64-SERVER --ipaddress=192.168.100.10
    exit_on_error novcifs --add '--vserver=".cn=NSS64VM-NSSAD64-SERVER.o=novell.t=NSS64VM-TREE."' --ip-addr=192.168.100.10
    exit 0

  3. Identify the virtual server FDN for the cluster resource, ".cn=NSS64VM-NSSAD64-SERVER.o=novell.t=NSS64VM-TREE.", in the line that starts with exit_on_error novcifs --add '--vserver=".
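As an added example (not part of the OES documentation or of novell-ad-util itself), the following Python function automates step 3: it reads a .load script and extracts the virtual server FDN to pass to --cluster-resource, together with the pool, volumes and IP the same script records. The embedded sample is the NSSAD64_SERVER.load listing above; the regular expressions assume the line shapes shown there.

```python
import re

# Constructed sample input: the NSSAD64_SERVER.load listing from this page,
# embedded here so the parser runs offline.
SAMPLE_LOAD = """#!/bin/bash
. /opt/novell/ncs/lib/ncsfuncs
exit_on_error nss /poolact=NSSAD64
exit_on_error ncpcon mount BLR716993_VOL2=253
exit_on_error add_secondary_ipaddress 192.168.100.10
exit_on_error ncpcon bind --ncpservername=NSS64VM-NSSAD64-SERVER --ipaddress=192.168.100.10
exit_on_error novcifs --add '--vserver=".cn=NSS64VM-NSSAD64-SERVER.o=novell.t=NSS64VM-TREE."' --ip-addr=192.168.100.10
exit 0
"""

# One regex per fact the script records; "volumes" may match several lines.
PATTERNS = {
    "vserver_fdn": re.compile(r"""novcifs\s+--add\s+'--vserver="([^"]+)"'"""),
    "pool": re.compile(r"\bnss\s+/poolact=(\S+)"),
    "volumes": re.compile(r"ncpcon\s+mount\s+(\S+)=\d+"),
    "ip": re.compile(r"add_secondary_ipaddress\s+(\S+)"),
}


def parse_load_script(text):
    """Pull the pool, volumes, IP and virtual server FDN out of a .load script.

    Only exit_on_error lines carry resource facts; the shebang, the sourcing
    of ncsfuncs and the final exit are skipped. Facts that are absent stay
    None (or an empty list), so a resource without a novcifs --vserver line,
    i.e. one that is not CIFS-enabled, is easy to detect.
    """
    info = {"vserver_fdn": None, "pool": None, "volumes": [], "ip": None}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("exit_on_error"):
            continue
        for key, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if key == "volumes":
                info[key].append(m.group(1))
            else:
                info[key] = m.group(1)
            break
    return info
```

The returned vserver_fdn is the exact string to pass to --cluster-resource; the volume names are the ones whose <mount_path>/VOL_NAME/._NETWARE/vol.keytab files novell-ad-util will update.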

--pooldn <cluster_pool_FDN_eDir_Format>

This can be used instead of the cluster resource FDN given to --cluster-resource.

Examples

novell-ad-util --join --domain-name EXAMPLE.COM --service-principal cifs

If your server name is oes2018_server.example.com, executing this command will create an account oes2018_server with

  • samAccountName: oes2018_server$

  • Service Principals: host/oes2018_server.example.com@EXAMPLE.COM, cifs/oes2018_server.example.com@EXAMPLE.COM, and cifs/oes2018_server@EXAMPLE.COM

Then it associates those principals with the computer account.

It also updates the default keytab, /etc/krb5.keytab and /etc/krb5.conf files.

novell-ad-util --join --cluster-resource .cn=CLUSTER-OES2018-POOL-SERVER.o=novell.t=NSSAD_CLUSTER. --domain-name EXAMPLE.COM --service-principal cifs

If your cluster resource eDirectory object is .cn=CLUSTER-OES2018-POOL-SERVER.o=novell.t=NSSAD_CLUSTER. and its NetBIOS name is cluster2018, executing this command will create an account cluster2018 (NetBIOS name) with

  • samAccountName: cluster2018$

  • Service Principals: host/cluster2018.example.com@EXAMPLE.COM, cifs/cluster2018.example.com@EXAMPLE.COM, and cifs/cluster2018@EXAMPLE.COM

and associates those principals with the cluster account.

If this cluster resource has volumes, VOL1 and VOL2 mounted on /media/nss, it updates the following:

  • The default keytab /etc/krb5.keytab

  • The keytab files in the volumes

    • /media/nss/VOL1/._NETWARE/vol.keytab

    • /media/nss/VOL2/._NETWARE/vol.keytab

  • The Kerberos configuration file /etc/krb5.conf

novell-ad-util --join --pooldn .cn=CLUSTER_OES2018_POOL.o=novell.t=NSSAD_CLUSTER. --domain-name EXAMPLE.COM --service-principal cifs

Executing this command will join the cluster resources as explained in the previous example.

novell-ad-util --leave-domain --domain-name EXAMPLE.COM

Executing this command will disjoin the current host from the Active Directory domain.

novell-ad-util --leave-domain --cluster-resource .cn=CLUSTER-OES2018-POOL-SERVER.o=novell.t=NSSAD_CLUSTER. --domain-name EXAMPLE.COM

Executing this command will disjoin the cluster resource specified from the Active Directory domain.

How do I remove stale entries of keytab for unjoined cluster resources on all cluster nodes in the cluster?

When you disjoin a cluster resource from an Active Directory domain, novell-ad-util removes the keytab entries of that resource from the default keytab file, /etc/krb5.keytab, and deletes the volume keytab file. For example, /media/nss/vol1/._NETWARE/vol.keytab on the node where the resource is running.

If you migrated the resource to other cluster nodes before disjoining it, every cluster node the resource was migrated to will still have the default keytab entries.

When you disjoin the cluster resource, the default keytab entries for that specific cluster node and the volume keytab entries will be removed. However, the default keytab entries will still be seen on those nodes where the resource was migrated.

To remove the stale entries, execute the following command on each node other than the node that you used to disjoin the resource:

novell-ad-util --purge 0 --cluster-resource <cluster dn> --domain-name <domain name>

This command removes the keytab entries of the cluster resource <cluster dn> specified; it will not remove the volume keytab file.

novell-ad-util --validate-container --context CN=OES2018Servers --domain-name EXAMPLE.COM

Validates the container OES2018Servers in the domain example.com.

novell-ad-util --purge 2

Removes keytab entries of the host from the default keytab file, retaining only the last two key versions. For example, if key versions 2, 3, 4, and 5 exist in the keytab file, executing this command will purge versions 2 and 3, and retain versions 4 and 5.

novell-ad-util --purge 2 --cluster-resource .cn=CLUSTER-OES2018-POOL-SERVER.o=novell.t=NSSAD_CLUSTER.

Removes keytab entries of the cluster resource specified from the default keytab file, retaining only the last two key versions. For example, if key versions 2, 3, 4, and 5 exist in the keytab file, executing this command will purge versions 2 and 3, and retain versions 4 and 5.

novell-ad-util --purge 0 --cluster-resource .cn=CLUSTER-OES2018-POOL-SERVER.o=novell.t=NSSAD_CLUSTER.

Removes all the keytab entries of the cluster resource specified from the default keytab file.
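The following Python model is an added example, not code from the OES documentation or from novell-ad-util; it shows the --purge retention rule described above (keep the last N key versions, 0 meaning all) and why running --purge 0 on the other cluster nodes only touches the disjoined resource's entries and leaves the node's own principals alone. The keytab contents, the principal shapes and the NetBIOS names are constructed from this page's examples.

```python
# Constructed model of a node's default keytab after several resets: key
# versions 2..5 exist for the cluster resource cluster2018 and, on this node,
# for the node's own computer account oes2018_server (names from the examples).
SAMPLE_KEYTAB = [
    (kvno, principal)
    for kvno in (2, 3, 4, 5)
    for principal in (
        "cluster2018$@EXAMPLE.COM",
        "host/cluster2018.example.com@EXAMPLE.COM",
        "cifs/cluster2018.example.com@EXAMPLE.COM",
        "cifs/cluster2018@EXAMPLE.COM",
        "host/oes2018_server.example.com@EXAMPLE.COM",  # node, not resource
    )
]


def account_of(principal):
    """Lower-cased NetBIOS account a keytab principal belongs to.

    Covers the three shapes novell-ad-util creates: NAME$@REALM,
    service/NAME.domain@REALM and service/NAME@REALM.
    """
    name = principal.split("@", 1)[0]        # drop the realm
    if "/" in name:
        name = name.split("/", 1)[1]         # drop the service (host, cifs)
    name = name.split(".", 1)[0]             # drop the DNS domain, if any
    return name.rstrip("$").lower()


def versions_of(entries, account):
    """Sorted key versions present for one account."""
    account = account.lower()
    return sorted({kvno for kvno, p in entries if account_of(p) == account})


def purge(entries, keep, account):
    """Apply --purge <keep> to one account's entries, as the page describes.

    Entries of every other account are untouched. For the selected account
    only the highest `keep` key versions survive; keep == 0 removes all of
    them, which is the stale-entry cleanup for a disjoined cluster resource.
    """
    account = account.lower()
    versions = versions_of(entries, account)
    retained = set(versions[-keep:]) if keep > 0 else set()
    return [(kvno, p) for kvno, p in entries
            if account_of(p) != account or kvno in retained]
```

On a real node the actual entries and their KVNOs can be listed with klist -k /etc/krb5.keytab before and after running novell-ad-util --purge.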

novell-ad-util --join --domain-name EXAMPLE.COM --context cn=OES2018Servers --pre-created-object yes --service-principal cifs

Joins this host to the Active Directory domain, provided the computer object for this host already exists in Active Directory. The name of the pre-created object must be the same as the NetBIOS name of the server object.

novell-ad-util --create-object --service-principal cifs --realm-name TESTAD.COM --cluster-resource .cn=CLUSTER16-CLUS-POOL1-SERVER.o=novell.t=EDIR_CLUS16.

Creates a computer object of a cluster resource in a non-default realm TESTAD.COM and updates the keytab entries.

novell-ad-util --delete-object --realm-name TESTAD.COM --cluster-resource .cn=CLUSTER16-CLUS-POOL1-SERVER.o=novell.t=EDIR_CLUS16.

Deletes the computer object of a cluster resource from the non-default realm TESTAD.COM.

novell-ad-util --create-object --service-principal cifs --realm-name TESTAD.COM --cluster-resource .cn=CLUSTER16-CLUS-POOL1-SERVER.o=novell.t=EDIR_CLUS16. --description "OES TEST OBJECT"

Creates a computer object of a cluster resource in a non-default realm TESTAD.COM and updates the description as OES TEST OBJECT.

Files

/etc/krb5.conf

Stores Kerberos configuration.

/etc/krb5.keytab

Default keytab file that contains Service Principals of the OES server/cluster node or cluster resource.

/var/log/novell-ad-util/novell-ad-util.log

Stores the log information.

/etc/cron.daily/ad-util-auto-update

Sets the cron job to execute the ad-util-auto-update script every day and checks whether the password age is more than 30 days. If yes, resets the password of a node computer account and all cluster resource computer accounts. It ensures only two sets of key versions are present in the keytab files and also, the default keytab files and volume keytab files are in sync.

/etc/cron.daily/ad-util-auto-update --force-reset

Forcibly resets the password of the node computer account and all cluster resource computer accounts. For testing purposes, you can execute this command manually.

Help Options

--help

Displays help information on the commands and syntax, and then exits.