Ansible is an open source tool for IT configuration management, deployment and orchestration, similar to Chef and Puppet. It is simple to use because it connects to the managed servers over SSH and runs the configured tasks there, instead of requiring an agent on every host.
In this tutorial, we are going to show you how to join CentOS 7 / RHEL 7 servers to Active Directory and limit both logon access and sudo access to a specified AD security group.
If you have not installed Ansible yet, take a look at our previous tutorials:
- Getting Started With Ansible
- Create user account & configure key-based authentication with Ansible
- How to install EPEL Repository with Ansible on CentOS 7 /RHEL 7
1. Create the Playbook
```yaml
---
## This playbook installs and configures AD authentication
- name: Install and configure AD authentication
  hosts: all
  gather_facts: no
  become: yes
  become_method: sudo

  vars_prompt:
    - name: "bind_password"
      prompt: "Password for Administrator@yallalabs.local"
      private: yes

  tasks:
    - name: Install the required packages
      yum:
        name:
          - realmd
          - sssd
          - oddjob
          - oddjob-mkhomedir
          - adcli
          - samba-common
          - samba-common-tools
          - ntpdate
          - ntp
          - python-pip
        state: present
      notify:
        - restart realmd

    # The Ansible expect module needs pexpect 3.3 or later on the target;
    # the EL7 pexpect RPM is older than that, hence pip.
    - name: Install pexpect using pip
      pip:
        name: pexpect

    # The response key is a regular expression: 'Password for .*:' matches the
    # "Password for Administrator:" prompt that realm prints. 'creates' skips the
    # join on later runs, once the host keytab written by the join exists, and
    # no_log keeps the password out of verbose output.
    - name: Join system to AD and add the computer object in the Linux OU
      expect:
        command: /usr/sbin/realm join --user=Administrator --computer-ou=OU=Linux,OU=Servers,DC=YALLALABS,DC=LOCAL yallalabs.local
        responses:
          'Password for .*:': "{{ bind_password }}"
        creates: /etc/krb5.keytab
      no_log: yes

    - name: Add default_domain_suffix to sssd.conf
      lineinfile:
        dest: /etc/sssd/sssd.conf
        line: 'default_domain_suffix = yallalabs.local'
        insertafter: '^\[sssd\]'
      notify:
        - restart sssd

    - name: Allow the LinuxAdmins AD group to logon to the system
      command: /usr/sbin/realm permit -g LinuxAdmins@yallalabs.local

    # validate runs visudo on the temporary copy before it replaces /etc/sudoers,
    # so a malformed line cannot break sudo for every user on the host.
    - name: Add the LinuxAdmins AD Group to sudoers
      lineinfile:
        dest: /etc/sudoers
        line: '%LinuxAdmins@yallalabs.local ALL=(ALL) ALL'
        insertafter: '^%wheel'
        validate: '/usr/sbin/visudo -cf %s'

  handlers:
    - name: restart realmd
      service:
        name: realmd
        state: restarted

    - name: restart sssd
      service:
        name: sssd
        state: restarted
```
– vars_prompt: the bind_password variable is prompted for when the playbook starts. It holds the password of the Administrator AD account used for the join; private: yes stops the typed characters from being echoed.
– Install the required packages: the first task installs everything needed to join the system to AD (realmd, sssd, adcli, oddjob and the Samba client tools) plus NTP, because Kerberos authentication fails if the clock differs from the domain controllers by more than five minutes.
– Install pexpect using pip: the Ansible expect module, used in the next task to answer the password prompt, needs the pexpect Python library (3.3 or later) on the target host.
– Join system to AD and add the computer object in the Linux OU: realm join joins the domain as the Administrator account and creates the computer account under OU=Linux,OU=Servers instead of the default Computers container; the expect module supplies bind_password when realm asks for the password.
– Add default_domain_suffix to sssd.conf: lineinfile sets the default domain in sssd.conf, so domain users can log on as user instead of user@yallalabs.local.
– Allow the LinuxAdmins AD group to logon to the system: by default, after the join every domain user can log on; realm permit -g changes the login policy so that only members of the listed groups, here LinuxAdmins, are allowed.
– Add the LinuxAdmins AD Group to sudoers: finally, lineinfile adds a sudoers rule that grants members of LinuxAdmins full sudo (still asking for their password). Any edit to /etc/sudoers should be checked with visudo (lineinfile's validate option does this), because a malformed /etc/sudoers disables sudo for everyone on the host.
2. Create the Inventory file
In this file, specify the list of hosts to be managed by Ansible:
```
[ansadm@ylclansas01 ~]$ vi inventory.ini
[Centos7]
192.168.1.141
```
3. Run the Playbook
– Let's do a syntax check first, which should always be run before running the playbook:
```
[ansadm@ylclansas01 ~]$ ansible-playbook -i inventory.ini join-domain.yml --syntax-check
```
– Finally, run the playbook with the following command:
```
[ansadm@ylclansas01 ~]$ ansible-playbook -i inventory.ini join-domain.yml
Password for Administrator@yallalabs.local:

PLAY [Install and configure AD authentication] *********************************

TASK [Install the required packages] *******************************************
changed: [192.168.1.141]

TASK [Install pexpect using pip] ***********************************************
changed: [192.168.1.141]

TASK [Join system to AD and add the computer object in the Linux OU] ***********
changed: [192.168.1.141]

TASK [Add default_domain_suffix to sssd.conf] **********************************
changed: [192.168.1.141]

TASK [Allow the LinuxAdmins AD group to logon to the system] *******************
changed: [192.168.1.141]

TASK [Add the LinuxAdmins AD Group to sudoers] *********************************
changed: [192.168.1.141]

RUNNING HANDLER [restart realmd] ***********************************************
changed: [192.168.1.141]

RUNNING HANDLER [restart sssd] *************************************************
changed: [192.168.1.141]

PLAY RECAP *********************************************************************
192.168.1.141              : ok=8    changed=8    unreachable=0    failed=0
```
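A green play recap proves that the tasks ran, not that access is actually restricted: if the realm permit step is skipped or fails, every domain user can still log on, and a bad sudoers line is only noticed when sudo stops working. The audit script below is an added example, not part of the original tutorial and not code from realmd, sssd or Ansible. It assumes the tutorial's domain yallalabs.local and group LinuxAdmins, checks the three controls the playbook is meant to set (the realm login policy, the sssd access provider that realm permit -g writes, and the sudoers rule), and carries constructed sample data (the realm list output, sssd.conf and sudoers contents inside it are made up to look like the state after a successful run) so that --demo works without a domain.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: after the playbook has run, confirm
# that the controls it is meant to set (realm login policy, sssd access provider,
# sudoers rule) really are in place. Domain and group names are the tutorial's;
# all sample data below is constructed.

# sssd_get FILE SECTION KEY: print KEY's value from [SECTION] of an ini-style file.
sssd_get() {
  awk -v sect="[$2]" -v key="$3" '
    /^\[/ { in_sect = ($0 == sect); next }
    in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# check_realm_policy GROUP (reads `realm list` on stdin): pass only if logins are limited
# to permitted groups and GROUP is one of them. A bare join leaves allow-realm-logins.
check_realm_policy() {
  local group="$1" line policy="" permitted=""
  while IFS= read -r line; do
    case "$line" in
      *"login-policy:"*)     policy=$(printf '%s' "${line#*login-policy:}" | tr -d ' ') ;;
      *"permitted-groups:"*) permitted=$(printf '%s' "${line#*permitted-groups:}" | tr ',' ' ') ;;
    esac
  done
  if [ "$policy" != "allow-permitted-logins" ]; then
    echo "FAIL: login-policy is '${policy:-unset}', expected allow-permitted-logins" >&2; return 1
  fi
  case " $permitted " in
    *" $group "*) echo "ok: logins limited to $group" ;;
    *) echo "FAIL: $group not in permitted-groups ('$permitted')" >&2; return 1 ;;
  esac
}

# check_sssd_access FILE DOMAIN GROUP: pass only if [domain/DOMAIN] uses the simple access
# provider with GROUP in simple_allow_groups (what `realm permit -g` writes).
check_sssd_access() {
  local file="$1" domain="$2" group="$3" provider allowed
  provider=$(sssd_get "$file" "domain/$domain" access_provider)
  allowed=$(sssd_get "$file" "domain/$domain" simple_allow_groups | tr ',' ' ')
  if [ "$provider" != "simple" ]; then
    echo "FAIL: access_provider is '${provider:-unset}', expected simple" >&2; return 1
  fi
  case " $allowed " in
    *" $group "*) echo "ok: sssd allows $group" ;;
    *) echo "FAIL: $group not in simple_allow_groups ('$allowed')" >&2; return 1 ;;
  esac
}

# check_sudoers FILE GROUP: pass only if FILE holds exactly the tutorial's rule for GROUP
# and (when visudo exists) still parses; a malformed sudoers breaks sudo for everyone.
check_sudoers() {
  local file="$1" group="$2"
  if ! grep -qxF "%${group} ALL=(ALL) ALL" "$file"; then
    echo "FAIL: no '%${group} ALL=(ALL) ALL' rule in $file" >&2; return 1
  fi
  if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$file" >/dev/null 2>&1; then
    echo "FAIL: $file does not pass visudo -c" >&2; return 1
  fi
  echo "ok: $group may sudo via $file"
}

# Constructed samples: `realm list` after `realm permit -g`, the sssd.conf it writes,
# and the sudoers lines the playbook leaves behind.
SAMPLE_REALM_LIST='yallalabs.local
  configured: kerberos-member
  login-formats: %U@yallalabs.local
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: LinuxAdmins@yallalabs.local'
SAMPLE_SSSD_CONF='[sssd]
domains = yallalabs.local
default_domain_suffix = yallalabs.local

[domain/yallalabs.local]
id_provider = ad
access_provider = simple
simple_allow_groups = LinuxAdmins@yallalabs.local'
SAMPLE_SUDOERS='%wheel ALL=(ALL) ALL
%LinuxAdmins@yallalabs.local ALL=(ALL) ALL'

# audit_host [REALM_LIST_OUTPUT SSSD_CONF SUDOERS]: audit the live host when called with
# no arguments, otherwise the given data; returns 1 if any check fails.
audit_host() {
  local domain="yallalabs.local" group="LinuxAdmins@yallalabs.local" rc=0
  local realm_out="${1:-$(realm list 2>/dev/null)}"
  local sssd_conf="${2:-/etc/sssd/sssd.conf}" sudoers="${3:-/etc/sudoers}"
  printf '%s\n' "$realm_out" | check_realm_policy "$group" || rc=1
  check_sssd_access "$sssd_conf" "$domain" "$group" || rc=1
  check_sudoers "$sudoers" "$group" || rc=1
  return $rc
}

run_demo() {  # all three checks against the constructed samples; no AD needed
  local dir; dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_SSSD_CONF" > "$dir/sssd.conf"
  printf '%s\n' "$SAMPLE_SUDOERS" > "$dir/sudoers"
  audit_host "$SAMPLE_REALM_LIST" "$dir/sssd.conf" "$dir/sudoers"; local rc=$?
  rm -rf "$dir"; return $rc
}

case "${1:-}" in
  --demo)  run_demo ;;   # ./ad-audit.sh --demo
  --audit) audit_host ;; # sudo ./ad-audit.sh --audit, on the joined host
esac
```

Run it as root on the joined host with --audit (reading /etc/sssd/sssd.conf and /etc/sudoers needs root). The result to look for is login-policy still reporting allow-realm-logins: that means the realm permit step never took effect and the host accepts any account in the domain, whatever the sudoers line says.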
If you want to get the source code of this playbook visit this link Ansible Projects
We hope this tutorial was helpful. If you need more information or have any questions, comment below and we will be glad to assist you!
5 comments
Great example! I am using Ansible 2.9.2 and am not able to install python-pip... this is the error I get: “Public key for python2-pip-8.1.2-10.el7.noarch.rpm is not installed”. I am able to add the EPEL repo but still get the above error.
Hi,
Try to install python34-pip.noarch
Hi, I get a “Specify one realm to join” error.
Hi, make sure to use the correct OU with --computer-ou
Since this is one of the first hits on Google for ansible AD rhel7, I wanted to leave a comment that installing pip packages as root is a BadIdea™.