I have a slightly convoluted setup.  We use OpenNebula to deploy VMs, which 
has a customization piece.  The customization file used to run:

kinit svc_sc_user@DOMAIN -k -t /tmp/svc_sc_user.keytab
realm join domain.com --os-name='RedHat Enterprise Linux' --os-version='7.4' 
Download and extract nsswitch.conf and sssd.conf to the appropriate directories
service sssd restart

This has worked flawlessly for months.  Now we decided to implement Spacewalk 
for better control over patching and config file management.  So I moved the 
domain join script over to a configuration channel, and now instead of running 
the join directly, OpenNebula customization pulls down and runs my Spacewalk 

I have my bootstrap script pulling down a managed configuration file which is a 
script to /usr/opt/bin/domainjoin  (root:root 755).  At the end of the 
bootstrap script, I run the script it downloaded.

The script is quite simple.

rhncfg-client get /tmp/svc_sc_user.keytab
kinit svc_sc_user@DOMAIN -k -t /tmp/svc_sc_user.keytab
realm join domain.com --os-name='RedHat Enterprise Linux' --os-version='7.4' 
rm /tmp/svc_sc_user.keytab
rhncfg-client get /etc/sssd/sssd.conf
rhncfg-client get /etc/nsswitch.conf
service sssd restart

When running the script manually logged in as root, everything works perfectly.

When running through the OpenNebula customization and running bootstrap, it 
claims it joins the domain, but fails to create the /etc/krb5.keytab file, 
never actually joins the domain and sssd fails to start.

I'm completely baffled by this.  How does the same essential script work fine 
from OpenNebula config, but not from the script downloaded via bootstrap?

Max DiOrio
Global Systems Administrator
201 Fuller Road, Suite 202
Albany, NY 12203-3621
Phone: +518-238-6516 | Mobile: +518-944-5289

Spacewalk-list mailing list
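
A diagnostic version of the join script in the message above, as an added example that is not part of the original post: it logs the run context and every step's exit status, checks that /etc/krb5.keytab actually exists after `realm join` reports success, and removes the service keytab on every path. The log path, the variable names and the return codes are assumptions; the commands are the ones in the post, plus `klist`.

```shell
#!/bin/sh
# Added example, not the poster's script. Commands, principal and paths are the
# ones in the post; LOG, SVC_KEYTAB, HOST_KEYTAB and the return codes are assumptions.
LOG=${LOG:-/var/log/domainjoin.log}
SVC_KEYTAB=${SVC_KEYTAB:-/tmp/svc_sc_user.keytab}
HOST_KEYTAB=${HOST_KEYTAB:-/etc/krb5.keytab}

# Run one command, appending its output and exit status to the log.
step() {
    echo "+ $*" >>"$LOG"
    "$@" >>"$LOG" 2>&1
    s=$?
    echo "  exit=$s" >>"$LOG"
    return "$s"
}

# Get a ticket with the service keytab, show it, then join.
acquire_and_join() {
    step kinit svc_sc_user@DOMAIN -k -t "$SVC_KEYTAB" || return 11
    step klist
    step realm join domain.com --os-name='RedHat Enterprise Linux' \
        --os-version='7.4' || return 12
}

join_domain() {
    # Context that can differ between a root login and a bootstrap run.
    { date; id; echo "PATH=$PATH"; echo "HOME=${HOME:-unset}"
      echo "KRB5CCNAME=${KRB5CCNAME:-unset}"; } >>"$LOG" 2>&1
    step rhncfg-client get "$SVC_KEYTAB" || return 10
    acquire_and_join
    j=$?
    rm -f "$SVC_KEYTAB"   # remove the service keytab on success and on failure
    [ "$j" -eq 0 ] || return "$j"
    # Do not trust the exit status alone: the join must have written the host keytab.
    if [ ! -s "$HOST_KEYTAB" ]; then
        echo "realm join returned 0 but $HOST_KEYTAB is missing" >>"$LOG"
        return 13
    fi
    step rhncfg-client get /etc/sssd/sssd.conf || return 14
    step rhncfg-client get /etc/nsswitch.conf || return 14
    step service sssd restart || return 15
}

if [ "${1:-}" = "--run" ]; then
    join_domain
    exit $?
fi
```

Run it as `domainjoin --run` from the bootstrap script and compare the log with one from a manual root login.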