> On 10 Aug 2017, at 19:09, Joakim Tjernlund <[email protected]> wrote:
> 
> On Thu, 2017-08-10 at 11:12 -0500, Robert Giles wrote:
>> I'll throw this out there (there's no doubt a myriad of other, likely more 
>> reliable ways to do this).
>> 
>> In Puppet, I'm executing a 'join domain' script unless this condition is 
>> true:
>> 
>> ...
>>   unless  => "/usr/bin/klist -k ${::sssd::keytab} | /bin/grep -q 'host/${::fqdn}@${::sssd::realm_upcase}'"
>> ...
>> 
>> Check the global keytab file, say /etc/krb5.keytab, to see if 
>> "host/[email protected]" exists.  This could depend on how 
>> you're joining the domain;  "[email protected]" might also be used.
> 
> I always figured kvno was the tool for that:
> # > kvno "[email protected]"
> 
> Either you get an error or it prints the full line including the KVNO number.
> Is that correct?
> 

Right, if you don’t mind that this requires network connectivity. On the other 
hand, this method really tests the client authentication so it’s quite precise.

My ansible playbooks that set up my test VMs just test for the presence of 
/etc/krb5.keytab :-) It really depends on your use case though.

> Jocke
> 
>> 
>> Robert
>> 
>> 
>> On August 10th, 2017, at 10:32, Eugene Vilensky wrote:
>>> Hello,
>>> 
>>> Apologies for the naivete of this question.  How can I test if a machine
>>> already has a successful relationship with active directory?
>>> 
>>> context: I want to set an ansible fact if it is in fact joined and if not
>>> execute adcli to join.
>>> 
>>> Thank you!
>>> -Eugene
>>> 
>> 
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
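
The three checks discussed in this thread (keytab present, expected principal in the keytab, authentication against the KDC), combined into one shell function. This is an added example, not code from any poster; the principal names and realm are constructed placeholders, and the online step assumes MIT Kerberos `kinit -k` rather than the `kvno` call quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): tiered "is this host joined?" check.

# Constructed `klist -k` output; host names and realm are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/web01.example.com@EXAMPLE.COM
   2 WEB01$@EXAMPLE.COM'

# keytab_has_principal PRINCIPAL
# Reads `klist -k` output on stdin; succeeds only when an entry's principal
# field equals PRINCIPAL exactly. Unlike an unanchored `grep -q`, dots are
# not wildcards and a longer name containing PRINCIPAL does not match.
keytab_has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# join_state KEYTAB PRINCIPAL [online]
# Prints: no-keytab | no-principal | keytab-ok | online-failed | verified
join_state() {
    keytab=$1 princ=$2 mode=${3:-offline}
    # Cheapest test: is there a non-empty keytab at all?
    [ -s "$keytab" ] || { echo no-keytab; return 0; }
    # Offline test: does the keytab hold the expected principal?
    klist -k "$keytab" 2>/dev/null | keytab_has_principal "$princ" ||
        { echo no-principal; return 0; }
    [ "$mode" = online ] || { echo keytab-ok; return 0; }
    # Online test (assumption: MIT kinit): authenticate with the keytab key
    # into a throwaway cache so existing tickets are untouched.
    cc=$(mktemp) || return 1
    if kinit -k -t "$keytab" -c "FILE:$cc" "$princ" >/dev/null 2>&1; then
        echo verified
    else
        echo online-failed   # key rejected, or no KDC reachable
    fi
    rm -f "$cc"
}

# Typical call on a real host (commented out so the file can be sourced):
# join_state /etc/krb5.keytab "host/$(hostname -f)@EXAMPLE.COM"
```

`keytab-ok` only means the local file looks right; a machine account deleted or reset on the directory side is caught by the `online` mode alone.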