current [[ ]] string-match logic doesn't work with error-strings containing spaces and reserved characters.

Similarly, the || exit 1 lines need to be removed to allow proper control-flow,

Check for presence of config files (e.g. cache DB) to make an install or upgrade method-selection.

Support an ouname option, that specifies the name of the OU in which to place the system. As a DN still needs to be constructed, this will require additional options, possibly basedn and prependdn (or whatever).

For example, if a user were to specify:

ouname="Super Cool App"
basedn="OU=foo,DC=example,DC=com"
prependdn="OU=Computers"

Then the resulting OU path would be:

"OU=Computers,OU=Super Cool App,OU=foo,DC=example,DC=com"

Quick Fix: Change the assignment of the script's second argument to an array-assignement.

• Pro: one line of minimally-changed code required
• Con: Brittle: requires that joined-to domain always be the first value in the dns_name pillar-key

Full Fix: Rewrite the script to handle a multi-value setting of the dns_name Pillar-key:

• Pro: Arguably the Right Way™ to do it
• Cons: Significant rewrite; Script doesn't really need to work against all the domains in a multi-value argument, just the joined-to domain. Complexity-cost of full fix may not justifiable (and may introduce new "wrinkles" to deal with)

Quick Fix: Change the assignment of the script's second argument to an array-assignement.

• Pro: one line of minimally-changed code required
• Con: Brittle: requires that joined-to domain always be the first value in the dns_name pillar-key

Full Fix: Rewrite the script to handle a multi-value setting of the dns_name Pillar-key:

• Pro: Arguably the Right Way™ to do it
• Cons: Significant rewrite; Script doesn't really need to work against all the domains in a multi-value argument, just the joined-to domain. Complexity-cost of full fix may not justifiable (and may introduce new "wrinkles" to deal with)

It is desired to be able to specify a list of users and a list of groups that should not have remote access to the system. If a specified user or group currently has remote access, the formula should remove them.

Seems like Windows does not attempt to remove the object when a request is triggered to join a different OU. So doesn't matter what perms the join domain svc acct has, the object has to be removed before adding to another OU.

Verified that this is not an issue with Linux. The object is removed and added by the fix collision script, so may need a similar approach for Windows

CIS/STIG-hardened EL7 host will be FIPS enabled. When running join-domain-formula/join-domain/elx/pbis/files/join.sh in interactive diagnostic mode, script throws the following error in the decrypt operation:

PWCLEAR=$(echo "${PWCRYPT}" | openssl enc -aes-256-ecb -a -d -salt -pass pass:"${PWUNLOCK}")

produces:

140407787075488:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:251:
140407787075488:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:

Need to find alternate (FIPS-compatible) method for passing join-user's credentials into the Salt-run.

Depending on configuration of target domain, the adtool utility can exit differently than previously-observed.

Need to:

1. Add an exit handler
2. Decide whether to continue, any way, on error from adtool

If "continue any way" is selected, this will allow non-colliding hosts to still attempt to execute a join. However, if there's an unresolved collision, a subsequent join-attempt will fail.

If the Pillar's ou value is undefined, state will vomit. If Pillar's ou value is set but null, the state will run but will fail as SaltStack will change the null-value to None ...which is generally an invalid OU in AD-domains. This causes pbis-join.sh to execute similar to the following:

domainjoin-cli join --ou None --assumeDefaultDomain yes --userDomainPrefix AWSLAB \
   awslab.localdomain joiner_service 'MyJ0!nP4ss'

Need to add logic to pbis-join.sh to ensure that if passed ou-value is None that the join-command ommits the --ou flag.

Currently the formula only supports enabling remote access for domain groups. This feature request is to add support for a list of domain user accounts, as well.

Encountered issue with production ADs where bulk instance create/join/delete/recreate/join operations fail. Appears that there may be issues with speed with which AD receives the object-delete request and fully removing it from directory. Need to add retry logic - possibly with delay/backoff - to work around AD issues

Currently, initializing DC as an empty array (not compatible with set -u in BASH pre-4.4 but not the actual error)

Subsequently, use DC as a standard var rather than an array

After that reference DC as an array, again.

Bad juju overall...

Need to make the typing-consistent so that set -u is happy with DC's usage on line 126.

Allow grains to override or complement the values passed via Pillar. This will more easily allow framework users to inject their desired sudoers and login-users AD groups into the configuration setup.

Running into cases where the change-hostname behavior is being triggered where it might not ought to be. Need to see what hostname is being used that triggers the action (i.e., are other CM actions only setting the persistent-hostname but leaving the active-hostname at the original value).

Current helper-scripts test/allow for pbis-open. Need to update to also allow pbis-enterprise

Fix in issue #23 allows PBIS-based logins to succeed. However, because /etc/pam.d/sudo (and others) reference /etc/pam.d/system-auth via include, repetative sudo-calls exposes misordering in system-auth (pam_faillock spuriously increments until lockout occurs).

"Out of the box" PBIS configuration is not compatible with domains that have LdapSignAndSeal security-setting enabled/forced. Need to add option to enable LdapSignAndSeal as part of formula's PBIS configuration tasks.

Note: Initial testing indicates that enabling LdapSignAndSeal has no adverse impact using PBIS with domains that don't force its use. Adding the config-item could be done either as a new deployment-default or as a conditional setting (i.e., "use a Pillar toggle").

Make operation conditional on Saltstack Pillar and/or make it exit non-fatally on error.

Query to see if node is already talking to a DC

Currently, the state-message when invoked with --mode saltstack simply ouputs:

Delete of computer-object succeeded

or

Delete of computer-object failed

It would help production-users, when viewing logs, if the message included the computer-object name.

Need to update the project README's join-domain: linux section. The enumerated keys are no longer 100% correct and the currently-valid keys could use further elaboration.

While there, ensure elaboration on use of the dns_name key in a multi-trust AD forest.

@moskey71 / @Vandalay1125
Opened per today's domain-trust issue

The stateful syntax takes better advantage of salt's data and execution models. No need for 'notify' states, as that info would be returned as the 'comment'. It may also allow better integration with a test framework, via the test_name parameter.

See:

• https://docs.saltstack.com/en/latest/ref/states/all/salt.states.cmd.html

Example:

• https://github.com/lorengordon/join-domain-formula/blob/master/join-domain/windows/init.sls

The pbis.sls leverages the PBIS domainjoin-cli utility to do the heavy-lifting surrounding joining the client to the domain. However, the domainjoin-cli utility (through at least PBIS 8.3.0) defaults to inserting pam_lsass modules late in the /etc/pam.d/password-auth stack. When the pam_faillock modules are present ahead of the pam_lsass modules and a PBIS user attempts to perform password-based authentication, the pam_faillock modules abort the PAM-call before the pam_lsass modules may be referenced. This results in PBIS users only being able to do non-PAM authentications (SSH key, GSSAPI tokens, etc.)

Need to update join-domain-formula/join-domain/elx/pbis/files/join.sh script's local JOINSTAT declaration (in the DomainJoin function) to better handle spaces in OUs.

Need to either better-encapsulate the passed OU-path or need to properly escape any spaces that are present.

The OpenLDAP-Clients utilities provide functionalities not present in the native (SSSD) and third-party (PBIS, et. al.) utilities. The ELx join-domain-formula capabilities could be enhanced by making those utilities available (and wrapping key elements in Salt states).

It seems the Powershell version in Windows 2016 does not particularly like passing $null as a value to a function...?

watchmaker.exceptions.WatchmakerException: Salt state execution failed:
    set dns search suffix:
        __id__: set dns search suffix
        __run_num__: 81
        changes:
            pid: 492
            retcode: 1
            stderr: "C:\\Users\\Administrator\\AppData\\Local\\Temp\\tmpwi66m_.ps1\
                \ : Cannot validate argument on parameter \r\n'Ec2ConfigSetDnsSuffixList'.\
                \ The argument \"$null\" does not belong to the set \"True,False,\"\
                \ specified by the \r\nValidateSet attribute. Supply an argument that\
                \ is in the set and then try the command again.\r\n    + CategoryInfo\
                \          : InvalidData: (:) [tmpwi66m_.ps1], ParentContainsErrorRecordException\r\
                \n    + FullyQualifiedErrorId : ParameterArgumentValidationError,tmpwi66m_.ps1"
            stdout: ''
        comment: Command 'salt://join-domain/windows/files/Set-DnsSearchSuffix.ps1'
            run
        duration: 1163.0
        name: salt://join-domain/windows/files/Set-DnsSearchSuffix.ps1
        result: false
        start_time: '21:08:01.690000'

If the user has modified sshd_config to include the Match directive, and pbis-grpCfg.sls appends AllowGroups to the end the file, sshd fails to start due to an invalid config.

https://github.com/plus3it/join-domain-formula/blob/master/join-domain/elx/pbis-grpCfg.sls#L31

Inserting AllowGroups above the Match directive resolves the issue.

Refs:

• http://lambdaops.com/automation/travis/travis%20ci/configuration%20management/continuous%20integration/salt/chef/saltstack/salt%20stack/2014/01/29/travis-for-salt-states/
• https://groups.google.com/d/msg/salt-users/M4YxlFOlw7U/mbOCp0AUCgAJ
• https://09663951122791824653.googlegroups.com/attach/a1440a782b399/travis.yml?part=0.0.1&view=1&vt=ANaJVrE4L5E7W7Cpm-72sjE84rUs0VADqIxmB1SffxnOYHUfuhLYm_jN-8vo3UaOPhOxqFYeZSzZfBOuRK142sU7ywQ9kqg4DQzVEXnU0mldnuJjTMDBzIc

NetBIOS hostname char-limit is 15. Some DHCP-assigned hostnames may exceed this limit - resulting in LDAP_CONSTRAINT_VIOLATION errors. Need to include a method for reliably and uniquely compressing hostnames when a limit-violation is encountered

Domain-join function does not accept nor act on OU targets.

• Update pillar.example to show AD groups as list-object
• Add functionality to read list-into the AllowGroups directive of /etc/ssh/sshd_config

See PBIS issue 34

search queries can fail if there's a case-mismatch between AD hostname and client hostname.

There may be an overarching issue with the primary target domain associated with #58. It appears that - with greater frequency - the join operation actually succeeds, but that Saltstack thinks that it failed. This causes the client-config tasks to not run. End result, while things like getent, id, etc. work, PBIS is only partially configured.

Possible that changing the client-config tasks to happen before the join attempt will paper over this issue - may even cause the join-attempt to not report the spurious failure.

Notifying @lorengordon due to potential tie-back to #58

Current PBIS join.sh and fix-collisions.sh both individually implement PWunlock(); SSSD modules will need similar. Best to move to a sourcable file.

Reference #72 and #74

Once issues #122 and #123 are closed, formula should be ready to test deprecation of the current …/pbis/files/fix-collisions.sh utility (in favor of the …/openldap-clients/files/find-collisions.sh utility).

Original genesis for the adtool-based was to account for sync-delays in large AD domains.

When using the standard domainjoin method to join a new host to a domain in which there already existed an object of the same name, the operation would sometimes fail despite permissions granted to the join service/account. The domainjoin tool attempts to self-resolve collisions. However, it c/would run into issues where it would talk to one DC for the object-removal and a different DC for object-(re)creation: if the inter-DC sync-delay was longer than the interval between the object-removal action and the object-(re)creation action, the join would fail.

Need to ensure that the LDAP-based removal method does a verification against a couple DCs to make sure the deletion-sync has occurred before handing off to the next state.

Would help reduce errors when using the admin/login user/group options.

• Update pillar.example to show AD groups as list-object
• Add group_ files to /etc/sudoers.d

When using AMIs/templates/etc. that either have a baked-in user different than maintuser - or any baked-in maintuser account is overridden – a superfluous entry in the AllowGroups list results.

With production testing, appears script may not be properly exiting when join-state detection indicates an untestable state for presence of AD object.

Check whether PBIS RPMs are already present

Self-explanatory. See #72 for fix-reference.

Need to add detection of current join-state and prevent join-rerun (particularly the object-delete step).

For lifecycle usage, need to add the capability of upgrading the Linux AD client software's installed version. PBIS will, by default, do an upgrade-in-place if the installer is simply invoked with pbis-open-<VERSION>.linux.<ARCH>.rpm.sh -- --dont-join --legacy install