On 7 March 2018 21:08:05 CET, "DiOrio, Max" <max.dio...@ieeeglobalspec.com> wrote:
>Hi,
>
>I have a slightly convoluted setup. We use OpenNebula to deploy VMs,
>which has a customization piece. The customization file used to run:
>
>kinit svc_sc_user@DOMAIN -k -t /tmp/svc_sc_user.keytab
>realm join domain.com --os-name='RedHat Enterprise Linux' \
>  --os-version='7.4' \
>  --computer-ou=OU=Linux,OU=DevPortal,OU=Servers,OU=Devices
>Download and extract nsswitch.conf and sssd.conf to the appropriate
>directories
>Service sssd restart
>
>This has worked flawlessly for months. Now we decided to implement
>SpaceWalk for better control over patching and config file management.
>So I moved the domain join script over to a configuration channel, and
>now instead of running the join directly, OpenNebula customization
>pulls down and runs my Spacewalk bootstrap.
>
>I have my bootstrap script pulling down a managed configuration file
>which is a script to /usr/opt/bin/domainjoin (root:root 755). At the
>end of the bootstrap script, I run the script it downloaded.
>
>The script is quite simple.
>
>#!/bin/bash
>rhncfg-client get /tmp/svc_sc_user.keytab
>kinit svc_sc_user@DOMAIN -k -t /tmp/svc_sc_user.keytab
>realm join domain.com --os-name='RedHat Enterprise Linux' \
>  --os-version='7.4' \
>  --computer-ou=OU=Linux,OU=DevPortal,OU=Servers,OU=Devices
>rm /tmp/svc_sc_user.keytab
>rhncfg-client get /etc/sssd/sssd.conf
>rhncfg-client get /etc/nsswitch.conf
>service sssd restart
>
>When running the script manually logged in as root, everything works
>perfectly.
>
>When running through the OpenNebula customization and running
>bootstrap, it claims it joins the domain, but fails to create the
>/etc/krb5.keytab file, never actually joins the domain and sssd fails
>to start.
>
>I'm completely baffled by this. How does the same essential script
>work fine from OpenNebula config, but not from the script downloaded
>via bootstrap?
>
>
>Max DiOrio
>Global Systems Administrator
>201 Fuller Road, Suite 202
>Albany, NY 12203-3621
>Phone: +518-238-6516 | Mobile: +518-944-5289
>max.dio...@ieeeglobalspec.com

This sounds as if the script is not executed as root. Also, SELinux might be a problem, as the configuration jobs are called by "rhnsd" (or osad?) and there might be a "profile" for it. Maybe you could test the deployment once with SELinux set to disabled?

Robert
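
An added diagnostic sketch, not part of the thread and not Spacewalk code: it records the user, SELinux mode, SELinux process context and parent process of a run, so the manual root run can be compared with the run started by the bootstrap. The function names and the `record` argument are hypothetical.

```shell
#!/bin/sh
# Added example: capture the execution context of the domain-join script.

# Print one key=value line per fact about the current execution context.
exec_context() {
    echo "euid=$(id -u)"
    # SELinux mode; "unknown" when getenforce is not installed.
    if command -v getenforce >/dev/null 2>&1; then
        echo "selinux_mode=$(getenforce)"
    else
        echo "selinux_mode=unknown"
    fi
    # Security context of this process, if the kernel exposes one.
    if [ -r /proc/self/attr/current ]; then
        echo "selinux_context=$(tr -d '\0' < /proc/self/attr/current 2>/dev/null)"
    else
        echo "selinux_context=unknown"
    fi
    # Name of the process that started this script (login shell, rhnsd, ...).
    echo "parent=$(cat "/proc/$PPID/comm" 2>/dev/null || echo unknown)"
}

# Compare two saved context files; print every key whose value differs.
# Returns 0 when both runs had the same context, 1 otherwise.
context_diff() {
    local a="$1" b="$2" key va vb rc=0
    for key in euid selinux_mode selinux_context parent; do
        va=$(grep "^${key}=" "$a" | head -n1)
        vb=$(grep "^${key}=" "$b" | head -n1)
        if [ "$va" != "$vb" ]; then
            echo "DIFF ${va:-$key=<missing>} vs ${vb:-$key=<missing>}"
            rc=1
        fi
    done
    return $rc
}

# The symptom from the thread: the join reports success but no keytab exists.
keytab_present() {
    [ -s "${1:-/etc/krb5.keytab}" ]
}

# "record" prints the context; redirect it to a file in each kind of run.
case "${1:-}" in
    record) exec_context ;;
esac
```

Save the output once from the manual root session and once from the bootstrap, then pass both files to `context_diff`; call `keytab_present` right after `realm join` to catch the silent failure at the point where it happens.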