I have the following exec that joins a Linux (CentOS 6) host to an Active Directory domain. When run as root from the bash terminal, it runs successfully and the host is joined to the AD domain properly.

However, when run in puppet, the net ads join command fails with:

    Failed to join domain: Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)

Here is the exec:
    exec { 'adjoin':
      command   => "kinit [email protected] -k -t /etc/krb5.keytab && net ads join createcomputer='Machines/Servers/Linux Servers' osName='${operatingsystem}' osVer=${operatingsystemrelease} -k",
      unless    => "net ads testjoin -k | grep -q 'Join is OK'",
      provider  => shell,
      user      => root,
      path      => '/usr/sbin:/usr/bin:/sbin:/bin',
      require   => [
        File['/etc/krb5.conf'],
        File['/etc/krb5.keytab'],
      ],
      logoutput => true,
    }
I've tried with and without the provider and user parameters.
It turns out I had to explicitly set a few environment variables using the environment parameter in exec, specifically LOGNAME. Two reasons for this:

1. net ads -k join fails without the LOGNAME env variable.
2. LOGNAME, USER, and HOME are specifically unset by puppet during an exec's run. It was a design choice that is detailed in the ticket I linked to.

I also set USER and HOME for sanity's sake, though I'm not sure they are required by net ads.
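The resource from the question with the fix from the answer applied, written out as an added example rather than the poster's own code: the environment parameter restores the three variables Puppet clears before running an exec. PRINCIPAL@REALM.EXAMPLE stands in for the machine's keytab principal, which is not shown on the page.

```puppet
# Added example: the adjoin exec with the environment fix from the answer.
# Puppet unsets LOGNAME, USER and HOME for every exec, and 'net ads join -k'
# fails with NT_STATUS_ACCESS_DENIED when LOGNAME is missing.
# PRINCIPAL@REALM.EXAMPLE is a placeholder for the host's keytab principal.
exec { 'adjoin':
  command     => "kinit PRINCIPAL@REALM.EXAMPLE -k -t /etc/krb5.keytab && net ads join createcomputer='Machines/Servers/Linux Servers' osName='${operatingsystem}' osVer='${operatingsystemrelease}' -k",
  # Idempotence check: skip the join when the existing machine account is valid.
  unless      => "net ads testjoin -k | grep -q 'Join is OK'",
  provider    => shell,
  user        => root,
  path        => '/usr/sbin:/usr/bin:/sbin:/bin',
  # Restore the variables Puppet clears; LOGNAME is the one net ads requires,
  # USER and HOME are set so the command runs with the same environment as an
  # interactive root shell.
  environment => ['LOGNAME=root', 'USER=root', 'HOME=/root'],
  require     => [
    File['/etc/krb5.conf'],
    File['/etc/krb5.keytab'],
  ],
  logoutput   => true,
}
```

Running the exec with logoutput enabled lets you confirm from the agent log that the join no longer reports NT_STATUS_ACCESS_DENIED once LOGNAME is present.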