'realm_join_with_password' doesn't get called again if domain join failed #2

Closed
jbencic opened this issue Mar 24, 2016 · 4 comments

@jbencic

jbencic commented Mar 24, 2016

I have a scenario where the first time I did a puppet run the AD domain join failed;
then on every subsequent run, it would just try to start the service and fail saying no keytab file.

I believe this is because 'realm_join_with_password' should be executed every time, not just if the /etc/realm.conf file changes (refreshonly and notify).

Deleting the /etc/realm.conf and [deleting /etc/sssd/sssd.conf OR running realm leave 'mydomain'] resolves the issue, e.g. "realm join" gets called and joins the domain.

Maybe the "unless" statement in realm_join_with_password could be some other test to validate the system has been joined to the domain.

@walkamongus
Owner

It sounds like the refreshonly parameter could just be removed and the unless test relied upon. If the domain join failed then the unless test will fail and re-run the join command. Would that work for your situation?

@andrewwippler
Contributor

I came across this issue while creating the Debian portion. @jbencic mentioned he was using a keytab file. If $krb_ticket_join is set to false, this issue does not happen.

It appears to stem from $::realmd::sssd_config_file being created before the run of run_realm_join_with_keytab. Once $::realmd::sssd_config_file is run, realm list --name-only | grep ${_domain} returns true and does not trigger a realm join ${_domain}.

I don't use keytabs in my environment, but I believe the below code would fix it:

  exec { 'run_realm_join_with_keytab':
    path        => '/usr/bin:/usr/sbin:/bin',
    # Join the realm using the ticket obtained by run_kinit_with_keytab
    command     => "realm join ${_domain}",
    # Skip the join when realm already lists the domain
    unless      => "realm list --name-only | grep ${_domain}",
    refreshonly => true,
    require     => Exec['run_kinit_with_keytab'],
    # Make sure the join runs before sssd.conf is written, so the
    # unless check cannot be satisfied by a config file alone
    before      => File[$::realmd::sssd_config_file],
  }

@walkamongus
Owner

The join command does run before the sssd.conf file is placed on disk. The problem is that the join command fails on the first run but the sssd.conf file is still configured. On the second run, the realm list and realm join commands blindly trust what is in the now-configured sssd.conf file and report already being joined to the domain even though the initial realm join command failed.

I've updated the code to perform a more robust check via klist and run the realm join command any time the check fails. This doesn't solve the ultimate problem in that realm will report being joined to the domain as long as SSSD is configured for that domain even if the realm join command failed.

At least now you will get consistent failures if this is the case, because the keytab check will fail and realm join will run but fail with the message Already joined to this domain, which is actually not true.

This could easily be remedied if the realm command would provide a --force flag to join the domain no matter what.
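As an added example (not code from the realmd module or from either commenter), here is the kind of keytab-based check described above, written as a POSIX shell function that decides "joined" by looking for a host/ principal of the domain's realm in `klist -k` output rather than trusting `realm list`. The keytab listings, host name and domain below are constructed sample data, and `/etc/krb5.keytab` is assumed to be the system keytab path:

```shell
#!/bin/sh
# Constructed sample of `klist -k` output for a host that did join EXAMPLE.COM
KLIST_JOINED='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ws01.example.com@EXAMPLE.COM
   2 WS01$@EXAMPLE.COM'

# Constructed sample for a host whose join failed: header only, no principals
KLIST_EMPTY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------'

# keytab_has_host_principal DOMAIN KLIST_OUTPUT
# Succeeds (exit 0) only when the listing contains a host/<fqdn>@<REALM>
# entry whose realm is DOMAIN in upper case; an sssd.conf that merely
# names the domain cannot satisfy this, unlike `realm list`.
keytab_has_host_principal() {
  domain=$1
  listing=$2
  # Kerberos realms are conventionally the upper-cased DNS domain
  realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
  # Escape dots so they match literally in the regex
  realm_re=$(printf '%s' "$realm" | sed 's/\./\\./g')
  printf '%s\n' "$listing" |
    grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+host/[^@[:space:]]+@${realm_re}\$"
}

# check_live DOMAIN
# What an `unless` command would run on a real host (assumed keytab path);
# not invoked here so the script stays runnable without Kerberos installed.
check_live() {
  keytab_has_host_principal "$1" "$(klist -k /etc/krb5.keytab 2>/dev/null)"
}
```

On a real host the second argument is the live `klist -k` output, which is what a Puppet `unless` command for the join exec would evaluate. As the comment above notes, this only makes the failure consistent: when sssd.conf already names the domain, `realm join` still refuses with "Already joined to this domain", so the check exposes the broken state rather than repairing it.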

@walkamongus
Owner

I'm going to go ahead and close this as I don't think there is a good solution for this until the realm command allows you to force a domain join, or adds real checks for figuring out whether the machine is actually joined to the domain or not.
