thulium_drake.adjoin
ADJOIN Role
This role is used to connect a Debian or RedHat machine to one or more Active Directory domains. To use this role, you need the following:
On the Windows Side:
- An Active Directory (AD) domain that is set up and ready.
- Correct DNS records for the domain.
- A user account with permission to create Computer Objects.
On the Linux Side:
- Administrative access to your client system.
- The clock on your client must be synchronized with the AD domain controller.
Configuration Steps
This role will configure the following programs to get your system ready for AD authentication:
- Kerberos
- Oddjob (only for RHEL)
- OpenLDAP
- PAM
- Samba
- SSSD
Each time you run this role, it checks if the connection to the AD domain is valid. If it isn't, it will automatically try to reconnect using the saved credentials.
It will also set up sudo permissions for a user-defined AD group. The default permissions given to this group are:
ALL=(ALL) NOPASSWD: ALL
There are two reasons for this:
- With strong authentication through Kerberos, needing a password is less important.
- This enables a similar single sign-on (SSO) experience when using SSH keys for root access.
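Because the default rule gives an entire AD group passwordless root, it helps to be able to list which group rules on a host actually grant that. The following is an added example, not part of this role: a small sudoers audit in Python. The group names and the sample drop-in are constructed placeholders, and the parser covers plain user specifications only (no aliases or Defaults lines).

```python
import re

# Constructed sample of a sudoers drop-in; the group names are placeholders.
SAMPLE = r"""
# managed by configuration management
%linux\ admins ALL=(ALL) NOPASSWD: ALL
%db-operators ALL=(postgres) NOPASSWD: /usr/bin/systemctl restart postgresql, \
    PASSWD: ALL
%helpdesk ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
"""

# who host = (runas) commands; "who" may contain backslash-escaped characters.
SPEC = re.compile(r"^(?P<who>(?:\\.|\S)+)\s+(?P<host>\S+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAGGED = re.compile(r"^\s*((?:[A-Z_]+:\s*)*)(.*)$")


def logical_lines(text):
    """Join backslash-continued lines, then drop blank and '#' lines."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # also skips #include directives
            yield line


def passwordless_all(text):
    """Return (group, runas) for each group rule granting ALL without a password."""
    findings = []
    for line in logical_lines(text):
        m = SPEC.match(line)
        if not m or not m["who"].startswith("%"):
            continue  # only group entries are of interest here
        nopasswd = False  # a tag stays in effect for later commands in the list
        for item in m["cmds"].split(","):
            tags, cmd = TAGGED.match(item).groups()
            for tag in re.findall(r"[A-Z_]+", tags):
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            if nopasswd and cmd.strip() == "ALL":
                group = re.sub(r"\\(.)", r"\1", m["who"][1:])
                findings.append((group, m["runas"] or "root"))
                break
    return findings


if __name__ == "__main__":
    for group, runas in passwordless_all(SAMPLE):
        print(f"passwordless ALL as {runas}: group {group!r}")
```

Run it against the contents of /etc/sudoers and each file under /etc/sudoers.d after the role has been applied; rules scoped to specific commands or followed by PASSWD: are not reported.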
Usage
Once you've met the requirements mentioned earlier, you can use this role as follows:
- Install the role (from Galaxy or directly from GitHub).
- Copy the defaults file to your inventory (or wherever you keep them) and fill in the details.
- Add the role to your main playbook.
- Run Ansible.
- ???
- Enjoy!
About the project
Active Directory join for multiple domains
Install
ansible-galaxy install thulium_drake.adjoin
License
gpl-3.0