Putting AD "computer accounts" in your OU

As a result of using Active Directory for authentication and authorization a "computer object" is created for each machine in the AD. If you care where these objects are created, you will need to do some one time setup in your AD organizational unit.

If you’re not using Active Directory or Wolftech, you don’t need to worry about this section.

Further, even if you are using Wolftech, if you don’t plan to manage computer objects for linux machines in your own organizational unit in Wolftech, you can skip this section. By default, computer objects are collected in an OIT managed OU, so if you take no action, you’ll always get basic services.

Computer objects in AD

Every computer managed by AD gets a computer object created in that AD. These objects are either created by hand by a human using the “Users and Computers” tool, or they can be automatically created via a secured “service account” that has the proper permissions assigned in Active Directory.

If you don’t want to create a service account

You can “prestage” computer objects for linux machines just as for Windows machines. Refer to the “Computer Account Prestaging” in the Wolftech documentation for WDS for details. Note that the other topics in these documents are specific to Windows machines – you only need to perform the prestaging step for linux machines.

Install the computer with foreman. You will get numerous errors from the ncsu::profile::authnz and other modules because the linux machine will not be allowed to communicate with Wolftech at all as an untrused machine. You will need to login with the root password you set in foreman, as obviously you can’t use any Wolftech/Unity logins until the machine is properly joined.

The ncsu::profile::authnz puppet module creates a script in the root user’s home directory called joindomin.sh Run this script and enter the credentials of an account with “Join Domain” rights to link the running linux computer with it’s associated object in AD.

At this point, runs of puppet agent -t should succeed. It may take several runs to get all the various services that depend on authnz reporting no errors.

This quick overview assumes that you are an OU admin for your organizational unit, and that you’re following the typical Wolftech OU layout

  1. Create a service account. You need to follow the naming conventions for service accounts We recommend **yourOU.linuxjoin.svc

  2. Add your service account to the **yourOU**-Computer Migrators group so it will have the join domain permission.

  3. Decide where in your OU you want your linux machines and grant your service account the permissions needed to create computers there.

  4. Encrypt your service account password, and send it, the service account name, and the OU where you want computer objects to OIT-CSI so we can associate it with your organization in Foreman.

Computers belonging to your organization should now automatically join the domain and place their objects into the OU you’ve specified.

Edit me