6.3 novell-ad-util

The Novell AD Utility (novell-ad-util) lets you do the following:

  • Join an OES server/cluster node or a Novell cluster resource to an AD domain.

  • Remove an OES server/cluster node or cluster resource from an AD domain.

  • Manage the Kerberos keytab files of OES servers/cluster nodes and cluster resources as required for authentication within the domain.

The YaST installation component that joins an OES server/cluster node to an AD domain as part of configuring NSS AD support uses novell-ad-util in the background.

6.3.1 novell-ad-util Command Line Utility

novell-ad-util joins an OES server/cluster node or a Novell cluster resource to an AD domain, and manages the Kerberos keytabs of those components.

Syntax

novell-ad-util <activity> <optional parameters>

Usage Options

Primary Activity

--join

Joins the current host or cluster resource to the Active Directory domain.

--leave-domain

Disjoins the current host or cluster resource from the Active Directory domain: it deletes the computer object from AD and flushes all entries for that account from the keytab, including the samAccountName entry.

NOTE: To execute --join or --leave-domain, the credential cache of the user running the command must hold a ticket for an account with sufficient rights to create or delete the computer object in Active Directory.

--validate-container

Checks if the container exists in the domain specified. It must be followed by the --context option.

--flush-keytab

Flushes all the entries from the keytab except samAccountName entries.

--purge <number>

Purges the keytab entries, retaining only the last <number> key versions (0 removes all of them).

Without the --cluster-resource option, the keytab entries of the host are purged.

With the --cluster-resource option, the keytab entries of the specified cluster resource are purged.

--reset

Resets the account password, adds the service principals specified (if any), and updates all the corresponding entries in the keytab.

--getrinfo

Fetches the NetBIOS name of the cluster resource and the domain name where the cluster resource should join. It must be followed by the --cluster-resource option.

--online

Used for cluster resources; must be followed by the --cluster-resource option. Merges the keys held in the keytab files of the resource's volumes into the default keytab of the node.

--offline

Used for cluster resources; must be followed by the --cluster-resource option. When a cluster resource goes offline on a node during migration, this command copies all the keys belonging to the cluster resource from the node's default keytab into the keytab of every available volume of that resource.

Optional Parameters

--service-principal <service_name>

Creates a service principal for the associated account. For example, <service_name>/<hostname>.<domain_name>@<DOMAIN_NAME>.

--domain-name <name>

Use the specified domain name instead of retrieving it from the Kerberos configuration file (/etc/krb5.conf).

--context <container>

Joins your machine to a specific container in Active Directory (default is CN=Computers). See the --validate-container and --pre-created-object examples below for the form of the value.

--pre-created-object [yes/no]

Allows you to join your machine to a pre-created computer object in the Active Directory. (Default is no.)

--cluster-resource <virtual server_FDN_eDir_format>

Joins or updates the current cluster resource in Active Directory. The object is created under the NetBIOS name of the cluster resource with

  • samAccountName: <NetBIOS_NAME>$

  • service principal: host/<NetBIOS_NAME>.<domain_name>@<DOMAIN_NAME>.

If used with --join or --reset, it also updates the keytab in

  • Each available volume associated with that resource in <mount_path>/VOL_NAME/._NETWARE/vol.keytab

  • The default keytab

To find the virtual server FDN for the cluster resource in eDirectory format:

At the command prompt, execute the following commands.

  1. cluster resources to get the list of cluster resources.

  2. cat /var/opt/novell/ncs/<cluster_resource>.load, for example, cat /var/opt/novell/ncs/NSSAD64_SERVER.load.

    #!/bin/bash
    . /opt/novell/ncs/lib/ncsfuncs
    exit_on_error nss /poolact=NSSAD64
    exit_on_error ncpcon mount BLR716993_VOL2=253
    exit_on_error add_secondary_ipaddress 192.168.100.10
    exit_on_error ncpcon bind --ncpservername=NSS64VM-NSSAD64-SERVER --ipaddress=192.168.100.10
    exit_on_error novcifs --add '--vserver=".cn=NSS64VM-NSSAD64-SERVER.o=novell.t=NSS64VM-TREE."' --ip-addr=192.168.100.10
    exit 0
  3. Identify the virtual server FDN for the cluster resource in the line that begins exit_on_error novcifs --add '--vserver=: in this example it is .cn=NSS64VM-NSSAD64-SERVER.o=novell.t=NSS64VM-TREE. (the value between the double quotes).
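The three steps above are easy to get wrong by hand (a missing leading or trailing dot in the FDN, or an empty value when the .load script has no novcifs line). The following POSIX shell functions are an added example, not part of the OES documentation or of novell-ad-util: they extract the --vserver value from a .load script, check that it has the dotted eDirectory form, and assemble the matching join command. The sample .load file is a constructed copy of the script shown above; the function names vserver_fdn and join_cmd are this example's own.

```shell
#!/bin/sh
# Added example; not part of the OES documentation or of novell-ad-util.
# Extracts the virtual server FDN from a cluster resource .load script and
# assembles the matching "novell-ad-util --join --cluster-resource" line.

# Constructed copy of the .load script shown above, written to a temporary
# file so the functions can be exercised offline. On a cluster node the real
# file is /var/opt/novell/ncs/<cluster_resource>.load.
SAMPLE_LOAD="$(mktemp)"
cat > "$SAMPLE_LOAD" <<'EOF'
#!/bin/bash
. /opt/novell/ncs/lib/ncsfuncs
exit_on_error nss /poolact=NSSAD64
exit_on_error ncpcon mount BLR716993_VOL2=253
exit_on_error add_secondary_ipaddress 192.168.100.10
exit_on_error ncpcon bind --ncpservername=NSS64VM-NSSAD64-SERVER --ipaddress=192.168.100.10
exit_on_error novcifs --add '--vserver=".cn=NSS64VM-NSSAD64-SERVER.o=novell.t=NSS64VM-TREE."' --ip-addr=192.168.100.10
exit 0
EOF

# vserver_fdn <load-file>
# Prints the FDN quoted in the novcifs --vserver="..." argument. Returns 1
# and prints nothing when the script has no such line, so a caller cannot
# silently pass an empty --cluster-resource value to novell-ad-util.
vserver_fdn() {
    sed -n 's/.*novcifs .*--vserver="\([^"]*\)".*/\1/p' "$1" | head -n 1 | grep .
}

# join_cmd <load-file> <AD domain> [service]
# Builds the join command for the resource defined in the load script and
# checks that the FDN has the dotted eDirectory form (leading and trailing
# dot) that --cluster-resource expects. It only prints the command: run it
# on the node with a credential cache that may create computer objects, as
# the NOTE on --join requires. The service defaults to cifs as in the
# examples below.
join_cmd() {
    fdn="$(vserver_fdn "$1")" || { echo "no novcifs --vserver line in $1" >&2; return 1; }
    case "$fdn" in
        .cn=*.) ;;
        *) echo "unexpected FDN format: $fdn" >&2; return 1 ;;
    esac
    printf 'novell-ad-util --join --cluster-resource %s --domain-name %s --service-principal %s\n' \
        "$fdn" "$2" "${3:-cifs}"
}

join_cmd "$SAMPLE_LOAD" EXAMPLE.COM
```

On a real node, replace "$SAMPLE_LOAD" with the path of the resource's .load file; the printed line is the command to run, and a non-zero exit means the FDN could not be determined and the join should not be attempted with a guessed value.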

--pooldn <cluster_pool_FDN_eDir_Format>

Can be used instead of the cluster resource FDN to identify the resource by its pool object.

Examples

novell-ad-util --join --domain-name EXAMPLE.COM --service-principal cifs

If your server name is oes2015_server.example.com, executing this command will create an account oes2015_server with

  • samAccountName: oes2015_server$

  • Service Principals: host/oes2015_server.example.com@EXAMPLE.COM, cifs/oes2015_server.example.com@EXAMPLE.COM, and cifs/oes2015_server@EXAMPLE.COM

Then it associates those principals with the computer account.

It also updates the default keytab, /etc/krb5.keytab and /etc/krb5.conf files.

novell-ad-util --join --cluster-resource .cn=CLUSTER-OES2015-POOL-SERVER.o=novell.t=NSSAD_CLUSTER. --domain-name EXAMPLE.COM --service-principal cifs

If your cluster resource eDirectory object is .cn=CLUSTER-OES2015-POOL-SERVER.o=novell.t=NSSAD_CLUSTER. and its NetBIOS name is cluster2015, executing this command creates an account cluster2015 (the NetBIOS name) with

samAccountName: cluster2015$

Service Principals: host/cluster2015.example.com@EXAMPLE.COM, cifs/cluster2015.example.com@EXAMPLE.COM, and cifs/cluster2015@EXAMPLE.COM.

and associates those principals with the cluster account.

If this cluster resource has volumes, VOL1 and VOL2 mounted on /media/nss, it updates the following:

  • The default keytab /etc/krb5.keytab

  • The keytab files in the volumes

    • /media/nss/VOL1/._NETWARE/vol.keytab

    • /media/nss/VOL2/._NETWARE/vol.keytab

  • The kerberos configuration file /etc/krb5.conf

novell-ad-util --join --pooldn .cn=CLUSTER_OES2015_POOL.o=novell.t=NSSAD_CLUSTER. --domain-name EXAMPLE.COM --service-principal cifs

Executing this command joins the cluster resource as explained in the previous example, identifying it by its pool DN instead of its virtual server FDN.

novell-ad-util --leave-domain --domain-name EXAMPLE.COM

Executing this command will disjoin the current host from the Active Directory domain.

novell-ad-util --leave-domain --cluster-resource .cn=CLUSTER-OES2015-POOL-SERVER.o=novell.t=NSSAD_CLUSTER. --domain-name EXAMPLE.COM

Executing this command will disjoin the cluster resource specified from the Active Directory domain.

How do I remove stale entries of keytab for unjoined cluster resources on all cluster nodes in the cluster?

When you disjoin a cluster resource from an Active Directory domain, novell-ad-util removes the keytab entries of that resource from the default keytab file, /etc/krb5.keytab, and deletes the volume keytab file (for example, /media/nss/vol1/._NETWARE/vol.keytab) on the node where the resource is running.

If the resource was migrated to other cluster nodes before being disjoined, every node it ran on still holds that resource's entries in its default keytab.

Disjoining the resource removes the default keytab entries and the volume keytab entries only on the node where the disjoin was run; the default keytab entries remain on the nodes the resource was migrated to.

To remove the stale entries, execute the following command on every cluster node other than the one you used to disjoin the resource:

novell-ad-util --purge 0 --cluster-resource <cluster dn> --domain-name <domain name>

This command removes the keytab entries of the specified cluster resource <cluster dn> from the default keytab; it does not remove the volume keytab file.

novell-ad-util --validate-container --context CN=OES2015Servers --domain-name EXAMPLE.COM

Validates that the container OES2015Servers exists in the domain EXAMPLE.COM.

novell-ad-util --purge 2

Removes keytab entries of the host from the default keytab file, retaining only the last two key versions. For example, if key versions 2, 3, 4 and 5 exist in the keytab file, executing this command purges versions 2 and 3 and retains versions 4 and 5.

novell-ad-util --purge 2 --cluster-resource .cn=CLUSTER-OES2015-POOL-SERVER.o=novell.t=NSSAD_CLUSTER.

Removes keytab entries of the specified cluster resource from the default keytab file, retaining only the last two key versions. For example, if key versions 2, 3, 4 and 5 exist in the keytab file, executing this command purges versions 2 and 3 and retains versions 4 and 5.

novell-ad-util --purge 0 --cluster-resource .cn=CLUSTER-OES2015-POOL-SERVER.o=novell.t=NSSAD_CLUSTER.

Removes all the keytab entries of the cluster resource specified from the default key tab file.
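The join examples above list the principals a join is expected to create, the stale-entry procedure above depends on knowing which nodes still carry a resource's keys, and the --purge examples describe retention by key version. None of this is visible from novell-ad-util itself, so the following POSIX shell functions, an added example that is not part of the OES documentation or of novell-ad-util, audit a keytab listing: they compute the principals a join should have produced for a host or resource, report which are missing from the keytab, list the entries belonging to one resource, and preview which key versions a given --purge <number> would remove. They read the output of MIT Kerberos klist -k (the format assumed here); the sample listing is constructed for this example, and the function names expected_principals, missing_principals, resource_entries and kvnos_to_purge are the example's own. The purge preview only emulates the documented retention rule; the actual removal is still done by novell-ad-util.

```shell
#!/bin/sh
# Added example; not part of the OES documentation or of novell-ad-util.
# Audits the principals in a keytab listing (MIT "klist -k" output) for one
# host or cluster resource: which entries a join should have created, which
# are present, and which key versions "--purge <n>" would drop.

# Constructed sample of "klist -k /etc/krb5.keytab" on a node that still holds
# key versions 2-5 for the cluster resource cluster2015 and one version for
# the node's own account. On a real node, write the listing to a file first:
#   klist -k /etc/krb5.keytab > /tmp/keytab.txt
SAMPLE_KLIST="$(mktemp)"
cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/cluster2015.example.com@EXAMPLE.COM
   2 cifs/cluster2015.example.com@EXAMPLE.COM
   3 host/cluster2015.example.com@EXAMPLE.COM
   3 cifs/cluster2015.example.com@EXAMPLE.COM
   4 host/cluster2015.example.com@EXAMPLE.COM
   4 cifs/cluster2015.example.com@EXAMPLE.COM
   4 cifs/cluster2015@EXAMPLE.COM
   4 cluster2015$@EXAMPLE.COM
   5 host/cluster2015.example.com@EXAMPLE.COM
   5 cifs/cluster2015.example.com@EXAMPLE.COM
   5 cifs/cluster2015@EXAMPLE.COM
   5 cluster2015$@EXAMPLE.COM
   7 host/oes2015_server.example.com@EXAMPLE.COM
   7 cifs/oes2015_server.example.com@EXAMPLE.COM
   7 cifs/oes2015_server@EXAMPLE.COM
   7 oes2015_server$@EXAMPLE.COM
EOF

# expected_principals <name> <domain> [service...]
# The principals a join creates for <name> (hostname or resource NetBIOS
# name), as listed in the join examples: the samAccountName entry, host/<fqdn>,
# and <svc>/<fqdn> plus <svc>/<name> for every --service-principal given.
# The DNS part is lower-cased and the realm upper-cased, as in the examples.
expected_principals() {
    name="$1"
    dom="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    realm="$(printf '%s' "$2" | tr 'a-z' 'A-Z')"
    shift 2
    printf '%s$@%s\nhost/%s.%s@%s\n' "$name" "$realm" "$name" "$dom" "$realm"
    for svc in "$@"; do
        printf '%s/%s.%s@%s\n%s/%s@%s\n' "$svc" "$name" "$dom" "$realm" "$svc" "$name" "$realm"
    done
}

# missing_principals <klist-file> <name> <domain> [service...]
# Prints every expected principal that has no entry (at any KVNO) in the
# listing. Empty output means the join or --reset left the keytab complete.
missing_principals() {
    f="$1"; shift
    expected_principals "$@" | while IFS= read -r p; do
        awk -v p="$p" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }' "$f" ||
            printf '%s\n' "$p"
    done
}

# resource_entries <klist-file> <name>
# Prints "KVNO principal" for every entry that belongs to <name>: its
# samAccountName, or a service principal on <name> or <name>.<dns-domain>.
# Run against each node's listing to find the nodes that still carry a
# disjoined resource's keys.
resource_entries() {
    awk -v nb="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            p = tolower($2); sub(/@.*$/, "", p)                 # drop the realm
            n = index(p, "/"); host = n ? substr(p, n + 1) : p  # drop "svc/"
            if (host == nb "$" || host == nb || index(host, nb ".") == 1) print $1, $2
        }' "$1"
}

# kvnos_to_purge <klist-file> <name> <keep>
# Previews "novell-ad-util --purge <keep>" for <name>: the key versions that
# would be removed, i.e. all but the newest <keep>. With keep=0 every version
# goes, which is the cleanup step for nodes a disjoined resource was migrated to.
kvnos_to_purge() {
    resource_entries "$1" "$2" | awk '{ print $1 }' | sort -n -u |
        awk -v keep="$3" '{ v[NR] = $1 } END { for (i = 1; i <= NR - keep; i++) print v[i] }'
}

echo "principals missing for cluster2015 (cifs):"
missing_principals "$SAMPLE_KLIST" cluster2015 EXAMPLE.COM cifs
echo "key versions --purge 2 would drop for cluster2015:"
kvnos_to_purge "$SAMPLE_KLIST" cluster2015 2
```

Run resource_entries on every node's listing after a resource has been disjoined: any node that still prints entries for the resource is one where the --purge 0 command above must be run. The preview matches the worked example for --purge 2 (versions 2 and 3 go, 4 and 5 stay) and prints nothing when fewer versions exist than are to be kept.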

novell-ad-util --getrinfo --cluster-resource .cn=CLUSTER-OES2015-POOL-SERVER.o=novell.t=NSSAD_CLUSTER.

Fetches the NetBIOS name of the cluster resource and the domain name where the cluster resource should join.

novell-ad-util --join --domain-name EXAMPLE.COM --context cn=OES2015Servers --pre-created-object yes --service-principal cifs

Joins this host to the Active Directory domain, provided the computer object for this host already exists in the container cn=OES2015Servers. The name of the pre-created object must match the NetBIOS name of the server.

Files

/etc/krb5.conf

Stores Kerberos configuration.

/etc/krb5.keytab

Default keytab file that contains Service Principals of the OES server.

/var/log/novell-ad-util/novell-ad-util.log

Stores the log information.

Help Options

--help

Displays help on the commands and syntax, and then exits.