Delinea Agents Activation Playbook

This playbook performs the following tasks:

  • Check if the CentrifyDC package is installed (skip further actions if not installed)

  • Check if a computer is joined to domain (skip further actions if already joined)

  • Copy the service account's keytab file to the host and obtain a Kerberos ticket-granting ticket (TGT) for that account

  • Join the computer to the domain using that TGT

  • Destroy the TGT and the keytab file

Playbook example running adjoin using Kerberos:

---
- hosts: all
  become: true
  vars:
    domain_name: domain.com
    user_principal: svc_delineaadjoin@DOMAIN.COM
    user_keytab: /etc/adjoin.keytab
    container: domain.com/Delinea/Computers
    zone: domain.com/Delinea/Zones/Global/Linux/Development
    realm_config: /etc/krb5.conf

  tasks:
    # The package is CentrifyDC; yumstate is "installed" for an installed
    # package and "available" otherwise
    - name: Check if CentrifyDC is installed
      yum:
        list: 'CentrifyDC'
      register: yum_cmd

    # adinfo exits 0 when the host is joined and 10 when it is not;
    # any other status is a real error
    - name: Check if computer is joined to domain
      command: adinfo
      register: adinfo_cmd
      changed_when: adinfo_cmd.rc == 10
      failed_when:
        - adinfo_cmd.rc != 10
        - adinfo_cmd.rc != 0

    - name: Join computer to Active Directory
      block:
        - name: Copy kerberos config file to guarantee finding realm
          copy:
            src: "{{ realm_config }}"
            dest: "{{ realm_config }}"
            owner: root
            group: root
            mode: '0644'

        - name: Copy service account's keytab file
          copy:
            src: "{{ user_keytab }}"
            dest: "{{ user_keytab }}"
            owner: root
            group: root
            mode: '0600'

        - name: Obtain service account's Kerberos TGT
          command: kinit -kt "{{ user_keytab }}" "{{ user_principal }}"

        - name: Join the computer to Active Directory domain using kerberos
          command: adjoin "{{ domain_name }}" --container "{{ container }}" --zone "{{ zone }}" --verbose

      # Cleanup runs whether or not kinit and adjoin succeeded, so the
      # join-capable keytab never stays behind on a host after a failed run
      always:
        - name: Destroy service account's Kerberos TGT
          command: kdestroy
          failed_when: false

        - name: Securely remove service account's keytab file
          command: shred --iterations=1 --remove "{{ user_keytab }}"
          args:
            removes: "{{ user_keytab }}"

      when:
        - yum_cmd.results | selectattr("yumstate", "match", "installed") | list | length == 1
        - adinfo_cmd.rc == 10

The following playbook performs these tasks:

  • Check if the CentrifyDC package is installed (skip further actions if not installed)

  • Check if a computer is joined to a domain (skip further actions if already joined)

  • Join a computer to a domain using self-service join (no service account credential is shipped to the host)

Playbook example running self-service adjoin:

---
- hosts: all
  become: true
  vars:
    domain_name: domain.com

  tasks:
    - name: Check if CentrifyDC is installed
      yum:
        list: 'CentrifyDC'
      register: yum_cmd

    # adinfo exits 0 when the host is joined and 10 when it is not
    - name: Check if computer is joined to domain
      command: adinfo
      register: adinfo_cmd
      changed_when: adinfo_cmd.rc == 10
      failed_when:
        - adinfo_cmd.rc != 10
        - adinfo_cmd.rc != 0

    # No keytab is copied: the host joins with the computer account that was
    # prepared for it in advance (see the prerequisites below)
    - name: Join computer to Active Directory
      block:
        - name: Join the computer to Active Directory domain using self-service
          command: adjoin "{{ domain_name }}" --selfserve --verbose
      when:
        - yum_cmd.results | selectattr("yumstate", "match", "installed") | list | length == 1
        - adinfo_cmd.rc == 10

Self-service join requires three things to exist before the playbook runs: a computer account in the Active Directory domain, a computer profile in the target Delinea zone, and a delegation that allows that computer account to join the domain on its own. This preparation can be done with the "Prepare UNIX Computer" wizard in the Access Manager console or with the PowerShell cmdlet New-CdmManagedComputer.

Delinea Agents Deactivation Playbook

The playbook performs the following tasks:

  • Check if the CentrifyDC package is installed (skip further actions if not installed)

  • Check if a computer is joined to a domain (skip further actions if not joined)

  • Copy the service account's keytab file to the host and obtain a Kerberos ticket-granting ticket (TGT) for that account

  • Remove the computer from the domain using that TGT

  • Destroy the TGT and the keytab file

Playbook example running adleave using Kerberos:

---
- hosts: all
  become: true
  vars:
    user_principal: svc_delineaadjoin@DOMAIN.COM
    user_keytab: /etc/adjoin.keytab

  tasks:
    - name: Check if CentrifyDC is installed
      yum:
        list: 'CentrifyDC'
      register: yum_cmd

    # adinfo exits 0 when the host is joined and 10 when it is not;
    # here a joined host is the one that needs action
    - name: Check if computer is joined to domain
      command: adinfo
      register: adinfo_cmd
      changed_when: adinfo_cmd.rc == 0
      failed_when:
        - adinfo_cmd.rc != 10
        - adinfo_cmd.rc != 0

    - name: Remove computer from Active Directory
      block:
        - name: Copy service account's keytab file
          copy:
            src: "{{ user_keytab }}"
            dest: "{{ user_keytab }}"
            owner: root
            group: root
            mode: '0600'

        - name: Obtain service account's Kerberos TGT
          command: kinit -kt "{{ user_keytab }}" "{{ user_principal }}"

        # --remove also deletes the computer account from Active Directory,
        # which is why the service account's TGT is needed here
        - name: Leave Active Directory domain
          command: adleave --remove --verbose

      # Cleanup runs whether or not adleave succeeded
      always:
        - name: Destroy service account's Kerberos TGT
          command: kdestroy
          failed_when: false

        - name: Securely remove service account's keytab file
          command: shred --iterations=1 --remove "{{ user_keytab }}"
          args:
            removes: "{{ user_keytab }}"

      when:
        - yum_cmd.results | selectattr("yumstate", "match", "installed") | list | length == 1
        - adinfo_cmd.rc == 0
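The join and leave sequences of the Kerberos playbooks above, as an added example that is not part of the Delinea documentation or product: a POSIX shell wrapper around the same commands (adinfo, klist, kinit, adjoin, adleave, kdestroy, shred) that adds two checks a practitioner wants when a join-capable keytab is shipped to every host. It refuses to kinit unless the keytab holds entries for exactly the expected principal, and it installs an EXIT trap so the TGT is destroyed and the keytab shredded on every exit path, including a failed adjoin or an interrupted run. Assumptions: adinfo exits 0 when joined and 10 when not joined (the rule the playbooks' failed_when encodes); klist -kt prints the MIT Kerberos "KVNO Timestamp Principal" table; the principal, keytab path, domain, container and zone defaults are the page's placeholders, not real values; the klist output embedded in sample_klist_output is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not Delinea's code): Kerberos join/leave with a keytab
# principal check and trap-based cleanup. Defaults are the page's placeholders.

USER_PRINCIPAL="${USER_PRINCIPAL:-svc_delineaadjoin@DOMAIN.COM}"
USER_KEYTAB="${USER_KEYTAB:-/etc/adjoin.keytab}"
DOMAIN_NAME="${DOMAIN_NAME:-domain.com}"
CONTAINER="${CONTAINER:-domain.com/Delinea/Computers}"
ZONE="${ZONE:-domain.com/Delinea/Zones/Global/Linux/Development}"

# Map an adinfo exit status to joined / notjoined / error
# (assumed: 0 = joined, 10 = not joined, as in the playbooks).
adinfo_state() {
    case "$1" in
        0)  echo joined ;;
        10) echo notjoined ;;
        *)  echo error ;;
    esac
}

# Read `klist -kt <keytab>` output on stdin and print each distinct principal
# once. Entry rows start with a numeric KVNO; header rows do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Succeed only if the keytab listing on stdin holds entries for exactly one
# principal and it is the expected one ($1). Any other principal means the
# wrong keytab was shipped to this host, so do not kinit with it.
keytab_matches() {
    found=$(keytab_principals)
    [ -n "$found" ] && [ "$found" = "$1" ]
}

# Constructed sample of MIT klist -kt output (two KVNOs of one principal),
# used to exercise the checks above without a real keytab.
sample_klist_output() {
    printf '%s\n' \
        "Keytab name: FILE:/etc/adjoin.keytab" \
        "KVNO Timestamp           Principal" \
        "---- ------------------- ------------------------------------" \
        "   2 01/01/2024 00:00:00 svc_delineaadjoin@DOMAIN.COM" \
        "   3 01/06/2024 00:00:00 svc_delineaadjoin@DOMAIN.COM"
}

# Drop the TGT and shred the keytab. Installed as an EXIT trap so it runs on
# success, on failure and on interruption.
cleanup() {
    kdestroy >/dev/null 2>&1 || true
    if [ -f "$USER_KEYTAB" ]; then
        shred --iterations=1 --remove "$USER_KEYTAB" || rm -f "$USER_KEYTAB"
    fi
}

# Run a command while holding the service account's TGT, then clean up.
run_with_service_tgt() {
    trap cleanup EXIT INT TERM
    klist -kt "$USER_KEYTAB" | keytab_matches "$USER_PRINCIPAL" || {
        echo "refusing to use $USER_KEYTAB: not a keytab for $USER_PRINCIPAL only" >&2
        return 1
    }
    kinit -kt "$USER_KEYTAB" "$USER_PRINCIPAL" || return 1
    "$@"
}

# join | leave, with the same skip rules as the playbooks.
main() {
    if adinfo >/dev/null 2>&1; then rc=0; else rc=$?; fi
    state=$(adinfo_state "$rc")
    case "$1:$state" in
        join:joined)     echo "already joined, nothing to do" ;;
        leave:notjoined) echo "not joined, nothing to do" ;;
        join:notjoined)  run_with_service_tgt adjoin "$DOMAIN_NAME" \
                             --container "$CONTAINER" --zone "$ZONE" --verbose ;;
        leave:joined)    run_with_service_tgt adleave --remove --verbose ;;
        *)               echo "adinfo exited $rc; aborting '$1'" >&2; return 1 ;;
    esac
}

# Only act when explicitly asked; sourcing or running without an argument
# just defines the functions.
case "${1:-}" in
    join|leave) main "$1" ;;
esac
```

Run it as root with `join` or `leave` as the only argument on a host where the keytab has already been placed. The principal check is the cheap part of the design: the expensive part is that the keytab is a long-lived credential with join rights, so the service account it belongs to should be allowed to do nothing beyond creating and deleting computer objects in the configured container.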