vagrant: add active directory box

menonsudhir · Aug 17, 2022 · 14ad325 · 14ad325
1 parent 9ba3b2c
commit 14ad325
Show file tree

Hide file tree

Showing 9 changed files with 470 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,7 @@
 __pycache__
 /.env
 /docker-compose.override*
+.vagrant
 
 shared/**/*
 !shared/.gitkeep
diff --git a/data/configs/dnsmasq.conf b/data/configs/dnsmasq.conf
@@ -10,6 +10,7 @@ local=/test/
 # These zones have their own DNS server
 server=/ipa.test/172.16.100.10
 server=/samba.test/172.16.100.30
+server=/ad.test/172.16.200.10
 
 # Add A records for LDAP and client machines
 address=/master.ldap.test/172.16.100.20
@@ -23,3 +24,4 @@ ptr-record=10.100.16.172.in-addr.arpa,master.ipa.test
 ptr-record=20.100.16.172.in-addr.arpa,master.ldap.test
 ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test
 ptr-record=40.100.16.172.in-addr.arpa,client.test
+ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test
diff --git a/readme.md b/readme.md
@@ -142,6 +142,78 @@ services:
     image: ${REGISTRY}/ci-client-devel:${TAG}
 ```
 
+## Using real Active Directory instance
+
+Active Directory does not run in containers so we have Samba DC container to
+mitigate this. However, there may be situations when we need to test against
+real Active Directory running on a Windows server. There is a virtual machine
+defined in [Vagrantfile](./src/Vagrantfile) that can be instantiated via
+[vagrant](https://www.vagrantup.com/).
+
+| Name         |        IP       |      FQDN       | Netbios name | Description    |
+|--------------|-----------------|-----------------|--------------|----------------|
+| ad           | `172.16.200.10` | `dc.ad.test`    | `AD`         | AD forest root |
+
+### Preqrequisites
+
+The following vagrant plugins are required:
+
+* `vagrant-libvirt`
+* `winrm` and `winrm-elevated` (these are built-in to the official [Hashicorp package](https://www.vagrantup.com/downloads))
+
+There are often compatibility issues and bugs when mixing packages provided by
+Linux distributions and non-packaged plugins that require difficult workarounds.
+We recommend to use vagrant from
+[quay.io/sssd/vagrant:latest](https://quay.io/repository/sssd/vagrant?tab=tags&tag=latest)
+container instead to prevent any issues. You can define the following function
+in your `.bashrc`:
+
+```bash
+function vagrant {
+  dir="${VAGRANT_HOME:-$HOME/.vagrant.d}"
+  mkdir -p "$dir/"{boxes,data,tmp}
+
+  podman run -it --rm \
+    -e LIBVIRT_DEFAULT_URI \
+    -v /var/run/libvirt/:/var/run/libvirt/ \
+    -v "$dir/boxes:/vagrant/boxes" \
+    -v "$dir/data:/vagrant/data" \
+    -v "$dir/tmp:/vagrant/tmp" \
+    -v $(realpath "${PWD}"):${PWD} \
+    -w $(realpath "${PWD}") \
+    --network host \
+    --security-opt label=disable \
+    quay.io/sssd/vagrant:latest \
+      vagrant $@
+}
+```
+
+### Starting and stopping the virtual machine
+
+```console
+$ cd ./src
+$ vagrant up
+$ vagrant halt
+$ vagrant destroy
+```
+
+### Creating IPA trust
+
+First, start the CI containers with `sudo make up`, after that you can setup trust
+between `ipa.test` and `ad.test`.
+
+```console
+$ sudo podman exec ipa /usr/bin/bash -c 'echo Secret123 | kinit admin && echo vagrant | ipa trust-add ad.test --admin Administrator --password'
+```
+
+### Joining client into the ad.test domain
+
+First, start the CI containers with `sudo make up`, after that you can enroll the client to `ad.test` domain.
+
+```console
+sudo podman exec client /usr/bin/bash -c 'echo -e Administrator\nvagrant | realm join ad.test'
+```
+
 # Advanced topics
 
 ## Recreating certificates and ssh keys

diff --git a/src/Vagrantfile b/src/Vagrantfile
@@ -0,0 +1,28 @@
+Vagrant.configure("2") do |config|
+    config.vm.define "ad" do |this|
+        this.vm.box = "peru/windows-server-2022-standard-x64-eval"
+        this.vm.hostname = "dc"
+        this.vm.guest = :windows
+        this.vm.communicator = "winrm"
+        this.winrm.username = "Administrator"
+        this.vm.network "private_network",
+            :ip => "172.16.200.10",
+            :libvirt__dhcp_enabled => false,
+            :libvirt__network_address => '172.16.200.0/24',
+            :libvirt__forward_mode => 'route'
+
+        this.vm.provider :libvirt do |libvirt|
+            libvirt.memory = 4092
+
+            if defined?(libvirt.qemu_use_session)
+                libvirt.qemu_use_session = false
+            end
+        end
+
+        this.vm.provision "ansible" do |ansible|
+            ansible.inventory_path = "./ansible/inventory.yml"
+            ansible.playbook = "./ansible/playbook_vagrant.yml"
+            ansible.config_file = "./ansible/ansible.cfg"
+        end
+    end
+end
diff --git a/src/ansible/inventory.yml b/src/ansible/inventory.yml
@@ -31,3 +31,12 @@ all:
       vars:
         ansible_connection: podman
         ansible_python_interpreter: /usr/bin/python3
+    windows:
+      hosts:
+        ad:
+          ansible_host: 172.16.200.10
+      vars:
+        ansible_connection: winrm
+        ansible_port: 5985
+        ansible_user: .\Administrator
+        ansible_password: vagrant
diff --git a/src/ansible/playbook_vagrant.yml b/src/ansible/playbook_vagrant.yml
@@ -0,0 +1,7 @@
+---
+- hosts: ad
+  gather_facts: yes
+  roles:
+  - ad
+  vars_files:
+  - variables.yml