Joining Warewulf Managed Compute Nodes to Active Directory
The following tutorial will walk through how to join your Warewulf managed compute nodes to Active Directory. This tutorial assumes that you have the following prerequisites satisfied:
- You have Warewulf installed with a compute node configured that can be deployed to. For more information on how to set up a Warewulf cluster, please refer to the quick start guide.
- Your compute nodes have network access to Active Directory.
Join Compute Node to Active Directory
Let's install the packages needed to join a compute node to Active Directory into the node image, using the wwctl container shell command. The container used in this tutorial is called slurm-compute.
[root@hpc-lab-control0 ~]# wwctl container shell slurm-compute
[slurm-compute] Warewulf> dnf install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
Exiting the container shell with exit code 0 will trigger a container rebuild.
[slurm-compute] Warewulf> exit 0
exit
+ LANG=C
+ LC_CTYPE=C
+ export LANG LC_CTYPE
+ dnf clean all
56 files removed
Rebuilding container...
Created image for VNFS container slurm-compute:/var/lib/warewulf/container/slurm-compute.img
Compressed image for VNFS container slurm-compute: /var/lib/warewulf/container/slurm-compute.img.gz
Deploy the node image to a compute node. We power cycle the compute node with the command below so that it PXE boots from the Warewulf server and picks up the rebuilt image.
[root@hpc-lab-control0 ~]# wwctl power cycle hpc-lab-compute0
Once the node is up, SSH to it and join it to Active Directory with realm join, entering the credentials of an account that is allowed to create computer objects in the domain (realm prompts for the Administrator password by default; pass -U <user> to join with a different account).
[root@hpc-lab-compute0 ~]# realm join my.ad-domain.com
To verify that the node joined successfully, look up passwd information for an Active Directory user and check that /etc/krb5.keytab has been created. That file holds the node's machine-account keys; it should be mode 0600 and owned by root.
[root@hpc-lab-compute0 ~]# getent passwd user@my.ad-domain.com
[root@hpc-lab-compute0 ~]# ls -l /etc/krb5.keytab
Persist Compute Node Active Directory Join in Warewulf
In the ideal case the compute node comes up already joined to Active Directory. Warewulf nodes boot a fresh copy of the container image, so everything realm join wrote to the live root filesystem is lost on reboot: the machine keytab (/etc/krb5.keytab), but also the SSSD and Kerberos client configuration (/etc/sssd/sssd.conf, /etc/krb5.conf) and the nsswitch/PAM changes realmd makes to enable SSSD. The configuration files are identical for every node and belong in the container image or a shared overlay; the keytab is specific to each node and is handled with a node-specific overlay in the steps that follow:
Create an overlay called active-directory.
[root@hpc-lab-control0 ~]# wwctl overlay create active-directory
Add a Warewulf template file /etc/krb5.keytab.ww with the following content:
{{- Include (printf "/srv/krb5/krb5.keytab-%s" .Id) -}}
The template includes the keytab staged for this node under /srv/krb5, selected by node name (.Id), and renders its binary content into the node's overlay, so each node receives only its own keytab. The - inside the curly braces matters: it trims the surrounding whitespace, which would otherwise corrupt the binary data. Warewulf renders the overlay on the server, so the staged files must be readable by root there and by nobody else.
To import this file into the overlay active-directory
, run the following command:
wwctl overlay import active-directory krb5.keytab.ww /etc/krb5.keytab.ww
SSSD renews the computer account password periodically (every 30 days by default, controlled by ad_maximum_machine_account_password_age in sssd.conf) and writes the new keys to /etc/krb5.keytab on the compute node, incrementing the key version number. After that, the checksum of /etc/krb5.keytab on the node no longer matches the copy staged on the Warewulf server, and a node rebooted with the old keytab in its overlay can no longer authenticate to Active Directory. Two consequences for the overlay design: keep the keytab template in the system overlay, which is applied once at boot, not in the runtime overlay, which wwclient re-applies periodically and would overwrite the node's renewed keytab with the stale staged copy; and treat /srv/krb5 and the rendered overlay as credential material, since any host that can fetch a node's overlay from the provisioning service obtains that node's machine keys. We will set up a cron job on the Warewulf server to copy /etc/krb5.keytab back from the compute nodes and stage the files in /srv/krb5/, so that the overlay is built from the current keys whenever nodes are deployed.
Create file /etc/cron.daily/copy-krb5-keytabs.sh with the following content and make it executable (mode 0700, owned by root). The script assumes that root on the Warewulf server can SSH to the compute nodes with key authentication and no prompt, since cron runs it non-interactively; keep /srv/krb5 itself mode 0700 so the staged keytabs are readable only by root.
#!/bin/bash
# Copy each node's current /etc/krb5.keytab back to the Warewulf server so the
# active-directory overlay is built from the latest machine-account keys.
PREFIX="/srv/krb5/krb5.keytab-"

# Nodes are derived from the keytabs already staged under /srv/krb5.
list_nodes () {
    local f
    for f in "${PREFIX}"*; do
        [ -e "$f" ] && printf '%s\n' "${f#"$PREFIX"}"
    done
}

main () {
    local node nodes tmp
    # Name nodes as arguments to seed a node that has no staged copy yet.
    if [ "$#" -gt 0 ]; then nodes="$*"; else nodes="$(list_nodes)"; fi
    for node in $nodes; do
        # Fetch to a dotfile (not matched by the glob above), restrict it to
        # root, then rename atomically so a build never sees a partial keytab.
        tmp="/srv/krb5/.${node}.tmp"
        scp -q "${node}:/etc/krb5.keytab" "$tmp" \
            && chmod 600 "$tmp" && mv -f "$tmp" "${PREFIX}${node}" \
            || { echo "keytab fetch failed for ${node}" >&2; rm -f "$tmp"; }
    done
}
main "$@"
Stage the first copy under /srv/krb5 by running the script with the node name as an argument; without arguments it only refreshes nodes that already have a staged keytab, so a freshly joined node has to be named explicitly once. Then assign the active-directory overlay to the node (or its profile) as a system overlay and rebuild the overlay so that the image Warewulf serves contains the keytab. The wwctl node set options for assigning overlays differ between Warewulf versions, so check the overlay documentation for yours; wwctl overlay build rebuilds overlays, and newer releases also rebuild a stale overlay automatically when a node requests it.
[root@hpc-lab-control0 ~]# /etc/cron.daily/copy-krb5-keytabs.sh hpc-lab-compute0
Reboot the compute node and verify that the node comes up joined to Active Directory by attempting to get passwd information from Active Directory.
[root@hpc-lab-control0 ~]# wwctl power cycle hpc-lab-compute0
[root@hpc-lab-control0 ~]# ssh hpc-lab-compute0
[root@hpc-lab-compute0 ~]# getent passwd user@my.ad-domain.com
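A check for the keytab drift discussed in the staging step above, as an added example that is not part of this tutorial or of Warewulf: a small parser for the MIT keytab format (version 0x0502, the layout libkrb5 writes) that reads the key version number (kvno) of each principal, so a staged copy can be compared with the node's current keytab by kvno rather than by raw checksum. A higher kvno on the node means the machine-account password rotated since staging and the staged file would no longer authenticate. The realm, principal names, timestamps and zeroed or sequential keys below are constructed sample data, not a real keytab; on a live system you would read the staged file from /srv/krb5 and the node's copy instead.

```python
"""MIT keytab (format 0x0502) parser used to tell whether a staged keytab is
older than the node's copy. Added example; not Warewulf or tutorial code."""
import hashlib
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # keytab format version 2: all integers big-endian
NT_PRINCIPAL = 1             # KRB5_NT_PRINCIPAL
AES256_CTS = 18              # aes256-cts-hmac-sha1-96


@dataclass
class KeytabEntry:
    principal: str           # "name/instance@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _octets(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_octets(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialize entries in the layout libkrb5 writes. Used here only to
    construct sample data; real keytabs come from realm join / adcli."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _octets(realm.encode())
        for c in components:
            body += _octets(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _octets(e.key)
        body += struct.pack(">I", e.kvno)          # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body  # int32 entry size
    return bytes(out)


def parse_keytab(data: bytes):
    """Walk the entry table. A negative size marks a deleted slot to skip."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _read_octets(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_octets(data, p)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, p)
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        key, p = _read_octets(data, p + 11)
        kvno = vno8
        if end - p >= 4:   # 32-bit trailer present: it overrides the 8-bit vno
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
        off = end
    return entries


def max_kvno_by_principal(data: bytes) -> dict:
    kvnos = {}
    for e in parse_keytab(data):
        kvnos[e.principal] = max(kvnos.get(e.principal, 0), e.kvno)
    return kvnos


def staged_keytab_is_stale(staged: bytes, on_node: bytes) -> bool:
    """True when the node holds a higher kvno than the staged copy for any
    principal, i.e. the machine-account password rotated since staging."""
    if hashlib.sha256(staged).digest() == hashlib.sha256(on_node).digest():
        return False
    staged_kvnos = max_kvno_by_principal(staged)
    return any(kvno > staged_kvnos.get(p, 0)
               for p, kvno in max_kvno_by_principal(on_node).items())


# Constructed sample data: hypothetical realm and node, zeroed/sequential keys.
_PRINCIPALS = ["HPC-LAB-COMPUTE0$@MY.AD-DOMAIN.COM",
               "host/hpc-lab-compute0.my.ad-domain.com@MY.AD-DOMAIN.COM"]
STAGED = build_keytab([KeytabEntry(p, NT_PRINCIPAL, 1700000000, 2, AES256_CTS, bytes(32))
                       for p in _PRINCIPALS])
ON_NODE = build_keytab([KeytabEntry(p, NT_PRINCIPAL, 1702592000, 3, AES256_CTS,
                                    bytes(range(32))) for p in _PRINCIPALS])
```

The same kvno is what klist -kte prints on the node; parsing the file directly is useful on the Warewulf server, which need not have the Kerberos client tools installed, and lets one cron job compare every staged file in /srv/krb5 against a freshly fetched copy before the overlay is rebuilt.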
It’s that simple! By following these step-by-step instructions, you will successfully join your Warewulf managed compute nodes to Active Directory.