6

We're joining our Linux machines to our Active Directory using adcli join. We are now starting to do this as part of our saltstack setup, but we cannot figure out how to determine whether the machine is already joined to the domain. It seems nothing breaks by doing multiple joins, but it does take some time and seems a bit unclean. What can we look at to find out if the machine is already joined? Nothing in the adcli suite seems to do the trick.

Linux distro used is CentOS (both 6.6 and 7), domain is 2008R2 functional level.

EDIT: I've seen some people checking for the existence of /etc/krb5.keytab, but it seems to me that that is only indicative of whether the machine has ever been joined. If I remove the machine account from the AD, the file will still be there, but the machine is in fact no longer joined.

carlpett
  • Could you run `ldapsearch` against your Active Directory? I don't have AD in my environment to test this with, but it seems you should be able to write a query that would search for your machine's ID. – Joe Block Jul 06 '15 at 00:50

3 Answers

5

I think you could just check the return code of the following command:

realm list | grep active-directory

It should return 1 if there are no domains connected.

Vasili Syrakis
4

A successful kinit -k host/$(hostname -f) should be sufficient.

This checks to see both if the keytab exists and is valid.

84104
2

You can use adcli testjoin:

adcli testjoin

adcli testjoin uses the current credentials in the keytab and tries to authenticate with the machine account to the AD domain. If this works the machine account password and the join are still valid.

or realm list:

realm list

List all the discovered and configured realms.

Romain
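Added example, not code from the question or from any of the three answers above: a small shell script that turns the three suggestions into one idempotence check, with the caveat each of them carries. `realm list` only reads the realmd/sssd configuration on the client and never asks a domain controller, so it keeps reporting the realm after the computer object has been deleted in AD (exactly the case the question worries about); it is therefore kept as a separate, informational function and does not decide the result. `kinit -k` and `adcli testjoin` both authenticate with the key in the keytab against the KDC, so they are the checks that actually answer the question: a deleted computer object or a reset machine password fails there while the keytab file stays on disk. The script prefers `adcli testjoin` and falls back to `kinit -k`, run into a throwaway credential cache so it never overwrites the tickets in the default one, when adcli is absent or when AD_CHECK=kinit is set (for adcli builds that predate testjoin). Assumptions not stated on the page: the keytab is /etc/krb5.keytab, the principal adcli wrote is host/<fqdn>, the script runs as root (the keytab is not world-readable), and the variable names, function names and the hostname host01.example.com in the comments are mine.

```shell
#!/bin/sh
# Added example for this thread (not from the question or the answers).
# Assumed defaults, overridable from the environment:
#   KEYTAB    keytab adcli join wrote (assumed /etc/krb5.keytab)
#   AD_CHECK  auto | adcli | kinit  (which network check to use)
# Every external tool is called by its bare name so a test can shadow it
# with a shell function.
set -u

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
AD_CHECK="${AD_CHECK:-auto}"

# Local-only check: realmd's view. `realm list` reads client configuration
# and does not contact a domain controller, so it still says
# "configured: kerberos-member" after the computer object was deleted in AD.
# Good for telling "never set up" from "set up but stale", nothing more.
ad_realm_configured() {
    realm list 2>/dev/null | grep -q 'configured: kerberos-member'
}

# Local-only check: does the keytab hold a key for host/<our fqdn>?
# Catches a keytab left behind by a join under a different hostname.
ad_keytab_has_host_principal() {
    [ -r "$KEYTAB" ] || return 1
    klist -k "$KEYTAB" 2>/dev/null | grep -q "host/$(hostname -f)@"
}

# Network check, adcli flavour: authenticate the machine account with the
# keytab. Exit 0 only if the account and its current password are valid.
ad_account_valid_adcli() {
    if adcli testjoin >/dev/null 2>&1; then return 0; else return 1; fi
}

# Network check, kinit flavour: same idea using only MIT Kerberos tools.
# A deleted or password-reset computer object makes the KDC reject the
# request; a private ccache keeps the caller's own tickets untouched.
ad_account_valid_kinit() {
    local cc rc
    cc="$(mktemp)" || return 1
    if kinit -k -t "$KEYTAB" -c "$cc" "host/$(hostname -f)" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    kdestroy -c "$cc" >/dev/null 2>&1
    rm -f "$cc"
    return "$rc"
}

# Pick adcli testjoin when adcli is installed, unless AD_CHECK says otherwise.
ad_account_valid() {
    local method
    case "$AD_CHECK" in
        adcli) method=adcli ;;
        kinit) method=kinit ;;
        *) if command -v adcli >/dev/null 2>&1; then method=adcli
           else method=kinit; fi ;;
    esac
    if [ "$method" = adcli ]; then
        ad_account_valid_adcli
    else
        ad_account_valid_kinit
    fi
}

# Prints one word and exits 0 only for "joined":
#   no-keytab   keytab missing or unreadable (never joined, or not root)
#   wrong-host  keytab exists but has no host/<fqdn> key (joined as another name)
#   stale       keytab present but AD no longer accepts it: re-join needed
#   joined      the machine account still authenticates against the domain
ad_join_state() {
    if [ ! -r "$KEYTAB" ]; then
        echo no-keytab; return 1
    fi
    if ! ad_keytab_has_host_principal; then
        echo wrong-host; return 1
    fi
    if ad_account_valid; then
        echo joined; return 0
    fi
    echo stale; return 1
}

# To install as /usr/local/sbin/ad-join-state, append one final line:
#   ad_join_state
# Its exit status then says "joined" (0) or "join/re-join needed" (non-zero).
```

The exit status is what a configuration manager wants: in Salt, put the script's path in `unless:` on the `cmd.run` that performs `adcli join`, so the slow join only runs when the state is anything other than joined. Note that the two network checks need a reachable domain controller; on a host that is cut off from the domain they report stale even though the account is fine, so treat that result as "cannot confirm" rather than blindly re-joining from an unattended run.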