vcl-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From arku...@apache.org
Subject svn commit: r1785881 - in /vcl/trunk/managementnode/lib/VCL: DataStructure.pm Module/OS/Windows.pm Module/Provisioning.pm utils.pm
Date Tue, 07 Mar 2017 20:28:49 GMT
Author: arkurth
Date: Tue Mar  7 20:28:49 2017
New Revision: 1785881

URL: http://svn.apache.org/viewvc?rev=1785881&view=rev
Log:
VCL-867
Made another attempt to update DataStructure.pm::_automethod to not display warnings when
get_image_domain* is called and the data is not defined. The previous change wasn't catching
all calls.

Added utils.pm::get_active_directory_domain_credentials. This is needed to determine the domain
username and password in order to remove a computer from a domain after the preloaded image
was reconfigured to not join a domain. The normal $self->data->get_image_domain* information
is not available in this case.

Updated Provisioning.pm to check if OS module implements a node_status_os_check subroutine
and call it if it does.

Added Windows.pm::ad_check. It contains all logic to determine if an image is configured for
AD, if a computer is already joined to a domain, and calls the necessary subroutines to either
unjoin the domain, join the domain, or both if the computer is joined to a different domain
or located in the wrong OU. Removed similar logic from ad_join.

Replaced call from ad_join to ad_check in Windows.pm::post_load.

Added Windows.pm::node_status_os_check which simply returns the value of ad_check. Naming
reason: ad_check is called elsewhere and Windows-specific. node_status_os_check is more general
and may perform additional functions in the future.

Reworked Windows.pm::ad_unjoin to call wmic.exe rather than building Powershell script. Need
to test this and determine which is better.

Updated Windows.pm::ad_search, ad_delete_computer, and ad_search_computer to accept domain
DNS name argument. This is used when a computer is joined to a domain but shouldn't be (image
was reconfigured after computer was loaded).


Modified:
    vcl/trunk/managementnode/lib/VCL/DataStructure.pm
    vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm
    vcl/trunk/managementnode/lib/VCL/Module/Provisioning.pm
    vcl/trunk/managementnode/lib/VCL/utils.pm

Modified: vcl/trunk/managementnode/lib/VCL/DataStructure.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/DataStructure.pm?rev=1785881&r1=1785880&r2=1785881&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/DataStructure.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/DataStructure.pm Tue Mar  7 20:28:49 2017
@@ -900,7 +900,7 @@ sub _automethod : Automethod {
 			$return_value = eval $hash_path;
 		}
 		elsif (!$key_defined) {
-			if ($show_warnings && $hash_path !~ /(serverrequest|image_domain)/) {
+			if ($show_warnings && $hash_path !~ /(serverrequest|domain)/) {
 				notify($ERRORS{'WARNING'}, 0, "corresponding data has not been initialized for $method_name:
$hash_path", $self->request_data);
 			}
 			return sub { };

Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm?rev=1785881&r1=1785880&r2=1785881&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm Tue Mar  7 20:28:49 2017
@@ -947,7 +947,7 @@ sub post_load {
 =cut
 
 	if ($imagedomain_domaindnsname) {
-		if (!$self->ad_join()) {
+		if (!$self->ad_check()) {
 			notify($ERRORS{'WARNING'}, 0, "failed to join Active Directory domain");
 			return 0;
 		}
@@ -13502,6 +13502,149 @@ sub ad_join_prepare {
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 node_status_os_check
+
+ Parameters  : none
+ Returns     : boolean
+ Description : Called from provisioning module's node_status subroutine. This
+               checks if the loaded computer's Active Directory configuration is
+               correct if image is configured to join an AD domain.
+
+=cut
+
+sub node_status_os_check {
+	my $self = shift;	
+	if (ref($self) !~ /windows/i) {
+		notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called
as a class method");
+		return;
+	}
+	
+	# Check if computer AD configuration is correct if image is configured for AD
+	# Returning false indicates AD configuration could not be corrected and calling subroutine
should reload the computer
+	return $self->ad_check();
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 ad_check
+
+ Parameters  : none
+ Returns     : boolean
+ Description : Checks if the computer is joined to an Active Directory domain
+               and located in the correct OU.
+
+=cut
+
+sub ad_check {
+	my $self = shift;	
+	if (ref($self) !~ /windows/i) {
+		notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called
as a class method");
+		return;
+	}
+	
+	my $computer_name	= $self->data->get_computer_short_name();
+	my $image_domain_dns_name = $self->data->get_image_domain_dns_name();
+	
+	# Check if the computer is joined to any AD domain
+	my $computer_current_domain_name = $self->ad_get_current_domain();
+	
+	if (!$image_domain_dns_name) {
+		# Computer should NOT be joined to an AD domain
+		if (!$computer_current_domain_name) {
+			notify($ERRORS{'OK'}, 0, "image is not configured for Active Directory and $computer_name
is not joined to a domain, returning 1");
+			return 1;
+		}
+		
+		# Computer incorrectly joined to an AD domain, attempt to unjoin the domain
+		notify($ERRORS{'OK'}, 0, "$computer_name is joined to the $computer_current_domain_name
domain but the image is not configured for Active Directory, attempting to unjoin the domain");
+		if ($self->ad_unjoin()) {
+			notify($ERRORS{'OK'}, 0, "image is not configured for Active Directory, unjoined $computer_name
from $computer_current_domain_name domain, returning 1");
+			return 1;
+		}
+		else {
+			notify($ERRORS{'WARNING'}, 0, "image is not configured for Active Directory, failed to
unjoin $computer_name from $computer_current_domain_name domain, returning undefined");
+			return;
+		}
+	}
+	
+	# Computer should be joined to AD domain
+	if (!$computer_current_domain_name) {
+		# Computer is not joined to an AD domain, return the result of attempting to join
+		notify($ERRORS{'OK'}, 0, "image is configured to join the $image_domain_dns_name domain,
$computer_name is not joined to a domain, attempting to join the domain");
+		return $self->ad_join();
+	}
+	
+	
+	# Computer is joined to an AD domain, check if it's in the correct domain
+	if ($computer_current_domain_name ne $image_domain_dns_name) {
+		# Computer is not joined to the correct domain, attempt to unjoin and then rejoin
+		notify($ERRORS{'DEBUG'}, 0, "$computer_name is joined to the $computer_current_domain_name
domain, image is configured to join the $image_domain_dns_name, attempting to unjoin then
join the correct domain");
+		if (!$self->ad_unjoin()) {
+			notify($ERRORS{'WARNING'}, 0, "image is configured to join the $image_domain_dns_name,
failed to unjoin $computer_name from the $computer_current_domain_name domain, returning undefined");
+			return;
+		}
+		elsif (!$self->ad_join()) {
+			notify($ERRORS{'WARNING'}, 0, "image is configured to join the $image_domain_dns_name,
unjoined $computer_name from the incorrect $computer_current_domain_name domain but failed
to rejoin the correct $image_domain_dns_name domain, returning undefined");
+			return;
+		}
+		else {
+			notify($ERRORS{'OK'}, 0, "unjoined $computer_name from the incorrect $computer_current_domain_name
and rejoined to the correct domain: $image_domain_dns_name, returning 1");
+			return 1;
+		}
+	}
+	
+	# Computer is joined to the correct AD domain, make sure computer object is in the correct
OU
+	
+	# Determine the OU configured for the image
+	my $image_ou_dn = $self->get_ad_computer_ou_dn();
+	if (!$image_ou_dn) {
+		notify($ERRORS{'WARNING'}, 0, "image is configured to join the $image_domain_dns_name domain
but proper computer OU DN could not be determined, returning undefined");
+		return;
+	}
+	
+	# Get the computer's current OU
+	my $computer_current_dn = $self->ad_search_computer();
+	if (!$computer_current_dn) {
+		notify($ERRORS{'WARNING'}, 0, "$computer_name is joined to the correct $computer_current_domain_name
domain but current OU could not be determined, assuming computer object is in the correct
OU, returning 1");
+		return 1;
+	}
+	
+	# Extract the OU DN from the DN of the computer object
+	my ($computer_current_ou_dn) = $computer_current_dn =~ /^[^,]+,(OU=.+)$/;
+	if (!$computer_current_ou_dn) {
+		notify($ERRORS{'WARNING'}, 0, "$computer_name is joined to the correct $computer_current_domain_name
domain but current OU DN could not be parsed from current computer object DN: '$computer_current_dn',
assuming computer object is in the correct OU, returning 1");
+		return 1;
+	}
+	
+	if ($computer_current_ou_dn =~ /^$image_ou_dn$/i) {
+		notify($ERRORS{'OK'}, 0, "$computer_name is joined to the correct domain and in the correct
OU, returning 1:\n" .
+			"current domain: $computer_current_domain_name\n" .
+			"computer object OU: $computer_current_ou_dn"
+		);
+		return 1;
+	}
+	
+	# Computer is in the wrong OU
+	notify($ERRORS{'OK'}, 0, "$computer_name is joined to the correct $computer_current_domain_name
domain but located in the wrong OU, attempting to unjoin then rejoin the domain in the correct
OU:\n" .
+		"OU configured for image    : $image_ou_dn\n" .
+		"current computer object OU : $computer_current_ou_dn"
+	);
+	if (!$self->ad_unjoin()) {
+		notify($ERRORS{'WARNING'}, 0, "failed to unjoin $computer_name from the $computer_current_domain_name
domain in order to rejoin in the correct OU, returning undefined");
+		return;
+	}
+	elsif (!$self->ad_join()) {
+		notify($ERRORS{'WARNING'}, 0, "failed to rejoin $computer_name to the correct OU in the
$image_domain_dns_name domain: '$image_ou_dn', returning undefined");
+		return;
+	}
+	else {
+		notify($ERRORS{'OK'}, 0, "rejoined $computer_name to the correct OU in the $image_domain_dns_name
domain: '$image_ou_dn', returning 1");
+		return 1;
+	}
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
 =head2 ad_join
 
  Parameters  : none
@@ -13545,43 +13688,6 @@ sub ad_join {
 		return;
 	}
 	
-	# Make sure the computer is not already a member of a domain
-	# TODO: add logic to check if computer belongs to the correct domain in the correct OU
-	# If not, remove and rejoin
-	my $current_domain_name = $self->ad_get_current_domain();
-	if ($current_domain_name) {
-		if ($current_domain_name ne $domain_dns_name) {
-			notify($ERRORS{'WARNING'}, 0, "unable to add $computer_name to $domain_dns_name domain,
it is already a member of a different domain: $current_domain_name");
-			return;
-		}
-		
-		# Search for the computer object in the domain
-		my $current_computer_dn = $self->ad_search_computer();
-		if (!$current_computer_dn) {
-			notify($ERRORS{'WARNING'}, 0, "unable to add $computer_name to $domain_dns_name domain,
it appears to already a member of the domain but the current DN could not be determined");
-			return;
-		}
-		
-		# Extract the OU DN from the computer DN
-		my ($current_computer_ou_dn) = $current_computer_dn =~ /^[^,]+,(OU=.+)$/;
-		if (!$current_computer_ou_dn) {
-			notify($ERRORS{'WARNING'}, 0, "unable to add $computer_name to $domain_dns_name domain,
failed to parse OU DN from current computer DN: $current_computer_dn");
-			return;
-		}
-		
-		if ($current_computer_ou_dn =~ /^$computer_ou_dn$/i) {
-			notify($ERRORS{'OK'}, 0, "$computer_name is already joined to $domain_dns_name domain
and in the correct OU: $current_computer_ou_dn");
-			return 1;
-		}
-		else {
-			notify($ERRORS{'WARNING'}, 0, "$computer_name is already joined to $domain_dns_name domain
but in the a different OU:\n" .
-				"correct OU: $computer_ou_dn\n" .
-				"current OU: $current_computer_ou_dn"
-			);
-			$self->ad_unjoin() || return;
-		}
-	}
-	
 	# Figure out/fix the computer OU and assemble optional section to add to PowerShell command
 	my $domain_computer_command_section = '';
 	if ($computer_ou_dn) {
@@ -13594,7 +13700,7 @@ sub ad_join {
 		"domain password: $domain_password\n" .
 		"domain computer OU DN: " . ($computer_ou_dn ? $computer_ou_dn : '<not configured>')
 	);
-
+	
 	# Perform preparation tasks
 	$self->ad_join_prepare() || return;
 	
@@ -13719,69 +13825,124 @@ sub ad_unjoin {
 	
 	my $computer_name	= $self->data->get_computer_short_name();
 	my $image_name	= $self->data->get_image_name();
+	my $system32_path = $self->get_system32_path() || return;
 	
-	my $domain_dns_name = $self->data->get_image_domain_dns_name();
-	my $domain_username = $self->data->get_image_domain_username();
-	my $domain_password = $self->data->get_image_domain_password();
+	my $computer_current_domain = $self->ad_get_current_domain();
+	if (!$computer_current_domain) {
+		notify($ERRORS{'DEBUG'}, 0, "$computer_name does not need to be removed from AD because
it is not currently joined to a domain");
+		return 1;
+	}
 	
-	if (!defined($domain_dns_name)) {
-		notify($ERRORS{'WARNING'}, 0, "unable to remove $computer_name from AD, image $image_name
is not assigned to a domain");
+	# Expected output:
+	# Executing (\\<COMPUTERNAME>\ROOT\CIMV2:Win32_ComputerSystem.Name="<COMPUTERNAME>")->UnJoinDomainOrWorkgroup()
+	# Method execution successful.s
+	# Out Parameters:
+	# instance of __PARAMETERS
+	# {
+	#       ReturnValue = 0;
+	# };
+	
+	# Assemble the unjoin command
+	my $unjoin_command = "echo | cmd.exe /c \"$system32_path/Wbem/wmic.exe /INTERACTIVE:OFF
COMPUTERSYSTEM WHERE Name=\\\"%COMPUTERNAME%\\\" Call UnJoinDomainOrWorkgroup FUnjoinOptions=0\"";
+	notify($ERRORS{'DEBUG'}, 0, "attempting to unjoin $computer_name from $computer_current_domain
Active Directory domain");
+	my ($unjoin_exit_status, $unjoin_output) = $self->execute($unjoin_command);
+	if (!defined($unjoin_output)) {
+		notify($ERRORS{'DEBUG'}, 0, "failed to execute command to unjoin the $computer_current_domain
Active Directory domain");
 		return;
 	}
-	elsif (!defined($domain_username)) {
-		notify($ERRORS{'WARNING'}, 0, "unable to remove $computer_name from AD, user name is not
configured for $domain_dns_name domain");
+	elsif (grep(/ERROR/i, @$unjoin_output)) {
+		notify($ERRORS{'WARNING'}, 0, "failed to unjoin $computer_current_domain Active Directory
domain, output:\n" . join("\n", @$unjoin_output));
 		return;
 	}
-	elsif (!defined($domain_password)) {
-		notify($ERRORS{'WARNING'}, 0, "unable to remove $computer_name from AD, password is not
configured for $domain_dns_name domain");
+	elsif (grep(/ReturnValue\s+=\s+[1-9]/i, @$unjoin_output)) {
+		notify($ERRORS{'WARNING'}, 0, "failed to unjoin $computer_current_domain Active Directory
domain, return value is not 0, output:\n" . join("\n", @$unjoin_output));
 		return;
 	}
-	
-	if (!$self->ad_get_current_domain()) {
-		notify($ERRORS{'DEBUG'}, 0, "$computer_name does not need to be removed from AD because
it is not currently joined to a domain");
-		return 1;
+	elsif (grep(/Method execution successful/i, @$unjoin_output)) {
+		notify($ERRORS{'OK'}, 0, "unjoined $computer_current_domain Active Directory domain, output:\n"
. join("\n", @$unjoin_output));
+	}
+	else {
+		notify($ERRORS{'WARNING'}, 0, "unexpected output unjoining $computer_current_domain Active
Directory domain, output:\n" . join("\n", @$unjoin_output));
 	}
 	
-	notify($ERRORS{'DEBUG'}, 0, "attempting to unjoin $computer_name from AD");
 	
-	# Assemble the PowerShell script
-	my $ad_powershell_script = <<EOF;
-\$Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size(5000, 500)
-\$ps_credential = New-Object System.Management.Automation.PsCredential("$domain_dns_name\\$domain_username",
(ConvertTo-SecureString "$domain_password" -AsPlainText -Force))
-try {
-   Add-Computer -WorkgroupName VCL -Credential \$ps_credential -ErrorAction Stop
-}
-catch {
-   Write-Host "ERROR: failed to add computer to workgroup, error: \$(\$_.Exception.Message)"
-   exit 1
-}
-EOF
-
-	my ($exit_status, $output) = $self->run_powershell_as_script($ad_powershell_script, 1,
1);
-	if (!defined($output)) {
-		notify($ERRORS{'WARNING'}, 0, "failed to execute PowerShell script to remove $computer_name
from Active Directory domain");
+	# Assemble the join workgroup command
+	my $join_workgroup_command = "echo | cmd.exe /c \"$system32_path/Wbem/wmic.exe /INTERACTIVE:OFF
COMPUTERSYSTEM WHERE Name=\\\"%COMPUTERNAME%\\\" Call JoinDomainOrWorkgroup name=VCL\"";
+	my ($join_workgroup_exit_status, $join_workgroup_output) = $self->execute($join_workgroup_command);
+	if (!defined($join_workgroup_output)) {
+		notify($ERRORS{'DEBUG'}, 0, "failed to execute command to join workgroup");
 		return;
 	}
-	elsif (grep(/ERROR/, @$output)) {
-		# Computer object was already or deleted or can't be found for some reason:
-		#   This command cannot be executed on target computer('') due to following error: No mapping
between account names and security IDs was done.
-		if (grep(/No mapping between account names/, @$output)) {
-			notify($ERRORS{'WARNING'}, 0, "failed to remove $computer_name from Active Directory domain,
the computer object may have been deleted from the domain, output:\n" . join("\n", @$output));
-		}
-		else {
-			notify($ERRORS{'WARNING'}, 0, "failed to remove $computer_name from Active Directory domain,
output:\n" . join("\n", @$output));
-		}
-		return 0;
+	elsif (grep(/ERROR/i, @$join_workgroup_output)) {
+		notify($ERRORS{'WARNING'}, 0, "failed to join workgroup, output:\n" . join("\n", @$join_workgroup_output));
 	}
-	
-	notify($ERRORS{'OK'}, 0, "removed $computer_name from Active Directory domain, output:\n"
. join("\n", @$output));
-	
+	elsif (grep(/ReturnValue\s+=\s+[1-9]/i, @$join_workgroup_output)) {
+		notify($ERRORS{'WARNING'}, 0, "failed to join workgroup, return value is not 0, output:\n"
. join("\n", @$join_workgroup_output));
+	}
+	elsif (grep(/Method execution successful/i, @$join_workgroup_output)) {
+		notify($ERRORS{'OK'}, 0, "joined workgroup, output:\n" . join("\n", @$join_workgroup_output));
+	}
+	else {
+		notify($ERRORS{'WARNING'}, 0, "unexpected output joining workgroup, output:\n" . join("\n",
@$join_workgroup_output));
+	}
+
 	if (!$self->reboot(300, 3, 1)) {
-		notify($ERRORS{'WARNING'}, 0, "failed to remove $computer_name from Active Directory domain,
failed to reboot computer after unjoining domain");
+		notify($ERRORS{'WARNING'}, 0, "failed to unjoin $computer_name from Active Directory domain,
failed to reboot computer after unjoining domain");
+		return;
+	}
+	
+	# Verify the computer no longer is joined to a domain
+	my $new_computer_current_domain = $self->ad_get_current_domain();
+	if ($new_computer_current_domain) {
+		notify($ERRORS{'WARNING'}, 0, "failed to unjoin $computer_name from Active Directory domain,
it appears to still be a member of the $new_computer_current_domain domain");
 		return;
 	}
 	
-	$self->ad_delete_computer($computer_name);
+	#if (!defined($domain_dns_name)) {
+	#	notify($ERRORS{'WARNING'}, 0, "unable to remove $computer_name from AD, image $image_name
is not assigned to a domain");
+	#	return;
+	#}
+	#elsif (!defined($domain_username)) {
+	#	notify($ERRORS{'WARNING'}, 0, "unable to remove $computer_name from AD, user name is not
configured for $domain_dns_name domain");
+	#	return;
+	#}
+	#elsif (!defined($domain_password)) {
+	#	notify($ERRORS{'WARNING'}, 0, "unable to remove $computer_name from AD, password is not
configured for $domain_dns_name domain");
+	#	return;
+	#}
+	#	# Assemble the PowerShell script
+	#	my $ad_powershell_script = <<EOF;
+	#\$Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size(5000, 500)
+	#\$ps_credential = New-Object System.Management.Automation.PsCredential("$domain_dns_name\\$domain_username",
(ConvertTo-SecureString "$domain_password" -AsPlainText -Force))
+	#try {
+	#   Add-Computer -WorkgroupName VCL -Credential \$ps_credential -ErrorAction Stop
+	#}
+	#catch {
+	#   Write-Host "ERROR: failed to add computer to workgroup, error: \$(\$_.Exception.Message)"
+	#   exit 1
+	#}
+	#EOF
+	#
+	#	my ($exit_status, $output) = $self->run_powershell_as_script($ad_powershell_script,
1, 1);
+	#	if (!defined($output)) {
+	#		notify($ERRORS{'WARNING'}, 0, "failed to execute PowerShell script to remove $computer_name
from Active Directory domain");
+	#		return;
+	#	}
+	#	elsif (grep(/ERROR/, @$output)) {
+	#		# Computer object was already or deleted or can't be found for some reason:
+	#		#   This command cannot be executed on target computer('') due to following error: No
mapping between account names and security IDs was done.
+	#		if (grep(/No mapping between account names/, @$output)) {
+	#			notify($ERRORS{'WARNING'}, 0, "failed to remove $computer_name from Active Directory
domain, the computer object may have been deleted from the domain, output:\n" . join("\n",
@$output));
+	#		}
+	#		else {
+	#			notify($ERRORS{'WARNING'}, 0, "failed to remove $computer_name from Active Directory
domain, output:\n" . join("\n", @$output));
+	#		}
+	#		return 0;
+	#	}
+	#	
+	#	notify($ERRORS{'OK'}, 0, "removed $computer_name from Active Directory domain, output:\n"
. join("\n", @$output));
+	
+	$self->ad_delete_computer($computer_name, $computer_current_domain);
 	return 1;
 }
 
@@ -13792,6 +13953,14 @@ EOF
  Parameters  : none
  Returns     : boolean
  Description : Checks if the computer is joined to any Active Directory domain.
+               Returns the following:
+               * undefined - Error occurred, unable to determine if computer is
+                 joined to a domain.
+               * 0 - Computer is not joined to a domain.
+               * string - Computer is joined to a domain. The domain name is
+                 returned.
+               * 1 - Computer is joined to a domain but the domain name could
+                 not be determined.
 
 =cut
 
@@ -13860,7 +14029,11 @@ sub ad_search {
 		return;
 	}
 	
-	my ($ldap_filter_argument, $attempt_limit) = @_;
+	my $arguments = shift;
+	
+	my $computer_name	= $self->data->get_computer_short_name();
+	
+	my $ldap_filter_argument = $arguments->{ldap_filter};
 	if (!defined($ldap_filter_argument)) {
 		notify($ERRORS{'WARNING'}, 0, "LDAP filter hash reference argument was not supplied");
 		return;
@@ -13873,11 +14046,8 @@ sub ad_search {
 		notify($ERRORS{'WARNING'}, 0, "empty LDAP FILTER hash reference argument was supplied");
 		return;
 	}
-	
-	$attempt_limit = 3 unless $attempt_limit;
-	
-	# Make sure objectClass was specified
-	if (!defined($ldap_filter_argument->{objectClass})) {
+	elsif (!defined($ldap_filter_argument->{objectClass})) {
+		# Make sure objectClass was specified
 		notify($ERRORS{'WARNING'}, 0, "LDAP FILTER hash reference argument does not contain an
objectClass value:\n" . format_data($ldap_filter_argument));
 		return;
 	}
@@ -13886,24 +14056,24 @@ sub ad_search {
 		return;
 	}
 	
-	# This sub handles both search and delete under very strict conditions
-	# This is somewhat ugly but was done to reduce code duplication - especially with the Powershell
below
-	my $operation;
-	my $calling_subroutine = get_calling_subroutine();
-	if ($calling_subroutine =~ /(ad_delete_computer)/) {
-		$operation = 'delete';
+	my $domain_dns_name;
+	my $domain_username;
+	my $domain_password;
+	if (defined($arguments->{domain_dns_name})) {
+		$domain_dns_name = $arguments->{domain_dns_name};
+		($domain_username, $domain_password) = get_active_directory_domain_credentials($domain_dns_name);
+		if (!defined($domain_username) || !defined($domain_password)) {
+			notify($ERRORS{'WARNING'}, 0, "unable to search domain: $domain_dns_name, domain DNS name
argument was specified but credentials could not be determined from existing 'addomain' table
entries");
+			return;
+		}
 	}
 	else {
-		$operation = 'search for';
+		$domain_dns_name = $self->data->get_image_domain_dns_name();
+		$domain_username = $self->data->get_image_domain_username();
+		$domain_password = $self->data->get_image_domain_password();
 	}
-	
-	my $computer_name	= $self->data->get_computer_short_name();
-	
-	my $domain_dns_name = $self->data->get_image_domain_dns_name();
-	my $domain_username = $self->data->get_image_domain_username();
-	my $domain_password = $self->data->get_image_domain_password();
 	if (!defined($domain_dns_name)) {
-		notify($ERRORS{'WARNING'}, 0, "unable to determine if AD object exists on $computer_name,
domain DNS name is not configured");
+		notify($ERRORS{'WARNING'}, 0, "unable to determine if AD object exists on $computer_name,
domain DNS name is not configured for the image and was not passed as an argument");
 		return;
 	}
 	elsif (!defined($domain_username)) {
@@ -13915,6 +14085,19 @@ sub ad_search {
 		return;
 	}
 	
+	my $attempt_limit = $arguments->{attempt_limit} || 3;
+	
+	# This sub handles both search and delete under very strict conditions
+	# This is somewhat ugly but was done to reduce code duplication - especially with the Powershell
below
+	my $operation;
+	my $calling_subroutine = get_calling_subroutine();
+	if ($calling_subroutine =~ /(ad_delete_computer)/) {
+		$operation = 'delete';
+	}
+	else {
+		$operation = 'search for';
+	}
+	
 	my $search_attribute_count = scalar(keys %$ldap_filter_argument);
 	
 	my $ldap_filter;
@@ -14064,7 +14247,7 @@ EOF
 
 =head2 ad_delete_computer
 
- Parameters  : $computer_samaccountname (optional)
+ Parameters  : $computer_samaccountname (optional), $domain_dns_name (optional)
  Returns     : boolean
  Description : Deletes a computer object from the active directory domain with a
                sAMAccountName attribute matching the argument. If no argument is
@@ -14084,23 +14267,34 @@ sub ad_delete_computer {
 		return;
 	}
 	
-	my $computer_samaccountname = shift || $self->data->get_computer_short_name();
+	my ($computer_samaccountname, $domain_dns_name) = @_;
 	
+	$computer_samaccountname = $self->data->get_computer_short_name() unless $computer_samaccountname;
+	
+	# Make sure computer samAccountName does not contain a trailing dollar sign
+	# A dollar sign will be present if retrieved directly from AD
 	$computer_samaccountname =~ s/\$*$/\$/g;
 	
-	return $self->ad_search(
-		{
+	my $ad_search_arguments = {
+		'ldap_filter' => {
 			'objectClass' => 'computer',
 			'sAMAccountName' => $computer_samaccountname,
-		},
-	);
+		}
+	};
+	
+	# If a specific domain was specified, retrieve the username and password for that domain
+	if ($domain_dns_name) {
+		$ad_search_arguments->{domain_dns_name} = $domain_dns_name;
+	}
+	
+	return $self->ad_search($ad_search_arguments);
 }
 
 #/////////////////////////////////////////////////////////////////////////////
 
 =head2 ad_search_computer
 
- Parameters  : $computer_samaccountname (optional)
+ Parameters  : $computer_samaccountname (optional), $domain_dns_name (optional)
  Returns     : string
  Description : Checks if a computer exists in the Active Directory domain with a
                sAMAccountName attribute matching the argument. If found, a
@@ -14115,16 +14309,27 @@ sub ad_search_computer {
 		return;
 	}
 	
-	my $computer_samaccountname = shift || $self->data->get_computer_short_name();
+	my ($computer_samaccountname, $domain_dns_name) = @_;
+	
+	$computer_samaccountname = $self->data->get_computer_short_name() unless $computer_samaccountname;
 	
+	# Make sure computer samAccountName does not contain a trailing dollar sign
+	# A dollar sign will be present if retrieved directly from AD
 	$computer_samaccountname =~ s/\$*$/\$/g;
 	
-	my @computer_dns = $self->ad_search(
-		{
+	my $ad_search_arguments = {
+		'ldap_filter' => {
 			'objectClass' => 'computer',
 			'sAMAccountName' => $computer_samaccountname,
 		}
-	);
+	};
+	
+	# If a specific domain was specified, retrieve the username and password for that domain
+	if ($domain_dns_name) {
+		$ad_search_arguments->{domain_dns_name} = $domain_dns_name;
+	}
+	
+	my @computer_dns = $self->ad_search($ad_search_arguments);
 	if (@computer_dns) {
 		return $computer_dns[0];
 	}
@@ -14174,8 +14379,10 @@ sub ad_search_ou {
 	
 	return $self->ad_search(
 		{
-			'objectClass' => 'organizationalUnit',
-			$attribute_name => $ou_identifier,
+			'ldap_filter' => {
+				'objectClass' => 'organizationalUnit',
+				$attribute_name => $ou_identifier,
+			}
 		}
 	);
 }
@@ -14216,8 +14423,10 @@ sub ad_user_exists {
 	
 	my @user_dns = $self->ad_search(
 		{
-			'objectClass' => 'user',
-			'sAMAccountName' => $user_samaccountname,
+			'ldap_filter' => {
+				'objectClass' => 'user',
+				'sAMAccountName' => $user_samaccountname,
+			}
 		}
 	);
 	

Modified: vcl/trunk/managementnode/lib/VCL/Module/Provisioning.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/Provisioning.pm?rev=1785881&r1=1785880&r2=1785881&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/Provisioning.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/Provisioning.pm Tue Mar  7 20:28:49 2017
@@ -128,14 +128,22 @@ sub node_status {
 	
 	# Check if the post-load tasks have been completed
 	my $post_load_status = $self->os->get_post_load_status();
-	if ($post_load_status) {
-		notify($ERRORS{'OK'}, 0, "OS module post_load tasks have been completed on $computer_name,
returning 'READY'");
-		return 'READY';
-	}
-	else {
+	if (!$post_load_status) {
 		notify($ERRORS{'DEBUG'}, 0, "OS module post_load tasks have NOT been completed on $computer_name,
returning 'POST_LOAD'");
 		return 'POST_LOAD';
 	}
+	
+	# Check if OS module implements a node_status_os_check subroutine
+	# Currently, this is only used by the Windows module to ensure the AD configuration is correct
if an image's AD configuration is changed after a computer is loaded
+	if ($self->os->can('node_status_os_check')) {
+		if (!$self->os->node_status_os_check()) {
+			notify($ERRORS{'DEBUG'}, 0, "OS module's node_status_os_check returned false, returning
'RELOAD'");
+			return 'RELOAD';
+		}
+	}
+	
+	notify($ERRORS{'DEBUG'}, 0, "general node status checks all succeeded, returning 'READY'");
+	return 'READY';
 }
 
 #/////////////////////////////////////////////////////////////////////////////

Modified: vcl/trunk/managementnode/lib/VCL/utils.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/utils.pm?rev=1785881&r1=1785880&r2=1785881&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/utils.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/utils.pm Tue Mar  7 20:28:49 2017
@@ -115,6 +115,7 @@ our @EXPORT = qw(
 	format_data
 	format_hash_keys
 	format_number
+	get_active_directory_domain_credentials
 	get_affiliation_info
 	get_array_intersection
 	get_block_request_image_info
@@ -14697,6 +14698,61 @@ EOF
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 get_active_directory_domain_credentials
+
+ Parameters  : $domain_dns_name, $no_cache (optional)
+ Returns     : ($username, $password)
+ Description : Attempts to retrieve the username and password for the domain
+               from the addomain table. This is used if a computer needs to be
+               removed from a domain but the reservation image is not configured
+               for Active Directory. When this occurs, the credentials are not
+               available from $self->data.
+
+=cut
+
+sub get_active_directory_domain_credentials {
+	my ($domain_dns_name, $no_cache) = @_;
+	if (!$domain_dns_name) {
+		notify($ERRORS{'WARNING'}, 0, "domain DNS name argument was not specified");
+		return;
+	}
+	
+	if (!$no_cache && defined($ENV{active_directory_domain_credentials}{$domain_dns_name}))
{
+		notify($ERRORS{'DEBUG'}, 0, "returning cached Active Directory credentials for $domain_dns_name
domain");
+		return @{$ENV{active_directory_domain_credentials}{$domain_dns_name}};
+	}
+	
+	# Construct the select statement
+	my $select_statement = <<EOF;
+SELECT DISTINCT
+username,
+password
+FROM
+addomain
+WHERE
+addomain.domainDNSName = '$domain_dns_name'
+EOF
+	
+	# Call the database select subroutine
+	my @selected_rows = database_select($select_statement);
+
+	# Check to make sure 1 row was returned
+	if (scalar @selected_rows == 0) {
+		notify($ERRORS{'DEBUG'}, 0, "Active Directory domain does not exist in the database: $domain_dns_name");
+		return ();
+	}
+
+	# Get the single row returned from the select statement
+	my $row = $selected_rows[0];
+	my $username = $row->{username};
+	my $password = $row->{password};
+	notify($ERRORS{'DEBUG'}, 0, "retrieved credentials for $domain_dns_name domain from database,
username: '$username', password: '$password'");
+	$ENV{active_directory_domain_credentials}{$domain_dns_name} = [$username, $password];
+	return @{$ENV{active_directory_domain_credentials}{$domain_dns_name}};
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
 
 1;
 __END__



Mime
View raw message