Roles updated to include LDAPS and local base-box vagrantfile updgraded to test

base-boxes/base-winsvr2012/Vagrantfile

@@ -7,15 +7,15 @@ required_plugins.each do |plugin|
 end
 
 Vagrant.configure("2") do |config|
+  config.vm.boot_timeout = 600
   config.vm.box = "edu.psu/base-winsvr2012"
-  #config.vm.box_url = "file:///home/cpb113/base-vagrant/psu_winsvr2012_basebox_1_0_0.tar.gz"
-  config.vm.box_url = "https://nexus.ci.psu.edu/repository/vagrant-boxes/base-winsvr2012.json"
+  config.vm.box_url = "file:///home/cpb113/base-vagrant/base-winsvr2012.json"
+  #config.vm.box_url = "https://nexus.ci.psu.edu/repository/vagrant-boxes/base-winsvr2012.json"
 
   config.winrm.username = "vagrant"
   config.winrm.password = "P@ssw0rd"
 
-  
-  config.vm.network "forwarded_port", guest: 3389, host: 3389
+  config.vm.network "forwarded_port", guest: 3389, host: 3389, host_ip: "127.0.0.1", id: "rdp"
 
   config.vm.network "private_network", ip: "192.168.33.11", virtualbox__intnet: "localDev"
 
@@ -26,15 +26,16 @@ Vagrant.configure("2") do |config|
   end
 
   config.vm.provider :virtualbox do |vb|
-    vb.customize ["modifyvm", :id, "--memory", "1024"]
+    vb.memory = "1024"
+    vb.cpus = "2"
   end
   
   # Enable provisioning with Ansible 
-  #config.vm.provision :ansible do |ansible|
-  #  ansible.playbook = "playbook.yml"
-  #  ansible.groups = {
-  #    "vagrant" => ["default"],
-  #  }
-  #end
+  config.vm.provision :ansible do |ansible|
+    ansible.playbook = "playbook.yml"
+    ansible.groups = {
+      "vagrant" => ["default"],
+    }
+  end
 
 end

roles/ActiveDirectory/tasks/main.yml

+- name: force Name of machine
+  rename_computer: >
+    computer_name=develop-dc-01
+
+- name: wait for reboot
+  local_action: wait_for 
+  args: host={{ inventory_hostname }} port=5985 delay=1 timeout=120 state=started
+
+- name: generate ca cert key
+  shell: openssl genrsa -des3 -passout pass:{{ ad_safe_mode_password }} -out ca.key 4096
+  delegate_to: localhost
+
+- name: generate ca cert
+  shell: openssl req -new -x509 -days 3650 -passin pass:{{ ad_safe_mode_password }} -key ca.key -out ca.crt -subj "/C=US/ST=Pennsylvania/L=University Park/O=Pennsylvania State University/OU=IT/CN=CA.develop.local"
+  delegate_to: localhost
+
+- name: create LDAPS local certRequest.inf
+  delegate_to: localhost
+  copy:
+     content: ";----------------- request.inf -----------------
+[Version]
+Signature=$Windows NT$
+[NewRequest]
+Subject = \"CN=develop-dc-01.develop.local\" ; replace with the FQDN of the DC
+KeySpec = 1
+KeyLength = 2048
+; Can be 1024, 2048, 4096, 8192, or 16384.
+; Larger key sizes are more secure, but have
+; a greater impact on performance.
+Exportable = TRUE
+MachineKeySet = TRUE
+SMIME = False
+PrivateKeyArchive = FALSE
+UserProtected = FALSE
+UseExistingKeySet = FALSE
+ProviderName = \"Microsoft RSA SChannel Cryptographic Provider\"
+ProviderType = 12
+RequestType = PKCS10
+KeyUsage = 0xa0
+[Extensions]
+OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
+
+;-----------------------------------------------"
+     dest: ./certRequest.inf
+
+
+- name: create temp directory
+  win_file:
+     path: c:\temp
+     state: directory
+
+- name: copy ldaps inf to server
+  win_copy:
+     src: certRequest.inf
+     dest: c:\temp\certRequest.inf
+
+- name: generate ldaps PEM
+  win_shell: certreq -new c:\temp\certRequest.inf c:\temp\develop_dc.pem
+
+- name: copy ldaps pem to server
+  fetch:
+     src: c:\temp\develop_dc.pem
+     dest: develop_dc.pem
+     flat: yes
+
+##### NOT SURE IF NEEDED
+#- name: create v3ext.txt
+#  delegate_to: localhost
+#  copy:
+#     content: "keyUsage=digitalSignature,keyEncipherment
+# extendedKeyUsage=serverAuth
+# subjectKeyIdentifier=hash"
+#     dest: ./v3ext.txt
+
+- name: create ldaps cert
+  shell: openssl x509 -req -days 3650 -in develop_dc.pem -passin pass:{{ ad_safe_mode_password }} -CA ca.crt -CAkey ca.key -set_serial 01 -out develop_dc.crt
+  delegate_to: localhost
+
+- name: copy ca pub cert to server
+  win_copy:
+     src: ca.crt
+     dest: c:\temp\ca.crt
+
+- name: import certificate into Windows
+  import_certs: >
+    name=develop_dc.crt
+
+- name: copy ldaps pub cert to server
+  win_copy:
+     src: develop_dc.crt
+     dest: c:\temp\develop_dc.crt
+
+- name: import certificate into Windows
+  win_shell: certreq -accept c:\temp\develop_dc.crt
+
 - name: Install AD-Domain-Services feature
   win_feature: >
     name=AD-Domain-Services
@@ -11,20 +106,10 @@
     safe_mode_password={{ ad_safe_mode_password }}
   register: result
 
-- name: Reboot
+- name: Reboot second
   win_shell: restart-computer -force
   when: result|changed
   
-#- name: pause for reboot
-#  pause: seconds=30
-  
-#- name: wait for machine start up
-#  win_ping:
-#  register: result
-#  until: result.rc == 0
-#  retries: 30
-#  delay: 10
-  
 - name: wait for reboot
   local_action: wait_for 
   args: host={{ inventory_hostname }} port=5985 delay=1 timeout=120 state=started

roles/ONEForest/library/ONEForest_Config.ps1

@@ -32,25 +32,39 @@ function createUser([String]$inUserName, [String]$inDN, [String]$inPassword)
 	}
 }
 
-function grantUserPermssion($inUsername, $inPermissionApplyToDN, $inPermissionType)
+function grantUserPermssion($inUsername, $inPermissionApplyToDN, $inPermissionType, $inAccessControlType)
 {
+Write-host "----------------------------------------------------"
+Write-host "Granting Permissions to $inUsername"
+write-host "Against DN $inPermissionApplyToDN"
+write-host "With Permission Type $inPermissionType"
+write-host "Permission Type of $inAccessControlType"
+
     $acl = get-acl "ad:$inPermissionApplyToDN"
-    $acl.access
+    #$acl.access
     $user = get-aduser $inUsername
     $sid = [System.Security.Principal.SecurityIdentifier] $user.SID
     
     $identity = [System.Security.Principal.IdentityReference] $sid
     $adRights = [System.DirectoryServices.ActiveDirectoryRights] $inPermissionType
-    $type = [System.Security.AccessControl.AccessControlType] "Allow"
+    $Controltype = [System.Security.AccessControl.AccessControlType] "Allow"
     $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
 
-    $ACE = new-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $inheritanceType
+    if ($inPermissionType.CompareTo("ExtendedRight") -eq 0) {
+        $guid = new-object Guid $inAccessControltype
+        $ACE = new-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $controltype, $inheritanceType, $guid
+    } else {
+        $ACE = new-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $controltype, $inheritanceType
+    }
+
     
     $acl.AddAccessRule($ace)
     
     $newACL = set-acl -aclobject $acl "ad:$inPermissionApplyToDN"
 }
 
+$ADS_EXTENDED_CHANGEPASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"
+$ADS_EXTENDED_SETPASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
 
 
 ################################################### actual code to execute ##########################################################3
@@ -111,8 +125,16 @@ try {
     #### LOCAL Configuration ####
     createOU "LocalConfig" $baseDN
     createUser $localDevUsername "OU=LocalConfig,$baseDN" $localDevPassword
+    set-aduser $localDevUsername -PasswordNeverExpires 1
     grantUserPermssion $localDevUsername "OU=PSU-Users,$baseDN" "GenericAll"
     grantUserPermssion $localDevUsername "OU=PSU-Groups,$baseDN" "GenericAll"
+    grantUserPermssion $localDevUserName "OU=PSU-Users,$baseDN" "ExtendedRight" $ADS_EXTENDED_SETPASSWORD
+
+    #### Test Accounts for Local Mirror of Kerb ###
+    createUser "bad1" "OU=PSU-Users,$baseDN" $localDevPassword
+    createUser "bad2" "OU=PSU-Users,$baseDN" $localDevPassword
+    createUser "gud1" "OU=PSU-Users,$baseDN" $localDevPassword
+    createUser "gud2" "OU=PSU-Users,$baseDN" $localDevPassword
 
     $result.changed = $true