RacADM, Powershell, and Kerberos KeyTabs

Summary:
I was looking to automate configuration of iDRACs (Dell Remote Admin Console), synonymous with iLOM and many other acronyms.  I also wanted to enable domain authentication in a somewhat secure manner.  By using a Kerberos keytab, I'm able to at the very least obfuscate the username and password into a file for upload into the iDRAC.  What follows is a journey into a ridiculous realm.

PreReqs:

  1. RACADM
  2. ktpass
  3. Powershell 3.0 (2.0 probably works too, but I was using 3.0 @ the time)
  4. Your root CA's cert
    1. This is so AD authentication can be set up
Solution:
It's not a complete solution, but hopefully it'll help you get started in your own endeavors.  Below assumes the iDRAC has been configured and is available on the network in default config.

To generate a Kerberos keytab, you simply need the name and password of a service account (this is simply an Active Directory user account) in your domain.

ktpass /pass ReallySecurePas5word /ptype KRB5_NT_PRINCIPAL /princ someserviceaccount@yourdomain.somethinglikethis.com /out C:\directoryofyourchoice\aNameThatMakesSense.keytab
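Before uploading the keytab, it is worth inspecting what ktpass actually wrote: the principal, the key version number (kvno) and the encryption types. The kvno must still match the service account's current one in AD (a password change on that account invalidates the uploaded keytab), and DES or RC4 entries mean the file should be regenerated with a stronger /crypto choice. The PowerShell below is an added example, not part of the original post; it parses the MIT v2 keytab format that ktpass emits, the default path is the placeholder from the ktpass command above, and whether your iDRAC firmware accepts AES-only keytabs is an assumption to verify against Dell's documentation.

```powershell
# Added example (not from the original post): inspect the keytab ktpass wrote before
# uploading it. Parses the MIT v2 keytab layout (magic 0x0502); path is a placeholder.
param([string]$Path = "C:\directoryofyourchoice\aNameThatMakesSense.keytab")

# Kerberos encryption type numbers (RFC 3961 / RFC 4757). DES and RC4 are weak.
$EncTypes = @{ 1 = 'des-cbc-crc'; 3 = 'des-cbc-md5'; 17 = 'aes128-cts-hmac-sha1-96'
               18 = 'aes256-cts-hmac-sha1-96'; 23 = 'rc4-hmac' }
$WeakTypes = 1, 3, 23

# Keytab integers are big-endian; plain arithmetic avoids endianness surprises.
function Read-BE16([byte[]]$b, [int]$o) { [int]$b[$o] * 256 + $b[$o + 1] }
function Read-BE32([byte[]]$b, [int]$o) {
    [long]$b[$o] * 16777216 + [long]$b[$o + 1] * 65536 + [int]$b[$o + 2] * 256 + $b[$o + 3]
}
function Read-CountedString([byte[]]$b, [ref]$o) {   # uint16 length followed by the bytes
    $len = Read-BE16 $b $o.Value; $o.Value += 2
    $s = [Text.Encoding]::ASCII.GetString($b, $o.Value, $len); $o.Value += $len
    $s
}

function Get-KeytabEntries([string]$File) {
    $b = [IO.File]::ReadAllBytes($File)
    if ((Read-BE16 $b 0) -ne 0x0502) { throw "Not a v2 keytab: $File" }
    $pos = 2
    while ($pos + 4 -le $b.Length) {
        $size = Read-BE32 $b $pos; $pos += 4
        if ($size -ge 2147483648) { $size -= 4294967296 }; $size = [int]$size   # int32 sign
        if ($size -lt 0) { $pos += -$size; continue }        # negative size marks a deleted slot
        $end = $pos + $size
        $n = Read-BE16 $b $pos; $pos += 2
        $realm = Read-CountedString $b ([ref]$pos)
        $comps = @(); for ($i = 0; $i -lt $n; $i++) { $comps += Read-CountedString $b ([ref]$pos) }
        $pos += 4                                            # name_type, not needed here
        $created = ([datetime]'1970-01-01').AddSeconds((Read-BE32 $b $pos)); $pos += 4
        $vno = [int]$b[$pos]; $pos += 1                      # 8-bit kvno
        $enc = Read-BE16 $b $pos; $pos += 2
        $keyLen = Read-BE16 $b $pos; $pos += 2 + $keyLen     # skip the key material; never print it
        if ($end - $pos -ge 4) { $vno = Read-BE32 $b $pos }  # optional 32-bit kvno takes precedence
        $pos = $end
        $name = $EncTypes[$enc]; if (-not $name) { $name = "etype $enc" }
        [pscustomobject]@{ Principal = ($comps -join '/') + "@$realm"; Kvno = $vno
                           EncType = $name; Weak = ($WeakTypes -contains $enc); Created = $created }
    }
}

$entries = @(Get-KeytabEntries $Path)
$entries | Format-Table Principal, Kvno, EncType, Weak, Created -AutoSize
# ktpass /crypto AES256-SHA1 is the real switch; AES support on the iDRAC side is an assumption to verify.
if ($entries | Where-Object { $_.Weak }) { Write-Warning "Weak enctype present; rerun ktpass with /crypto AES256-SHA1" }
```

Compare the Kvno column with the service account's msDS-KeyVersionNumber attribute in AD; if they differ, the keytab is already stale and the iDRAC will fail to authenticate against the domain.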


$IPAddress="192.168.123.42"  #This would be the IP of your iDRAC.
$DNS1="8.8.8.8"  #These are Google's DNS servers and likely don't know about your AD, so don't use these.
$DNS2="8.8.4.4"
$myDomainName="yourdomain.somethinglikethis.com" #If it's not obvious, you want to change this to something appropriate to you.
$myRootDomain="somethinglikethis.com" # mydomainname and rootdomain may be the same; iDRAC uses this to look up a list of domain controllers defined as GC's
$nameofADGroup="domain admins" # Populate this with a domain group that you want to have admin rights to the iDRAC.
$RootCALocation="C:\certs\myDomainsCA.cer"  # If you don't have this, you can forego it, but your authentication calls to AD will be unencrypted.
$EnableCertValidation="Enabled" #Set this to "Disabled" if you don't upload a root CA cert.
$KeyTabLocation="C:\directoryofyourchoice\aNameThatMakesSense.keytab" # Must match the /out path given to ktpass above.
$NTP1="nameofNTPserver"
$NTP2="nameofNTPserver2"
$TimeZone="US/Eastern"  # You can check the GUI to see what options would be valid.
$iDracSchema="2" # 2 means that your Active Directory has not been extended with Dell's schema.  If it has, you can change this to 1, but I don't know if there are other things you need to configure.

Write-Host "Disabling annoying error message" -ForegroundColor:Green
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.Tuning.DefaultCredentialWarning Disabled

Write-Host "Uploading RootCA Cert" -ForegroundColor:Green
# The '-t 2' portion specifies that you are uploading the CA certificate for Directory Service (the one the iDRAC uses to validate the domain controller), not the iDRAC's own web server certificate.
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin sslcertupload -f $RootCALocation -t 2
Write-Host "Uploading Kerberos KeyTab File" -ForegroundColor:Green
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin krbkeytabupload -f $KeyTabLocation

Write-Host "Configuring TimeZone" -ForegroundColor:Green
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.Time.Timezone "$($TimeZone)"

Write-Host "Configuring NTP" -ForegroundColor:Green
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.NTPConfigGroup.NTP1 $NTP1
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.NTPConfigGroup.NTP2 $NTP2
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.NTPConfigGroup.NTPEnable Enabled

Write-Host "Configuring AD User Domain" -ForegroundColor:Green
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.UserDomain.1.Name $myDomainName

Write-Host "Configuring Enable DNS from DHCP (Needed for AD Configuration)" -ForegroundColor:Green
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.IPv4.DNSFromDHCP Enabled
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.IPv4Static.DNS1 $DNS1
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.IPv4Static.DNS2 $DNS2

Write-Host "Sorry waiting 15 seconds to make sure AD recognizes configured DNS settings." -ForegroundColor:Green
Start-Sleep -Seconds 15

Write-Host "Configuring Active Directory Authentication" -ForegroundColor:Green
# Uses the $EnableCertValidation value defined above instead of a hard-coded "Enabled".
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ActiveDirectory.CertValidationEnable $EnableCertValidation
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ActiveDirectory.DCLookupByUserDomain Enabled
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ActiveDirectory.DCLookupEnable Enabled
# These particular options rely upon DNS to work and setting them prior to DNS recognition causes an error.
# Capture the result immediately: $? is overwritten by every following statement (including '$count = 0'
# and Start-Sleep), so testing it directly in the loop condition would never retry.
$ok = $?
$count = 0
While (-not $ok -and $count -lt 5){
    $count++
    Write-Host "Sorry, I seem to have failed in setting the DC Lookup Option.  Trying again, Try count: $($count)" -ForegroundColor:Yellow
    & 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ActiveDirectory.DCLookupEnable Enabled
    $ok = $?
    If (-not $ok -and $count -eq 5){Write-Host "Unfortunately, I was unable to successfully enable Active Directory Domain Controller lookup.  Please do so manually." -ForegroundColor:Red }
    Start-Sleep -Seconds 5
}
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ActiveDirectory.GCLookupEnable Enabled
# These particular options rely upon DNS to work and setting them prior to DNS recognition causes an error.
# Same pattern as for DC lookup: capture $? before any other statement resets it.
$ok = $?
$count = 0
While (-not $ok -and $count -lt 5){
    $count++
    Write-Host "Sorry, I seem to have failed in setting the GC Lookup Option.  Trying again, Try count: $($count)" -ForegroundColor:Yellow
    & 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ActiveDirectory.GCLookupEnable Enabled
    $ok = $?
    If (-not $ok -and $count -eq 5){Write-Host "Unfortunately, I was unable to successfully enable Active Directory Global Catalog lookup.  Please do so manually." -ForegroundColor:Red }
    Start-Sleep -Seconds 5
}
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ActiveDirectory.GCRootDomain $myRootDomain
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ActiveDirectory.Schema $iDracSchema
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ActiveDirectory.SSOEnable Enabled
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ActiveDirectory.Enable Enabled

Write-Host "Configuring Active Directory Group" -ForegroundColor:Green
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ADGroup.1.Domain $myDomainName
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ADGroup.1.Name $nameofADGroup
# 0x1ff is the full privilege bitmask, i.e. the Administrator role; use a narrower mask for groups that only need, for example, login and console access.
& 'C:\Program Files\Dell\SysMgt\rac5\racadm.exe' -r $IPAddress -u root -p calvin set iDRAC.ADGroup.1.Privilege 0x1ff
