Ansible roles
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

101 lines
3.2 KiB

---
- name: Build trusted domains list
set_fact: ad_trusted_domains_conf={{ ad_trusted_domains_conf | default([]) + [ad_default_trusted_domain | combine(item,recursive=True)] }}
with_items: "{{ ad_trusted_domains }}"
tags: auth
- set_fact: ad_trusted_domains={{ ad_trusted_domains_conf | default([]) }}
tags: auth
- include_tasks: install_{{ ansible_os_family }}.yml
- name: Set LDAP base
set_fact: ad_ldap_base=DC={{ ad_realm | regex_replace('\.',',DC=') }}
tags: auth
- include_tasks: pam_{{ ansible_os_family }}.yml
- name: Check if there's a secrets.tdb DB
stat: path=/var/lib/samba/private/secrets.tdb
register: ad_samba_secrets
tags: auth
- name: Deploy sssd configuration
template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=600
notify: restart sssd ad
tags: auth
- name: Deploy krb5 configuration
template: src=krb5.conf.j2 dest=/etc/krb5.conf
tags: auth
- name: Remove current keytab
file: path=/etc/krb5.keytab state=absent
when: ad_force_join | bool
tags: auth
- name: Check if we already have our keytab file
stat: path=/etc/krb5.keytab
register: ad_keytab
tags: auth
# We need to have our correct hostname before joining the domain !!
- name: Set system hostname
hostname: name={{ system_hostname | default(inventory_hostname | regex_replace('^([^\.]+)\..*','\\1')) }}
tags: auth
- name: Join the domain
command: adcli join {{ ad_realm | upper }} --login-user={{ ad_admin }} --host-fqdn={{ ansible_hostname }}.{{ ad_realm }} --stdin-password
args:
stdin: "{{ ad_admin_pass }}"
no_log: True
when: not ad_keytab.stat.exists
register: ad_join
tags: auth
- name: Check if we're a DC
stat: path=/var/lib/samba/private/secrets.keytab
register: ad_dc_keytab
tags: auth
- name: Add a cron task to renew machine password
cron:
name: sssd_ad
cron_file: renew_ad_pass
minute: "{{ 59 | random(seed=inventory_hostname) }}"
hour: "{{ 23 | random(seed=inventory_hostname) }}"
day: "{{ 28 | random(seed=inventory_hostname) }}"
user: root
job: net ads changetrustpw
state: "{{ (ad_dc_keytab.stat.exists or not ad_samba_secrets.stat.exists) | ternary('absent','present') }}"
tags: auth
- name: Create keytabs dir
file: path=/var/lib/sss/keytabs state=directory owner=sssd mode=700
tags: auth
- name: Join trusted domains
command: adcli join {{ item.name | upper }} --login-user={{ item.admin_user }} --stdin-password --host-keytab=/var/lib/sss/keytabs/{{ item.name | upper }}.keytab
args:
stdin: "{{ item.admin_pass }}"
creates: /var/lib/sss/keytabs/{{ item.name | upper }}.keytab
become_user: sssd
with_items: "{{ ad_trusted_domains }}"
register: ad_trusted_join
tags: auth
- name: Start and enable services
service: name={{ item }} state=started enabled=True
with_items:
- sssd
- oddjobd
tags: auth
# On el8 for example, sssd is already installed and running on a default setup
# so we need to restart it now, so users are available (for eg, ssh authorized_keys setup)
# We can't rely on the handler, because it would only run at the end of the playbook
- name: Restart sssd if needed
service: name=sssd state=restarted
when: ad_join.changed or ad_trusted_join.results | selectattr('changed','equalto',True) | list | length > 0
tags: auth