ansible-roles/roles/sssd_ad_auth/tasks/main.yml

---

- name: Build trusted domains list
  set_fact: ad_trusted_domains_conf={{ ad_trusted_domains_conf | default([]) + [ad_default_trusted_domain | combine(item,recursive=True)] }}
  with_items: "{{ ad_trusted_domains }}"
  tags: auth
- set_fact: ad_trusted_domains={{ ad_trusted_domains_conf | default([]) }}
  tags: auth

- include: install_{{ ansible_os_family }}.yml

- name: Set LDAP base
  set_fact: ad_ldap_base=DC={{ ad_realm | regex_replace('\.',',DC=') }}
  tags: auth

- include_tasks: pam_{{ ansible_os_family }}.yml

- name: Check if there's a secrets.tdb DB
  stat: path=/var/lib/samba/private/secrets.tdb
  register: ad_samba_secrets
  tags: auth

- name: Deploy sssd configuration
  template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=600
  notify: restart sssd ad
  tags: auth

- name: Deploy krb5 configuration
  template: src=krb5.conf.j2 dest=/etc/krb5.conf
  tags: auth

- name: Remove current keytab
  file: path=/etc/krb5.keytab state=absent
  when: ad_force_join | bool
  tags: auth

- name: Check if we already have our keytab file
  stat: path=/etc/krb5.keytab
  register: ad_keytab
  tags: auth

  # We need to have our correct hostname before joining the domain !!
- name: Set system hostname
  hostname: name={{ system_hostname | default(inventory_hostname | regex_replace('^([^\.]+)\..*','\\1')) }}
  tags: auth

- name: Join the domain
  command: adcli join {{ ad_realm | upper }} --login-user={{ ad_admin }} --host-fqdn={{ ansible_hostname }}.{{ ad_realm }} --stdin-password
  args:
    stdin: "{{ ad_admin_pass }}"
  no_log: True
  when: not ad_keytab.stat.exists
  register: ad_join
  tags: auth

- name: Check if we're a DC
  stat: path=/var/lib/samba/private/secrets.keytab
  register: ad_dc_keytab
  tags: auth

- name: Add a cron task to renew machine password
  cron:
    name: sssd_ad
    cron_file: renew_ad_pass
    minute: "{{ 59 | random(seed=inventory_hostname) }}"
    hour: "{{ 23 | random(seed=inventory_hostname) }}"
    day: "{{ 28 | random(seed=inventory_hostname) }}"
    user: root
    job: net ads changetrustpw
    state: "{{ (ad_dc_keytab.stat.exists or not ad_samba_secrets.stat.exists) | ternary('absent','present') }}"
  tags: auth

- name: Create keytabs dir
  file: path=/var/lib/sss/keytabs state=directory owner=sssd mode=700
  tags: auth

- name: Join trusted domains
  command: adcli join {{ item.name | upper }} --login-user={{ item.admin_user }} --stdin-password --host-keytab=/var/lib/sss/keytabs/{{ item.name | upper }}.keytab
  args:
    stdin: "{{ item.admin_pass }}"
    creates: /var/lib/sss/keytabs/{{ item.name | upper }}.keytab
  become_user: sssd
  with_items: "{{ ad_trusted_domains }}"
  register: ad_trusted_join
  tags: auth

- name: Start and enable services
  service: name={{ item }} state=started enabled=True
  with_items:
    - sssd
    - oddjobd
  tags: auth

  # On el8 for example, sssd is already installed and running on a default setup
  # so we need to restart it now, so users are available (for eg, ssh authorized_keys setup)
  # We can't rely on the handler, because it would only run at the end of the playbook
- name: Restart sssd if needed
  service: name=sssd state=restarted
  when: ad_join.changed or ad_trusted_join.results | selectattr('changed','equalto',True) | list | length > 0
  tags: auth
Update to 2020-04-14 5 years ago			`---`

			`- name: Build trusted domains list`
			`set_fact: ad_trusted_domains_conf={{ ad_trusted_domains_conf \| default([]) + [ad_default_trusted_domain \| combine(item,recursive=True)] }}`
			`with_items: "{{ ad_trusted_domains }}"`
			`tags: auth`
			`- set_fact: ad_trusted_domains={{ ad_trusted_domains_conf \| default([]) }}`
			`tags: auth`

Update to 2021-09-03 11:00 3 years ago			`- include: install_{{ ansible_os_family }}.yml`
Update to 2020-04-14 5 years ago
			`- name: Set LDAP base`
			`set_fact: ad_ldap_base=DC={{ ad_realm \| regex_replace('\.',',DC=') }}`
			`tags: auth`

			`- include_tasks: pam_{{ ansible_os_family }}.yml`

			`- name: Check if there's a secrets.tdb DB`
			`stat: path=/var/lib/samba/private/secrets.tdb`
			`register: ad_samba_secrets`
			`tags: auth`

			`- name: Deploy sssd configuration`
			`template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=600`
			`notify: restart sssd ad`
			`tags: auth`

			`- name: Deploy krb5 configuration`
			`template: src=krb5.conf.j2 dest=/etc/krb5.conf`
			`tags: auth`

Update to 2021-01-28 14:00 4 years ago			`- name: Remove current keytab`
			`file: path=/etc/krb5.keytab state=absent`
			`when: ad_force_join \| bool`
			`tags: auth`

Update to 2020-04-14 5 years ago			`- name: Check if we already have our keytab file`
			`stat: path=/etc/krb5.keytab`
			`register: ad_keytab`
			`tags: auth`

			`# We need to have our correct hostname before joining the domain !!`
			`- name: Set system hostname`
			`hostname: name={{ system_hostname \| default(inventory_hostname \| regex_replace('^([^\.]+)\..*','\\1')) }}`
			`tags: auth`

			`- name: Join the domain`
			`command: adcli join {{ ad_realm \| upper }} --login-user={{ ad_admin }} --host-fqdn={{ ansible_hostname }}.{{ ad_realm }} --stdin-password`
			`args:`
			`stdin: "{{ ad_admin_pass }}"`
			`no_log: True`
			`when: not ad_keytab.stat.exists`
Update to 2020-11-09 10:00 4 years ago			`register: ad_join`
Update to 2020-04-14 5 years ago			`tags: auth`

			`- name: Check if we're a DC`
			`stat: path=/var/lib/samba/private/secrets.keytab`
			`register: ad_dc_keytab`
			`tags: auth`

			`- name: Add a cron task to renew machine password`
			`cron:`
			`name: sssd_ad`
			`cron_file: renew_ad_pass`
			`minute: "{{ 59 \| random(seed=inventory_hostname) }}"`
			`hour: "{{ 23 \| random(seed=inventory_hostname) }}"`
			`day: "{{ 28 \| random(seed=inventory_hostname) }}"`
			`user: root`
			`job: net ads changetrustpw`
			`state: "{{ (ad_dc_keytab.stat.exists or not ad_samba_secrets.stat.exists) \| ternary('absent','present') }}"`
			`tags: auth`

			`- name: Create keytabs dir`
			`file: path=/var/lib/sss/keytabs state=directory owner=sssd mode=700`
			`tags: auth`

			`- name: Join trusted domains`
			`command: adcli join {{ item.name \| upper }} --login-user={{ item.admin_user }} --stdin-password --host-keytab=/var/lib/sss/keytabs/{{ item.name \| upper }}.keytab`
			`args:`
			`stdin: "{{ item.admin_pass }}"`
			`creates: /var/lib/sss/keytabs/{{ item.name \| upper }}.keytab`
			`become_user: sssd`
			`with_items: "{{ ad_trusted_domains }}"`
Update to 2020-11-09 10:00 4 years ago			`register: ad_trusted_join`
Update to 2020-04-14 5 years ago			`tags: auth`

			`- name: Start and enable services`
			`service: name={{ item }} state=started enabled=True`
			`with_items:`
			`- sssd`
			`- oddjobd`
			`tags: auth`
Update to 2020-11-09 10:00 4 years ago
			`# On el8 for example, sssd is already installed and running on a default setup`
			`# so we need to restart it now, so users are available (for eg, ssh authorized_keys setup)`
			`# We can't rely on the handler, because it would only run at the end of the playbook`
			`- name: Restart sssd if needed`
			`service: name=sssd state=restarted`
			`when: ad_join.changed or ad_trusted_join.results \| selectattr('changed','equalto',True) \| list \| length > 0`
			`tags: auth`