---
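# Merge every entry of ad_trusted_domains over ad_default_trusted_domain so
# each trusted domain carries the full key set ("name", "admin_user",
# "admin_pass", ...) consumed later by "Join trusted domains".
# no_log: the merged entries contain admin_pass, which would otherwise be
# printed in the per-item label of this loop and in the ansible_facts part
# of the task result under -v.
- name: Build trusted domains list
  set_fact:
    ad_trusted_domains_conf: "{{ ad_trusted_domains_conf | default([]) + [ad_default_trusted_domain | combine(item, recursive=True)] }}"
  with_items: "{{ ad_trusted_domains }}"
  no_log: true
  tags: auth
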
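# Replace the raw ad_trusted_domains with the merged list. When no trusted
# domain was declared the merge loop ran zero times and never defined
# ad_trusted_domains_conf, hence the empty-list default.
# no_log: the list carries the admin_pass value of every trusted domain and
# set_fact echoes its facts in the task result under -v.
- name: Expose the merged trusted domains list
  set_fact:
    ad_trusted_domains: "{{ ad_trusted_domains_conf | default([]) }}"
  no_log: true
  tags: auth
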
# Package installation is OS-family specific: picks install_<ansible_os_family>.yml.
# NOTE(review): unlike the surrounding tasks this include has no `tags: auth`,
# so a run limited with `--tags auth` skips it — confirm that is intended.
- name: Install packages for this OS family
  include_tasks: "install_{{ ansible_os_family }}.yml"

# Derive the LDAP search base from the realm: every dot becomes a ",DC="
# separator (example.com -> DC=example,DC=com).
- name: Set LDAP base
  set_fact:
    ad_ldap_base: "DC={{ ad_realm | regex_replace('\\.', ',DC=') }}"
  tags: auth

# PAM wiring is OS-family specific: picks pam_<ansible_os_family>.yml.
# NOTE(review): no `tags: auth` here either, so `--tags auth` skips this include — confirm.
- name: Configure PAM for this OS family
  include_tasks: "pam_{{ ansible_os_family }}.yml"

# Presence of samba's secrets.tdb decides, together with the DC check further
# down, whether the machine-password renewal cron entry is installed.
- name: Check if there's a secrets.tdb DB
  stat:
    path: /var/lib/samba/private/secrets.tdb
  register: ad_samba_secrets
  tags: auth

# sssd.conf is kept private (0600): the template may carry bind credentials.
# The handler restarts sssd at the end of the play; an immediate restart for
# the first-join case is handled by the last task of this file.
- name: Deploy sssd configuration
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    mode: "0600"
  notify: restart sssd ad
  tags: auth

# Kerberos client configuration for the realm; no mode is set, so the
# template module's default applies.
- name: Deploy krb5 configuration
  template:
    src: krb5.conf.j2
    dest: /etc/krb5.conf
  tags: auth

# The host keytab is the marker that the domain join already happened;
# "Join the domain" is skipped when it exists.
- name: Check if we already have our keytab file
  stat:
    path: /etc/krb5.keytab
  register: ad_keytab
  tags: auth

# We need to have our correct hostname before joining the domain !!
# The short name is system_hostname when defined, otherwise the first label
# of inventory_hostname. NOTE(review): the join task below builds --host-fqdn
# from ansible_hostname; that relies on the hostname module refreshing that
# fact after a change — confirm on the Ansible version in use.
- name: Set system hostname
  hostname:
    name: '{{ system_hostname | default(inventory_hostname | regex_replace("^([^\.]+)\..*", "\\1")) }}'
  tags: auth

# Join this host to the realm with adcli, only when no host keytab exists yet.
# The admin password goes through stdin rather than the command line, and
# no_log keeps it out of the task result (the registered result carries the
# module args, including stdin).
- name: Join the domain
  command: >-
    adcli join {{ ad_realm | upper }}
    --login-user={{ ad_admin }}
    --host-fqdn={{ ansible_hostname }}.{{ ad_realm }}
    --stdin-password
  args:
    stdin: "{{ ad_admin_pass }}"
  no_log: true
  when: not ad_keytab.stat.exists
  register: ad_join
  tags: auth

# A samba DC keeps its own keytab here; its presence disables the
# machine-password renewal cron entry below.
- name: Check if we're a DC
  stat:
    path: /var/lib/samba/private/secrets.keytab
  register: ad_dc_keytab
  tags: auth

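# Monthly machine-password renewal, scheduled at a per-host pseudo-random
# time (seeded on inventory_hostname, so the entry is stable across runs).
# The entry is present only on domain members that have a samba secrets.tdb
# and are not a DC; otherwise it is removed.
- name: Add a cron task to renew machine password
  cron:
    name: sssd_ad
    cron_file: renew_ad_pass
    user: root
    minute: "{{ 59 | random(seed=inventory_hostname) }}"
    hour: "{{ 23 | random(seed=inventory_hostname) }}"
    # random(end) yields 0..end-1; day-of-month must be at least 1, so start
    # at 1 — a day of 0 makes cron reject the entry on the affected hosts.
    day: "{{ 28 | random(start=1, seed=inventory_hostname) }}"
    job: net ads changetrustpw
    state: "{{ (ad_dc_keytab.stat.exists or not ad_samba_secrets.stat.exists) | ternary('absent', 'present') }}"
  tags: auth
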
# Per-trusted-domain keytabs live here; owned by sssd and private (0700),
# since the trusted-domain joins below run as that user.
- name: Create keytabs dir
  file:
    path: /var/lib/sss/keytabs
    state: directory
    owner: sssd
    mode: "0700"
  tags: auth

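# Join each trusted domain with a dedicated keytab under /var/lib/sss/keytabs
# (the directory created just above, owned by sssd). `creates` makes every
# join run only once per domain.
# no_log: the registered result carries the module args, including the stdin
# password — "Join the domain" above already hides it, this task did not.
# NOTE(review): become_user on its own does not turn on privilege escalation;
# this relies on `become` being enabled by the play or role — confirm.
- name: Join trusted domains
  command: >-
    adcli join {{ item.name | upper }}
    --login-user={{ item.admin_user }}
    --stdin-password
    --host-keytab=/var/lib/sss/keytabs/{{ item.name | upper }}.keytab
  args:
    stdin: "{{ item.admin_pass }}"
    creates: "/var/lib/sss/keytabs/{{ item.name | upper }}.keytab"
  become_user: sssd
  with_items: "{{ ad_trusted_domains }}"
  no_log: true
  register: ad_trusted_join
  tags: auth
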
# sssd does the AD lookups, oddjobd the home directory creation on first login.
- name: Start and enable services
  service:
    name: "{{ item }}"
    state: started
    enabled: true
  with_items:
    - sssd
    - oddjobd
  tags: auth

# On el8 for example, sssd is already installed and running on a default setup
# so we need to restart it now, so users are available (for eg, ssh authorized_keys setup)
# We can't rely on the handler, because it would only run at the end of the playbook
# Restart when either the realm join or any trusted-domain join reported a change.
- name: Restart sssd if needed
  service:
    name: sssd
    state: restarted
  when: >-
    ad_join is changed
    or ad_trusted_join.results | selectattr('changed') | list | count > 0
  tags: auth