diff --git a/roles/sssd_ad_auth/defaults/main.yml b/roles/sssd_ad_auth/defaults/main.yml index a3f8274..b5161d8 100644 --- a/roles/sssd_ad_auth/defaults/main.yml +++ b/roles/sssd_ad_auth/defaults/main.yml @@ -11,6 +11,9 @@ ad_default_shell: /bin/false # If access control should evaluate domain GPO. Can be disabled, eforcing or permissive. See man sssd-ad ad_gpo_access_control: permissive +# If set to True, ansible will re join the host to the domain +ad_force_join: False + # sssd doesn't support cross forest approbations, but we can add the Linux box to the other domains ad_trusted_domains: "{{ samba_trusted_domains | default([]) }}" # ad_trusted_domains: diff --git a/roles/sssd_ad_auth/tasks/main.yml b/roles/sssd_ad_auth/tasks/main.yml index 97b1bfd..99aee4a 100644 --- a/roles/sssd_ad_auth/tasks/main.yml +++ b/roles/sssd_ad_auth/tasks/main.yml @@ -29,6 +29,11 @@ template: src=krb5.conf.j2 dest=/etc/krb5.conf tags: auth +- name: Remove current keytab + file: path=/etc/krb5.keytab state=absent + when: ad_force_join | bool + tags: auth + - name: Check if we already have our keytab file stat: path=/etc/krb5.keytab register: ad_keytab
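Review bot: The comment added above `ad_force_join` in roles/sssd_ad_auth/defaults/main.yml does not say that the switch is destructive or that it acts on every run while it stays set. The task added in this same commit deletes /etc/krb5.keytab whenever the variable is true. I would document it as a one-off override, e.g. `# One-off switch: when true, /etc/krb5.keytab is removed and the host re-joins the domain on every run; keep it false in inventory and pass it with -e only when a re-join is needed`. As a style point, `ad_force_join: false` (lowercase) is the canonical YAML boolean, and the `| bool` filter in the task already copes with the string form that `-e` produces.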
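Review bot: The new "Remove current keytab" task in roles/sssd_ad_auth/tasks/main.yml deletes /etc/krb5.keytab before anything has shown that the re-join can succeed, and it removes the whole file rather than only the host's own keys. If the join later fails, the host is left without machine credentials, and any other service principals kept in that keytab are lost as well. The join tasks are outside this hunk; they presumably key off the `ad_keytab` result registered just below, but that should be confirmed. At minimum I would put a warning above the task, `# Destructive: removes the machine keys and every other principal in the keytab; runs only when ad_force_join is set`. Also consider moving the file aside (root-owned, mode 0600) instead of deleting it, so a failed join can be rolled back.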