---
# file: roles/ad-auth/tasks/sssd.yml

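- name: ensure sssd is installed
  # Hand apt the whole list so it resolves everything in one transaction
  # instead of one apt run per package.
  apt:
    name:
      - sssd
      - libpam-sss
      - libnss-sss
      - sssd-tools
      - realmd
      - policykit-1  # realm needs polkit to discover realms
      - adcli  # realm needs adcli to join realms
      - packagekit  # realmd installs missing packages through PackageKit
    state: present  # `installed` is a deprecated alias of `present`
    install_recommends: false
  notify:
    - clear sssd cache
  tags:
    - sssd
    - packages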

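- name: check if our realm is configured
  # grep exit status: 0 = realm listed, 1 = not listed, >1 = error.
  # -F matches the domain literally (its dots are not regex wildcards) and
  # `quote` keeps the value from being interpreted by the shell.
  shell: realm list | grep -F -- {{ domain | quote }}
  register: current_realms
  changed_when: "current_realms.rc != 0"
  failed_when: "current_realms.rc != 0 and current_realms.rc != 1"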

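- block:
    - name: discover our realm
      command: realm discover -v "{{ domain }}"
      changed_when: false  # read-only lookup; do not report it as a change
    # The admin password comes from the password store. `quote` stops shell
    # metacharacters in it from being interpreted, and printf (unlike echo)
    # does not treat a leading "-" or backslashes specially.
    - name: get a kerberos ticket
      shell: printf '%s\n' {{ lookup('passwordstore', ad_admin_password) | quote }} | kinit Administrator
      when: debian_version == "jessie"
      no_log: true
    - name: ensure pexpect is installed
      apt:
        name: python-pexpect
        state: present  # `installed` is a deprecated alias of `present`
      when: debian_version == "stretch"
    - name: get a kerberos ticket
      expect:
        command: kinit Administrator
        responses:
          "Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
      when: debian_version == "stretch"
      no_log: true
    # `realm leave` exits 1 once there is nothing left to leave; repeat until then.
    - name: leave any other realm
      command: realm leave
      register: result
      until: "result.rc != 0"
      retries: 9001
      delay: 0
      failed_when: "result.rc != 0 and result.rc != 1"
    - name: join our realm
      command: realm join -v "{{ domain }}"
      notify:
        - clear sssd cache
        - restart sssd
  always:
    # Drop the admin ticket even when discover/leave/join failed, so it does
    # not linger in the host's credential cache.
    - name: destroy kerberos ticket
      command: kdestroy
      # kdestroy exits non-zero when there is no cache (kinit never ran)
      failed_when: false
  when: "current_realms.rc != 0"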

- name: ensure sssd is configured
  # sssd refuses to start unless sssd.conf is root-owned with mode 0600.
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: "0600"  # quoted so YAML does not read it as an octal integer
  notify:
    - restart sssd
    - clear sssd cache
  tags:
    - sssd
    - config

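- name: ensure sssd is enabled and running
  service:
    name: sssd
    # the service module accepts started/stopped/restarted/reloaded;
    # `running` is not among its documented choices
    state: started
    enabled: true
  tags:
    - sssd
    - service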