---
# file: roles/ad-auth/tasks/sssd.yml

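- name: ensure sssd is installed
  # Native block YAML instead of key=value, and the package list passed directly to
  # apt: one apt transaction, no reliance on Ansible squashing the with_items loop
  # (that squashing is deprecated in newer releases).
  # install_recommends=no keeps the footprint minimal, which is why the realmd
  # helpers are listed explicitly below.
  apt:
    name:
      - sssd
      - libpam-sss
      - libnss-sss
      - sssd-tools
      - realmd
      - policykit-1  # required for realm to discover realms
      - adcli  # required for realm to join realms
      - packagekit  # realmd wants it installed; the original note did not say what for
      - cracklib-runtime
    state: present
    install_recommends: false
  notify:
    - clear sssd cache
  tags:
    - sssd
    - packages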

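- name: check if our realm is configured
  # Read-only probe: rc 0 means the domain shows up in `realm list`, rc 1 means it
  # does not; any other rc is a real error. The block below keys off current_realms.rc.
  # `quote` shell-escapes the domain so a value containing quotes, `$` or backticks
  # cannot break out of the command; -F makes dots literal (so "ad.example" cannot
  # match "adxexample"); `--` keeps a value starting with "-" from being read as a
  # grep option.
  shell: realm list | grep -F -- {{ domain | quote }}
  register: current_realms
  changed_when: false  # a probe never changes the host
  failed_when: "current_realms.rc != 0 and current_realms.rc != 1"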

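# Join the AD domain only when the probe above did not find it (see the `when` at
# the end of the block). The admin ticket obtained here is destroyed in `always`,
# so it does not outlive the play even if discover/leave/join fails part-way.
- block:
    - name: discover our realm
      command: realm discover -v "{{ domain }}"

    # Exactly one of the two "get a kerberos ticket" variants runs, selected by
    # debian_version. no_log keeps the password out of the Ansible output on both.
    - name: get a kerberos ticket
      # `quote` shell-escapes the password so a value containing quotes, `$` or
      # backticks cannot break or alter the command; printf, unlike dash's echo,
      # does not reinterpret backslashes or a leading "-n".
      # NOTE(review): the password is still part of the `sh -c` command line while
      # kinit runs; an `args: stdin:` form would avoid that on Ansible versions that have it.
      shell: printf '%s\n' {{ lookup('passwordstore', ad_admin_password) | quote }} | kinit Administrator
      when: debian_version == "jessie"
      no_log: true

    - name: ensure pexpect is installed
      # the expect module below needs pexpect on the target
      apt:
        name: python-pexpect
        state: present
      when: debian_version == "stretch"

    - name: get a kerberos ticket
      expect:
        command: kinit Administrator
        responses:
          "Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
      when: debian_version == "stretch"
      no_log: true

    - name: leave any other realm
      # Repeats `realm leave` until it returns non-zero, which the loop takes to
      # mean there is no realm left to leave; rc 1 is expected there, anything
      # else is treated as a real failure. retries is just a large upper bound.
      command: realm leave
      register: result
      until: "result.rc != 0"
      retries: 9001
      delay: 0
      failed_when: "result.rc != 0 and result.rc != 1"

    - name: join our realm
      command: realm join -v "{{ domain }}"
      notify:
        - clear sssd cache
        - restart sssd
  always:
    - name: destroy kerberos ticket
      command: kdestroy
      # kdestroy exits non-zero when there is no credential cache (kinit skipped or
      # failed); that must not hide the original failure of the block.
      failed_when: false
  when: "current_realms.rc != 0"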

- name: ensure sssd is configured
  # Render sssd.conf; root-owned 0600 is what sssd expects for its config file.
  # The mode is quoted so the YAML parser keeps it as the octal string "0600".
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: "0600"
  notify:
    - restart sssd
    - clear sssd cache
  tags:
    - sssd
    - config

- name: ensure sssd is enabled and running
  # Start sssd now and enable it at boot (canonical true/false instead of yes/no).
  service:
    name: sssd
    state: started
    enabled: true
  tags:
    - sssd
    - service

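- name: ensure we have a cronjob which renews krb credentials once a day
  # Daily cron script that renews the host's Kerberos credentials.
  template:
    src: templates/renew_krb5.j2
    dest: /etc/cron.daily/renew_krb5
    # Quoted: an unquoted 0755 is an integer to a YAML 1.1 parser and a decimal
    # 755 to a YAML 1.2 one; the string form is unambiguous for Ansible.
    mode: "0755"
    owner: root
    group: root
  tags:
    - sssd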