---
# file: roles/ad-auth/tasks/sssd.yml

- name: ensure sssd is installed
  tags:
    - sssd
  notify:
    - clear sssd cache
  apt:
    state: present
    # Recommends are skipped on purpose, which is why the realm helper
    # packages below have to be listed explicitly.
    install_recommends: false
    name:
      - sssd
      - libpam-sss
      - libnss-sss
      - sssd-tools
      - realmd
      # needed by realm to discover realms
      - policykit-1
      # needed by realm to join realms
      - adcli
      # realmd also wants this one; the exact reason was never pinned down
      - packagekit
      - cracklib-runtime

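- name: check if our realm is configured
  # `realm list` prints the joined realms; grepping for our domain gives
  # rc 0 (joined) or rc 1 (not joined), anything else is a real error.
  # The domain is passed through the `quote` filter so it reaches grep as
  # one shell-quoted argument, and `-F` matches it literally rather than
  # as a regular expression (a dot would otherwise match any character).
  shell: realm list | grep -F {{ domain | quote }}
  register: current_realms
  # rc 1 ("not joined") is what the join block further down keys on.
  changed_when: "current_realms.rc != 0"
  failed_when: "current_realms.rc != 0 and current_realms.rc != 1"
  tags:
    - sssd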

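# Join the realm only when the check above did not find it (rc 1).
# `when` and `tags` are set once on the block and inherited by every task
# in it, the always section included.
- block:
    - name: discover our realm
      command: realm discover -v "{{ domain }}"

    # jessie path: the admin password is piped into kinit.
    # NOTE(review): the complete line, password included, is the argument
    # of `sh -c` and is therefore briefly visible in the host's process
    # list; a stdin-based handover would avoid that where the Ansible
    # version in use supports it.
    - name: get a kerberos ticket
      # yamllint disable-line rule:line-length
      shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
      when: debian_version == "jessie"
      no_log: true

    - name: ensure pexpect is installed
      apt:
        name: python-pexpect
        state: present
      when: debian_version == "stretch"

    # stretch path: answer kinit's prompt via expect, so the password is
    # typed into kinit's pty instead of appearing on a command line.
    - name: get a kerberos ticket
      expect:
        command: kinit Administrator
        responses:
          # matches both the "Password" and the "Passwort" prompt
          # yamllint disable-line rule:line-length
          "Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
      when: debian_version == "stretch"
      no_log: true

    # Repeat `realm leave` while it keeps succeeding; rc 1 (presumably
    # "nothing left to leave") ends the loop and is not treated as failure.
    - name: leave any other realm
      command: realm leave
      register: result
      until: "result.rc != 0"
      retries: 9001
      delay: 0
      failed_when: "result.rc != 0 and result.rc != 1"

    - name: join our realm
      command: realm join -v "{{ domain }}"
      notify:
        - clear sssd cache
        - restart sssd

  always:
    # Runs even when discovery or the join fails, so the admin ticket
    # obtained above is not left behind in the credential cache.
    - name: destroy kerberos ticket
      command: kdestroy
  when: "current_realms.rc != 0"
  tags:
    - sssd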

- name: ensure sssd is configured
  tags:
    - sssd
  # Render the domain configuration; mode 0600 keeps it readable by
  # root only.
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    mode: '0600'
    owner: root
    group: root
  notify:
    - restart sssd
    - clear sssd cache

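# Same edit as the sed call taken out of Debian's post install hooks,
# expressed with the replace module: every passwd/group/shadow/netgroup/
# services line in nsswitch.conf that does not already list `sss` gets it
# appended. Unlike the shell/sed variant this reports "changed" only when
# a line was actually modified and needs no `warn: false`.
- name: ensure sssd is configured in nsswitch.conf
  replace:
    dest: /etc/nsswitch.conf
    # (?!.*\bsss\b) skips lines that already contain the sss source
    regexp: '^((?:passwd|group|shadow|netgroup|services):(?!.*\bsss\b).*)$'
    replace: '\1 sss'
  tags:
    - sssd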

- name: ensure sssd is enabled and running
  tags:
    - sssd
  # Start sssd now and have it come back after a reboot.
  service:
    name: sssd
    enabled: true
    state: started

- name: ensure we have a cronjob which renews krb credenitials once a day
  tags:
    - sssd
  # Daily cron script rendered from the role template; root-owned and
  # executable (0755).
  template:
    src: templates/renew_krb5.j2
    dest: /etc/cron.daily/renew_krb5
    mode: '0755'
    owner: root
    group: root