From 087965dc255e08482f034d72b652f1529068f6df Mon Sep 17 00:00:00 2001
From: Thomas Schneider <thomas@fsmpi.rwth-aachen.de>
Date: Thu, 6 May 2021 13:46:24 +0200
Subject: [PATCH] ad-auth: Allow overriding DC and syncing w/ Samba in renew_krb5
---
 ad-auth/defaults/main.yml | 4 ++++
 ad-auth/templates/renew_krb5.j2 | 10 ++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ad-auth/defaults/main.yml b/ad-auth/defaults/main.yml
index c866183..d404727 100644
--- a/ad-auth/defaults/main.yml
+++ b/ad-auth/defaults/main.yml
@@ -3,3 +3,7 @@ ad_admin_group: admin
 ad_admin_password: samba-admin
 ad_admin_password_content: "{{ lookup('passwordstore', ad_admin_password) }}"
+# Set this to force a specific DC for the renew_krb5 cron job
+# ad_auth_renew_force_dc: dc.example.org
+# Sync client credentials with Samba (i.e., winbindd)
+ad_auth_sync_samba: false
diff --git a/ad-auth/templates/renew_krb5.j2 b/ad-auth/templates/renew_krb5.j2
index 903f8b0..c1cd985 100644
--- a/ad-auth/templates/renew_krb5.j2
+++ b/ad-auth/templates/renew_krb5.j2
@@ -1,3 +1,9 @@
 #!/bin/bash
-/usr/sbin/adcli update -D {{ domain }}
-
+/usr/sbin/adcli update \
+{% if ad_auth_renew_force_dc is defined %}
+ -S {{ ad_auth_renew_force_dc }} \
+{% endif %}
+{% if ad_auth_sync_samba %}
+ --add-samba-data \
+{% endif %}
+ -D {{ domain }}
--
GitLab
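Review bot: In the renew_krb5.j2 hunk, `{{ ad_auth_renew_force_dc }}` and `{{ domain }}` are rendered unquoted into a bash command line, so a value containing whitespace or shell metacharacters changes the command that the rendered script runs. Passing both through Ansible's `quote` filter keeps each a single argument: `-S {{ ad_auth_renew_force_dc | quote }} \` and `-D {{ domain | quote }}`. The `{% if ad_auth_sync_samba %}` test is also truthy for the string `"false"`, which is what the variable becomes when it is overridden with `-e ad_auth_sync_samba=false` or from an INI inventory. Because `--add-samba-data` hands the machine account credentials to Samba, enabling it by accident is worth guarding against with `{% if ad_auth_sync_samba | bool %}`. The script shows no error handling, so a failed update against a pinned DC would presumably only surface through cron's own reporting.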