Commit
1793f1d7
authored
May 22, 2017
by
Robin Sonnabend
Merge branch 'master' of git.fsmpi.rwth-aachen.de:infra/ansible
parents
09114a76
ce7d939c
Changes
13
ad-auth/tasks/sssd.yml
...
...
@@ -9,6 +9,9 @@
-
libnss-sss
-
sssd-tools
-
realmd
-
policykit-1
# this is required for realm to discover realms...
-
adcli
# this is required for realm to join realms...
-
packagekit
# this is required for realm to i don't know and don't even care anymore...
notify
:
-
clear sssd cache
tags
:
...
...
@@ -34,7 +37,7 @@
expect
:
command
:
kinit Administrator
responses
:
"
Password
for
Administrator
@{{
domain.upper()
}}
"
:
"
{{
lookup('passwordstore',
'samba-admin')
}}"
"
Password
for
Administrator
.*
"
:
"
{{
lookup('passwordstore',
'samba-admin')
}}"
when
:
debian_version == "stretch"
-
name
:
leave any other realm
command
:
realm leave
...
...
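Review bot: The `expect` task in the second hunk (`@@ -34,7 +37,7 @@`) feeds `lookup('passwordstore', 'samba-admin')` to `kinit Administrator` without a `no_log: true`, so a verbose run (`-v` and above) or a failed `expect` prints the responses mapping, i.e. the domain administrator password, to the console and any log collector. Add `no_log: true` to that task; the `when: debian_version == "stretch"` guard does not change what is logged. The task's `- name:` line and any `register:` lie outside the hunk, so this is the whole of what can be seen of it here.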
ad-server/tasks/main.yml
...
...
@@ -8,7 +8,7 @@
-
ad-server
-
name
:
ensure winbind is for some reasons installed
apt
:
name=
samba
state=latest
apt
:
name=
winbind
state=latest
tags
:
-
packages
-
ad-server
...
...
@@ -42,7 +42,7 @@
# TODO: Evaluate if internal DNS-backend is powerful enough for usecase otherwise bind9 is needed
-
name
:
ensure domain is provisioned
shell
:
samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=N
one
--adminpass={{ adminpass.password }} 2> /root/smb-provision.log
shell
:
samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=N
ONE
--adminpass={{ adminpass.password }} 2> /root/smb-provision.log
when
:
domain_provisioned.stat.exists == False
tags
:
-
ad-server
...
...
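Review bot: The `--dns-backend=NONE` fix in the second hunk (`@@ -42,7 +42,7 @@`) keeps `--adminpass={{ adminpass.password }}` on the `samba-tool domain provision` command line, so the administrator password is visible in the process list while provisioning runs and in Ansible's task output on a verbose or failing run; add `no_log: true` to the task, since `2> /root/smb-provision.log` only redirects samba-tool's stderr and does not hide the module arguments. `when: domain_provisioned.stat.exists == False` reads more idiomatically as `when: not domain_provisioned.stat.exists`. In the first hunk, `apt: name=winbind state=latest` upgrades winbind on every run that finds a newer package; `state=present` is the usual choice unless unattended upgrades through the playbook are intended.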
ad-server/templates/smb.conf.j2
...
...
@@ -19,6 +19,7 @@
kdc:renewal lifetime = {{ renewal_lifetime }}
tls enabled = yes
tls cafile = /etc/ssl/certs/rwth_chain.pem
tls keyfile = {{smb_tls_key}}
tls certfile = {{smb_tls_cert}}
...
...
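Review bot: `tls cafile = /etc/ssl/certs/rwth_chain.pem` hard-codes a site-specific path while the neighbouring `tls keyfile = {{smb_tls_key}}` and `tls certfile = {{smb_tls_cert}}` lines are driven by variables; a third variable next to those two would keep all TLS material configurable per deployment. Nothing in this hunk shows the chain file being installed on the host, so presumably another task deploys it — worth confirming, because an absent or stale chain shows up only when clients validate the certificate. The enclosing section of smb.conf starts outside the hunk.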
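--- /dev/null
+++ b/nfs-client/files/nfs-common
+# If you do not set values for the NEED_ options, they will be attempted
+# autodetected; this should be sufficient for most people. Valid alternatives
+# for the NEED_ options are "yes" and "no".
+# Do you want to start the statd daemon? It is not needed for NFSv4.
+NEED_STATD=no
+# Options for rpc.statd.
+# Should rpc.statd listen on a specific port? This is especially useful
+# when you have a port-based firewall. To use a fixed port, set this
+# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
+# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
+STATDOPTS=
+# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+NEED_IDMAPD=yes
+# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+NEED_GSSD=yes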
nfs-client/tasks/main.yml
...
...
@@ -12,20 +12,29 @@
-
nfs-client
-
packages
#- name: ensure we use the idmapper
# copy: content="N" dest=/sys/module/nfs/parameters/nfs4_disable_idmapping
# notify:
# - restart nfs-common
# - restart autofs
# tags:
# - nfs-client
# - config
#
#- name: ensure we use the idmapper after a reboot
# copy: src=modprobe-nfs.conf dest=/etc/modprobe.d/nfs.conf owner=root group=root mode=0644
# tags:
# - nfs-client
# - config
-
name
:
ensure the nfs-common service is configured for nfs4
copy
:
src=nfs-common dest=/etc/default/nfs-common owner=root group=root mode=0644
notify
:
-
restart nfs-common
-
restart autofs
tags
:
-
nfs-client
-
config
-
name
:
ensure we use the idmapper
shell
:
echo "N" > /sys/module/nfs/parameters/nfs4_disable_idmapping
notify
:
-
restart nfs-common
-
restart autofs
tags
:
-
nfs-client
-
config
-
name
:
ensure we use the idmapper after a reboot
copy
:
src=modprobe-nfs.conf dest=/etc/modprobe.d/nfs.conf owner=root group=root mode=0644
tags
:
-
nfs-client
-
config
-
name
:
ensure the kernel key storage quote used for idmapping is sufficiently high
sysctl
:
name=kernel.keys.root_maxkeys state=present value=1000
# default is 200, this quote was reached
...
...
@@ -47,6 +56,12 @@
-
sysctl
-
config
-
name
:
ensure nfs-common is enabled
service
:
name=nfs-common state=running enabled=yes
tags
:
-
nfs-client
-
service
-
name
:
ensure there is a base directory for automount
file
:
state=directory path=/net owner=root group=root mode=0755
notify
:
...
...
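Review bot: `shell: echo "N" > /sys/module/nfs/parameters/nfs4_disable_idmapping` in the first hunk (`@@ -12,20 +12,29 @@`) is reported as changed on every run, so the `restart nfs-common` and `restart autofs` handlers fire on every play, and the step fails outright on a host where the `nfs` module is not loaded yet because the sysfs path does not exist then. The commented-out `copy: content="N" dest=/sys/module/nfs/parameters/nfs4_disable_idmapping` variant that this hunk deletes would have been idempotent; if it was abandoned because `copy` cannot write to sysfs, guard the shell step with a `grep -qx N` check on the current value plus `register:` and `changed_when:` so the handlers only run when the value actually flips, and consider `when: ansible_facts` cannot tell you about the module — a `stat` of the sysfs path would. `quote` in the task name and in `# default is 200, this quote was reached` should read `quota`.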
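--- a/nfs-server/files/auto.master
+++ /dev/null
-#
-# Sample auto.master file
-# This is an automounter map and it has the following format
-# key [ -mount-options-separated-by-comma ] location
-# For details of the format look at autofs(5).
-#
-#/misc /etc/auto.misc
-#
-# NOTE: mounts done from a hosts map will be mounted with the
-# "nosuid" and "nodev" options unless the "suid" and "dev"
-# options are explicitly given.
-#
-#/net -hosts
-/net /etc/auto.nfs
-#
-# Include central master map if it can be found using
-# nsswitch sources.
-#
-# Note that if there are entries for /net or /misc (as
-# above) in the included master map any keys that are the
-# same will not be seen as the first read key seen takes
-# precedence.
-#
-+auto.master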
nfs-server/files/modprobe-nfs.conf
deleted
100644 → 0
options
nfs
nfs4_disable_idmapping
=
N
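--- /dev/null
+++ b/nfs-server/files/nfs-common
+# If you do not set values for the NEED_ options, they will be attempted
+# autodetected; this should be sufficient for most people. Valid alternatives
+# for the NEED_ options are "yes" and "no".
+# Do you want to start the statd daemon? It is not needed for NFSv4.
+NEED_STATD=
+# Options for rpc.statd.
+# Should rpc.statd listen on a specific port? This is especially useful
+# when you have a port-based firewall. To use a fixed port, set this
+# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
+# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
+STATDOPTS=
+# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+NEED_IDMAPD=yes
+# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+NEED_GSSD=yes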
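Review bot: `NEED_STATD=` is left empty here while the otherwise identical `nfs-client/files/nfs-common` added in this commit sets `NEED_STATD=no`; per the file's own header an empty value means autodetection, so the server may start statd even though, as the comment says, it is not needed for NFSv4. If the server is NFSv4/Kerberos only like the client, set `NEED_STATD=no` explicitly so a stray NFSv3 listener is not brought up by accident. Two near-identical copies of this file will drift; a single shared file, or a template with the one differing value, would avoid that.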
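--- /dev/null
+++ b/nfs-server/files/nfs-kernel-server
+# Number of servers to start up
+RPCNFSDCOUNT=8
+# Runtime priority of server (see nice(1))
+RPCNFSDPRIORITY=0
+# Options for rpc.mountd.
+# If you have a port-based firewall, you might want to set up
+# a fixed port here using the --port option. For more information,
+# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
+# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
+RPCMOUNTDOPTS="--manage-gids"
+# Do you want to start the svcgssd daemon? It is only required for Kerberos
+# exports. Valid alternatives are "yes" and "no"; the default is "no".
+NEED_SVCGSSD="yes"
+# Options for rpc.svcgssd.
+RPCSVCGSSDOPTS="-vvv"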
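Review bot: `RPCSVCGSSDOPTS="-vvv"` sets rpc.svcgssd to its highest debug verbosity in a file that becomes the deployed default, which fills syslog with per-request GSS context detail on every Kerberos mount and can bury the one line that matters when a mount fails. Keep `-vvv` for a troubleshooting session and ship `RPCSVCGSSDOPTS=""`, with a comment on how to raise it, once the Kerberos setup works. `NEED_SVCGSSD="yes"` is quoted while the other NEED_ values in this commit are bare; both are fine to the sourcing shell, but one style is easier to grep for.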
nfs-server/handlers/main.yml
---
# file: roles/nfs-
client
/handlers/main.yml
# file: roles/nfs-
server
/handlers/main.yml
-
name
:
restart
autofs
service
:
name=
autofs
state=restarted
-
name
:
restart
nfs-server
service
:
name=
nfs-server
state=restarted
-
name
:
restart nfs-common
service
:
name=nfs-common state=restarted
-
name
:
reload sysctl
command
:
sysctl -p
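Review bot: The `restart autofs` handler becomes `restart nfs-server` here, yet `nfs-client/tasks/main.yml` in this same commit still notifies `restart autofs` and `restart nfs-common`; that only works if the nfs-client role has its own handlers file providing them — presumably it does, given the old header comment `roles/nfs-client/handlers/main.yml`, but worth confirming before a play fails on an unknown handler. `reload sysctl` runs `sysctl -p`, which reads only `/etc/sysctl.conf`, whereas the `sysctl` module used in the nfs-client tasks already applies its value when it changes, so the handler looks redundant unless something outside this diff notifies it. If it stays, `command: sysctl -p` should carry a comment naming which task relies on it.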
nfs-server/tasks/main.yml
...
...
@@ -6,7 +6,7 @@
with_items
:
-
nfs-common
-
nfs-kernel-server
-
msktutil
s
-
msktutil
-
librpcsecgss3
-
libgssrpc4
tags
:
...
...
@@ -51,13 +51,13 @@
-
service
-
name
:
ensure that there is a keytab available
file
:
path=/etc/krb5.keytab state=
present
file
:
path=/etc/krb5.keytab state=
file
tags
:
-
nfs-server
-
service-principal
-
name
:
check that we have a valid service principal
shell
:
klist -k /etc/krb5.keytab | grep nfs/{{ ansible_fqdn }}
shell
:
klist -k /etc/krb5.keytab | grep
"
nfs/{{ ansible_fqdn }}
"
register
:
principal
failed_when
:
False
tags
:
...
...
@@ -69,7 +69,7 @@
shell
:
samba-tool user list | grep nfs-user
register
:
nfsuser
failed_when
:
False
delegate_to
:
"
{{
authservers[0
]
}}"
delegate_to
:
"
{{
hostvars[groups['ad-server'][0]]['ansible_host'
]
}}"
tags
:
-
nfs-server
-
service-principal
...
...
@@ -77,22 +77,23 @@
-
name
:
ensure there is a nfs-user account
command
:
samba-tool user create nfs-user --random-password
when
:
nfsuser.rc ==
1
delegate_to
:
"
{{
authservers[0
]
}}"
delegate_to
:
"
{{
hostvars[groups['ad-server'][0]]['ansible_host'
]
}}"
tags
:
-
nfs-server
-
service-principal
-
name
:
create service principal
command
:
"
samba-tool
spn
add
nfs/{{
ansible_fqdn
}}
nfs-user
"
delegate_to
:
"
{{
authservers[0
]
}}"
command
:
samba-tool spn add
"
nfs/{{ ansible_fqdn }}
"
nfs-user
delegate_to
:
"
{{
hostvars[groups['ad-server'][0]]['ansible_host'
]
}}"
tags
:
-
nfs-server
-
service-principal
-
name
:
export keytab
command
:
"
samba-tool
domain
exportkeytab
/root/{{
ansible_fqdn
}}.keytab
--principal
nfs/{{
ansible_fqdn
}}"
command
:
samba-tool domain exportkeytab "/root/{{ ansible_fqdn }}.keytab" --principal "nfs/{{ ansible_fqdn }}"
args
:
creates
:
"
/root/{{
ansible_fqdn
}}.keytab"
delegate_to
:
"
{{
authservers[0
]
}}"
delegate_to
:
"
{{
hostvars[groups['ad-server'][0]]['ansible_host'
]
}}"
tags
:
-
nfs-server
-
service-principal
...
...
@@ -100,8 +101,8 @@
-
name
:
copy keytab
synchronize
:
src
:
"
/root/{{
ansible_fqdn
}}.keytab"
dest
:
"
{{
ansible_fqdn
}}:
/root/{{
ansible_fqdn
}}.keytab"
delegate_to
:
"
{{
authservers[0
]
}}"
dest
:
"
/root/{{
ansible_fqdn
}}.keytab"
delegate_to
:
"
{{
hostvars[groups['ad-server'][0]]['ansible_host'
]
}}"
tags
:
-
nfs-server
-
service-principal
...
...
@@ -113,14 +114,14 @@
-
service-principal
-
name
:
merge keytabs
-
expect
:
command
:
ktutil
responses
:
ktutil(.*)
:
-
rkt /etc/krb5.keytab
-
"
rkt
/root/{{
ansible_fqdn
}}.keytab"
-
wkt /etc/krb5.keytab
-
exit
expect
:
command
:
ktutil
responses
:
ktutil(.*)
:
-
rkt /etc/krb5.keytab
-
"
rkt
/root/{{
ansible_fqdn
}}.keytab"
-
wkt /etc/krb5.keytab
-
exit
notify
:
-
restart nfs-server
tags
:
...
...
@@ -129,7 +130,7 @@
-
name
:
remove keytab at kdc
file
:
path="/root/{{ ansible_fqdn }}.keytab" state=absent
delegate_to
:
"
{{
authservers[0
]
}}"
delegate_to
:
"
{{
hostvars[groups['ad-server'][0]]['ansible_host'
]
}}"
tags
:
-
nfs-server
-
service-principal
...
...
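Review bot: Every `delegate_to` in this section now resolves to `hostvars[groups['ad-server'][0]]['ansible_host']`, the address rather than the inventory name of the first ad-server host (hunks `@@ -69`, `@@ -77`, `@@ -100` and `@@ -129`); when `ansible_host` differs from the inventory hostname, Ansible treats the delegate as an implicit host and does not apply that host's inventory and group variables (connection user, port, key, become settings), so `delegate_to: "{{ groups['ad-server'][0] }}"` is the form that keeps them. In `@@ -51`, `file: path=/etc/krb5.keytab state=file` does not create the keytab, so the task named `ensure that there is a keytab available` fails on a host that has none yet; if it is meant as an assertion, a `stat` plus `failed_when` says so more clearly. The keytab chain — `exportkeytab` guarded by `creates:`, `synchronize`, the `ktutil` merge in `@@ -113`, then `remove keytab at kdc` — leaves the `ktutil` merge without a guard of its own, so unless a `when:` outside the hunk skips it, each run likely appends the same entries to `/etc/krb5.keytab` again and restarts nfs-server.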
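--- a/nfs-server/templates/auto.nfs.j2
+++ /dev/null
-{%- for share in nfs_shares %}
-{{ share.netdir }} -{{ share.options }} {{ share.src }}
-{% endfor -%}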
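--- /dev/null
+++ b/nfs-server/templates/exports.j2
+# /etc/exports: the access control list for filesystems which may be exported
+# to NFS clients. See exports(5).
+#
+# Example for NFSv2 and NFSv3:
+# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
+#
+# Example for NFSv4:
+# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
+# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
+#
+{%- for export in nfs_exports %}
+{{ export.src }} {{ export.dest }}({{ export.options }})
+{% endfor -%}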
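Review bot: `{%- for export in nfs_exports %}` strips the newline after the preceding `#` line, and with Ansible's default `trim_blocks` the newline after `%}` goes too, so the first rendered export very likely lands on that `#` line and is thereby commented out of /etc/exports; drop the leading `-` (`{% for export in nfs_exports %}`) and check the rendered file on a host. The template places whatever `export.options` holds verbatim in the export, and since this server enables `svcgssd` for Kerberos, every entry needs a `sec=krb5*` option that nothing here enforces; a comment next to the example lines stating that expectation would help whoever fills `nfs_exports`. The same `{%-` pattern was in the deleted `auto.nfs.j2`, where it was harmless at the start of the file.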