ad-auth: update usage of shell module and passwordstore

4a283d3e · Lars Beckers · 89ee8ec8 · 4a283d3e · 4a283d3e · 4a283d3e
Commit 4a283d3e authored 5 years ago by Lars Beckers
--- a/ad-auth/defaults/main.yml
+++ b/ad-auth/defaults/main.yml
@@ -2,3 +2,4 @@

 ad_admin_group: admin
 ad_admin_password: samba-admin
+ad_admin_password_content: "{{ lookup('passwordstore', ad_admin_password) }}"
--- a/ad-auth/handlers/main.yml
+++ b/ad-auth/handlers/main.yml
 ---
-# file: roles/ad-auth/handlers/main.yml

 - name: regenerate pam config
-  shell: DEBIAN_FRONTEND=noninteractive pam-auth-update --force
+  command: pam-auth-update --force
+  environment:
+    DEBIAN_FRONTEND: noninteractive

 - name: clear sssd cache
  command: sss_cache -E
@@ -11,7 +12,9 @@
  failed_when: "result.rc != 0 and result.rc != 2"

 - name: restart sssd
-  service: name=sssd state=restarted
+  service:
+    name: sssd
+    state: restarted

 - name: check sudo config
  command: visudo -q -c -f /etc/sudoers
--- a/ad-auth/tasks/sssd.yml
+++ b/ad-auth/tasks/sssd.yml
@@ -23,7 +23,11 @@
    - sssd

 - name: check if our realm is configured
-  shell: realm list | grep "{{ domain }}"
+  shell: |
+    set -o pipefail
+    realm list | grep "{{ domain }}"
+  args:
+    executable: /bin/bash
  register: current_realms
  changed_when: "current_realms.rc != 0"
  failed_when: "current_realms.rc != 0 and current_realms.rc != 1"
@@ -38,7 +42,7 @@

    - name: get a kerberos ticket
      # yamllint disable-line rule:line-length
-      shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
+      shell: echo "{{ ad_admin_password_content }}" | kinit Administrator
      when: debian_version == "jessie"
      no_log: true
      tags:
@@ -57,7 +61,7 @@
        command: kinit Administrator
        responses:
          # yamllint disable-line rule:line-length
-          "Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
+          "Passwor(d|t) for Administrator.*": "{{ ad_admin_password_content }}"
      when: debian_version != "jessie"
      no_log: true
      tags:
@@ -101,7 +105,8 @@
    - sssd

 # taken out of Debian's post install hooks
- name: ensure sssd is configured in nsswitch.conf
+- name: ensure sssd is configured in nsswitch.conf  # noqa 301 306
+  # yamllint disable-line rule:line-length
  shell: "sed -i --regexp-extended '/^(passwd|group|shadow|netgroup|services):/ {
  /\\bsss\\b/! s/$/ sss/  } ' /etc/nsswitch.conf"
  args:
@@ -117,7 +122,7 @@
  tags:
    - sssd

- name: ensure we have a cronjob which renews krb credenitials once a day
+- name: ensure we have a cronjob which renews krb credentials once a day
  template:
    src: templates/renew_krb5.j2
    dest: /etc/cron.daily/renew_krb5