From 4a283d3e611ca0a15094809d79db591fcd438673 Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Wed, 11 Sep 2019 16:21:30 +0200
Subject: [PATCH] ad-auth: update usage of shell module and passwordstore

---
 ad-auth/defaults/main.yml |  1 +
 ad-auth/handlers/main.yml |  9 ++++++---
 ad-auth/tasks/sssd.yml    | 15 ++++++++++-----
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/ad-auth/defaults/main.yml b/ad-auth/defaults/main.yml
index 8ea448a..c866183 100644
--- a/ad-auth/defaults/main.yml
+++ b/ad-auth/defaults/main.yml
@@ -2,3 +2,4 @@
 
 ad_admin_group: admin
 ad_admin_password: samba-admin
+ad_admin_password_content: "{{ lookup('passwordstore', ad_admin_password) }}"
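Review bot: The defaults file now holds two similarly named variables with very different sensitivity, and nothing says which is which: `ad_admin_password` is the passwordstore entry name, while the added `ad_admin_password_content` resolves to the cleartext secret. A comment above the new line would make that explicit, for example `# ad_admin_password is the passwordstore entry; ad_admin_password_content is the secret itself, so reference it only in tasks with no_log: true`. Because the value is a lazily templated lookup, it is evaluated on the controller each time it is referenced, so any later `debug` of this variable would print the password.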
diff --git a/ad-auth/handlers/main.yml b/ad-auth/handlers/main.yml
index 735c7f6..9e5ae98 100644
--- a/ad-auth/handlers/main.yml
+++ b/ad-auth/handlers/main.yml
@@ -1,8 +1,9 @@
 ---
-# file: roles/ad-auth/handlers/main.yml
 
 - name: regenerate pam config
-  shell: DEBIAN_FRONTEND=noninteractive pam-auth-update --force
+  command: pam-auth-update --force
+  environment:
+    DEBIAN_FRONTEND: noninteractive
 
 - name: clear sssd cache
   command: sss_cache -E
@@ -11,7 +12,9 @@
   failed_when: "result.rc != 0 and result.rc != 2"
 
 - name: restart sssd
-  service: name=sssd state=restarted
+  service:
+    name: sssd
+    state: restarted
 
 - name: check sudo config
   command: visudo -q -c -f /etc/sudoers
diff --git a/ad-auth/tasks/sssd.yml b/ad-auth/tasks/sssd.yml
index 28283d3..02bb6c2 100644
--- a/ad-auth/tasks/sssd.yml
+++ b/ad-auth/tasks/sssd.yml
@@ -23,7 +23,11 @@
     - sssd
 
 - name: check if our realm is configured
-  shell: realm list | grep "{{ domain }}"
+  shell: |
+    set -o pipefail
+    realm list | grep "{{ domain }}"
+  args:
+    executable: /bin/bash
   register: current_realms
   changed_when: "current_realms.rc != 0"
   failed_when: "current_realms.rc != 0 and current_realms.rc != 1"
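Review bot: `{{ domain }}` is templated straight into the shell line and handed to grep as a regular expression, so the dots in a domain name match any character and a value containing a quote or `$` would be interpreted by bash. This check presumably gates the join tasks that follow, so a fixed-string match with shell quoting is the safer form: `realm list | grep -F -- {{ domain | quote }}`. Separately, with `pipefail` now set, a `realm list` that itself exits 1 cannot be told apart from grep finding no match, because `failed_when` accepts rc 1; a short comment saying whether that is intended would help.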
@@ -38,7 +42,7 @@
 
     - name: get a kerberos ticket
       # yamllint disable-line rule:line-length
-      shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
+      shell: echo "{{ ad_admin_password_content }}" | kinit Administrator
       when: debian_version == "jessie"
       no_log: true
       tags:
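Review bot: The password is still spliced into a double-quoted shell string on the `echo "{{ ad_admin_password_content }}" | kinit Administrator` line, so a secret containing `"`, `$`, a backtick or a backslash is expanded by the shell or breaks the command. The rendered text is also part of the shell's command line on the target while the task runs, and `no_log: true` only covers Ansible's own output. Feeding the secret on standard input avoids both problems: `command: kinit Administrator` with `args:` / `stdin: "{{ ad_admin_password_content }}"` (the `stdin` parameter needs Ansible 2.4 or later). The task continues past the end of the hunk, so I cannot see whether anything else depends on the shell form.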
@@ -57,7 +61,7 @@
         command: kinit Administrator
         responses:
           # yamllint disable-line rule:line-length
-          "Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
+          "Passwor(d|t) for Administrator.*": "{{ ad_admin_password_content }}"
       when: debian_version != "jessie"
       no_log: true
       tags:
@@ -101,7 +105,8 @@
     - sssd
 
 # taken out of Debian's post install hooks
-- name: ensure sssd is configured in nsswitch.conf
+- name: ensure sssd is configured in nsswitch.conf  # noqa 301 306
+  # yamllint disable-line rule:line-length
   shell: "sed -i --regexp-extended '/^(passwd|group|shadow|netgroup|services):/ {
   /\\bsss\\b/! s/$/ sss/  } ' /etc/nsswitch.conf"
   args:
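Review bot: The added `# noqa 301 306` silences the linter rather than addressing what it flags: the `sed -i` task rewrites `/etc/nsswitch.conf` in place, and nothing visible in the hunk shows that it reports `changed` accurately or honours check mode. The `replace` module expresses the same edit declaratively and can keep a backup of a file that name resolution and logins depend on. The task's `args:` block continues outside the hunk and would have to be dropped or translated along with it. The regex below is my translation of the sed expression and should be tested against a real file before merging.

```yaml
- name: ensure sssd is configured in nsswitch.conf
  replace:
    path: /etc/nsswitch.conf
    regexp: '^((?:passwd|group|shadow|netgroup|services):(?!.*\bsss\b).*)$'
    replace: '\1 sss'
    backup: true
# … unchanged: tags and the rest of the task outside the hunk …
```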
@@ -117,7 +122,7 @@
   tags:
     - sssd
 
-- name: ensure we have a cronjob which renews krb credenitials once a day
+- name: ensure we have a cronjob which renews krb credentials once a day
   template:
     src: templates/renew_krb5.j2
     dest: /etc/cron.daily/renew_krb5
-- 
GitLab