Commit 4a283d3e authored by Lars Beckers's avatar Lars Beckers

ad-auth: update usage of shell module and passwordstore

parent 89ee8ec8
...@@ -2,3 +2,4 @@ ...@@ -2,3 +2,4 @@
ad_admin_group: admin ad_admin_group: admin
ad_admin_password: samba-admin ad_admin_password: samba-admin
ad_admin_password_content: "{{ lookup('passwordstore', ad_admin_password) }}"
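Review bot: `ad_admin_password_content` holds a secret, but nothing at its definition says so; a comment above it such as `# secret from passwordstore; reference only in tasks that set no_log: true` would make that explicit. Ansible templates variables lazily, so the lookup runs on the controller each time the variable is referenced. Any later task that prints or templates this variable without `no_log` would expose the AD admin password. Both consumers visible on this page (the two `kinit Administrator` tasks) do set `no_log: true`.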
--- ---
# file: roles/ad-auth/handlers/main.yml
- name: regenerate pam config - name: regenerate pam config
shell: DEBIAN_FRONTEND=noninteractive pam-auth-update --force command: pam-auth-update --force
environment:
DEBIAN_FRONTEND: noninteractive
- name: clear sssd cache - name: clear sssd cache
command: sss_cache -E command: sss_cache -E
...@@ -11,7 +12,9 @@ ...@@ -11,7 +12,9 @@
failed_when: "result.rc != 0 and result.rc != 2" failed_when: "result.rc != 0 and result.rc != 2"
- name: restart sssd - name: restart sssd
service: name=sssd state=restarted service:
name: sssd
state: restarted
- name: check sudo config - name: check sudo config
command: visudo -q -c -f /etc/sudoers command: visudo -q -c -f /etc/sudoers
...@@ -23,7 +23,11 @@ ...@@ -23,7 +23,11 @@
- sssd - sssd
- name: check if our realm is configured - name: check if our realm is configured
shell: realm list | grep "{{ domain }}" shell: |
set -o pipefail
realm list | grep "{{ domain }}"
args:
executable: /bin/bash
register: current_realms register: current_realms
changed_when: "current_realms.rc != 0" changed_when: "current_realms.rc != 0"
failed_when: "current_realms.rc != 0 and current_realms.rc != 1" failed_when: "current_realms.rc != 0 and current_realms.rc != 1"
...@@ -38,7 +42,7 @@ ...@@ -38,7 +42,7 @@
- name: get a kerberos ticket - name: get a kerberos ticket
# yamllint disable-line rule:line-length # yamllint disable-line rule:line-length
shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator shell: echo "{{ ad_admin_password_content }}" | kinit Administrator
when: debian_version == "jessie" when: debian_version == "jessie"
no_log: true no_log: true
tags: tags:
...@@ -57,7 +61,7 @@ ...@@ -57,7 +61,7 @@
command: kinit Administrator command: kinit Administrator
responses: responses:
# yamllint disable-line rule:line-length # yamllint disable-line rule:line-length
"Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}" "Passwor(d|t) for Administrator.*": "{{ ad_admin_password_content }}"
when: debian_version != "jessie" when: debian_version != "jessie"
no_log: true no_log: true
tags: tags:
...@@ -101,7 +105,8 @@ ...@@ -101,7 +105,8 @@
- sssd - sssd
# taken out of Debian's post install hooks # taken out of Debian's post install hooks
- name: ensure sssd is configured in nsswitch.conf - name: ensure sssd is configured in nsswitch.conf # noqa 301 306
# yamllint disable-line rule:line-length
shell: "sed -i --regexp-extended '/^(passwd|group|shadow|netgroup|services):/ { shell: "sed -i --regexp-extended '/^(passwd|group|shadow|netgroup|services):/ {
/\\bsss\\b/! s/$/ sss/ } ' /etc/nsswitch.conf" /\\bsss\\b/! s/$/ sss/ } ' /etc/nsswitch.conf"
args: args:
...@@ -117,7 +122,7 @@ ...@@ -117,7 +122,7 @@
tags: tags:
- sssd - sssd
- name: ensure we have a cronjob which renews krb credenitials once a day - name: ensure we have a cronjob which renews krb credentials once a day
template: template:
src: templates/renew_krb5.j2 src: templates/renew_krb5.j2
dest: /etc/cron.daily/renew_krb5 dest: /etc/cron.daily/renew_krb5
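Review bot: In the `get a kerberos ticket` task (hunk `@@ -38,7 +42,7 @@`) the admin password is still templated into a shell command string, and the commit only changes where the value comes from. A password containing `"`, `$` or a backtick would be interpreted by the shell, and the whole string is passed as an argument to the shell process, where other local users may be able to read it from the process list while the task runs. Passing the value on standard input avoids both: `command: kinit Administrator` with `args:` and `stdin: "{{ ad_admin_password_content }}"`, keeping `no_log: true`. The task continues past the end of the hunk (`tags:`), so anything further down is not visible here.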
......