Commit 6a60770c authored by Hinrikus Wolf's avatar Hinrikus Wolf

nfs-server: debugged

parent 578e378e
---
# file: roles/nfs-client/handlers/main.yml
# file: roles/nfs-server/handlers/main.yml
- name: restart autofs
service: name=autofs state=restarted
- name: restart nfs-server
service: name=nfs-server state=restarted
- name: restart nfs-common
service: name=nfs-common state=restarted
- name: reload sysctl
command: sysctl -p
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=
# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
# Number of servers to start up
RPCNFSDCOUNT=8
# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0
# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids"
# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"
# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv"
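Review bot: `RPCSVCGSSDOPTS="-vvv"` ships rpc.svcgssd with repeated verbose flags in the deployed defaults, which reads like a debugging setting left in by this commit. Consider `RPCSVCGSSDOPTS=""`, or a role variable that defaults to empty, so verbose GSS logging is opt-in. `NEED_STATD=` is also left to autodetection although the file's own comment says statd is not needed for NFSv4; if this server only serves NFSv4 Kerberos exports (not confirmable from this page), `NEED_STATD=no` keeps that daemon from being started.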
......@@ -6,7 +6,7 @@
with_items:
- nfs-common
- nfs-kernel-server
- msktutils
- msktutil
- librpcsecgss3
- libgssrpc4
tags:
......@@ -51,13 +51,13 @@
- service
- name: ensure that there is a keytab available
file: path=/etc/krb5.keytab state=present
file: path=/etc/krb5.keytab state=file
tags:
- nfs-server
- service-principal
- name: check that we have a valid service principal
shell: klist -k /etc/krb5.keytab | grep nfs/{{ ansible_fqdn }}
shell: klist -k /etc/krb5.keytab | grep "nfs/{{ ansible_fqdn }}"
register: principal
failed_when: False
tags:
......@@ -69,7 +69,7 @@
shell: samba-tool user list | grep nfs-user
register: nfsuser
failed_when: False
delegate_to: "{{ authservers[0] }}"
delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
tags:
- nfs-server
- service-principal
......@@ -77,22 +77,23 @@
- name: ensure there is a nfs-user account
command: samba-tool user create nfs-user --random-password
when: nfsuser.rc == 1
delegate_to: "{{ authservers[0] }}"
delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
tags:
- nfs-server
- service-principal
- name: create service principal
command: "samba-tool spn add nfs/{{ ansible_fqdn }} nfs-user"
delegate_to: "{{ authservers[0] }}"
command: samba-tool spn add "nfs/{{ ansible_fqdn }}" nfs-user
delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
tags:
- nfs-server
- service-principal
- name: export keytab
command: "samba-tool domain exportkeytab /root/{{ ansible_fqdn }}.keytab --principal nfs/{{ ansible_fqdn }}"
command: samba-tool domain exportkeytab "/root/{{ ansible_fqdn }}.keytab" --principal "nfs/{{ ansible_fqdn }}"
args:
creates: "/root/{{ ansible_fqdn }}.keytab"
delegate_to: "{{ authservers[0] }}"
delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
tags:
- nfs-server
- service-principal
......@@ -100,8 +101,8 @@
- name: copy keytab
synchronize:
src: "/root/{{ ansible_fqdn }}.keytab"
dest: "{{ ansible_fqdn }}:/root/{{ ansible_fqdn }}.keytab"
delegate_to: "{{ authservers[0] }}"
dest: "/root/{{ ansible_fqdn }}.keytab"
delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
tags:
- nfs-server
- service-principal
......@@ -113,14 +114,14 @@
- service-principal
- name: merge keytabs
- expect:
command: ktutil
responses:
ktutil(.*):
- rkt /etc/krb5.keytab
- "rkt /root/{{ ansible_fqdn }}.keytab"
- wkt /etc/krb5.keytab
- exit
expect:
command: ktutil
responses:
ktutil(.*):
- rkt /etc/krb5.keytab
- "rkt /root/{{ ansible_fqdn }}.keytab"
- wkt /etc/krb5.keytab
- exit
notify:
- restart nfs-server
tags:
......@@ -129,7 +130,7 @@
- name: remove keytab at kdc
file: path="/root/{{ ansible_fqdn }}.keytab" state=absent
delegate_to: "{{ authservers[0] }}"
delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
tags:
- nfs-server
- service-principal
......
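Review bot: The only cleanup visible for the exported keytab is `remove keytab at kdc`, which runs on the delegated AD server; the copy that `copy keytab` places at `/root/{{ ansible_fqdn }}.keytab` on the NFS server is not removed in any hunk shown, and nothing visible sets owner or mode on it or on `/etc/krb5.keytab`. Unless the collapsed lines between the hunks already handle this, add a non-delegated `file: path="/root/{{ ansible_fqdn }}.keytab" state=absent` after `merge keytabs`, and pin the merged file with `file: path=/etc/krb5.keytab state=file owner=root group=root mode=0600`. The `merge keytabs` task also has no visible `when:` or `creates:`, so repeated runs may append duplicate entries through `wkt /etc/krb5.keytab`.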
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
{%- for export in nfs_exports %}
{{ export.src }} {{ export.dest }}({{ export.options }})
{% endfor -%}
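Review bot: The leading dash in `{%- for export in nfs_exports %}` strips the newline after the last `#` comment line, and with Ansible's default `trim_blocks` the newline after the tag is removed as well, so the first rendered export is likely glued onto that `#` and ends up commented out. Writing the loop opener as `{% for export in nfs_exports %}` keeps the first entry on its own line. It is worth checking the rendered `/etc/exports` on a host, since a silently dropped first export would only show up as a failed mount on the client.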