Merge branch 'fix-pam-auth' into 'master'

fix building pam config See merge request !7

Merge branch 'fix-pam-auth' into 'master'
fix building pam config See merge request !7
9bfa49aa · Lars Beckers · 43ad6950 · 42c343d7 · 9bfa49aa · 9bfa49aa
Commit 9bfa49aa authored Apr 19, 2022 by Lars Beckers
--- a/ad-auth/handlers/main.yml
+++ b/ad-auth/handlers/main.yml
 ---

- name: regenerate pam config
+# I kill that cat
+- name: disable pam-auth-update heuristic
+  file:
+    path: /var/lib/pam/
+    state: "{{ item }}"
+    mode: "0755"
+    owner: root
+    group: root
+  with_items:
+    - absent
+    - directory
+  listen: "regenerate pam config"
+
+- name: update pam
  command: pam-auth-update --force
  environment:
    DEBIAN_FRONTEND: noninteractive
+  listen: "regenerate pam config"

 - name: clear sssd cache
  command: sss_cache -E

--- a/ad-auth/tasks/pam.yml
+++ b/ad-auth/tasks/pam.yml
@@ -25,17 +25,34 @@
    - pamunix.stat.checksum != 'f3703a58a041745d6b70b9ebb179736653d32ef4'

 - name: ensure pam applies customized configs
-  copy:
-    src: "pam/{{ item }}"
+  template:
+    src: "pam/{{ item }}.j2"
    dest: "/usr/share/pam-configs/{{ item }}"
    owner: root
    group: root
    mode: '0644'
  notify:
+    - disable pam-auth-update heuristic
    - regenerate pam config
  with_items:
    - umask
    - sss-custom
    - unix-custom
-  tags:
-    - pam
+
+- name: ensure we readout current debconf
+  debconf:
+    name: libpam-runtime
+  register: debconf_libpam
+
+- name: ensure debconf is updated
+  debconf:
+    name: libpam-runtime
+    question: libpam-runtime/profiles
+    vtype: multiselect
+    value: >-
+      {{ debconf_libpam["current"]["libpam-runtime/profiles"].split(", ") |
+         map("regex_replace", '^(unix|sss)$', '\\1-custom') |
+         join(', ') }}
+  notify:
+    - disable pam-auth-update heuristic
+    - regenerate pam config
--- a/ad-auth/files/pam/sss-custom
+++ b/ad-auth/files/pam/sss-custom
-Name: SSS authentication
+Name: SSS authentication custom
 Default: yes
 Conflicts: sss
 Priority: 301

--- a/ad-auth/files/pam/umask
+++ b/ad-auth/files/pam/umask
--- a/ad-auth/files/pam/unix-custom
+++ b/ad-auth/files/pam/unix-custom
-Name: Unix authentication
+Name: Unix authentication custom
 Default: yes
 Conflicts: unix
 Priority: 300
 Auth-Type: Primary
 Auth:
-	[success=end default=ignore]	pam_unix.so use_first_pass nullok_secure
+	[success=end default=ignore]	pam_unix.so try_first_pass {{ "nullok_secure" if ansible_distribution_major_version|int(default=99) < 11 else "nullok" }} 
 Auth-Initial:
-	[success=end default=ignore]	pam_unix.so use_first_pass nullok_secure
+	[success=end default=ignore]	pam_unix.so try_first_pass {{ "nullok_secure" if ansible_distribution_major_version|int(default=99) < 11 else "nullok" }}
 Account-Type: Primary
 Account:
 	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
@@ -19,6 +19,7 @@ Session-Initial:
 	required	pam_unix.so
 Password-Type: Primary
 Password:
-	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass {{ "sha512" if ansible_distribution_major_version|int(default=99) < 11 else "yescrypt" }}
 Password-Initial:
-	[success=end default=ignore]	pam_unix.so obscure sha512
+	[success=end default=ignore]	pam_unix.so obscure {{ "sha512" if ansible_distribution_major_version|int(default=99) < 11 else "yescrypt" }}
+