ensure no passwords are logged

ad-auth/tasks/sssd.yml

@@ -30,6 +30,7 @@
     - name: get a kerberos ticket
       shell: echo "{{ lookup('passwordstore', 'samba-admin') }}" | kinit Administrator
       when: debian_version == "jessie"
+      no_log: True
     - name: ensure pexpect is installed
       apt: name=python-pexpect state=installed
       when: debian_version == "stretch"
@@ -39,6 +40,7 @@
         responses:
           "Password for Administrator.*": "{{ lookup('passwordstore', 'samba-admin') }}"
       when: debian_version == "stretch"
+      no_log: True
     - name: leave any other realm
       command: realm leave
       register: result

ad-server/tasks/main.yml

@@ -32,6 +32,7 @@
   local_action: pass name="samba-admin" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
   register: adminpass
   when: domain_provisioned.stat.exists == False
+  no_log: True
   tags:
     - ad-server
     - domain-provision
@@ -44,6 +45,7 @@
 - name: ensure domain is provisioned
   shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=NONE --adminpass={{ adminpass.password }}  2> /root/smb-provision.log
   when: domain_provisioned.stat.exists == False
+  no_log: True
   tags: 
     - ad-server
     - domain-provision