From a1fb07a19bbedf16db018ec88911c88aa65cedba Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Thu, 1 Jun 2017 13:12:08 +0200
Subject: [PATCH] ensure no passwords are logged

---
 ad-auth/tasks/sssd.yml   | 2 ++
 ad-server/tasks/main.yml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/ad-auth/tasks/sssd.yml b/ad-auth/tasks/sssd.yml
index 35926a7..d2983b9 100644
--- a/ad-auth/tasks/sssd.yml
+++ b/ad-auth/tasks/sssd.yml
@@ -30,6 +30,7 @@
     - name: get a kerberos ticket
       shell: echo "{{ lookup('passwordstore', 'samba-admin') }}" | kinit Administrator
       when: debian_version == "jessie"
+      no_log: True
     - name: ensure pexpect is installed
       apt: name=python-pexpect state=installed
       when: debian_version == "stretch"
@@ -39,6 +40,7 @@
         responses:
           "Password for Administrator.*": "{{ lookup('passwordstore', 'samba-admin') }}"
       when: debian_version == "stretch"
+      no_log: True
     - name: leave any other realm
       command: realm leave
       register: result
diff --git a/ad-server/tasks/main.yml b/ad-server/tasks/main.yml
index 1322f31..fabc75d 100644
--- a/ad-server/tasks/main.yml
+++ b/ad-server/tasks/main.yml
@@ -32,6 +32,7 @@
   local_action: pass name="samba-admin" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
   register: adminpass
   when: domain_provisioned.stat.exists == False
+  no_log: True
   tags:
     - ad-server
     - domain-provision
@@ -44,6 +45,7 @@
 - name: ensure domain is provisioned
   shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=NONE --adminpass={{ adminpass.password }}  2> /root/smb-provision.log
   when: domain_provisioned.stat.exists == False
+  no_log: True
   tags: 
     - ad-server
     - domain-provision
-- 
GitLab