---
# file: roles/ad-auth/tasks/sssd.yml
# Install sssd, realmd and the helper packages that the realm discovery and
# join steps in this file call. Recommended packages are not pulled in.
- name: ensure sssd is installed
  apt:
    name: "{{ item }}"
    state: present
    install_recommends: false
  with_items:
    - sssd
    - libpam-sss
    - libnss-sss
    - sssd-tools
    - realmd
    - policykit-1  # this is required for realm to discover realms...
    - adcli  # this is required for realm to join realms...
    - packagekit  # this is required for realm to i don't know and don't even care anymore...
    - cracklib-runtime
  # A package change invalidates whatever sssd has cached.
  notify:
    - clear sssd cache
  tags:
    - sssd
    - packages
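# Probe whether the configured domain already shows up in `realm list`.
# grep's exit status is registered as current_realms.rc (0 = listed,
# 1 = not listed) and is what the join block's `when` tests.
- name: check if our realm is configured
  # -F matches the domain as a literal string, so the dots in it are not
  # regex wildcards; the quote filter keeps the value a single shell word.
  shell: realm list | grep -F -- {{ domain | quote }}
  register: current_realms
  # The task reports "changed" whenever the domain was not found.
  changed_when: "current_realms.rc != 0"
  # grep exits with 2 or more on a real error; only that fails the task.
  failed_when: "current_realms.rc != 0 and current_realms.rc != 1"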
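# Join the AD realm. The block-level `when` means every task here, including
# the `always` cleanup, runs only if the realm check returned non-zero (the
# domain was not found in `realm list`).
#
# NOTE(review): the join authenticates as the built-in Administrator account.
# A dedicated account delegated only the right to join computers would limit
# what the stored password can do - confirm whether one is available.
- block:
    - name: discover our realm
      command: realm discover -v "{{ domain }}"

    # jessie path: feed the password to kinit on stdin. printf '%s\n' writes
    # the value byte-for-byte (no echo escape processing) and the quote filter
    # stops the shell from interpreting $, backticks, quotes or backslashes in
    # the password. The secret is still part of the `sh -c` argument on the
    # target; where the controller runs Ansible 2.4 or later, `command` with
    # `args: stdin:` keeps it off the command line entirely.
    - name: get a kerberos ticket
      shell: >-
        printf '%s\n' {{ lookup('passwordstore', ad_admin_password) | quote }}
        | kinit Administrator
      when: debian_version == "jessie"
      # Keep the rendered command (which contains the password) out of output.
      no_log: true

    # The expect module used on stretch needs pexpect on the target host.
    - name: ensure pexpect is installed
      apt:
        name: python-pexpect
        state: present
      when: debian_version == "stretch"

    # stretch path: answer kinit's prompt through expect, so the password
    # never appears in a command line. The response key is a regex that
    # accepts both the "Password" and "Passwort" spellings of the prompt.
    - name: get a kerberos ticket
      expect:
        command: kinit Administrator
        responses:
          "Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
      when: debian_version == "stretch"
      no_log: true

    # Re-run `realm leave` with no delay until it returns non-zero. rc 1 is
    # accepted as a normal end state; any other non-zero rc fails the task.
    # presumably rc 1 means "no realm left to leave" - confirm against realmd.
    - name: leave any other realm
      command: realm leave
      register: result
      until: "result.rc != 0"
      retries: 9001
      delay: 0
      failed_when: "result.rc != 0 and result.rc != 1"

    - name: join our realm
      command: realm join -v "{{ domain }}"
      notify:
        - clear sssd cache
        - restart sssd

  # Cleanup sits in `always` so the Administrator ticket is removed from the
  # credential cache even when discover, leave or join fails part-way; as a
  # plain last task of the block it would be skipped on any earlier failure.
  always:
    - name: destroy kerberos ticket
      command: kdestroy

  when: "current_realms.rc != 0"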
# Render sssd.conf from the role template. The file is written root-owned
# with mode 0600, so no other local account can read it. The mode is quoted
# to keep it a string rather than a YAML integer.
- name: ensure sssd is configured
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: "0600"
  # A config change triggers both handlers.
  notify:
    - restart sssd
    - clear sssd cache
  tags:
    - sssd
    - config
- name: ensure sssd is enabled and running