From 14822ebb47b11e8d2e0d287d5be8faae2f9ab969 Mon Sep 17 00:00:00 2001 From: Raphael Dannecker Date: Mon, 28 Jul 2025 10:32:07 +0200 Subject: [PATCH] Revert "Switch to systemd automount ..." and "krb5.conf from ..." SMB automount seems to have major problems with multiuser mounts. For the first logged in user, everything seems to be fine. For every following logged in user, strange things will happen (e.g. firefox has problems showing the webdev console). This reverts following commits: - 9df6c93636d2089d4e8e86c2a3367c58e6d3933a (Switch to systemd automount for /srv/samba/schools/default-school) - f08c06d7a63fc4d61793339157e371c4141d3316 (krb5.conf from package krb5-user ist require) --- roles/lmn_mount/tasks/main.yml | 61 +++++++++------------- roles/lmn_sssd/tasks/main.yml | 22 -------- roles/lmn_sssd/templates/kstart.service.j2 | 11 ---- 3 files changed, 26 insertions(+), 68 deletions(-) delete mode 100644 roles/lmn_sssd/templates/kstart.service.j2 diff --git a/roles/lmn_mount/tasks/main.yml b/roles/lmn_mount/tasks/main.yml index 3f0ecc5..c7f6361 100644 --- a/roles/lmn_mount/tasks/main.yml +++ b/roles/lmn_mount/tasks/main.yml 
@@ -24,28 +24,28 @@ insertafter: "" when: web_dav is defined and web_dav | length > 0 -# - name: Configure pam_mount for LMN homes -# ansible.builtin.blockinfile: -# dest: /etc/security/pam_mount.conf.xml -# marker: "" -# block: | -# rootansibleDebian-gdmsddm{% if localuser %}{{ localuser }}{% endif %} -# -# insertafter: "" -# when: not nfs4 +- name: Configure pam_mount for LMN homes + ansible.builtin.blockinfile: + dest: /etc/security/pam_mount.conf.xml + marker: "" + block: | + rootansibleDebian-gdmsddm{% if localuser %}{{ localuser }}{% endif %} + + insertafter: "" + when: not nfs4 -# - name: Prepare mount point for homes -# ansible.builtin.file: -# path: /srv/samba/schools/default-school/ -# state: directory -# mode: '0755' -# when: not nfs4 +- name: Prepare mount point for homes + ansible.builtin.file: + path: /srv/samba/schools/default-school/ + state: directory + mode: '0755' + when: not nfs4 - name: Prepare persistent user cache base directory ansible.builtin.file: @@ -75,11 +75,11 @@ mode: "0755" -# - name: Clean up all user processes after logout -# ansible.builtin.replace: -# path: /etc/security/pam_mount.conf.xml -# regexp: '^()$' -# replace: '\n' +- name: Clean up all user processes after logout + ansible.builtin.replace: + path: /etc/security/pam_mount.conf.xml + regexp: '^()$' + replace: '\n' - name: Kill all user processes on logout ansible.builtin.lineinfile: @@ -112,12 +112,3 @@ state: present fstype: nfs4 when: nfs4 - -- name: Mount SMB home directory - ansible.posix.mount: - src: //fileserver.pn.steinbeis.schule/default-school - path: /srv/samba/schools/default-school - opts: "multiuser,sec=krb5i,mfsymlinks,nobrl,actimeo=600,cache=loose,_netdev,x-systemd.automount,x-systemd.idle-timeout=60s" - state: present - fstype: cifs - when: not nfs4 diff --git a/roles/lmn_sssd/tasks/main.yml b/roles/lmn_sssd/tasks/main.yml index c34ada6..ed44ce5 100644 --- a/roles/lmn_sssd/tasks/main.yml +++ b/roles/lmn_sssd/tasks/main.yml 
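Review bot: Restoring the pam_mount task for `/srv/samba/schools/default-school` in the first hunk does not undo what the reverted tasks already wrote on provisioned hosts. The `ansible.posix.mount` task removed in the last hunk of this file used `state: present`, so its `cifs` entry with `x-systemd.automount` presumably stays in `/etc/fstab`, and the automount and pam_mount would then both target the same path. The same holds for the tasks dropped from `roles/lmn_sssd/tasks/main.yml`: an already enabled `kstart.service`, which runs `k5start` against `/etc/krb5.keytab`, and the `default_ccache_name` line in `/etc/krb5.conf` are left in place. I would add explicit cleanup tasks, such as the one below ahead of `Prepare mount point for homes`, so clients converge to one state whether or not they ever ran the automount version. `absent_from_fstab` needs a recent `ansible.posix`; plain `absent` also removes the mount point directory, so it would have to run before the directory task.

```yaml
- name: Remove SMB automount entry left by the reverted automount setup
  ansible.posix.mount:
    path: /srv/samba/schools/default-school
    state: absent_from_fstab
  when: not nfs4

# … unchanged: Prepare mount point for homes …
```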
@@ -5,8 +5,6 @@ - sssd-ad - sssd-tools - adcli - - kstart - - krb5-user - name: Provide user identities from AD ansible.builtin.template: @@ -24,23 +22,3 @@ when: > ansible_cmdline.adpw | default('') | length > 0 or adpw.user_input | default('') | length > 0 - -- name: Set CCache file name - ansible.builtin.lineinfile: - dest: /etc/krb5.conf - line: ' default_ccache_name = FILE:/tmp/krb5cc_%{uid}' - insertbefore: '\[realms\]' - state: present - -- name: Create kstart systemd service for obtaining machine ticket - ansible.builtin.template: - src: kstart.service.j2 - dest: /etc/systemd/system/kstart.service - mode: '0644' - when: not nfs4 - -- name: Enable kstart service - ansible.builtin.systemd: - name: kstart.service - enabled: true - when: not nfs4 diff --git a/roles/lmn_sssd/templates/kstart.service.j2 b/roles/lmn_sssd/templates/kstart.service.j2 deleted file mode 100644 index 1791753..0000000 --- a/roles/lmn_sssd/templates/kstart.service.j2 +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=K5Start Kerberos Ticket Renewal -After=network.target - -[Service] -Type=simple -ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -K 1 -u {{ ansible_hostname | upper }}$ - -[Install] -WantedBy=multi-user.target -