Fix kerberox.

README.kerberox

@@ -1,11 +1,14 @@
 ## After installation of the clients, prepare and copy all machine
 ## credentials to the machines in the following way:
 
+## Log into the Kerberos KDC (kerberox).
+
 ## Find the kadmin password to be used soon:
-    sudo cat /root/kadmin.pwd
+     sudo cat /root/kadmin.pwd
 
 ## Then:
-    cd /home/ansible/debian-lan/
+     cd /home/ansible/debian-lan/
-    ansible-playbook --ask-become-pass kerberox-client.yml
+     ansible-playbook --ask-become-pass kerberox-client.yml \
+                      --ssh-common-args='-o StrictHostKeyChecking=no'
 
 ## Enter the 'BECOME' password and the kadmin password obtained above.

kerberox.yml

@@ -16,8 +16,12 @@
 
     ## LAN IP address range:
     ipaddr_lan: 192.168.0.10/24
-    dhcp_range: 192.168.0.50,192.168.0.99,2h
+    ipaddr_lan_threeoct: "{{ ipaddr_lan.split('.')[0:3] | join('.') }}"
-    in_inventory: 192.168.0.[50:99]
+    ipaddr_lan_ptr: "{{ (ipaddr_lan | ipaddr('revdns')).split('.')[1:] | join('.') }}"
+    ipaddr_lan_ptr_threeoct: "{{ ipaddr_lan_ptr.split('.')[0:3] | join('.') }}"
+    dhcp_start: 192.168.0.50
+    dhcp_stop: 192.168.0.150
+    in_inventory: 192.168.0.[50:150]
 
     di_dist: "{{ ansible_distribution_release }}"
     di_version: "{{ ansible_distribution_major_version }}"
@@ -47,8 +51,8 @@
   roles:
     - up2date_debian
     - firewalld2if
-    - netbootinstaller
     - dnsmasq
+    - netbootinstaller
     - aptcacher
     - role: krb5kdcldap
       when: not run_in_installer|default(false)|bool

roles/krb5kdcldap/tasks/main.yml

@@ -19,7 +19,6 @@
   file:
     path: /etc/krb5kdc
     state: directory
-    recurse: true
     mode: 0755
 
 - name: prepare kdc.conf
@@ -81,71 +80,83 @@
     bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
 
 - name: modify ACLs to account for KDC
-  ldap_attr:
+  ldap_attrs:
     dn: "olcDatabase={1}mdb,cn=config"
-    name: olcAccess
+    attributes:
-    values:
+      olcAccess:
-      - >-
+        - >-
-        to attrs=userPassword
+          to attrs=userPassword
-        by self write
+          by self write
-        by anonymous auth
+          by anonymous auth
-        by * none
+          by * none
-      - >-
+        - >-
-        to attrs=shadowLastChange
+          to attrs=shadowLastChange
-        by self write
+          by self write
-        by * read
+          by * read
-      - >-
+        - >-
-        to dn.subtree="cn=kerberos,{{ basedn }}"
+          to dn.subtree="cn=kerberos,{{ basedn }}"
-        by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
+          by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
-        by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
+          by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
-        by * none
+          by * none
-      - >-
+        - >-
-        to attrs=krbPrincipalName,krbLastPwdChange,krbPrincipalKey,krbExtraData
+          to attrs=krbPrincipalName,krbLastPwdChange,krbPrincipalKey,krbExtraData
-        by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
+          by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
-        by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
+          by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
-        by self read
+          by self read
-        by * auth
+          by * auth
-      - >-
+        - >-
-        to *
+          to *
-        by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
+          by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
-        by * read
+          by * read
+    ordered: true
     state: exact
   when: not krb5kdc.stat.exists
 
 - name: add KDC indexes to LDAP
-  ldap_attr:
+  ldap_attrs:
     dn: "olcDatabase={1}mdb,cn=config"
-    name: olcDbIndex
+    attributes:
-    values:
+      olcDbIndex:
-      - objectClass eq
+        - objectClass eq
-      - cn,uid eq
+        - cn,uid eq
-      - uidNumber,gidNumber eq
+        - uidNumber,gidNumber eq
-      - member,memberUid eq
+        - member,memberUid eq
-      - krbPrincipalName pres,sub,eq
+        - krbPrincipalName pres,sub,eq
     state: exact
   when: not krb5kdc.stat.exists
 
 - name: add AuthzRegexp to map access via kerberos/GSSAPI
-  ldap_attr:
+  ldap_attrs:
     dn: "cn=config"
-    name: olcAuthzRegexp
+    attributes:
-    values:
+      olcAuthzRegexp:
-      - "{0}uid=([^,]*),cn=gssapi,cn=auth     uid=$1,ou=people,{{ basedn }}"
+        - "{0}uid=([^,]*),cn=gssapi,cn=auth     uid=$1,ou=people,{{ basedn }}"
-      - "{1}uid=([^,]*),cn=gs2-iakerb,cn=auth uid=$1,ou=people,{{ basedn }}"
+        - "{1}uid=([^,]*),cn=gs2-iakerb,cn=auth uid=$1,ou=people,{{ basedn }}"
     state: exact
 
 - name: prepare password for kdc # noqa risky-shell-pipe
-  shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
+  shell:
+    >-
+      echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} |
+      xxd -g0 -ps -c 256 | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile ;
+      chmod 0600 /etc/krb5kdc/service.keyfile
   no_log: true
   when: not krb5kdc.stat.exists
 
 - name: prepare password for kadmin # noqa risky-shell-pipe
-  shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
+  shell:
+    >-
+      echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} |
+      xxd -g0 -ps -c 256 | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile ;
+      chmod 0600 /etc/krb5kdc/service.keyfile
   no_log: true
   when: not krb5kdc.stat.exists
 
 - name: dump kdc master password
-  shell: echo -n "{{ kdc_master_pwd }}" > "{{ kdc_master_pwd_file }}" ; chmod 0600 "{{ kdc_master_pwd_file }}"
+  shell:
+    >-
+      echo -n "{{ kdc_master_pwd }}" > "{{ kdc_master_pwd_file }}" ;
+      chmod 0600 "{{ kdc_master_pwd_file }}"
   no_log: true
   when: not krb5kdc.stat.exists
 
@@ -200,11 +211,11 @@
     mode: '0640'
   notify: restart slapd
 
-- name: "make 'kerberos' an alias hostname resolvable from the LAN"
+- name: "make 'kerberos' and 'ldap' alias hostnames resolvable from the LAN"
   replace:
     path: /etc/hosts
     regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
-    replace: '\1 kerberos'
+    replace: '\1 kerberos ldap'
   when: not krb5kdc.stat.exists
 
 ########################

roles/ldap/handlers/main.cfg

@@ -1,4 +0,0 @@
----
-- name: restart slapd
-  systemd: name=slapd state=restarted
-  listen: restart slapd

roles/ldap/tasks/setup.yml

@@ -44,7 +44,9 @@
     name: openldap
     groups: ssl-cert
     append: true
-  notify: restart slapd
+
+- name: restart slapd with access to ssl-cert
+  systemd: name=slapd state=restarted
 
 - name: make initial slapd configuration available
   copy:

roles/prepare4clients/tasks/main.yml

@@ -83,7 +83,7 @@
          #MENU LABEL Debian daily (amd64) + preseed + kiosk.yml
          #kernel ::/d-i/n-a/daily/amd64/linux
          #append initrd=::/d-i/n-a/daily/amd64/initrd.gz auto=true priority=critical url=tftp://{{ ansible_hostname }} playbook=kiosk.yml ---
-    marker: "# {mark} ANSIBLE MANAGED BLOCK kiosk"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK default"
   notify: "rebuild di-netboot-assistant menu"
 
 - name: add efi boot entries to di-netboot-assistant
@@ -118,7 +118,7 @@
       #             url=tftp://{{ ansible_hostname }} playbook=kiosk.yml ---
       #   initrd  /d-i/n-a/daily/amd64/initrd.gz
       #}
-    marker: "# {mark} ANSIBLE MANAGED BLOCK kiosk"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK default"
   notify: "rebuild di-netboot-assistant menu"
 
 ########  kerberox-client #######
@@ -146,7 +146,9 @@
     insertbefore: EOF
     block: |
       menuentry 'Debian {{ di_version }} (amd64) + preseed + kerberox-client.yml' {
+         regexp --set=1:oct4 --set=2:oct5 --set=3:oct6 "\:([[:xdigit:]]+)\:([[:xdigit:]]+)\:([[:xdigit:]]+)\$" $net_default_mac
          linux   /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux \
+                   hostname=${oct4}${oct5}${oct6} domain={{ ansible_domain }} \
                    auto=true priority=critical url=tftp://{{ ansible_hostname }} playbook=kerberox-client.yml ---
          initrd  /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
       }
@@ -222,6 +224,6 @@
     create: true
     mode: 0644
     block: |
-      [kerberox-client]
+      [kerberoxclient]
       {{ in_inventory }}
   when: krb5kdc.stat.exists or samba.stat.exists

roles/sambaldap/tasks/main.yml

@@ -31,7 +31,7 @@
   when: not samba_ldap.stat.exists
 
 - name: add indexes to LDAP
-  ldap_attr:
+  ldap_attrs:
     dn: "olcDatabase={1}mdb,cn=config"
     name: olcDbIndex
     values:
@@ -43,7 +43,7 @@
     state: present
 
 - name: modify ACLs to account for Samba
-  ldap_attr:
+  ldap_attrs:
     dn: "olcDatabase={1}mdb,cn=config"
     name: olcAccess
     values: