Add kerberize role (providing kerberized ssh so far).
This commit is contained in:
parent
be829760c6
commit
61e4b1d852
5 changed files with 41 additions and 6 deletions
|
@ -20,6 +20,7 @@
|
|||
roles:
|
||||
- up2date-debian
|
||||
- lan-client
|
||||
- kerberize
|
||||
## Choose either gnome or KDE:
|
||||
#- gnome
|
||||
#- kde
|
||||
|
|
|
@ -52,3 +52,4 @@
|
|||
- { role: krb5-kdc-ldap, when: not run_in_installer|default(false)|bool }
|
||||
- { role: nfs-server, when: not run_in_installer|default(false)|bool }
|
||||
- prepare4clients
|
||||
- kerberize
|
||||
|
|
5
roles/kerberize/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
- name: reload sshd
|
||||
systemd:
|
||||
name: sshd
|
||||
state: reloaded
|
||||
notify: "reload sshd"
|
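Review bot: The `reload sshd` handler notifies itself (`notify: "reload sshd"` on its last line); a handler re-notifying its own name is at best a no-op and reads like a copy-paste from the tasks file, so that line should be dropped. On Debian the OpenSSH unit is `ssh.service`, and `sshd` resolves only through the alias the unit registers once it is enabled, so either use `name: ssh` or confirm the alias exists on every target before relying on `name: sshd`. A reload also fails quietly on a malformed sshd_config and leaves the old configuration running until the next restart, which is an argument for validating the edit in the task that triggers this handler rather than here.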
18
roles/kerberize/tasks/main.yml
Normal file
|
@ -0,0 +1,18 @@
|
|||
- name: kerberize sshd server
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "GSSAPIAuthentication yes"
|
||||
insertafter: "#GSSAPIAuthentication no"
|
||||
notify: "reload sshd"
|
||||
|
||||
- name: kerberize ssh client, authenticate
|
||||
lineinfile:
|
||||
dest: /etc/ssh/ssh_config
|
||||
line: "GSSAPIAuthentication yes"
|
||||
insertafter: "# GSSAPIAuthentication no"
|
||||
|
||||
- name: kerberize ssh client, delegate credentials
|
||||
lineinfile:
|
||||
dest: /etc/ssh/ssh_config
|
||||
line: "GSSAPIDelegateCredentials yes"
|
||||
insertafter: "# GSSAPIDelegateCredentials no"
|
|
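Review bot: None of the three `lineinfile` tasks carries a `regexp`, so an already-active `GSSAPIAuthentication no` or `GSSAPIDelegateCredentials no` is left in place and the new line is merely appended after the commented default; since OpenSSH honours the first occurrence of a keyword in both sshd_config and ssh_config, the earlier directive silently wins. Give each task a matching `regexp: '^GSSAPIAuthentication\s'` (and `regexp: '^GSSAPIDelegateCredentials\s'` for the last one) so an existing directive is replaced and `insertafter` only applies when none exists. The sshd_config task should additionally carry `validate: '/usr/sbin/sshd -t -f %s'` so a malformed edit is rejected before the reload handler runs. Finally, `GSSAPIDelegateCredentials yes` in the global ssh_config forwards the user's TGT to every host the client authenticates to; placing it under a `Host *.{{ ansible_domain }}` block, or documenting why realm-wide delegation is intended, limits what a compromised server can do with the forwarded credential.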
@ -56,19 +56,29 @@
|
|||
mode: 0600
|
||||
notify: restart sssd
|
||||
|
||||
|
||||
## Activate machine after installation:
|
||||
- name: create machine principal
|
||||
command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
|
||||
- name: create machine principals
|
||||
command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
|
||||
register: kerberize_result
|
||||
with_items:
|
||||
- nfs
|
||||
- host
|
||||
changed_when: kerberize_result.stderr is not search('already exists while creating')
|
||||
no_log: true
|
||||
when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
|
||||
|
||||
- name: add principal to keytab
|
||||
command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
|
||||
- name: remove old keytab
|
||||
file:
|
||||
path: /etc/krb5.keytab
|
||||
state: absent
|
||||
when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
|
||||
|
||||
- name: add principals to keytab
|
||||
command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
|
||||
with_items:
|
||||
- nfs
|
||||
- host
|
||||
args:
|
||||
creates: /etc/krb5.keytab
|
||||
no_log: true
|
||||
notify: "restart rpc-gssd"
|
||||
when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
|
||||
|
|
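Review bot: The `creates: /etc/krb5.keytab` guard on the looped `add principals to keytab` task is evaluated per item, so once the `nfs` ktadd has created the file the `host` item is skipped and `host/…` never reaches the keytab, although that is the principal sshd's GSSAPI authentication relies on. At the same time the preceding `remove old keytab` task deletes the file on every run, so the guard never prevents a re-run either: every play re-keys both principals, bumps their kvno and invalidates service tickets already issued for the host. Removing the keytab only when a principal was actually (re)created, and gating the ktadd loop on a `stat` of the keytab instead of `creates`, keeps the intended idempotence and covers both items; the rewritten tasks are below. The `-w {{ kadmin_pwd }}` argument also remains visible in the target's process table while kadmin runs, which `no_log` does not cover; authenticating the admin principal from a keytab (`kadmin -k -t`) would avoid that. The file this hunk belongs to is not named on the page and the tasks before `mode: 0600` lie outside the hunk.
```yaml
# … unchanged: create machine principals task (registers kerberize_result) …

- name: remove old keytab
  file:
    path: /etc/krb5.keytab
    state: absent
  # re-key only when a principal was (re)created above; every ktadd bumps the kvno
  when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0 and kerberize_result is changed

- name: check for an existing keytab
  stat:
    path: /etc/krb5.keytab
  register: keytab_stat

- name: add principals to keytab
  command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
  with_items:
    - nfs
    - host
  no_log: true
  notify: "restart rpc-gssd"
  when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0 and not keytab_stat.stat.exists
```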