diff --git a/roles/lmn_mount/tasks/main.yml b/roles/lmn_mount/tasks/main.yml
index c7f6361..3f0ecc5 100644
--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@@ -24,28 +24,28 @@
insertafter: ""
when: web_dav is defined and web_dav | length > 0
-- name: Configure pam_mount for LMN homes
- ansible.builtin.blockinfile:
- dest: /etc/security/pam_mount.conf.xml
- marker: ""
- block: |
- rootansibleDebian-gdmsddm{% if localuser %}{{ localuser }}{% endif %}
-
- insertafter: ""
- when: not nfs4
+# - name: Configure pam_mount for LMN homes
+# ansible.builtin.blockinfile:
+# dest: /etc/security/pam_mount.conf.xml
+# marker: ""
+# block: |
+# rootansibleDebian-gdmsddm{% if localuser %}{{ localuser }}{% endif %}
+#
+# insertafter: ""
+# when: not nfs4
-- name: Prepare mount point for homes
- ansible.builtin.file:
- path: /srv/samba/schools/default-school/
- state: directory
- mode: '0755'
- when: not nfs4
+# - name: Prepare mount point for homes
+# ansible.builtin.file:
+# path: /srv/samba/schools/default-school/
+# state: directory
+# mode: '0755'
+# when: not nfs4
- name: Prepare persistent user cache base directory
ansible.builtin.file:
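Review bot: The pam_mount and mount-point tasks on the `+# - name:` lines are kept as commented-out YAML rather than deleted, leaving roughly twenty lines of dead code in the task file; git history already preserves them, so dropping the block outright (and the commented-out 'Clean up all user processes after logout' task in the second hunk, which has the same issue) keeps the role readable. If the intent is to keep them as a reference for the non-nfs4 case, a single comment above the block such as `# pam_mount per-user home mounts were replaced by the multiuser cifs mount in 'Mount SMB home directory'` explains why they remain and what superseded them.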
@@ -75,11 +75,11 @@
mode: "0755"
-- name: Clean up all user processes after logout
- ansible.builtin.replace:
- path: /etc/security/pam_mount.conf.xml
- regexp: '^()$'
- replace: '\n'
+# - name: Clean up all user processes after logout
+# ansible.builtin.replace:
+# path: /etc/security/pam_mount.conf.xml
+# regexp: '^()$'
+# replace: '\n'
- name: Kill all user processes on logout
ansible.builtin.lineinfile:
@@ -112,3 +112,12 @@
state: present
fstype: nfs4
when: nfs4
+
+- name: Mount SMB home directory
+ ansible.posix.mount:
+ src: //fileserver.pn.steinbeis.schule/default-school
+ path: /srv/samba/schools/default-school
+ opts: "multiuser,sec=krb5i,mfsymlinks,nobrl,actimeo=600,cache=loose,_netdev,x-systemd.automount,x-systemd.idle-timeout=60s"
+ state: present
+ fstype: cifs
+ when: not nfs4
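Review bot: The `src:` line hard-codes `//fileserver.pn.steinbeis.schule/default-school` while the rest of the role is driven by variables such as `nfs4` and `web_dav`; a role default such as `src: "//{{ lmn_fileserver }}/default-school"` (variable name constructed here) would keep the role usable outside this one site. With the 'Prepare mount point for homes' task commented out in the first hunk and `state: present` only writing the fstab entry, nothing in this role creates `/srv/samba/schools/default-school` any more; the `x-systemd.automount` unit presumably creates the directory on first access, but if the mount relies on that, a comment saying so would help the next reader. On the `opts:` line, `sec=krb5i` gives Kerberos authentication with packet signing but does not encrypt the home-directory traffic; if confidentiality on the wire is required the cifs `seal` option (SMB3 encryption) is the usual addition, and either way a comment recording the choice would be worthwhile.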
diff --git a/roles/lmn_sssd/tasks/main.yml b/roles/lmn_sssd/tasks/main.yml
index ed44ce5..26d8f9d 100644
--- a/roles/lmn_sssd/tasks/main.yml
+++ b/roles/lmn_sssd/tasks/main.yml
@@ -5,6 +5,7 @@
- sssd-ad
- sssd-tools
- adcli
+ - kstart
- name: Provide user identities from AD
ansible.builtin.template:
@@ -22,3 +23,23 @@
when: >
ansible_cmdline.adpw | default('') | length > 0 or
adpw.user_input | default('') | length > 0
+
+- name: Set CCache file name
+ ansible.builtin.lineinfile:
+ dest: /etc/krb5.conf
+ line: ' default_ccache_name = FILE:/tmp/krb5cc_%{uid}'
+ insertbefore: '\[realms\]'
+ state: present
+
+- name: Create kstart systemd service for obtaining machine ticket
+ ansible.builtin.template:
+ src: kstart.service.j2
+ dest: /etc/systemd/system/kstart.service
+ mode: '0644'
+ when: not nfs4
+
+- name: Enable kstart service
+ ansible.builtin.systemd:
+ name: kstart.service
+ enabled: true
+ when: not nfs4
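Review bot: The 'Enable kstart service' task on the `ansible.builtin.systemd:` line only enables the unit, so on a first run the machine ticket is not obtained until the next reboot, and the unit file written by the preceding template task may not yet be known to systemd; adding `daemon_reload: true` and `state: started` to that task covers both. The 'Set CCache file name' task would also benefit from a comment stating why a FILE cache in /tmp is required here, e.g. `# FILE ccache so the cifs multiuser home mount can locate user tickets -- confirm` (the cifs dependency is inferred from the lmn_mount change, not stated on the page). Note also that lineinfile's `insertbefore: '\[realms\]'` falls back to appending at end of file when no `[realms]` section exists, which would place the option outside `[libdefaults]`.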
diff --git a/roles/lmn_sssd/templates/kstart.service.j2 b/roles/lmn_sssd/templates/kstart.service.j2
new file mode 100644
index 0000000..1791753
--- /dev/null
+++ b/roles/lmn_sssd/templates/kstart.service.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=K5Start Kerberos Ticket Renewal
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -K 1 -u {{ ansible_hostname | upper }}$
+
+[Install]
+WantedBy=multi-user.target
+
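Review bot: `After=network.target` on the new unit does not wait for a usable network, and Kerberos needs a reachable KDC, so k5start can fail at boot with no retry because the unit has no `Restart=`; the SMB automount that depends on the machine ticket would then stay broken until someone restarts the service. Ordering on `network-online.target` and adding `Restart=on-failure` with a short `RestartSec=` makes ticket acquisition resilient to a KDC that is briefly unreachable. Separately, `-K 1` on the `ExecStart=` line wakes k5start every minute to check a ticket that is typically valid for hours; if that interval is deliberate, a comment such as `# -K 1: re-check every minute so a renewed ticket is available quickly after an outage` records the reason.

```ini
[Unit]
Description=K5Start Kerberos Ticket Renewal
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
Restart=on-failure
RestartSec=30
# … unchanged: ExecStart line …

# … unchanged: [Install] section …
```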