From 9df6c93636d2089d4e8e86c2a3367c58e6d3933a Mon Sep 17 00:00:00 2001
From: Raphael Dannecker <raphael.dannecker@steinbeisschule-reutlingen.de>
Date: Wed, 16 Jul 2025 08:02:37 +0200
Subject: [PATCH] Switch to systemd automount for
 /srv/samba/schools/default-school

Replaced pam_mount with systemd automount to manage the mounting of the default school Samba share.
This change improves system integration and simplifies the mount process by leveraging systemd's capabilities.
---
 roles/lmn_mount/tasks/main.yml             | 61 +++++++++++++---------
 roles/lmn_sssd/tasks/main.yml              | 21 ++++++++
 roles/lmn_sssd/templates/kstart.service.j2 | 11 ++++
 3 files changed, 67 insertions(+), 26 deletions(-)
 create mode 100644 roles/lmn_sssd/templates/kstart.service.j2

diff --git a/roles/lmn_mount/tasks/main.yml b/roles/lmn_mount/tasks/main.yml
index c7f6361..3f0ecc5 100644
--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@@ -24,28 +24,28 @@
     insertafter: "<!-- Volume definitions -->"
   when: web_dav is defined and web_dav | length > 0
 
-- name: Configure pam_mount for LMN homes
-  ansible.builtin.blockinfile:
-    dest: /etc/security/pam_mount.conf.xml
-    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
-    block: |
-      <volume
-        fstype="cifs"
-        server="{{ smb_server }}"
-        path="{{ smb_share }}"
-        mountpoint="/srv/samba/schools/default-school"
-        options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=%(USERGID),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600{{ cifsopt | default(",cache=loose") }}"
-        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
-      </volume>
-    insertafter: "<!-- Volume definitions -->"
-  when: not nfs4
+# - name: Configure pam_mount for LMN homes
+#   ansible.builtin.blockinfile:
+#     dest: /etc/security/pam_mount.conf.xml
+#     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
+#     block: |
+#       <volume
+#         fstype="cifs"
+#         server="{{ smb_server }}"
+#         path="{{ smb_share }}"
+#         mountpoint="/srv/samba/schools/default-school"
+#         options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=%(USERGID),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600{{ cifsopt | default(",cache=loose") }}"
+#         ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+#       </volume>
+#     insertafter: "<!-- Volume definitions -->"
+#   when: not nfs4
 
-- name: Prepare mount point for homes
-  ansible.builtin.file:
-    path: /srv/samba/schools/default-school/
-    state: directory
-    mode: '0755'
-  when: not nfs4
+# - name: Prepare mount point for homes
+#   ansible.builtin.file:
+#     path: /srv/samba/schools/default-school/
+#     state: directory
+#     mode: '0755'
+#   when: not nfs4
 
 - name: Prepare persistent user cache base directory
   ansible.builtin.file:
@@ -75,11 +75,11 @@
     mode: "0755"
 
 
-- name: Clean up all user processes after logout
-  ansible.builtin.replace:
-    path: /etc/security/pam_mount.conf.xml
-    regexp: '^(<logout wait="0" hup="no" term="no" kill="no" />)$'
-    replace: '<!-- \1 -->\n<logout wait="1000" hup="yes" term="yes" kill="yes" />'
+# - name: Clean up all user processes after logout
+#   ansible.builtin.replace:
+#     path: /etc/security/pam_mount.conf.xml
+#     regexp: '^(<logout wait="0" hup="no" term="no" kill="no" />)$'
+#     replace: '<!-- \1 -->\n<logout wait="1000" hup="yes" term="yes" kill="yes" />'
 
 - name: Kill all user processes on logout
   ansible.builtin.lineinfile:
@@ -112,3 +112,12 @@
     state: present
     fstype: nfs4
   when: nfs4
+
+- name: Mount SMB home directory
+  ansible.posix.mount:
+    src: //fileserver.pn.steinbeis.schule/default-school
+    path: /srv/samba/schools/default-school
+    opts: "multiuser,sec=krb5i,mfsymlinks,nobrl,actimeo=600,cache=loose,_netdev,x-systemd.automount,x-systemd.idle-timeout=60s"
+    state: present
+    fstype: cifs
+  when: not nfs4
diff --git a/roles/lmn_sssd/tasks/main.yml b/roles/lmn_sssd/tasks/main.yml
index ed44ce5..26d8f9d 100644
--- a/roles/lmn_sssd/tasks/main.yml
+++ b/roles/lmn_sssd/tasks/main.yml
@@ -5,6 +5,7 @@
       - sssd-ad
       - sssd-tools
       - adcli
+      - kstart
 
 - name: Provide user identities from AD
   ansible.builtin.template:
@@ -22,3 +23,23 @@
   when: >
     ansible_cmdline.adpw | default('') | length > 0 or
     adpw.user_input | default('') | length > 0
+
+- name: Set CCache file name
+  ansible.builtin.lineinfile:
+    dest: /etc/krb5.conf
+    line: '        default_ccache_name = FILE:/tmp/krb5cc_%{uid}'
+    insertbefore: '\[realms\]'
+    state: present
+
+- name: Create kstart systemd service for obtaining machine ticket
+  ansible.builtin.template:
+    src: kstart.service.j2
+    dest: /etc/systemd/system/kstart.service
+    mode: '0644'
+  when: not nfs4
+
+- name: Enable kstart service
+  ansible.builtin.systemd:
+    name: kstart.service
+    enabled: true
+  when: not nfs4
diff --git a/roles/lmn_sssd/templates/kstart.service.j2 b/roles/lmn_sssd/templates/kstart.service.j2
new file mode 100644
index 0000000..1791753
--- /dev/null
+++ b/roles/lmn_sssd/templates/kstart.service.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=K5Start Kerberos Ticket Renewal
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -K 1 -u {{ ansible_hostname | upper }}$
+
+[Install]
+WantedBy=multi-user.target
+