From bbcf45bbebfbcf95fe04327643e5277d4497e488 Mon Sep 17 00:00:00 2001 From: "Andreas B. Mundt" Date: Mon, 18 Nov 2019 18:45:07 +0100 Subject: [PATCH] Implement basic LAN client.
--- minimal-krb5.yml | 10 ++++ roles/lan-client/defaults/main.yml | 6 +++ roles/lan-client/handlers/main.yml | 14 ++++++ roles/lan-client/tasks/main.yml | 63 +++++++++++++++++++++++++ roles/lan-client/templates/sssd.conf.j2 | 24 ++++++++++ roles/ldap/tasks/main.yml | 1 + roles/nfs-server/tasks/main.yml | 10 +++- 7 files changed, 126 insertions(+), 2 deletions(-) create mode 100644 minimal-krb5.yml create mode 100644 roles/lan-client/defaults/main.yml create mode 100644 roles/lan-client/handlers/main.yml create mode 100644 roles/lan-client/tasks/main.yml create mode 100644 roles/lan-client/templates/sssd.conf.j2
diff --git a/minimal-krb5.yml b/minimal-krb5.yml new file mode 100644
index 0000000..ebba3a2
--- /dev/null
+++ b/minimal-krb5.yml
@@ -0,0 +1,10 @@
+---
+# This playbook does almost nothing. Useful for testing only preseeding.
+
+- name: apply a minimal configuration with kerberos LAN integration
+ hosts: all
+ remote_user: ansible
+ become: yes
+ roles:
+ - up2date-debian
+ - lan-client
diff --git a/roles/lan-client/defaults/main.yml b/roles/lan-client/defaults/main.yml new file mode 100644
index 0000000..b52918d
--- /dev/null
+++ b/roles/lan-client/defaults/main.yml
@@ -0,0 +1,6 @@
+lan_homes: /home/lan
+ldap_domain: "{{ ansible_domain | default('intern', true) }}"
+basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
+ldap_server: ldap
+krb_server: kerberos
+nfs_server: nfs
diff --git a/roles/lan-client/handlers/main.yml b/roles/lan-client/handlers/main.yml new file mode 100644
index 0000000..ec16fb7
--- /dev/null
+++ b/roles/lan-client/handlers/main.yml
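Review bot: `become: yes` in the new play relies on YAML 1.1 truthy parsing; `become: true` is the canonical form and matches the `no_log: true` the role's tasks already use. The header comment reads "Useful for testing only preseeding", which says the opposite of what is meant; `# Useful only for testing the preseeding.` reads correctly.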
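Review bot: `basedn` pipes `ldap_domain` through `replace('^.','')` and `replace('.$','')`, but Jinja's `replace` is a literal substring replacement, not a regex, so those two filters only remove a literal `^.` or `.$` and never strip a leading or trailing dot. `ansible_domain` normally carries neither, so the defect is latent, but the evident intent needs `regex_replace`: `basedn: "{{ 'dc=' + (ldap_domain | regex_replace('^[.]', '') | regex_replace('[.]$', '') | replace('.', ',dc=')) }}"`. The ldap hunk in this patch consumes `basedn` too, so if the same expression is defined there it should be fixed in one shared place. This defaults file also lacks the `---` document start that the role's tasks/main.yml begins with.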
@@ -0,0 +1,14 @@
+- name: restart sssd
+ service: name=sssd state=restarted enabled=yes
+ listen: "restart sssd"
+
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+ listen: "reload systemd"
+
+- name: restart rpc-gssd
+ systemd:
+ name: rpc-gssd
+ state: restarted
+ notify: "restart rpc-gssd"
diff --git a/roles/lan-client/tasks/main.yml b/roles/lan-client/tasks/main.yml new file mode 100644
index 0000000..1008bb7
--- /dev/null
+++ b/roles/lan-client/tasks/main.yml
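Review bot: The `restart rpc-gssd` handler ends with `notify: "restart rpc-gssd"` where the two handlers above it use `listen:`; the `ktadd` task in tasks/main.yml still reaches it by name, but as written the handler notifies itself, which is at best a no-op and may re-queue the handler depending on the Ansible version. `listen: "restart rpc-gssd"` is almost certainly what was meant and keeps the three handlers uniform. On style, `service: name=sssd state=restarted enabled=yes` is the key=value form while the other two handlers use block YAML; `service:` / `name: sssd` / `state: restarted` / `enabled: true` keeps the file consistent, and `daemon_reload: true` rather than `yes` avoids the YAML 1.1 truthy form.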
@@ -0,0 +1,63 @@
+---
+- name: preseed krb5-config realm
+ debconf:
+ name: krb5-config
+ question: krb5-config/default_realm
+ value: "{{ ldap_domain | upper }}"
+ vtype: string
+
+- name: preseed krb5-config kerberos servers
+ debconf:
+ name: krb5-config
+ question: krb5-config/kerberos_servers
+ value: "{{ krb_server }}"
+ vtype: string
+
+- name: preseed krb5-config admin server
+ debconf:
+ name: krb5-config
+ question: krb5-config/admin_server
+ value: "{{ krb_server }}"
+ vtype: string
+
+- name: install needed packages
+ apt:
+ name:
+ - krb5-config
+ - krb5-user
+ - sssd-krb5
+ - sssd-ldap
+ - nfs-common
+ state: latest
+
+- name: provide identities from directory
+ template:
+ src: sssd.conf.j2
+ dest: /etc/sssd/sssd.conf
+ mode: 0600
+ notify: restart sssd
+
+- name: make sure the home mount directory exists
+ file: path={{ lan_homes }} state=directory recurse=yes
+
+
+## Activate machine after installation:
+- name: create machine principal
+ command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
+ no_log: true
+ when: not run_in_installer|default(false)|bool
+
+- name: add principal to keytab
+ command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
+ args:
+ creates: /etc/krb5.keytab
+ no_log: true
+ notify: "restart rpc-gssd"
+ when: not run_in_installer|default(false)|bool
+
+- name: automount
+ lineinfile:
+ dest: /etc/fstab
+ line: "{{ nfs_server}}:/home {{ lan_homes }} nfs4 sec=krb5p,_netdev,noauto,x-systemd.automount,x-systemd.idle-timeout=60 0 0"
+ notify: reload systemd
+ when: not run_in_installer|default(false)|bool
diff --git a/roles/lan-client/templates/sssd.conf.j2 b/roles/lan-client/templates/sssd.conf.j2 new file mode 100644
index 0000000..4b5b285
--- /dev/null
+++ b/roles/lan-client/templates/sssd.conf.j2
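Review bot: `create machine principal` has no `creates:` guard, unlike the `ktadd` task directly below it, so every run outside the installer issues `addprinc -randkey` again for a principal that already exists; whether kadmin's exit status then fails the play or the query is just repeated, the task is not idempotent. Adding `args:` / `creates: /etc/krb5.keytab` to it as well keeps both kadmin calls behind the same marker that the keytab provides. Two further points on the same pair of tasks: `lookup('password', '/root/kadmin.pwd')` runs on the control node and generates and writes a fresh random password when the file is absent, so a missing file surfaces as an opaque kadmin authentication failure rather than a clear error — if the secret is expected to exist already, `lookup('file', '/root/kadmin.pwd')` fails loudly instead. And `-w {{ … }}` places the admin password in kadmin's argv on the managed host for the duration of the call, which `no_log` does not cover; a short comment above the tasks stating that `no_log` only hides the Ansible output would stop a later reader from assuming otherwise.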
@@ -0,0 +1,24 @@
+[sssd]
+domains = LDAP
+services = nss, pam
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://{{ ldap_server }}/
+ldap_search_base = {{ basedn }}
+
+auth_provider = krb5
+krb5_server = {{ krb_server }}
+krb5_realm = {{ ldap_domain | upper }}
+cache_credentials = true
+
+min_id = 10000
+max_id = 20000
+enumerate = False
diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
index 7d7eb84..36ca050 100644
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@@ -93,6 +93,7 @@
 uidNumber: 10000
 gidNumber: 10000
 homeDirectory: "{{ lan_homes }}/foo"
+ loginShell: /bin/bash
 bind_dn: "cn=admin,{{ basedn }}"
 bind_pw: "{{ ldap_admin_pwd }}"
 when: foo_pwd is defined
diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs-server/tasks/main.yml
index d9ea5a3..3cb2f7f 100644
--- a/roles/nfs-server/tasks/main.yml
+++ b/roles/nfs-server/tasks/main.yml
@@ -29,8 +29,8 @@
 dest: /etc/exports
 insertbefore: EOF
 block: |
- {{ export_root }} *(sec=krb5p:krb5i:krb5:sys,rw,fsid=0,crossmnt,no_subtree_check)
- {{ export_root }}/home/ *(sec=krb5p:krb5i,rw,no_subtree_check)
+ {{ export_root }} *(sec=krb5p,rw,fsid=0,crossmnt,no_subtree_check)
+ {{ export_root }}/home/ *(sec=krb5p,rw,no_subtree_check)
 notify: "restart nfs-kernel-server"
@@ -63,3 +63,9 @@
 mode: 0600
 notify: restart sssd
 when: kadmin.stat.exists
+
+- name: copy home from /etc/skel for dummy user foo
+ shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R foo:foo {{ lan_homes }}/foo
+ args:
+ creates: "{{ lan_homes }}/foo"
+ when: foo_pwd is defined
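Review bot: `ldap_uri = ldap://{{ ldap_server }}/` with no bind or SASL settings makes every identity lookup (uid, gid and home directory of the user about to log in) an anonymous query over plain LDAP, so the mapping that decides which files a user owns on the `sec=krb5p` home mount travels the LAN unauthenticated and unencrypted, while the authentication side of the same domain is already protected by Kerberos. Since the template configures the realm anyway, `ldap_sasl_mech = GSSAPI` with `ldap_sasl_authid` set to the principal tasks/main.yml actually creates (`nfs/<host>`, not the `host/` default) would let SSSD authenticate and seal the connection, provided the ldap role's server accepts GSSAPI binds; otherwise `ldap_id_use_start_tls = true` with `ldap_tls_reqcert = demand` and an `ldap_tls_cacert` is the alternative. Note the keytab is only written by the `ktadd` task after `sssd.conf` has been templated, so the GSSAPI variant needs the sssd restart to follow the keytab creation, which the current notify order does not obviously guarantee. Minor: `enumerate = False` next to `cache_credentials = true` — SSSD accepts both, but lowercase `false` is consistent.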
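Review bot: `chown -R foo:foo` in `copy home from /etc/skel for dummy user foo` requires the NFS server to resolve the LDAP user and a group named `foo` through NSS; the ldap hunk in this patch only shows `uidNumber: 10000` / `gidNumber: 10000` for that account, so if no group called foo exists, or sssd is not active on the server at that point, the chown fails — `chown -R 10000:10000` (or the variables the ldap role derives those numbers from) does not depend on name resolution. Because `creates: "{{ lan_homes }}/foo"` guards the whole `&&` chain, a failure after `cp -r` has run leaves a root-owned directory that every later run skips; a separate `file:` task with `owner`, `group`, `mode: o-rwx` and `recurse: true` run unconditionally after the copy keeps ownership correct on reruns and makes the `shell` step a plain `cp`. Quoting the templated paths inside the shell line (`"{{ lan_homes }}/foo"`) is cheap insurance should `lan_homes` ever contain a space or shell metacharacter.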