Implement basic LAN client.

minimal-krb5.yml

@@ -0,0 +1,10 @@
+---
+# This playbook does almost nothing.  Useful for testing only preseeding.
+
+- name: apply a minimal configuration with kerberos LAN integration
+  hosts: all
+  remote_user: ansible
+  become: yes
+  roles:
+    - up2date-debian
+    - lan-client

roles/lan-client/defaults/main.yml

@@ -0,0 +1,6 @@
+lan_homes:  /home/lan
+ldap_domain: "{{ ansible_domain | default('intern', true) }}"
+basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
+ldap_server: ldap
+krb_server: kerberos
+nfs_server: nfs

roles/lan-client/handlers/main.yml

@@ -0,0 +1,14 @@
+- name: restart sssd
+  service: name=sssd state=restarted enabled=yes
+  listen: "restart sssd"
+
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+  listen: "reload systemd"
+
+- name: restart rpc-gssd
+  systemd:
+    name: rpc-gssd
+    state: restarted
+  notify: "restart rpc-gssd"

roles/lan-client/tasks/main.yml

@@ -0,0 +1,63 @@
+---
+- name: preseed krb5-config realm
+  debconf:
+    name: krb5-config
+    question: krb5-config/default_realm
+    value: "{{ ldap_domain | upper }}"
+    vtype: string
+
+- name: preseed krb5-config kerberos servers
+  debconf:
+    name: krb5-config
+    question: krb5-config/kerberos_servers
+    value: "{{ krb_server }}"
+    vtype: string
+
+- name: preseed krb5-config admin server
+  debconf:
+    name: krb5-config
+    question: krb5-config/admin_server
+    value: "{{ krb_server }}"
+    vtype: string
+
+- name: install needed packages
+  apt:
+    name:
+      - krb5-config
+      - krb5-user
+      - sssd-krb5
+      - sssd-ldap
+      - nfs-common
+    state: latest
+
+- name: provide identities from directory
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+
+- name: make sure the home mount directory exists
+  file: path={{ lan_homes }} state=directory recurse=yes
+
+
+## Activate machine after installation:
+- name: create machine principal
+  command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
+  no_log: true
+  when: not run_in_installer|default(false)|bool
+
+- name: add principal to keytab
+  command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
+  args:
+    creates: /etc/krb5.keytab
+  no_log: true
+  notify: "restart rpc-gssd"
+  when: not run_in_installer|default(false)|bool
+
+- name: automount
+  lineinfile:
+    dest: /etc/fstab
+    line: "{{ nfs_server}}:/home  {{ lan_homes }}  nfs4  sec=krb5p,_netdev,noauto,x-systemd.automount,x-systemd.idle-timeout=60  0  0"
+  notify: reload systemd
+  when: not run_in_installer|default(false)|bool

roles/lan-client/templates/sssd.conf.j2

@@ -0,0 +1,24 @@
+[sssd]
+domains = LDAP
+services = nss, pam
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://{{ ldap_server }}/
+ldap_search_base = {{ basedn }}
+
+auth_provider = krb5
+krb5_server = {{ krb_server }}
+krb5_realm = {{ ldap_domain | upper }}
+cache_credentials = true
+
+min_id = 10000
+max_id = 20000
+enumerate = False

roles/ldap/tasks/main.yml

@@ -93,6 +93,7 @@
       uidNumber: 10000
       gidNumber: 10000
       homeDirectory: "{{ lan_homes }}/foo"
+      loginShell: /bin/bash
     bind_dn: "cn=admin,{{ basedn }}"
     bind_pw: "{{ ldap_admin_pwd }}"
   when: foo_pwd is defined

roles/nfs-server/tasks/main.yml

@@ -29,8 +29,8 @@
     dest: /etc/exports
     insertbefore: EOF
     block: |
-      {{ export_root }}         *(sec=krb5p:krb5i:krb5:sys,rw,fsid=0,crossmnt,no_subtree_check)
+      {{ export_root }}         *(sec=krb5p,rw,fsid=0,crossmnt,no_subtree_check)
-      {{ export_root }}/home/   *(sec=krb5p:krb5i,rw,no_subtree_check)
+      {{ export_root }}/home/   *(sec=krb5p,rw,no_subtree_check)
   notify: "restart nfs-kernel-server"
 
 
@@ -63,3 +63,9 @@
     mode: 0600
   notify: restart sssd
   when: kadmin.stat.exists
+
+- name: copy home from /etc/skel for dummy user foo
+  shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R foo:foo {{ lan_homes }}/foo
+  args:
+    creates: "{{ lan_homes }}/foo"
+  when: foo_pwd is defined