Implement basic LAN client.
This commit is contained in:
Andreas B. Mundt
parent
ce6bd53319
commit
bbcf45bbeb
7 changed files with 126 additions and 2 deletions
10
minimal-krb5.yml
Normal file
10
minimal-krb5.yml
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
# This playbook does almost nothing. Useful for testing only preseeding.
|
||||
|
||||
- name: apply a minimal configuration with kerberos LAN integration
|
||||
hosts: all
|
||||
remote_user: ansible
|
||||
become: yes
|
||||
roles:
|
||||
- up2date-debian
|
||||
- lan-client
|
||||
6
roles/lan-client/defaults/main.yml
Normal file
6
roles/lan-client/defaults/main.yml
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
lan_homes: /home/lan
|
||||
ldap_domain: "{{ ansible_domain | default('intern', true) }}"
|
||||
basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
|
||||
ldap_server: ldap
|
||||
krb_server: kerberos
|
||||
nfs_server: nfs
|
||||
14
roles/lan-client/handlers/main.yml
Normal file
14
roles/lan-client/handlers/main.yml
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
- name: restart sssd
|
||||
service: name=sssd state=restarted enabled=yes
|
||||
listen: "restart sssd"
|
||||
|
||||
- name: reload systemd
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
listen: "reload systemd"
|
||||
|
||||
- name: restart rpc-gssd
|
||||
systemd:
|
||||
name: rpc-gssd
|
||||
state: restarted
|
||||
notify: "restart rpc-gssd"
|
||||
63
roles/lan-client/tasks/main.yml
Normal file
63
roles/lan-client/tasks/main.yml
Normal file
|
|
@ -0,0 +1,63 @@
|
|||
---
|
||||
- name: preseed krb5-config realm
|
||||
debconf:
|
||||
name: krb5-config
|
||||
question: krb5-config/default_realm
|
||||
value: "{{ ldap_domain | upper }}"
|
||||
vtype: string
|
||||
|
||||
- name: preseed krb5-config kerberos servers
|
||||
debconf:
|
||||
name: krb5-config
|
||||
question: krb5-config/kerberos_servers
|
||||
value: "{{ krb_server }}"
|
||||
vtype: string
|
||||
|
||||
- name: preseed krb5-config admin server
|
||||
debconf:
|
||||
name: krb5-config
|
||||
question: krb5-config/admin_server
|
||||
value: "{{ krb_server }}"
|
||||
vtype: string
|
||||
|
||||
- name: install needed packages
|
||||
apt:
|
||||
name:
|
||||
- krb5-config
|
||||
- krb5-user
|
||||
- sssd-krb5
|
||||
- sssd-ldap
|
||||
- nfs-common
|
||||
state: latest
|
||||
|
||||
- name: provide identities from directory
|
||||
template:
|
||||
src: sssd.conf.j2
|
||||
dest: /etc/sssd/sssd.conf
|
||||
mode: 0600
|
||||
notify: restart sssd
|
||||
|
||||
- name: make sure the home mount directory exists
|
||||
file: path={{ lan_homes }} state=directory recurse=yes
|
||||
|
||||
|
||||
## Activate machine after installation:
|
||||
- name: create machine principal
|
||||
command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
|
||||
no_log: true
|
||||
when: not run_in_installer|default(false)|bool
|
||||
|
||||
- name: add principal to keytab
|
||||
command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
|
||||
args:
|
||||
creates: /etc/krb5.keytab
|
||||
no_log: true
|
||||
notify: "restart rpc-gssd"
|
||||
when: not run_in_installer|default(false)|bool
|
||||
|
||||
- name: automount
|
||||
lineinfile:
|
||||
dest: /etc/fstab
|
||||
line: "{{ nfs_server}}:/home {{ lan_homes }} nfs4 sec=krb5p,_netdev,noauto,x-systemd.automount,x-systemd.idle-timeout=60 0 0"
|
||||
notify: reload systemd
|
||||
when: not run_in_installer|default(false)|bool
|
||||
24
roles/lan-client/templates/sssd.conf.j2
Normal file
24
roles/lan-client/templates/sssd.conf.j2
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
[sssd]
|
||||
domains = LDAP
|
||||
services = nss, pam
|
||||
config_file_version = 2
|
||||
|
||||
[nss]
|
||||
filter_groups = root
|
||||
filter_users = root
|
||||
|
||||
[pam]
|
||||
|
||||
[domain/LDAP]
|
||||
id_provider = ldap
|
||||
ldap_uri = ldap://{{ ldap_server }}/
|
||||
ldap_search_base = {{ basedn }}
|
||||
|
||||
auth_provider = krb5
|
||||
krb5_server = {{ krb_server }}
|
||||
krb5_realm = {{ ldap_domain | upper }}
|
||||
cache_credentials = true
|
||||
|
||||
min_id = 10000
|
||||
max_id = 20000
|
||||
enumerate = False
|
||||
|
|
@ -93,6 +93,7 @@
|
|||
uidNumber: 10000
|
||||
gidNumber: 10000
|
||||
homeDirectory: "{{ lan_homes }}/foo"
|
||||
loginShell: /bin/bash
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
when: foo_pwd is defined
|
||||
|
|
|
|||
|
|
@ -29,8 +29,8 @@
|
|||
dest: /etc/exports
|
||||
insertbefore: EOF
|
||||
block: |
|
||||
{{ export_root }} *(sec=krb5p:krb5i:krb5:sys,rw,fsid=0,crossmnt,no_subtree_check)
|
||||
{{ export_root }}/home/ *(sec=krb5p:krb5i,rw,no_subtree_check)
|
||||
{{ export_root }} *(sec=krb5p,rw,fsid=0,crossmnt,no_subtree_check)
|
||||
{{ export_root }}/home/ *(sec=krb5p,rw,no_subtree_check)
|
||||
notify: "restart nfs-kernel-server"
|
||||
|
||||
|
||||
|
|
@ -63,3 +63,9 @@
|
|||
mode: 0600
|
||||
notify: restart sssd
|
||||
when: kadmin.stat.exists
|
||||
|
||||
- name: copy home from /etc/skel for dummy user foo
|
||||
shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R foo:foo {{ lan_homes }}/foo
|
||||
args:
|
||||
creates: "{{ lan_homes }}/foo"
|
||||
when: foo_pwd is defined
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue