From ce6bd533195ff370ff141c61d082e625bd92db5e Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt"
Date: Mon, 18 Nov 2019 15:31:30 +0100
Subject: [PATCH] Minor fixes and improvements, mostly KDC/LDAP related.
---
 roles/dhcp-dns-dnsmasq/tasks/main.yml | 5 +++
 roles/krb5-kdc-ldap/defaults/main.yml | 10 ++++--
 roles/krb5-kdc-ldap/tasks/main.yml | 36 +++++++++++++++++-----
 roles/krb5-kdc-ldap/templates/kadm5.acl.j2 | 1 +
 roles/ldap/defaults/main.yml | 1 +
 roles/ldap/tasks/main.yml | 8 +++--
 roles/nfs-server/defaults/main.yml | 2 +-
 roles/nfs-server/tasks/main.yml | 8 ++---
 8 files changed, 52 insertions(+), 19 deletions(-)
diff --git a/roles/dhcp-dns-dnsmasq/tasks/main.yml b/roles/dhcp-dns-dnsmasq/tasks/main.yml
index 0a0997a..d0e4bf6 100644
--- a/roles/dhcp-dns-dnsmasq/tasks/main.yml
+++ b/roles/dhcp-dns-dnsmasq/tasks/main.yml
@@ -1,3 +1,7 @@
+- name: check if dnsmasq is already there
+ stat: path=/etc/dnsmasq.d/dnsmasq-dhcp
+ register: dnsmasq
+
 - name: install dnsmasq package
 apt:
 name: dnsmasq
@@ -9,6 +13,7 @@
 line: "{{ item.1 }}\t{{ 'debian%03d' | format(item.0) }}"
 with_indexed_items: "{{ dhcp_list }}"
 notify: "restart dnsmasq"
+ when: not dnsmasq.stat.exists

 - name: configure dnsmasq
 template:
diff --git a/roles/krb5-kdc-ldap/defaults/main.yml b/roles/krb5-kdc-ldap/defaults/main.yml
index 7ea992c..8e22f30 100644
--- a/roles/krb5-kdc-ldap/defaults/main.yml
+++ b/roles/krb5-kdc-ldap/defaults/main.yml
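Review bot: `stat: path=/etc/dnsmasq.d/dnsmasq-dhcp` uses the `key=value` free-form shorthand while the `apt:` task next to it uses block YAML; lint tools tend to flag the mixed form, and block YAML keeps quoting and templating of each argument explicit. The same shorthand is used on the new `file:` line in `roles/krb5-kdc-ldap/tasks/main.yml` and the changed `file:` line in `roles/nfs-server/tasks/main.yml`. Here it would read `stat:` with `path: /etc/dnsmasq.d/dnsmasq-dhcp` on its own indented line.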
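Review bot: `when: not dnsmasq.stat.exists` turns the `line:` entries generated from `dhcp_list` into a first-run-only step, so a later edit to `dhcp_list` is no longer applied on re-runs, while the `configure dnsmasq` template task right below is not guarded; if that template is what writes `/etc/dnsmasq.d/dnsmasq-dhcp` (its body is outside the hunk), the two will drift apart. If "seed once" is the intent, a comment should say so, e.g. `# only on first install; later changes to dhcp_list are not propagated`; otherwise drop the guard and rely on the module's own idempotence. The enclosing task and its module name start outside the hunk.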
@@ -1,5 +1,9 @@
 ---
-kdc_pwd: "{{ lookup('password', '/tmp/kdc.pwd length=24') }}"
-kadmin_pwd: "{{ lookup('password', '/tmp/kadmin.pwd length=24') }}"
 kdc_master_pwd: "{{ lookup('password', '/tmp/kdc_master.pwd length=24') }}"
-kdc_pwd_file: "/root/kdc-master.pwd"
+kdc_master_pwd_file: "/root/kdc-master.pwd"
+
+kdc_service_pwd: "{{ lookup('password', '/tmp/kdc-service.pwd length=24') }}"
+kadmin_service_pwd: "{{ lookup('password', '/tmp/kadmin-service.pwd length=24') }}"
+
+kadmin_pwd: "{{ lookup('password', '/tmp/kadmin.pwd length=24') }}"
+kadmin_pwd_file: "/root/kadmin.pwd"
diff --git a/roles/krb5-kdc-ldap/tasks/main.yml b/roles/krb5-kdc-ldap/tasks/main.yml
index 63aaeb5..f306e5f 100644
--- a/roles/krb5-kdc-ldap/tasks/main.yml
+++ b/roles/krb5-kdc-ldap/tasks/main.yml
@@ -11,6 +11,9 @@
 src: krb5.conf.j2
 dest: /etc/krb5.conf

+- name: make sure krb5kdc exists
+ file: path=/etc/krb5kdc state=directory recurse=yes
+
 - name: prepare kdc.conf
 template:
 src: kdc.conf.j2
@@ -52,7 +55,7 @@
 - organizationalRole
 - simpleSecurityObject
 attributes:
- userPassword: "{{ kdc_pwd }}"
+ userPassword: "{{ kdc_service_pwd }}"
 bind_dn: "cn=admin,{{ basedn }}"
 bind_pw: "{{ ldap_admin_pwd }}"
 when: not krb5kdc.stat.exists
@@ -64,7 +67,7 @@
 - organizationalRole
 - simpleSecurityObject
 attributes:
- userPassword: "{{ kadmin_pwd }}"
+ userPassword: "{{ kadmin_service_pwd }}"
 bind_dn: "cn=admin,{{ basedn }}"
 bind_pw: "{{ ldap_admin_pwd }}"
 when: not krb5kdc.stat.exists
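Review bot: The two new `lookup('password', '/tmp/...')` defaults keep the generated service passwords as plaintext files in the control node's shared `/tmp`, which is world-traversable and usually emptied on reboot, so a later run silently produces values that differ from the ones the first run deployed into LDAP and `service.keyfile`. This follows the existing `kdc_master_pwd` pattern, but a path under the playbook tree that is excluded from version control, or a vaulted variable, would be the safer home for all of them. Since `kadmin_service_pwd` (the LDAP bind password of the kadmin service entry) and `kadmin_pwd` (the password of the `root/admin` principal) are easy to confuse, a comment above each group would help, e.g. `# LDAP simple-bind passwords for the kdc/kadmin service entries` and `# password of the root/admin Kerberos principal, dumped to kadmin_pwd_file`.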
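Review bot: `file: path=/etc/krb5kdc state=directory recurse=yes` creates the directory that will hold `service.keyfile` (the LDAP bind passwords, written by shell redirect in the `@@ -109` hunk) with the default mode, and `recurse=yes` does not create parent directories (`state=directory` already does) — it re-applies the given attributes to everything beneath on later runs. Set the mode explicitly and drop the recursion, `file: path=/etc/krb5kdc state=directory mode=0700`; the same `recurse=yes` appears on `{{ lan_homes }}` in the nfs-server hunk, where it walks every home directory on each run. In the `@@ -109` hunk the keyfile itself is created with `>` under whatever umask the shell has and is never chmodded, although the master-password dump right below it does `chmod 0600`; prefixing the first write with `umask 077;` (or adding a follow-up `file` task with `mode: "0600"`) closes that gap.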
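Review bot: The task receiving `userPassword: "{{ kdc_service_pwd }}"` (and the kadmin one in the `@@ -64` hunk) carries no `no_log: true`, unlike the shell tasks later in the file that handle the same passwords, so a failure or a verbose run may print the rendered `attributes`, cleartext bind password included. The module masks its own `bind_pw` argument, but `attributes` is ordinary task data. Add `no_log: true` next to the existing `when: not krb5kdc.stat.exists` in both tasks. The enclosing task starts outside the hunk.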
@@ -109,17 +112,17 @@
 when: not krb5kdc.stat.exists

 - name: prepare password for kdc
- shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_pwd }} | xxd -g0 -ps | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
+ shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} | xxd -g0 -ps | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
 no_log: true
 when: not krb5kdc.stat.exists

 - name: prepare password for kadmin
- shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_pwd }} | xxd -g0 -ps | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
+ shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} | xxd -g0 -ps | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
 no_log: true
 when: not krb5kdc.stat.exists

 - name: dump kdc master password
- shell: echo -n "{{ kdc_master_pwd }}" > "{{ kdc_pwd_file }}" ; chmod 0600 "{{ kdc_pwd_file }}"
+ shell: echo -n "{{ kdc_master_pwd }}" > "{{ kdc_master_pwd_file }}" ; chmod 0600 "{{ kdc_master_pwd_file }}"
 no_log: true
 when: not krb5kdc.stat.exists
@@ -137,18 +140,35 @@
 notify: "restart krb5-kdc"
 when: not krb5kdc.stat.exists

+- name: add root/admin as kadmin
+ command: kadmin.local -q "addprinc -pw {{ kadmin_pwd }} root/admin"
+ when: not krb5kdc.stat.exists
+
+- name: dump kadmin password
+ shell: echo -n "{{ kadmin_pwd }}" > "{{ kadmin_pwd_file }}" ; chmod 0600 "{{ kadmin_pwd_file }}"
+ no_log: true
+ when: not krb5kdc.stat.exists
+
 - name: add default policy to silence warning when using kadmin
 command: kadmin.local -q "add_policy default"
 when: not krb5kdc.stat.exists

-- name: create machine principal
- command: kadmin.local -q "addprinc -randkey host/{{ ansible_hostname }}.{{ ldap_domain }}"
+- name: create machine principals
+ command: kadmin.local -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ldap_domain }}"
+ with_items:
+ - host
+ - ldap
 when: not krb5kdc.stat.exists

 - name: add principal to the keytab
- command: kadmin.local -q "ktadd host/{{ ansible_hostname }}.{{ ldap_domain }}"
+ command: kadmin.local -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ldap_domain }}"
+ with_items:
+ - host
+ - ldap
 when: not krb5kdc.stat.exists

+##############
+
 - name: kerberize dummy user foo
 command: kadmin.local -q 'add_principal -pw {{ foo_pwd }} -x dn="uid=foo,ou=people,{{ basedn }}" foo'
 when: foo_pwd is defined
diff --git a/roles/krb5-kdc-ldap/templates/kadm5.acl.j2 b/roles/krb5-kdc-ldap/templates/kadm5.acl.j2
index c21d6b8..1ddf3ff 100644
--- a/roles/krb5-kdc-ldap/templates/kadm5.acl.j2
+++ b/roles/krb5-kdc-ldap/templates/kadm5.acl.j2
@@ -1,3 +1,4 @@
 ## access controls for the Kerberos KDC
+root/admin@{{ ldap_domain | upper }} *
 *@{{ ldap_domain | upper }} cil
 */*@{{ ldap_domain | upper }} i
diff --git a/roles/ldap/defaults/main.yml b/roles/ldap/defaults/main.yml
index 8c16cfc..e3df005 100644
--- a/roles/ldap/defaults/main.yml
+++ b/roles/ldap/defaults/main.yml
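Review bot: `command: kadmin.local -q "addprinc -pw {{ kadmin_pwd }} root/admin"` has no `no_log: true`, although the `dump kadmin password` task directly after it does, so the cleartext password of the new full-admin principal is kept in the task result and printed in any verbose run. Passing it with `-pw` also makes it visible to every local user on the KDC through the process list for the lifetime of the command; `kadmin.local` prompts for the password when `-pw` is omitted, so feeding it via the `command` module's `stdin` argument should keep it out of the argv. At minimum add `no_log: true` to this task. With this change the same secret now lives in the controller's `/tmp` lookup file, in `/root/kadmin.pwd` and in the Kerberos database, which is worth recording in a comment on the task.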
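Review bot: The new `root/admin@{{ ldap_domain | upper }} *` entry grants the full standard privilege set to the principal whose password is written to `/root/kadmin.pwd`, and nothing in the template says why it sits first; as far as I recall kadmind uses the first matching entry, so the placement above the wildcard lines is load-bearing and deserves a comment such as `# full administrator; keep above the wildcard entries (first match wins)`. Independently of this change, the pre-existing `*@{{ ldap_domain | upper }} cil` line reads, if I have the syntax right, as allowing any authenticated principal to change the password of any target (`c` with no target spec), which is worth a second look when this file is next touched.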
@@ -2,3 +2,4 @@ ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd length=24') }}"
 ldap_pwd_file: "/root/ldap-admin.pwd"
 ldap_domain: "{{ ansible_domain | default('intern', true) }}"
 basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
+lan_homes: /home/lan
diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
index 6b4a5d2..7d7eb84 100644
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@@ -37,11 +37,13 @@
 no_log: true
 when: not slapd.stat.exists

-- name: install slapd and python-ldap
+- name: install slapd, ldap-utils, ldapvi and python3-ldap
 apt:
 name:
 - slapd
- - python-ldap
+ - ldap-utils
+ - ldapvi
+ - python3-ldap
 state: latest

 - name: make initial slapd configuration available
@@ -90,7 +92,7 @@
 userPassword: "{{ foo_pwd }}"
 uidNumber: 10000
 gidNumber: 10000
- homeDirectory: /home/lan/foo
+ homeDirectory: "{{ lan_homes }}/foo"
 bind_dn: "cn=admin,{{ basedn }}"
 bind_pw: "{{ ldap_admin_pwd }}"
 when: foo_pwd is defined
diff --git a/roles/nfs-server/defaults/main.yml b/roles/nfs-server/defaults/main.yml
index 08061b3..294950c 100644
--- a/roles/nfs-server/defaults/main.yml
+++ b/roles/nfs-server/defaults/main.yml
@@ -1,4 +1,4 @@
 export_root: /srv/nfs4
-export_dir: /home/lan
+lan_homes: /home/lan
 ldap_domain: "{{ ansible_domain | default('intern', true) }}"
 basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs-server/tasks/main.yml
index 5b6a28a..d9ea5a3 100644
--- a/roles/nfs-server/tasks/main.yml
+++ b/roles/nfs-server/tasks/main.yml
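Review bot: `lan_homes: /home/lan` is now declared in two roles' defaults (here and in `roles/nfs-server/defaults/main.yml` in the same patch), just as `ldap_domain` and `basedn` already are, so the LDAP `homeDirectory` values and the NFS export can silently disagree once one copy is edited. A single shared source (group_vars, or a common role both depend on) would remove the duplication; at minimum a comment here, `# must match lan_homes in roles/nfs-server/defaults/main.yml`, makes the coupling visible.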
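Review bot: Moving the binding to `python3-ldap` only helps if the LDAP tasks later in this file are executed with a Python 3 interpreter on the target; if `ansible_python_interpreter` still resolves to python2 there, they will fail to import `ldap` after this change, so the requirement should be stated in the role documentation or pinned with `ansible_python_interpreter: /usr/bin/python3` for these hosts. The list is still installed with `state: latest`, which now upgrades four packages on every run and makes the play non-reproducible; `state: present` installs what is missing and leaves upgrades to the host's update policy. `ldapvi` is an interactive editor rather than a dependency of the role, so a comment noting it is a convenience package would help. The `apt` task is complete inside the hunk.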
@@ -14,12 +14,12 @@
 file: path={{ export_root }}/home/ state=directory recurse=yes

 - name: make sure the export exists
- file: path={{ export_dir }} state=directory recurse=yes
+ file: path={{ lan_homes }} state=directory recurse=yes

 - name: bind mount exported dir
 mount:
 path: "{{ export_root }}/home/"
- src: "{{ export_dir }}"
+ src: "{{ lan_homes }}"
 fstype: none
 state: mounted
 opts: bind
@@ -40,11 +40,11 @@
 register: kadmin

 - name: create machine principal
- command: kadmin.local -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
+ command: kadmin.local -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
 when: kadmin.stat.exists and not exports.stat.exists

 - name: add principal to the keytab
- command: kadmin.local -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
+ command: kadmin.local -q "ktadd nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
 notify: "restart rpc-svcgssd"
 when: kadmin.stat.exists and not exports.stat.exists
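Review bot: The principal name `nfs/{{ ansible_hostname }}.{{ ldap_domain }}` is now spelled out twice in this hunk and built the same way for `host`/`ldap` in `roles/krb5-kdc-ldap/tasks/main.yml`; a single default such as `nfs_principal: "nfs/{{ ansible_hostname }}.{{ ldap_domain }}"` would keep the `addprinc` and `ktadd` tasks from drifting apart. A one-line comment on why `ldap_domain` rather than `ansible_domain` is used here (it appears to be what the realm name is derived from, given `ldap_domain | upper` in the kadm5.acl template) would spare the next reader the same question. Both tasks are complete inside the hunk.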