Implement lmn-sssd and lmn-mount roles.

lmn-desktop.yml

@@ -4,7 +4,17 @@
   hosts: all
   remote_user: ansible
   become: yes
+  pre_tasks:
+    - pause:
+        prompt: "Enter global-admin active directory password to join domain:"
+        minutes: 5
+        echo: false
+      register: adpw
+      no_log: true
+      when: "ansible_cmdline.adpw is not defined"
+
   vars:
+    domain: "pn.steinbeis.schule"
     extra_pkgs:
       - webext-privacy-badger
       - webext-ublock-origin
@@ -35,6 +45,7 @@
       - console-setup
       - virt-manager
       - libreoffice-l10n-de
+      - krb5-user
     extra_pkgs_bpo: [ libreoffice ] # [ linux-image-amd64 ]  # [ libreoffice ]
     ansible_python_interpreter: "/usr/bin/python3"
 
@@ -43,8 +54,8 @@
     #- gnome
     - kde
     - up2date_debian
-#    - fvs-sssd
-#    - fvs-mount
+    - lmn-sssd
+    - lmn-mount
 #    - fvs-client
 
   tasks:
@@ -56,17 +67,3 @@
         shell: /bin/bash
         groups: libvirt
         append: yes
-    - name: add lmn key
-      ansible.builtin.apt_key:
-        url: https://deb.linuxmuster.net/pub.gpg
-        keyring: /etc/apt/trusted.gpg.d/linuxmuster.net.gpg
-    - name: add lmn repo
-      apt_repository:
-        repo: deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/linuxmuster.net.gpg] http://deb.linuxmuster.net/ lmn71 main
-        state: present
-        update_cache: true
-    - name: install
-      apt:
-        name: linuxmuster-linuxclient7
-        state: latest
-        

roles/lmn-mount/defaults/main.yml

@@ -0,0 +1,2 @@
+smb_server: "server"
+smb_home: "default-school/teachers/%(DOMAIN_USER)"

roles/lmn-mount/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: install needed packages
+  apt:
+    name:
+      - libpam-mount
+      - cifs-utils
+    state: latest
+
+- name: configure pam_mount
+  blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    block: |
+      <volume
+        fstype="cifs"
+        server="{{ smb_server }}"
+        path="{{ smb_home }}"
+        mountpoint="/home/%(DOMAIN_USER)"
+        options="sec=krb5i,vers=3.0,cruid=%(USERUID),user=%(USER)"
+      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not></volume>
+    insertafter: "<!-- Volume definitions -->"

roles/lmn-sssd/handlers/main.yml

@@ -0,0 +1,3 @@
+- name: restart sssd
+  service: name=sssd state=restarted enabled=yes
+  listen: "restart sssd"

roles/lmn-sssd/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: install needed packages
+  apt:
+    name:
+      - sssd-ad
+      - sssd-tools
+      - adcli
+    state: latest
+
+- name: provide identities from directory
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+
+  ## Either one of the variables is defined:
+- name: join the domain
+  shell:
+    cmd: echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" | adcli join --stdin-password -U global-admin {{ domain | upper }}
+  when: ansible_cmdline.adpw | default('') | length > 0 or adpw.user_input | default('') | length > 0

roles/lmn-sssd/templates/sssd.conf.j2

@@ -0,0 +1,19 @@
+[sssd]
+domains = {{ domain }}
+config_file_version = 2
+
+[domain/{{ domain }}]
+default_shell = /bin/bash
+cache_credentials = True
+krb5_store_password_if_offline = True
+cache_credentials = True
+krb5_realm = {{ domain | upper }}
+id_provider = ad
+override_homedir = /home/%u
+ad_domain = {{ domain }}
+use_fully_qualified_names = False
+ldap_id_mapping = True
+access_provider = ad
+ad_gpo_access_control = permissive
+ad_gpo_ignore_unreadable = True
+ad_maximum_machine_account_password_age = 0