Compare commits
	
		
			No commits in common. "14822ebb47b11e8d2e0d287d5be8faae2f9ab969" and "83744196e16850b39a384b1a88241ada7647eaf2" have entirely different histories.
		
	
	
		
			14822ebb47
			...
			83744196e1
		
	
		
					 4 changed files with 753 additions and 707 deletions
				
			
		
							
								
								
									
										1366
									
								
								inventory.yml
									
										
									
									
									
								
							
							
						
						
									
										1366
									
								
								inventory.yml
									
										
									
									
									
								
							
										
											
											
										
									
								
							| 
						 | 
					@ -24,28 +24,28 @@
 | 
				
			||||||
    insertafter: "<!-- Volume definitions -->"
 | 
					    insertafter: "<!-- Volume definitions -->"
 | 
				
			||||||
  when: web_dav is defined and web_dav | length > 0
 | 
					  when: web_dav is defined and web_dav | length > 0
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Configure pam_mount for LMN homes
 | 
					# - name: Configure pam_mount for LMN homes
 | 
				
			||||||
  ansible.builtin.blockinfile:
 | 
					#   ansible.builtin.blockinfile:
 | 
				
			||||||
    dest: /etc/security/pam_mount.conf.xml
 | 
					#     dest: /etc/security/pam_mount.conf.xml
 | 
				
			||||||
    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
 | 
					#     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
 | 
				
			||||||
    block: |
 | 
					#     block: |
 | 
				
			||||||
      <volume
 | 
					#       <volume
 | 
				
			||||||
        fstype="cifs"
 | 
					#         fstype="cifs"
 | 
				
			||||||
        server="{{ smb_server }}"
 | 
					#         server="{{ smb_server }}"
 | 
				
			||||||
        path="{{ smb_share }}"
 | 
					#         path="{{ smb_share }}"
 | 
				
			||||||
        mountpoint="/srv/samba/schools/default-school"
 | 
					#         mountpoint="/srv/samba/schools/default-school"
 | 
				
			||||||
        options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=%(USERGID),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600{{ cifsopt | default(",cache=loose") }}"
 | 
					#         options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=%(USERGID),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600{{ cifsopt | default(",cache=loose") }}"
 | 
				
			||||||
        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
 | 
					#         ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
 | 
				
			||||||
      </volume>
 | 
					#       </volume>
 | 
				
			||||||
    insertafter: "<!-- Volume definitions -->"
 | 
					#     insertafter: "<!-- Volume definitions -->"
 | 
				
			||||||
  when: not nfs4
 | 
					#   when: not nfs4
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Prepare mount point for homes
 | 
					# - name: Prepare mount point for homes
 | 
				
			||||||
  ansible.builtin.file:
 | 
					#   ansible.builtin.file:
 | 
				
			||||||
    path: /srv/samba/schools/default-school/
 | 
					#     path: /srv/samba/schools/default-school/
 | 
				
			||||||
    state: directory
 | 
					#     state: directory
 | 
				
			||||||
    mode: '0755'
 | 
					#     mode: '0755'
 | 
				
			||||||
  when: not nfs4
 | 
					#   when: not nfs4
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Prepare persistent user cache base directory
 | 
					- name: Prepare persistent user cache base directory
 | 
				
			||||||
  ansible.builtin.file:
 | 
					  ansible.builtin.file:
 | 
				
			||||||
| 
						 | 
					@ -75,11 +75,11 @@
 | 
				
			||||||
    mode: "0755"
 | 
					    mode: "0755"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Clean up all user processes after logout
 | 
					# - name: Clean up all user processes after logout
 | 
				
			||||||
  ansible.builtin.replace:
 | 
					#   ansible.builtin.replace:
 | 
				
			||||||
    path: /etc/security/pam_mount.conf.xml
 | 
					#     path: /etc/security/pam_mount.conf.xml
 | 
				
			||||||
    regexp: '^(<logout wait="0" hup="no" term="no" kill="no" />)$'
 | 
					#     regexp: '^(<logout wait="0" hup="no" term="no" kill="no" />)$'
 | 
				
			||||||
    replace: '<!-- \1 -->\n<logout wait="1000" hup="yes" term="yes" kill="yes" />'
 | 
					#     replace: '<!-- \1 -->\n<logout wait="1000" hup="yes" term="yes" kill="yes" />'
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Kill all user processes on logout
 | 
					- name: Kill all user processes on logout
 | 
				
			||||||
  ansible.builtin.lineinfile:
 | 
					  ansible.builtin.lineinfile:
 | 
				
			||||||
| 
						 | 
					@ -112,3 +112,12 @@
 | 
				
			||||||
    state: present
 | 
					    state: present
 | 
				
			||||||
    fstype: nfs4
 | 
					    fstype: nfs4
 | 
				
			||||||
  when: nfs4
 | 
					  when: nfs4
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- name: Mount SMB home directory
 | 
				
			||||||
 | 
					  ansible.posix.mount:
 | 
				
			||||||
 | 
					    src: //fileserver.pn.steinbeis.schule/default-school
 | 
				
			||||||
 | 
					    path: /srv/samba/schools/default-school
 | 
				
			||||||
 | 
					    opts: "multiuser,sec=krb5i,mfsymlinks,nobrl,actimeo=600,_netdev,x-systemd.automount,x-systemd.idle-timeout=60s{{ cifsopt | default('') }}"
 | 
				
			||||||
 | 
					    state: present
 | 
				
			||||||
 | 
					    fstype: cifs
 | 
				
			||||||
 | 
					  when: not nfs4
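Review bot: The new `Mount SMB home directory` task hard-codes `src: //fileserver.pn.steinbeis.schule/default-school`, whereas the pam_mount volume it replaces (commented out in the first hunk of this file) was built from `{{ smb_server }}` and `{{ smb_share }}`, so any host whose inventory sets those differently now silently gets the wrong share in fstab; use `src: "//{{ smb_server }}/{{ smb_share }}"`. The old per-user volume also carried `file_mode=0700,dir_mode=0700` and mounted under the user's own uid, while the shared `multiuser` mount has no client-side mode bits at all, so access control now rests entirely on the server honouring each user's Kerberos ticket — worth stating on the `opts:` line, e.g. `# multiuser: per-user access is enforced server-side via each user's krb5 ccache, not by client mode bits`. `state: present` only writes the fstab entry; with `x-systemd.automount` nothing is mounted until systemd re-reads fstab (daemon-reload or reboot), and since the `Prepare mount point` task is commented out, creation of `/srv/samba/schools/default-school` is presumably left to systemd — verify on a fresh host. The `nfs4` mount task whose tail (`fstype: nfs4`, `when: nfs4`) is visible here starts outside the hunk.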
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -5,6 +5,8 @@
 | 
				
			||||||
      - sssd-ad
 | 
					      - sssd-ad
 | 
				
			||||||
      - sssd-tools
 | 
					      - sssd-tools
 | 
				
			||||||
      - adcli
 | 
					      - adcli
 | 
				
			||||||
 | 
					      - kstart
 | 
				
			||||||
 | 
					      - krb5-user
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Provide user identities from AD
 | 
					- name: Provide user identities from AD
 | 
				
			||||||
  ansible.builtin.template:
 | 
					  ansible.builtin.template:
 | 
				
			||||||
| 
						 | 
					@ -22,3 +24,23 @@
 | 
				
			||||||
  when: >
 | 
					  when: >
 | 
				
			||||||
    ansible_cmdline.adpw | default('') | length > 0 or
 | 
					    ansible_cmdline.adpw | default('') | length > 0 or
 | 
				
			||||||
    adpw.user_input | default('') | length > 0
 | 
					    adpw.user_input | default('') | length > 0
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- name: Set CCache file name
 | 
				
			||||||
 | 
					  ansible.builtin.lineinfile:
 | 
				
			||||||
 | 
					    dest: /etc/krb5.conf
 | 
				
			||||||
 | 
					    line: '        default_ccache_name = FILE:/tmp/krb5cc_%{uid}'
 | 
				
			||||||
 | 
					    insertbefore: '\[realms\]'
 | 
				
			||||||
 | 
					    state: present
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- name: Create kstart systemd service for obtaining machine ticket
 | 
				
			||||||
 | 
					  ansible.builtin.template:
 | 
				
			||||||
 | 
					    src: kstart.service.j2
 | 
				
			||||||
 | 
					    dest: /etc/systemd/system/kstart.service
 | 
				
			||||||
 | 
					    mode: '0644'
 | 
				
			||||||
 | 
					  when: not nfs4
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- name: Enable kstart service
 | 
				
			||||||
 | 
					  ansible.builtin.systemd:
 | 
				
			||||||
 | 
					    name: kstart.service
 | 
				
			||||||
 | 
					    enabled: true
 | 
				
			||||||
 | 
					  when: not nfs4
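Review bot: `Enable kstart service` only sets `enabled: true`, so after the unit is templated into /etc/systemd/system nothing reloads systemd or starts it, and the machine ticket that the multiuser CIFS mount depends on will not exist until the next boot; add `daemon_reload: true` and `state: started` to that task (or notify a handler that does both). `Set CCache file name` uses `lineinfile` with only `insertbefore: '\[realms\]'`, so if a `default_ccache_name` is already present in `[libdefaults]` the new line is merely added alongside it and which one wins depends on the profile parser — anchor the task with `regexp: '^\s*default_ccache_name\s*='` so an existing line is replaced instead. A one-line comment on that task explaining why a `FILE:` ccache is forced, e.g. `# FILE: ccache so the kernel cifs upcall can find each user's ticket for the multiuser mount — confirm against cifs.upcall(8)`, would stop the next maintainer from reverting it to the distro default. The two kstart tasks are gated on `when: not nfs4` but the krb5.conf change is not; presumably deliberate, but a comment saying so would help.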
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
							
								
								
									
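--- /dev/null
+++ b/roles/lmn_sssd/templates/kstart.service.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=K5Start Kerberos Ticket Renewal
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -K 1 -u {{ ansible_hostname | upper }}$
+
+[Install]
+WantedBy=multi-user.target
+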
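Review bot: The unit has no `Restart=` and orders itself only `After=network.target`, which does not guarantee the network is up, so if k5start cannot reach the KDC at boot the service can exit and the multiuser CIFS mount is left without a machine ticket until someone restarts it by hand; use `Wants=network-online.target`, `After=network-online.target` and add `Restart=on-failure` (with a `RestartSec=`). The principal is derived as `{{ ansible_hostname | upper }}$`, which assumes the AD computer account name is exactly the upper-cased short hostname; AD truncates sAMAccountName to 15 characters and the keytab adcli writes may carry the principal in another form, so either pass `-U` to take the first principal from the keytab or put a comment on the `ExecStart` line recording the assumption. No `-k` cache is given, so the ticket lands in whatever `default_ccache_name` resolves to for root — a comment such as `# ticket goes to root's default ccache; the multiuser CIFS mount reads it from there` would tie this unit to the mount task that relies on it.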