Revert "Switch to systemd automount ..." and "krb5.conf from ..."

SMB automount seems to have major problems with multiuser mounts. For the first logged in user, everything seems to be fine. For every following logged in user, strange things will happen (e.g. firefox has problems showing the webdev console). This reverts following commits: - 9df6c93636 (Switch to systemd automount for /srv/samba/schools/default-school) - f08c06d7a6 (krb5.conf from package krb5-user ist require)
Revert "Enable POSIX SMB mount option through cifsopt variable"
2025-07-28 10:32:07 +02:00 · 2025-07-28 10:21:47 +02:00
4 changed files with 707 additions and 753 deletions
--- a/inventory.yml
+++ b/inventory.yml
--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@ -24,28 +24,28 @@
    insertafter: "<!-- Volume definitions -->"
  when: web_dav is defined and web_dav | length > 0

-# - name: Configure pam_mount for LMN homes
-#   ansible.builtin.blockinfile:
-#     dest: /etc/security/pam_mount.conf.xml
-#     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
-#     block: |
-#       <volume
-#         fstype="cifs"
-#         server="{{ smb_server }}"
-#         path="{{ smb_share }}"
-#         mountpoint="/srv/samba/schools/default-school"
-#         options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=%(USERGID),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600{{ cifsopt | default(",cache=loose") }}"
-#         ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
-#       </volume>
-#     insertafter: "<!-- Volume definitions -->"
-#   when: not nfs4
+- name: Configure pam_mount for LMN homes
+  ansible.builtin.blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
+    block: |
+      <volume
+        fstype="cifs"
+        server="{{ smb_server }}"
+        path="{{ smb_share }}"
+        mountpoint="/srv/samba/schools/default-school"
+        options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=%(USERGID),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600{{ cifsopt | default(",cache=loose") }}"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+    insertafter: "<!-- Volume definitions -->"
+  when: not nfs4

-# - name: Prepare mount point for homes
-#   ansible.builtin.file:
-#     path: /srv/samba/schools/default-school/
-#     state: directory
-#     mode: '0755'
-#   when: not nfs4
+- name: Prepare mount point for homes
+  ansible.builtin.file:
+    path: /srv/samba/schools/default-school/
+    state: directory
+    mode: '0755'
+  when: not nfs4

 - name: Prepare persistent user cache base directory
  ansible.builtin.file:
@ -75,11 +75,11 @@
    mode: "0755"


-# - name: Clean up all user processes after logout
-#   ansible.builtin.replace:
-#     path: /etc/security/pam_mount.conf.xml
-#     regexp: '^(<logout wait="0" hup="no" term="no" kill="no" />)$'
-#     replace: '<!-- \1 -->\n<logout wait="1000" hup="yes" term="yes" kill="yes" />'
+- name: Clean up all user processes after logout
+  ansible.builtin.replace:
+    path: /etc/security/pam_mount.conf.xml
+    regexp: '^(<logout wait="0" hup="no" term="no" kill="no" />)$'
+    replace: '<!-- \1 -->\n<logout wait="1000" hup="yes" term="yes" kill="yes" />'

 - name: Kill all user processes on logout
  ansible.builtin.lineinfile:
@ -112,12 +112,3 @@
    state: present
    fstype: nfs4
  when: nfs4
-
- name: Mount SMB home directory
-  ansible.posix.mount:
-    src: //fileserver.pn.steinbeis.schule/default-school
-    path: /srv/samba/schools/default-school
-    opts: "multiuser,sec=krb5i,mfsymlinks,nobrl,actimeo=600,_netdev,x-systemd.automount,x-systemd.idle-timeout=60s{{ cifsopt | default('') }}"
-    state: present
-    fstype: cifs
-  when: not nfs4
--- a/roles/lmn_sssd/tasks/main.yml
+++ b/roles/lmn_sssd/tasks/main.yml
@ -5,8 +5,6 @@
      - sssd-ad
      - sssd-tools
      - adcli
-      - kstart
-      - krb5-user

 - name: Provide user identities from AD
  ansible.builtin.template:
@ -24,23 +22,3 @@
  when: >
    ansible_cmdline.adpw | default('') | length > 0 or
    adpw.user_input | default('') | length > 0
-
- name: Set CCache file name
-  ansible.builtin.lineinfile:
-    dest: /etc/krb5.conf
-    line: '        default_ccache_name = FILE:/tmp/krb5cc_%{uid}'
-    insertbefore: '\[realms\]'
-    state: present
-
- name: Create kstart systemd service for obtaining machine ticket
-  ansible.builtin.template:
-    src: kstart.service.j2
-    dest: /etc/systemd/system/kstart.service
-    mode: '0644'
-  when: not nfs4
-
- name: Enable kstart service
-  ansible.builtin.systemd:
-    name: kstart.service
-    enabled: true
-  when: not nfs4
--- a/roles/lmn_sssd/templates/kstart.service.j2
+++ b/roles/lmn_sssd/templates/kstart.service.j2
@ -1,11 +0,0 @@
-[Unit]
-Description=K5Start Kerberos Ticket Renewal
-After=network.target
-
-[Service]
-Type=simple
-ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -K 1 -u {{ ansible_hostname | upper }}$
-
-[Install]
-WantedBy=multi-user.target
-