it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: it-team:83744196e16850b39a384b1a88241ada7647eaf2
Branches Tags
it-team:main
it-team:dev
it-team:bookworm
it-team:fvs
...
compare: it-team:14822ebb47b11e8d2e0d287d5be8faae2f9ab969
Branches Tags
it-team:dev
it-team:bookworm
it-team:main
it-team:fvs

2 commits
83744196e1 ... 14822ebb47

Author SHA1 Message Date
Raphael Dannecker
14822ebb47 Revert "Switch to systemd automount ..." and "krb5.conf from ..." 
SMB automount seems to have major problems with multiuser mounts.
For the first logged in user, everything seems to be fine.
For every following logged in user, strange things will happen (e.g. firefox has problems showing the webdev console).

This reverts following commits:
 - 9df6c93636 (Switch to systemd automount for /srv/samba/schools/default-school)
 - f08c06d7a6 (krb5.conf from package krb5-user ist require)
 2025-07-28 10:32:07 +02:00
Raphael Dannecker
5c1d2d0ce5 Revert "Enable POSIX SMB mount option through cifsopt variable" 
POSIX mode works only with linux 6.15

This reverts commit 83744196e1.
 2025-07-28 10:21:47 +02:00
4 changed files with 707 additions and 753 deletions
Show stats Expand all files Collapse all files

1366
inventory.yml
View file

File diff suppressed because it is too large Load diff

61
roles/lmn_mount/tasks/main.yml
View file

@ -24,28 +24,28 @@
insertafter: "<!-- Volume definitions -->" insertafter: "<!-- Volume definitions -->"
when: web_dav is defined and web_dav | length > 0 when: web_dav is defined and web_dav | length > 0
# - name: Configure pam_mount for LMN homes - name: Configure pam_mount for LMN homes
# ansible.builtin.blockinfile: ansible.builtin.blockinfile:
# dest: /etc/security/pam_mount.conf.xml dest: /etc/security/pam_mount.conf.xml
# marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->" marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
# block: | block: |
# <volume <volume
# fstype="cifs" fstype="cifs"
# server="{{ smb_server }}" server="{{ smb_server }}"
# path="{{ smb_share }}" path="{{ smb_share }}"
# mountpoint="/srv/samba/schools/default-school" mountpoint="/srv/samba/schools/default-school"
# options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=%(USERGID),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600{{ cifsopt | default(",cache=loose") }}" options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=%(USERGID),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600{{ cifsopt | default(",cache=loose") }}"
# ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not> ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
# </volume> </volume>
# insertafter: "<!-- Volume definitions -->" insertafter: "<!-- Volume definitions -->"
# when: not nfs4 when: not nfs4
# - name: Prepare mount point for homes - name: Prepare mount point for homes
# ansible.builtin.file: ansible.builtin.file:
# path: /srv/samba/schools/default-school/ path: /srv/samba/schools/default-school/
# state: directory state: directory
# mode: '0755' mode: '0755'
# when: not nfs4 when: not nfs4
- name: Prepare persistent user cache base directory - name: Prepare persistent user cache base directory
ansible.builtin.file: ansible.builtin.file:
@ -75,11 +75,11 @@
mode: "0755" mode: "0755"
# - name: Clean up all user processes after logout - name: Clean up all user processes after logout
# ansible.builtin.replace: ansible.builtin.replace:
# path: /etc/security/pam_mount.conf.xml path: /etc/security/pam_mount.conf.xml
# regexp: '^(<logout wait="0" hup="no" term="no" kill="no" />)$' regexp: '^(<logout wait="0" hup="no" term="no" kill="no" />)$'
# replace: '<!-- \1 -->\n<logout wait="1000" hup="yes" term="yes" kill="yes" />' replace: '<!-- \1 -->\n<logout wait="1000" hup="yes" term="yes" kill="yes" />'
- name: Kill all user processes on logout - name: Kill all user processes on logout
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -112,12 +112,3 @@
state: present state: present
fstype: nfs4 fstype: nfs4
when: nfs4 when: nfs4
- name: Mount SMB home directory
ansible.posix.mount:
src: //fileserver.pn.steinbeis.schule/default-school
path: /srv/samba/schools/default-school
opts: "multiuser,sec=krb5i,mfsymlinks,nobrl,actimeo=600,_netdev,x-systemd.automount,x-systemd.idle-timeout=60s{{ cifsopt | default('') }}"
state: present
fstype: cifs
when: not nfs4

22
roles/lmn_sssd/tasks/main.yml
View file

@ -5,8 +5,6 @@
- sssd-ad - sssd-ad
- sssd-tools - sssd-tools
- adcli - adcli
- kstart
- krb5-user
- name: Provide user identities from AD - name: Provide user identities from AD
ansible.builtin.template: ansible.builtin.template:
@ -24,23 +22,3 @@
when: > when: >
ansible_cmdline.adpw | default('') | length > 0 or ansible_cmdline.adpw | default('') | length > 0 or
adpw.user_input | default('') | length > 0 adpw.user_input | default('') | length > 0
- name: Set CCache file name
ansible.builtin.lineinfile:
dest: /etc/krb5.conf
line: ' default_ccache_name = FILE:/tmp/krb5cc_%{uid}'
insertbefore: '\[realms\]'
state: present
- name: Create kstart systemd service for obtaining machine ticket
ansible.builtin.template:
src: kstart.service.j2
dest: /etc/systemd/system/kstart.service
mode: '0644'
when: not nfs4
- name: Enable kstart service
ansible.builtin.systemd:
name: kstart.service
enabled: true
when: not nfs4

11
roles/lmn_sssd/templates/kstart.service.j2
View file

@ -1,11 +0,0 @@
[Unit]
Description=K5Start Kerberos Ticket Renewal
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -K 1 -u {{ ansible_hostname | upper }}$
[Install]
WantedBy=multi-user.target