lmn-client/roles/kerberize/tasks/main.yml
2023-09-04 11:38:58 +02:00


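# Enable Kerberos (GSSAPI) authentication in the OpenSSH server.
- name: kerberize sshd server
  lineinfile:
    path: /etc/ssh/sshd_config
    # sshd keeps the first value it reads for a keyword. Rewrite an already
    # active GSSAPIAuthentication directive in place so it cannot shadow the
    # line managed here.
    regexp: '^GSSAPIAuthentication\s'
    line: "GSSAPIAuthentication yes"
    # Only honoured when no active directive matched `regexp`; if the
    # commented default is missing too, the line is appended at end of file.
    insertafter: "#GSSAPIAuthentication no"
    # NOTE(review): files pulled in by an earlier `Include` can still set this
    # keyword first; that is not visible from this role. Consider adding a
    # `validate:` syntax check so a broken config never reaches the reload.
  notify: "reload sshd"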
# Let the system-wide OpenSSH client configuration attempt GSSAPI (Kerberos)
# authentication. The line goes after the commented-out default when that
# comment is present, otherwise at the end of the file.
- name: kerberize ssh client, authenticate
  lineinfile:
    path: /etc/ssh/ssh_config
    insertafter: '# GSSAPIAuthentication no'
    line: 'GSSAPIAuthentication yes'
# Make the OpenSSH client forward (delegate) the user's Kerberos credentials
# to the server it logs in to.
# NOTE(review): delegation hands the remote host a ticket it can use as the
# user. If this line ends up under a catch-all `Host *` stanza (the contents
# of ssh_config are not visible from here), it applies to every SSH
# destination. Scoping it to hosts of the local realm with a dedicated `Host`
# block would limit what a compromised server can obtain. Confirm the
# intended scope.
- name: kerberize ssh client, delegate credentials
  lineinfile:
    path: /etc/ssh/ssh_config
    insertafter: '# GSSAPIDelegateCredentials no'
    line: 'GSSAPIDelegateCredentials yes'
# Probe for the system-wide Firefox ESR preferences file. The registered
# result is read as `firefox.stat.exists` by the Firefox task.
- name: check if firefox is available
  stat:
    path: /etc/firefox-esr/firefox-esr.js
  register: firefox
# Append the Kerberos (SPNEGO) preferences to the system-wide Firefox ESR
# configuration, one line per item, only when that file exists.
# The URI list comes from `kerberize_uris` and falls back to the host's
# `ansible_domain` fact.
# NOTE(review): `trusted-uris` lets matching sites negotiate Kerberos
# authentication. `delegation-uris` additionally lets the browser delegate the
# user's credentials to them. Setting both to the whole domain means any web
# host in it can receive delegated credentials. Confirm that delegation is
# needed and not just single sign-on.
- name: kerberize firefox for sites in the local domain
  when: firefox.stat.exists
  lineinfile:
    path: /etc/firefox-esr/firefox-esr.js
    line: "{{ item }}"
  with_items:
    - '// kerberize for sites in the local domain:'
    - 'pref("network.negotiate-auth.delegation-uris", "{{ kerberize_uris | default(ansible_domain) }}");'
    - 'pref("network.negotiate-auth.trusted-uris", "{{ kerberize_uris | default(ansible_domain) }}");'
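# Install a managed Chromium policy naming the server Chromium may negotiate
# Kerberos authentication with.
# NOTE(review): the allowlist is a hard-coded host name, while the Firefox
# task derives its list from `kerberize_uris` / `ansible_domain`. Confirm
# this is intentional for other deployments. `copy` does not create missing
# parent directories and, unlike the Firefox task, nothing here checks that
# Chromium is installed.
- name: kerberize chromium for sites in the local domain
  copy:
    dest: /etc/chromium/policies/managed/idam.json
    # Pin ownership and permissions: this file decides which server receives
    # Kerberos negotiation, so it must not be writable by unprivileged users
    # or left to the umask of the controlling process.
    owner: root
    group: root
    mode: "0644"
    content: |
      {
        "AuthServerAllowlist": "idam.steinbeis.schule"
      }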