use files instead of templates

these files stay pretty static. Use configs from a working host Co-authored-by: Alicia Cozine <[email protected]> Co-authored-by: Angel Ruiz <[email protected]> Co-authored-by: Vickie Karasic <[email protected]>
pulibrary · Jan 2, 2025 · 1bcd222 · 1bcd222
1 parent 659327c
commit 1bcd222
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 7 deletions.
diff --git a/roles/ad_join/files/krb5.conf b/roles/ad_join/files/krb5.conf
@@ -0,0 +1,35 @@
+includedir /etc/krb5.conf.d/
+
+[logging]
+    default = FILE:/var/log/krb5libs.log
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+    dns_lookup_realm = true
+    dns_lookup_kdc = true
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = yes
+    rdns = false
+    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+    spake_preauth_groups = edwards25519
+    dns_canonicalize_hostname = fallback
+    qualify_shortname = ""
+    default_ccache_name = KEYRING:persistent:%{uid}
+udp_preference_limit = 0
+default_realm = PU.WIN.PRINCETON.EDU
+
+[realms]
+    PU.WIN.PRINCETON.EDU = {
+        kdc = pdom15.pu.win.princeton.edu
+        kdc = pdom12.pu.win.princeton.edu
+        kdc = pdom16.pu.win.princeton.edu
+        kdc = pdom11.pu.win.princeton.edu
+        admin_server = pdom15.pu.win.princeton.edu
+        auth_to_local = RULE:[1:$0](^.*@PU.WIN.PRINCETON.EDU$)s/@.*//
+      }
+
+[domain_realm]
+.pu.win.princeton.edu = PU.WIN.PRINCETON.EDU
+pu.win.princeton.edu = PU.WIN.PRINCETON.EDU
diff --git a/roles/ad_join/tasks/main.yml b/roles/ad_join/tasks/main.yml
@@ -37,23 +37,23 @@
     mode: "0600"
   notify: Restart sssd
 
-- name: Ad_join | template krb5.conf
-  ansible.builtin.template:
-    src: krb5.conf.j2
+- name: Ad_join | copy krb5.conf
+  ansible.builtin.copy:
+    src: krb5.conf
     dest: "{{ ad_join_krb5_config_file }}"
     owner: root
     group: root
     mode: "0644"
   notify: Restart sssd
 
 - name: Ad_join | discover the realm
-  ansible.builtin.command: "realm discover {{ ad_join_ad_domain }}"
-  register: realm_discover
+  ansible.builtin.command: "realm list"
+  register: realm_list
   changed_when: false
 
 - name: Ad_join | join the realm
-  ansible.builtin.command: "realm join --verbose --user={{ ad_join_admin_user }} --computer-ou='{{ ad_join_computer_ou }}' {{ ad_join_ad_domain }}"
-  when: "'already joined' not in realm_discover.stdout"
+  ansible.builtin.command: "realm join --verbose --user={{ ad_join_admin_user }} {{ ad_join_ad_domain }}"
+  when: "'kerberos-member' not in realm_list.stdout"
 
 - name: Ad_join | ensure sssd service is enabled and started
   ansible.builtin.service: