From 1bcd22255a8364f0e5d1969eee1d9fd437f9254f Mon Sep 17 00:00:00 2001
From: Francis Kayiwa
Date: Thu, 2 Jan 2025 15:12:55 -0500
Subject: [PATCH] use files instead of templates

these files stay pretty static. Use configs from a working host

Co-authored-by: Alicia Cozine
Co-authored-by: Angel Ruiz
Co-authored-by: Vickie Karasic
---
 roles/ad_join/files/krb5.conf | 35 +++++++++++++++++++++++++++++++++++
 roles/ad_join/tasks/main.yml | 14 +++++++-------
 2 files changed, 42 insertions(+), 7 deletions(-)
 create mode 100644 roles/ad_join/files/krb5.conf

diff --git a/roles/ad_join/files/krb5.conf b/roles/ad_join/files/krb5.conf
new file mode 100644
index 000000000..2e4719e72
--- /dev/null
+++ b/roles/ad_join/files/krb5.conf
@@ -0,0 +1,35 @@
+includedir /etc/krb5.conf.d/
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = true
+ dns_lookup_kdc = true
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = yes
+ rdns = false
+ pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+ spake_preauth_groups = edwards25519
+ dns_canonicalize_hostname = fallback
+ qualify_shortname = ""
+ default_ccache_name = KEYRING:persistent:%{uid}
+udp_preference_limit = 0
+default_realm = PU.WIN.PRINCETON.EDU
+
+[realms]
+ PU.WIN.PRINCETON.EDU = {
+ kdc = pdom15.pu.win.princeton.edu
+ kdc = pdom12.pu.win.princeton.edu
+ kdc = pdom16.pu.win.princeton.edu
+ kdc = pdom11.pu.win.princeton.edu
+ admin_server = pdom15.pu.win.princeton.edu
+ auth_to_local = RULE:[1:$0](^.*@PU.WIN.PRINCETON.EDU$)s/@.*//
+ }
+
+[domain_realm]
+.pu.win.princeton.edu = PU.WIN.PRINCETON.EDU
+pu.win.princeton.edu = PU.WIN.PRINCETON.EDU
diff --git a/roles/ad_join/tasks/main.yml b/roles/ad_join/tasks/main.yml
index 05d2c6c28..fb988550e 100644
--- a/roles/ad_join/tasks/main.yml
+++ b/roles/ad_join/tasks/main.yml
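Review bot: The realm and KDC hosts in `default_realm`, `[realms]` and `[domain_realm]` are now fixed to PU.WIN.PRINCETON.EDU, while the join task in roles/ad_join/tasks/main.yml still takes the domain from `ad_join_ad_domain`, so a host run with a different domain would join one realm with a krb5.conf describing another; if the role is meant to stay single-site, a header comment such as `# site-specific: realm and KDCs must match ad_join_ad_domain` makes that explicit, and the copy task in main.yml inherits the same coupling. `forwardable = yes` makes every TGT forwardable by default; if nothing on these hosts delegates credentials, `forwardable = false` limits what the cached tickets on a compromised host can be used for, so it is worth confirming against what SSSD actually needs here. `udp_preference_limit` and `default_realm` sit at column 0 while the other `[libdefaults]` keys are indented; krb5 does not care, but indenting them the same way stops them reading as stray top-level lines.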
@@ -37,9 +37,9 @@
 mode: "0600"
 notify: Restart sssd
 
-- name: Ad_join | template krb5.conf
- ansible.builtin.template:
- src: krb5.conf.j2
+- name: Ad_join | copy krb5.conf
+ ansible.builtin.copy:
+ src: krb5.conf
 dest: "{{ ad_join_krb5_config_file }}"
 owner: root
 group: root
@@ -47,13 +47,13 @@
 notify: Restart sssd
 
 - name: Ad_join | discover the realm
- ansible.builtin.command: "realm discover {{ ad_join_ad_domain }}"
- register: realm_discover
+ ansible.builtin.command: "realm list"
+ register: realm_list
 changed_when: false
 
 - name: Ad_join | join the realm
- ansible.builtin.command: "realm join --verbose --user={{ ad_join_admin_user }} --computer-ou='{{ ad_join_computer_ou }}' {{ ad_join_ad_domain }}"
- when: "'already joined' not in realm_discover.stdout"
+ ansible.builtin.command: "realm join --verbose --user={{ ad_join_admin_user }} {{ ad_join_ad_domain }}"
+ when: "'kerberos-member' not in realm_list.stdout"
 
 - name: Ad_join | ensure sssd service is enabled and started
 ansible.builtin.service:
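Review bot: The join guard in the second hunk keys only on `'kerberos-member'` appearing anywhere in the `realm list` output, so a host already joined to any other realm silently skips joining `ad_join_ad_domain`, and nothing confirms the configured realm is the intended one; checking the domain as well, `when: "ad_join_ad_domain not in realm_list.stdout or 'kerberos-member' not in realm_list.stdout"`, keeps the task idempotent without that false negative (as far as I recall `realm list` prints both domain-name and realm-name for a joined realm, so the match should hold whichever case the variable uses — verify on a joined host). Dropping `--computer-ou` means new computer objects land in the domain's default container; if `ad_join_computer_ou` is still declared in the role defaults it is now dead and should be removed or its removal noted in the task name or a comment. The copy task in the first hunk continues past the hunk (its `mode` and `notify` keys are not visible here), so the permissions the static krb5.conf is written with cannot be checked from this diff.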