diff --git a/roles/ad_join/tasks/main.yml b/roles/ad_join/tasks/main.yml index c0c896614..05d2c6c28 100644 --- a/roles/ad_join/tasks/main.yml +++ b/roles/ad_join/tasks/main.yml @@ -16,14 +16,12 @@ src: "custom_pul_sssd.tar.gz" dest: "{{ ad_join_authselect_custom_path }}.tar.gz" mode: "0755" - become: true - name: Ad_join | extract custom PAM configuration ansible.builtin.unarchive: src: "{{ ad_join_authselect_custom_path }}.tar.gz" - dest: / + dest: /etc/authselect/custom/ remote_src: true - become: true - name: Ad_join | select the custom authselect profile with home directory creation ansible.builtin.command: "authselect select custom/{{ ad_join_authselect_profile_name }} {{ 'with-mkhomedir' if ad_join_create_home_dir else '' }}" @@ -46,6 +44,7 @@ owner: root group: root mode: "0644" + notify: Restart sssd - name: Ad_join | discover the realm ansible.builtin.command: "realm discover {{ ad_join_ad_domain }}" @@ -55,7 +54,6 @@ - name: Ad_join | join the realm ansible.builtin.command: "realm join --verbose --user={{ ad_join_admin_user }} --computer-ou='{{ ad_join_computer_ou }}' {{ ad_join_ad_domain }}" when: "'already joined' not in realm_discover.stdout" - # Consider using 'expect' for password prompt if not using Kerberos - name: Ad_join | ensure sssd service is enabled and started ansible.builtin.service: 
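Review bot: Changing the unarchive `dest` from `/` to `/etc/authselect/custom/` only produces the intended layout if `custom_pul_sssd.tar.gz` was repacked with paths relative to the profile directory; the archive is not part of this diff, and one that still carries `etc/authselect/custom/...` prefixes would now unpack to `/etc/authselect/custom/etc/authselect/custom/...`, after which the following `authselect select custom/...` task fails. A `creates:` guard on the unarchive task pointing at a file the archive is known to contain (for example `creates: "{{ ad_join_authselect_custom_path }}/nsswitch.conf"`, file name to be confirmed against the tarball) would make the extraction idempotent and surface a wrong layout on the first run. Both the copy and the unarchive write under /etc, so dropping `become: true` from them presumes the play runs as root or sets `become` at play level; that is not visible here, and a one-line comment at the top of the task file stating the assumption would keep the next reader from re-adding it per task. The copied tarball keeps `mode: "0755"`, which an archive file does not need; `"0644"` is the usual choice.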
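Review bot: The new `notify: Restart sssd` queues a handler for the end of the play, but this task file still restarts sssd unconditionally later (`ansible.builtin.service: name: sssd state: restarted`, old line 189 / new line 122), so a run that changes this file restarts sssd twice and an unchanged run still restarts it once. If the handler is meant to supersede the explicit restart, the unconditional task should be removed (or given a `when:`); otherwise a comment on this task explaining why both exist would help, since the task it belongs to starts before the hunk and I cannot see which file it renders.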
@@ -71,72 +69,7 @@ name: oddjobd enabled: true state: started - when: create_home_dir - -- name: Ad_join | add kdc lines to krb5.conf - ansible.builtin.lineinfile: - path: /etc/krb5.conf - line: " kdc = {{ item }}" - insertafter: '^ +admin_server =.*' - state: present - loop: - - pdom09.pu.win.princeton.edu - - pdom10.pu.win.princeton.edu - - pdom11.pu.win.princeton.edu - - pdom12.pu.win.princeton.edu - - pdom13.pu.win.princeton.edu - - pdom14.pu.win.princeton.edu - - pdom15.pu.win.princeton.edu - - pdom16.pu.win.princeton.edu - notify: Restart sssd - -- name: Ad_join | add auth_to_local line to krb5.conf - ansible.builtin.lineinfile: - path: /etc/krb5.conf - line: " auth_to_local = RULE:[1:$0](^.*@PU.WIN.PRINCETON.EDU$)s/@.*//" - insertafter: '^ +default_domain =.*' - state: present - notify: Restart sssd - -- name: Ad_join | disable ldap_id_use_start_tls in sssd.conf - community.general.ini_file: - path: /etc/sssd/sssd.conf - section: "domain/PU.WIN.PRINCETON.EDU" - option: ldap_id_use_start_tls - value: 'False' - no_extra_spaces: true - mode: "0600" - notify: Restart sssd - -- name: Ad_join | disable ldap_tls_reqcert in sssd.conf - community.general.ini_file: - path: /etc/sssd/sssd.conf - section: "domain/PU.WIN.PRINCETON.EDU" - option: ldap_tls_reqcert - value: 'never' - no_extra_spaces: true - mode: "0600" - notify: Restart sssd - -- name: Ad_join | remove ad_access_filter in sssd.conf - community.general.ini_file: - path: /etc/sssd/sssd.conf - section: "domain/PU.WIN.PRINCETON.EDU" - option: ad_access_filter - state: absent - mode: "0600" - notify: Restart sssd - -- name: Ad_join | ldap_disable_gc and ldap_search_base in sssd.conf - ansible.builtin.lineinfile: - path: /etc/sssd/sssd.conf - line: "{{ item }}" - insertafter: '^\[domain/PU\.WIN\.PRINCETON\.EDU\]' - state: present - with_items: - - " ldap_disable_gc = True" - - " ldap_search_base = dc=pu,dc=win,dc=princeton,dc=edu" - notify: Restart sssd + when: ad_join_create_home_dir - name: Ad_join | ensure 
the krb5 log file directory exists ansible.builtin.file: @@ -189,3 +122,12 @@ ansible.builtin.service: name: sssd state: restarted + +- name: Check sssd domain status + ansible.builtin.command: /usr/sbin/sssctl domain-status {{ ad_join_ad_domain }} + register: domain_status_result + ignore_errors: true + +- name: Display sssd domain status + ansible.builtin.debug: + var: domain_status_result.stdout_lines diff --git a/roles/ad_join/templates/krb5.conf.j2 b/roles/ad_join/templates/krb5.conf.j2 index e1cc49462..818088ba8 100644 --- a/roles/ad_join/templates/krb5.conf.j2 +++ b/roles/ad_join/templates/krb5.conf.j2 
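Review bot: Nothing in this diff replaces the sssd.conf settings the deleted tasks managed (`ldap_id_use_start_tls`, `ldap_tls_reqcert`, `ad_access_filter`, `ldap_disable_gc`, `ldap_search_base`), and no comment records whether the sssd.conf written by `realm join` is now considered authoritative; the krb5.conf side of the removal is covered by the template change, the sssd.conf side is not. A short comment above `- name: Ad_join | ensure the krb5 log file directory exists` (or a README note) such as `# sssd.conf is left to realmd; do not re-add per-option edits here` would stop a maintainer from reintroducing those tasks, and since `ldap_tls_reqcert = never` turned off LDAP server certificate checking, its removal is a deliberate hardening worth stating in the commit message. The `when: ad_join_create_home_dir` fix agrees with the variable used by the authselect task earlier in the file; the oddjobd task it gates starts before this hunk.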
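Review bot: `ignore_errors: true` on the new `Check sssd domain status` task turns a non-zero exit from sssctl into a red-but-ignored result while the task is still reported as changed on every run; the command is read-only, so `changed_when: false` states that, and either `failed_when: false` (if the status is purely informational) or no error suppression at all (if an unhealthy domain should stop the play) expresses the intent better than ignoring the error. The two new task names drop the `Ad_join | ` prefix every other task in the file carries, and the command is the only unquoted one in the file; `ansible.builtin.command: "/usr/sbin/sssctl domain-status {{ ad_join_ad_domain }}"` keeps both consistent. sssctl typically needs root to query the running daemon and this hunk shows no `become`, so the result depends on how the play is invoked — worth confirming.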
@@ -1,29 +1,40 @@ -# {{ ansible_managed | comment }} [logging] - default = FILE:/var/log/krb5libs.log - kdc = FILE:/var/log/krb5kdc.log - admin_server = FILE:/var/log/kadmind.log +    default = FILE:/var/log/krb5libs.log +    kdc = FILE:/var/log/krb5kdc.log +    admin_server = FILE:/var/log/kadmind.log [libdefaults] - dns_lookup_realm = true - dns_lookup_kdc = true - ticket_lifetime = 24h - renew_lifetime = 7d - forwardable = yes - rdns = false - pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt - spake_preauth_groups = edwards25519 - dns_canonicalize_hostname = fallback - qualify_shortname = "" - default_ccache_name = KEYRING:persistent:%{uid} +    dns_lookup_realm = true +    dns_lookup_kdc = true +    ticket_lifetime = 24h +    renew_lifetime = 7d +    forwardable = yes +    rdns = false +    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt +    spake_preauth_groups = edwards25519 +    dns_canonicalize_hostname = fallback +    qualify_shortname = "" +    default_ccache_name = KEYRING:persistent:%{uid} udp_preference_limit = 0 default_realm = {{ ad_join_ad_realm }} [realms] - {{ ad_join_ad_realm }} = { - admin_server = pdom15.pu.win.princeton.edu - auth_to_local = RULE:[1:$0](^.*@PU.WIN.PRINCETON.EDU$)s/@.*// - } +    {{ ad_join_ad_realm }} = { +        kdc = pdom15.pu.win.princeton.edu +        kdc = pdom12.pu.win.princeton.edu +        kdc = pdom16.pu.win.princeton.edu +        kdc = pdom11.pu.win.princeton.edu + kdc = pdom09.pu.win.princeton.edu +        kdc = pdom10.pu.win.princeton.edu +        kdc = pdom11.pu.win.princeton.edu +        kdc = pdom12.pu.win.princeton.edu +        kdc = pdom13.pu.win.princeton.edu +        kdc = pdom14.pu.win.princeton.edu +        kdc = pdom15.pu.win.princeton.edu +        kdc = pdom16.pu.win.princeton.edu +        admin_server = pdom15.pu.win.princeton.edu +        auth_to_local = RULE:[1:$0](^.*@PU.WIN.PRINCETON.EDU$)s/@.*// +      } [domain_realm] .pu.win.princeton.edu = {{ ad_join_ad_realm }}
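Review bot: The new `[realms]` block lists pdom11, pdom12, pdom15 and pdom16 twice (once in the leading pdom15/12/16/11 group, again in the pdom09–pdom16 run), and the pdom09 line is indented with one space where the rest use four; libkrb5 tolerates both, but the duplicates read as a copy-paste leftover and should collapse to one ordered list, ideally rendered from a role variable, e.g. `{% for kdc in ad_join_kdc_servers %}` / `        kdc = {{ kdc }}` / `{% endfor %}` (variable name is a suggestion). Explicit `kdc =` entries take precedence over SRV discovery for that realm, so `dns_lookup_kdc = true` above no longer applies to `{{ ad_join_ad_realm }}`; if pinning the KDC list is deliberate, a template comment such as `# Explicit kdc list disables DNS SRV lookup for this realm; keep in sync with the AD DCs` records that. The realm is templated as `{{ ad_join_ad_realm }}` on the enclosing line but hard-coded in `auth_to_local = RULE:[1:$0](^.*@PU.WIN.PRINCETON.EDU$)s/@.*//`, so the rule silently stops matching as soon as the variable changes; `(^.*@{{ ad_join_ad_realm }}$)` keeps the two consistent. The `# {{ ansible_managed | comment }}` banner is no longer rendered, so anyone hand-editing /etc/krb5.conf loses the hint that the role overwrites it; consider restoring it as the first line.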