authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/freeipa_keytab
downloadselfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz
selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip
initial commit
Diffstat (limited to 'roles/freeipa_keytab')
-rw-r--r--roles/freeipa_keytab/defaults/main.yml4
-rw-r--r--roles/freeipa_keytab/tasks/main.yml37
-rw-r--r--roles/freeipa_keytab/vars/main.yml1
3 files changed, 42 insertions, 0 deletions
diff --git a/roles/freeipa_keytab/defaults/main.yml b/roles/freeipa_keytab/defaults/main.yml
new file mode 100644
index 0000000..fab313e
--- /dev/null
+++ b/roles/freeipa_keytab/defaults/main.yml
@@ -0,0 +1,4 @@
+keytab_path: /etc/krb5.keytab
+keytab_owner: root
+keytab_group: root
+keytab_mode: '0600'
diff --git a/roles/freeipa_keytab/tasks/main.yml b/roles/freeipa_keytab/tasks/main.yml
new file mode 100644
index 0000000..3b09e44
--- /dev/null
+++ b/roles/freeipa_keytab/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: check if principal exists in keytab
+ shell:
+ cmd: >
+ klist -kt {{ keytab_path }}
+ | awk -v p={{ keytab_principal }}@{{ freeipa_realm }}
+ '$4 == p { rc=1 } END { exit !rc }'
+ failed_when: false
+ changed_when: false
+ register: keytab_principal_exists
+
+- name: retrieve keytab
+ shell:
+ cmd: >
+ kinit -fpa -l 1m {{ '-k' if use_system_keytab else ipa_user }} &&
+ ipa-getkeytab -p {{ keytab_principal }} -k {{ keytab_path }} &&
+ kdestroy
+ stdin: '{{ omit if use_system_keytab else ipa_pass }}'
+ when: keytab_principal_exists.rc != 0
+
+- name: set keytab owner
+ file:
+ path: '{{ keytab_path }}'
+ owner: '{{ keytab_owner }}'
+ group: '{{ keytab_group }}'
+ mode: '{{ keytab_mode }}'
+ setype: krb5_keytab_t
+
+- name: set selinux context for keytab
+ sefcontext:
+ target: '{{ keytab_path }}'
+ setype: krb5_keytab_t
+ state: present
+ register: keytab_sefcontext
+
+- name: apply selinux context to keytab
+ command: 'restorecon {{ keytab_path }}'
+ when: keytab_sefcontext.changed
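Review bot: In `retrieve keytab`, `ipa_user`, `keytab_principal` and `keytab_path` are interpolated unquoted into a `shell` command line, so a value containing whitespace or shell metacharacters changes the command; pass each through the `quote` filter, e.g. `kinit -fpa -l 1m {{ '-k' if use_system_keytab else (ipa_user | quote) }} &&` and `ipa-getkeytab -p {{ keytab_principal | quote }} -k {{ keytab_path | quote }} &&`. The `check if principal exists in keytab` task has the same unquoted interpolation in its `klist` path and `awk -v` argument. The retrieve task also passes `ipa_pass` through `stdin`, which is a module argument and is echoed in verbose runs, so it should carry `no_log: true`. Separately, `ipa-getkeytab` without `-r` generates a new key for the principal instead of fetching the existing one, which invalidates any other keytab holding that principal; a comment above the task stating that re-keying is intended, or `-r` if retrieval is meant, would save the next maintainer a surprise.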
diff --git a/roles/freeipa_keytab/vars/main.yml b/roles/freeipa_keytab/vars/main.yml
new file mode 100644
index 0000000..f99f769
--- /dev/null
+++ b/roles/freeipa_keytab/vars/main.yml
@@ -0,0 +1 @@
+use_system_keytab: "{{ keytab_principal is search('/' ~ ansible_fqdn) }}"
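Review bot: `search` is a regex test, so the dots in `ansible_fqdn` match any character and a look-alike host part in `keytab_principal` can match when it should not; escape the value before building the pattern, `use_system_keytab: "{{ keytab_principal is search('/' ~ (ansible_fqdn | regex_escape) ~ '$') }}"`. The `$` anchor assumes `keytab_principal` carries no `@REALM` suffix, which the `klist` check in tasks/main.yml appending `@{{ freeipa_realm }}` suggests is the case — confirm before anchoring.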