Diffstat (limited to 'roles/freeipa_client')
-rw-r--r-- | roles/freeipa_client/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/freeipa_client/files/etc/gssproxy/99-nfs-client.conf | 9 | ||||
-rw-r--r-- | roles/freeipa_client/handlers/main.yml | 14 | ||||
-rw-r--r-- | roles/freeipa_client/tasks/main.yml | 54 | ||||
-rw-r--r-- | roles/freeipa_client/vars/main.yml | 5 |
5 files changed, 83 insertions, 0 deletions
diff --git a/roles/freeipa_client/defaults/main.yml b/roles/freeipa_client/defaults/main.yml
new file mode 100644
index 0000000..95fa912
--- /dev/null
+++ b/roles/freeipa_client/defaults/main.yml
@@ -0,0 +1 @@
+freeipa_autofs: yes
diff --git a/roles/freeipa_client/files/etc/gssproxy/99-nfs-client.conf b/roles/freeipa_client/files/etc/gssproxy/99-nfs-client.conf
new file mode 100644
index 0000000..2ef5e1e
--- /dev/null
+++ b/roles/freeipa_client/files/etc/gssproxy/99-nfs-client.conf
@@ -0,0 +1,9 @@
+[service/nfs-client]
+ mechs = krb5
+ cred_store = keytab:/etc/krb5.keytab
+ cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%u
+ cred_store = client_keytab:/var/lib/gssproxy/clients/%u.keytab
+ cred_usage = initiate
+ allow_any_uid = yes
+ trusted = yes
+ euid = 0
diff --git a/roles/freeipa_client/handlers/main.yml b/roles/freeipa_client/handlers/main.yml
new file mode 100644
index 0000000..6f9bf27
--- /dev/null
+++ b/roles/freeipa_client/handlers/main.yml
@@ -0,0 +1,14 @@
+- name: restart gssproxy
+ systemd:
+ name: gssproxy
+ state: restarted
+
+- name: restart sssd
+ systemd:
+ name: sssd
+ state: restarted
+
+- name: restart rsyslog
+ systemd:
+ name: rsyslog
+ state: restarted
diff --git a/roles/freeipa_client/tasks/main.yml b/roles/freeipa_client/tasks/main.yml
new file mode 100644
index 0000000..8b98daa
--- /dev/null
+++ b/roles/freeipa_client/tasks/main.yml
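Review bot: `freeipa_autofs: yes` uses a YAML 1.1 truthy scalar for a role default; ansible-lint's `truthy` rule and yamllint both flag it, and the same spelling reads as the string "yes" under a 1.2 parser. Write `freeipa_autofs: true` so the `when: freeipa_autofs` test in tasks/main.yml is comparing a real boolean, and a one-line comment such as `# run ipa-client-automount (autofs/NFS home dirs); set false on hosts without NFS` would tell a user what they are switching off.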
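Review bot: The `[service/nfs-client]` stanza combines `trusted = yes`, `allow_any_uid = yes` and `euid = 0`, which (as I read the gssproxy options) lets any root-euid peer have gssproxy initiate Kerberos contexts on behalf of an arbitrary uid, with the host keytab `/etc/krb5.keytab` apparently serving as the credential when a uid has no ccache or client keytab; the file itself gives no hint that this is deliberate. It mirrors the nfs-client stanza gssproxy ships as an example for rpc.gssd, so I would keep the settings but open the file with a why-comment, e.g. `# NFS client (rpc.gssd, root only): per-uid ccache/client_keytab first, host keytab as fallback` and `# allow_any_uid/trusted are required for rpc.gssd to act for unprivileged mounters`. The upstream example uses `%U` in the ccache and client_keytab paths whereas this file uses `%u`; if those substitute the numeric uid and the username respectively, the per-user lookups differ, so confirm which one is intended. Nothing in this diff installs or enables gssproxy; presumably it is pulled in by the ipa-client/nfs-utils packages, but the `restart gssproxy` handler will fail on a host where it is absent.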
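Review bot: The `restart rsyslog` handler is not notified by any task in this diff — the tasks hunk only notifies `restart gssproxy` and `restart sssd` — so it is either dead or serves a task elsewhere in the role that I cannot see. If it is intentional, a one-line comment naming the task that triggers it, e.g. `# notified by the sssd-to-journald task once rsyslog forwarding is configured`, would stop the next reader from deleting it; otherwise drop it. Style: the three handlers are identical apart from the unit name and could be one handler with `listen:` or a `loop:` over the unit names, but that is a matter of taste.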
@@ -0,0 +1,54 @@
+- name: install freeipa pacakges
+ dnf:
+ name: '{{ freeipa_packages[ansible_distribution_major_version] }}'
+ state: present
+
+- name: initialize freeipa client
+ command: >
+ ipa-client-install
+ --unattended
+ --principal={{ ipa_user }}
+ --password={{ ipa_pass | quote }}
+ args:
+ creates: /etc/ipa/default.conf
+
+- name: configure autofs
+ command: ipa-client-automount --unattended
+ register: ipa_client_automount
+ failed_when: ipa_client_automount.rc not in [0, 3]
+ changed_when: ipa_client_automount.rc != 3
+ when: freeipa_autofs
+
+- name: configure gssproxy
+ copy:
+ src: etc/gssproxy/99-nfs-client.conf
+ dest: /etc/gssproxy/99-nfs-client.conf
+ notify: restart gssproxy
+
+- name: enable krb5 hostname canonicalization
+ lineinfile:
+ path: /etc/krb5.conf
+ regexp: '^\s*{{ item }}\s*='
+ line: ' {{ item }} = true'
+ insertafter: '\[libdefaults\]'
+ state: present
+ loop:
+ - rdns
+ - dns_canonicalize_hostname
+
+# Disabling this until they figure out this bug. I don't use containers,
+# so the kernel KEYRING ccache is just fine.
+# https://bugzilla.redhat.com/show_bug.cgi?id=2035496
+- name: uninstall sssd-kcm
+ dnf:
+ name: sssd-kcm
+ state: absent
+ notify: restart sssd
+
+- name: send sssd logs to journald
+ lineinfile:
+ create: yes
+ path: /etc/sysconfig/sssd
+ regexp: ^DEBUG_LOGGER=
+ line: DEBUG_LOGGER=--logger=journald
+ notify: restart sssd
diff --git a/roles/freeipa_client/vars/main.yml b/roles/freeipa_client/vars/main.yml
new file mode 100644
index 0000000..0dc5a8e
--- /dev/null
+++ b/roles/freeipa_client/vars/main.yml
@@ -0,0 +1,5 @@
+freeipa_packages:
+ '8':
+ - '@idm:DL1/client'
+ '9':
+ - ipa-client |
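Review bot: The `--password={{ ipa_pass | quote }}` argument in the "initialize freeipa client" task places the enrollment secret on the ipa-client-install command line, where it is readable by every local user via `ps`/`/proc/*/cmdline` for the duration of the (slow) enrollment and is echoed, along with the rest of the command, into Ansible's task output and any callback or log plugin; the `quote` filter only protects against shell word-splitting, not disclosure. Add `no_log: true` to that task, and where the deployment allows it prefer a per-host one-time enrollment password (`ipa host-add --random`, passed as `--password` without `--principal`) over an admin principal's long-lived credential in `ipa_user`/`ipa_pass`. Separately, the "enable krb5 hostname canonicalization" task sets `rdns = true` and `dns_canonicalize_hostname = true`, which as far as I recall reverses what ipa-client-install writes into `[libdefaults]` and makes the service principal the client authenticates against depend on unauthenticated forward and reverse DNS answers; if the goal is only to let NFS mounts work through CNAMEs, principal aliases on the nfs service (`ipa service-add-principal`) are the targeted fix, and in either case the task deserves a why-comment such as `# NOTE: re-enables DNS-based canonicalization that ipa-client-install disables; needed because <reason>`.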