From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit

---
 roles/freeipa_keytab/defaults/main.yml | 4 ++++
 roles/freeipa_keytab/tasks/main.yml | 37 ++++++++++++++++++++++++++++++++++
 roles/freeipa_keytab/vars/main.yml | 1 +
 3 files changed, 42 insertions(+)
 create mode 100644 roles/freeipa_keytab/defaults/main.yml
 create mode 100644 roles/freeipa_keytab/tasks/main.yml
 create mode 100644 roles/freeipa_keytab/vars/main.yml

(limited to 'roles/freeipa_keytab')

diff --git a/roles/freeipa_keytab/defaults/main.yml b/roles/freeipa_keytab/defaults/main.yml
new file mode 100644
index 0000000..fab313e
--- /dev/null
+++ b/roles/freeipa_keytab/defaults/main.yml
@@ -0,0 +1,4 @@
+keytab_path: /etc/krb5.keytab
+keytab_owner: root
+keytab_group: root
+keytab_mode: '0600'
diff --git a/roles/freeipa_keytab/tasks/main.yml b/roles/freeipa_keytab/tasks/main.yml
new file mode 100644
index 0000000..3b09e44
--- /dev/null
+++ b/roles/freeipa_keytab/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: check if principal exists in keytab
+ shell:
+ cmd: >
+ klist -kt {{ keytab_path }}
+ | awk -v p={{ keytab_principal }}@{{ freeipa_realm }}
+ '$4 == p { rc=1 } END { exit !rc }'
+ failed_when: false
+ changed_when: false
+ register: keytab_principal_exists
+
+- name: retrieve keytab
+ shell:
+ cmd: >
+ kinit -fpa -l 1m {{ '-k' if use_system_keytab else ipa_user }} &&
+ ipa-getkeytab -p {{ keytab_principal }} -k {{ keytab_path }} &&
+ kdestroy
+ stdin: '{{ omit if use_system_keytab else ipa_pass }}'
+ when: keytab_principal_exists.rc != 0
+
+- name: set keytab owner
+ file:
+ path: '{{ keytab_path }}'
+ owner: '{{ keytab_owner }}'
+ group: '{{ keytab_group }}'
+ mode: '{{ keytab_mode }}'
+ setype: krb5_keytab_t
+
+- name: set selinux context for keytab
+ sefcontext:
+ target: '{{ keytab_path }}'
+ setype: krb5_keytab_t
+ state: present
+ register: keytab_sefcontext
+
+- name: apply selinux context to keytab
+ command: 'restorecon {{ keytab_path }}'
+ when: keytab_sefcontext.changed
diff --git a/roles/freeipa_keytab/vars/main.yml b/roles/freeipa_keytab/vars/main.yml
new file mode 100644
index 0000000..f99f769
--- /dev/null
+++ b/roles/freeipa_keytab/vars/main.yml
@@ -0,0 +1 @@
+use_system_keytab: "{{ keytab_principal is search('/' ~ ansible_fqdn) }}"
-- cgit
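Review bot: The `retrieve keytab` task feeds `ipa_pass` to kinit through `stdin` but has no `no_log: true`, so the password is recorded in the task result, in verbose (`-v`) output and by any result-logging callback; add `no_log: true` next to `when:`. In the same task `ipa_user`, `keytab_principal` and `keytab_path` are interpolated into a `shell:` command unquoted, so if any of them can come from inventory, group vars or extra-vars they should pass through the `quote` filter, e.g. `{{ ipa_user | quote }}` — the awk `-v p=` argument in the first task has the same exposure. Because the three commands are chained with `&&`, `kdestroy` is skipped whenever `ipa-getkeytab` fails and the TGT stays in the credential cache for the rest of its lifetime (bounded here by `-l 1m`); `ipa-getkeytab ... ; rc=$?; kdestroy; exit $rc` would always clean up. As far as I recall, `ipa-getkeytab` without `-r` issues a fresh key for the principal, invalidating any copy already held in another keytab, so if that rotation is intended it deserves a one-line comment on the task.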
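Review bot: `use_system_keytab` is computed with the `search` test, which treats `'/' ~ ansible_fqdn` as an unanchored regular expression: the dots in the FQDN match any character, and a principal whose host part merely contains or extends the FQDN also flips the role to `kinit -k`, so the host keytab is used where `ipa_user` credentials were intended. A plain string comparison avoids both problems: `use_system_keytab: "{{ keytab_principal.endswith('/' ~ ansible_fqdn) }}"`; if a regex is really wanted, anchor it with `$` and escape the FQDN with `regex_escape`. This comparison is safe because the tasks file appends `@{{ freeipa_realm }}` itself, so `keytab_principal` carries no realm suffix.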