Created
December 15, 2021 21:52
-
-
Save don-rumata/d4f7ae3761608cde31033b4c894f6501 to your computer and use it in GitHub Desktop.
Install and configure AD authentication
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Install and configure AD authentication | |
| hosts: all | |
| become: yes | |
| # become_method: sudo | |
| vars: | |
| domain_for_join: cchgeu | |
| fqdn_for_join: cchgeu.ru | |
| admin_group: depit-srv_admins | |
| full_netdom_join_user: '{{ netdom_join_user }}@{{ fqdn_for_join }}' | |
| vars_files: group_vars/passwd-netdom-join.yml | |
| # https://github.com/ansible/ansible/issues/10698 | |
| environment: | |
| LANG: C | |
| LC_ALL: C | |
| # vars_prompt: | |
| # - name: "netdom_join_user_password" | |
| # prompt: "Password for {{ domain_for_join }}\\{{ netdom_join_user }}" | |
| # private: yes | |
| tasks: | |
| - import_tasks: tasks/install-pexpect.yml | |
| # - import_tasks: tasks/install-python-pip.yml | |
| # https://askubuntu.com/a/200916/457538 | |
| - name: Config UGO 4 home dirs | |
| when: | |
| - ansible_system == 'Linux' | |
| become: yes | |
| block: | |
| - lineinfile: | |
| path: /etc/adduser.conf | |
| regexp: '^DIR_MODE=' | |
| line: DIR_MODE=0700 | |
| backup: yes | |
| - lineinfile: | |
| path: /etc/login.defs | |
| regexp: '^UMASK' | |
| line: UMASK 077 | |
| backup: yes | |
| tags: | |
| - linux | |
| - home | |
| - homedir | |
| - ugo | |
| - chmod | |
| - name: Install ad_auth required tools | |
| when: | |
| - ansible_system == 'Linux' | |
| - ansible_pkg_mgr == 'yum' | |
| yum: | |
| name: | |
| - adcli | |
| - libselinux-python | |
| - ntpdate | |
| - oddjob | |
| - oddjob-mkhomedir | |
| - pexpect | |
| # Пакет есть в epel. | |
| # - python-pip | |
| - realmd | |
| - samba-common | |
| - samba-common-tools | |
| - sssd | |
| - sudo | |
| state: latest | |
| tags: | |
| - linux | |
| - ad | |
| - active-directory | |
| - realm | |
| - sssd | |
| - yum | |
| - name: Install ad_auth required tools | |
| when: | |
| - ansible_system == 'Linux' | |
| - ansible_pkg_mgr == 'apt' | |
| block: | |
| - apt: | |
| name: | |
| - adcli | |
| - oddjob | |
| - oddjob-mkhomedir | |
| - packagekit | |
| - realmd | |
| - samba-common | |
| - sssd | |
| - sssd-tools | |
| state: latest | |
| # "could not chdir to home directory /home" | |
| # https://serverfault.com/a/972885. Только дёргать надо "pam-auth-update". | |
| # UPD. Эта фигня в неинтерактивном режиме не пашет, сцуко. Тока если руками. | |
| - debconf: | |
| name: libpam-runtime | |
| question: libpam-runtime/profiles | |
| vtype: multiselect | |
| value: pwquality, unix, sss, systemd, mkhomedir, capability | |
| # https://github.com/ansible/ansible-modules-core/issues/1892#issuecomment-132754634 | |
| # - lineinfile: | |
| # dest: /etc/pam.d/common-session | |
| # line: "session optional\t\t\tpam_mkhomedir.so" | |
| # state: present | |
| - template: | |
| src: templates/etc/pam.d/common-session-4-ad-join.j2 | |
| dest: /etc/pam.d/common-session | |
| tags: | |
| - linux | |
| - ad | |
| - active-directory | |
| - realm | |
| - sssd | |
| - deb | |
| - apt | |
| - debconf | |
| - name: Check if machine is bound | |
| when: | |
| - ansible_system == 'Linux' | |
| block: | |
| - shell: /bin/bash -c "realm list | grep sssd" | |
| register: realmd_bound | |
| changed_when: false | |
| ignore_errors: true | |
| - debug: | |
| msg: "{{ realmd_bound }}" | |
| tags: | |
| - linux | |
| - ad | |
| - active-directory | |
| - realm | |
| - sssd | |
| - check | |
| # https://www.freedesktop.org/software/realmd/docs/realmd-conf.html | |
| - name: Join system to AD and put the computer object in the Linux OU | |
| when: | |
| - ansible_system == 'Linux' | |
| - realmd_bound.rc == 1 | |
| expect: | |
| command: realm join {{ fqdn_for_join }} --user={{ netdom_join_user }} --os-name {{ ansible_distribution }} --os-version {{ ansible_distribution_version }} | |
| responses: | |
| Password for *: "{{ netdom_join_user_password }}" | |
| tags: | |
| - linux | |
| - ad | |
| - active-directory | |
| - realm | |
| - sssd | |
| - join | |
| - name: Add default_domain_suffix to sssd.conf | |
| when: | |
| - ansible_system == 'Linux' | |
| - realmd_bound.rc == 1 | |
| block: | |
| - file: | |
| path: /etc/sssd/sssd.conf | |
| state: touch | |
| - lineinfile: | |
| dest: /etc/sssd/sssd.conf | |
| line: 'default_domain_suffix = {{ fqdn_for_join }}' | |
| insertafter: '^\[sssd\]' | |
| - lineinfile: | |
| dest: /etc/sssd/sssd.conf | |
| line: access_provider = simple | |
| notify: | |
| - restart sssd | |
| tags: | |
| - linux | |
| - ad | |
| - active-directory | |
| - realm | |
| - sssd | |
| - config | |
| # Штука рабочая, но как показали полевые испытания - в гуй пускает только членов группы, что есть не совсем круто. | |
| # - name: Restrict access based on specific ad group | |
| # when: | |
| # - ansible_system == 'Linux' | |
| # - realmd_bound.rc == 1 | |
| # command: realm permit -g {{ admin_group }}@{{ fqdn_for_join }} | |
| # with_items: "{{ inventory_hostname_short }}" | |
| # tags: | |
| # - linux | |
| # - ad | |
| # - active-directory | |
| # - realm | |
| # - sssd | |
| # - access | |
| # # https://www.cyberciti.biz/tips/checking-openssh-sshd-configuration-syntax-errors.html | |
| # # https://askubuntu.com/a/545379 | |
| # # https://ubuntuforums.org/showthread.php?t=2329949 | |
| # # https://www.configapp.com/2018/01/09/configuration-file-validation-check/ | |
| # # !!! TEST !!! | |
| # - name: Restrict access based on specific ad group | |
| # when: | |
| # - ansible_system == 'Linux' | |
| # - realmd_bound.rc == 1 | |
| # lineinfile: | |
| # line: AllowGroups {{ admin_group }}@{{ fqdn_for_join }} | |
| # path: /etc/ssh/sshd_config | |
| # # validate: /usr/sbin/sshd -t %s | |
| # state: present | |
| # backup: yes | |
| # with_items: "{{ inventory_hostname_short }}" | |
| # tags: | |
| # - linux | |
| # - ad | |
| # - active-directory | |
| # - ssh | |
| # - sshd | |
| # - access | |
| - name: Add ad group to sudoers | |
| when: | |
| - ansible_system == 'Linux' | |
| - realmd_bound.rc == 1 | |
| lineinfile: | |
| # dest: /etc/sudoers | |
| dest: /etc/sudoers.d/00-local-admins | |
| line: '%{{ admin_group }}@{{ fqdn_for_join }} ALL=(ALL) ALL' | |
| # insertafter: '^%wheel' | |
| create: yes | |
| with_items: "{{ inventory_hostname_short }}" | |
| tags: | |
| - linux | |
| - ad | |
| - active-directory | |
| - realm | |
| - sssd | |
| - access | |
| - sudo | |
| - name: Force sync time for Greate Justice | |
| when: | |
| - ansible_system == 'Linux' | |
| - realmd_bound.rc == 1 | |
| cron: | |
| name: "Force sync time" | |
| minute: "5" | |
| job: "ntpdate -s time.cchgeu.ru" | |
| tags: | |
| - linux | |
| - ntp | |
| - time | |
| handlers: | |
| - name: restart sssd | |
| when: | |
| - ansible_system == 'Linux' | |
| - realmd_bound.rc == 1 | |
| service: | |
| name: sssd | |
| state: restarted | |
| tags: | |
| - linux | |
| - ad | |
| - active-directory | |
| - realm | |
| - sssd | |
| - access |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment