Dodan AD join za Linux... morda ne na pravo mesto

This commit is contained in:
polz 2022-11-16 16:51:26 +01:00
parent 8481701278
commit 3fd45fd333
13 changed files with 202 additions and 21 deletions

View file

@ -1 +0,0 @@
# TODO install NetBeans

View file

@ -1,15 +0,0 @@
- name: Add VS repository
block:
- name: VS repo - apt key
ansible.builtin.get_url:
url: https://packages.microsoft.com/keys/microsoft.asc
dest: /etc/apt/trusted.gpg.d/microsoft_key.asc
- name: VS repo - url
ansible.builtin.apt_repository:
repo: "deb https://packages.microsoft.com/repos/vscode stable main"
state: present
- name: Install VSCode
ansible.builtin.apt:
name: code
state: latest
# TODO: dodaj potrebne plugine

View file

@ -1,3 +1,20 @@
- name: Add Firefox not-a-snap repository
block:
- name: Pin Firefox PPA package priority
template:
src: mozilla-firefox-apt-preferences
dest: /etc/apt/preferences.d/mozilla-firefox
- name: Enable Firefox unattended upgrades
template:
src: mozilla-firefox-unattended-upgrades
dest: /etc/apt/apt.conf.d/51unattended-upgrades-firefox
- name: Add Firefox PPA
apt_repository:
repo: ppa:mozillateam/ppa
state: present
update_cache: True
validate_certs: False
- name: Install generally useful packages
apt:
name:
@ -33,19 +50,47 @@
- git-cola
- kdiff3
- thonny
- ttf-mscorefonts-installer
- libhivex-bin
state: latest
update_cache: yes
- name: Remove broken or unnecessary packages
apt:
name:
- xfce4-screensaver
- xscreensaver
state: absent
- name: Set up additional groups for students
vars:
additional_groups:
- wireshark
- kvm
- dialout
- libvirt
- vboxusers
- ubridge
- docker
block:
- name: create user@.service.d
file:
path: /etc/systemd/system/user@.service.d
state: directory
- name: override groups
- name: override groups in systemd
template:
src: systemd_group_override.conf
dest: /etc/systemd/system/user@.service.d/override.conf
- name: create /etc/security/group.conf
template:
src: security_group.conf
dest: /etc/security/group.conf
- name: create pam config for libpam_group
template:
src: pamconfig_groups
dest: /usr/share/pam-configs/groups
- name: enable libpam_group
shell: pam-auth-update --enable groups
- name: Set default keyboard layout to SI
template:
@ -60,3 +105,10 @@
src: intel-wol.rules
dest: /etc/udev/rules.d/79-wol.rules
- name: Join AD
shell: "realm join --user=ad.join@FRI1.UNI-LJ.SI --computer-ou=OU=Ucilnice FRI1.UNI-LJ.SI"
- name: Fix SSSD config
template:
src: sssd.conf
dest: /etc/sssd/sssd.conf

View file

@ -1 +0,0 @@
# TODO install MySQL ODBC adapter

View file

@ -1 +0,0 @@
# TODO install Pelles

View file

@ -1 +0,0 @@
# TODO install Weka 3

View file

@ -0,0 +1,3 @@
Package: *
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001

View file

@ -0,0 +1 @@
Unattended-Upgrade::Allowed-Origins:: "LP-PPA-mozillateam:${distro_codename}";

View file

@ -0,0 +1,6 @@
Name: Additional group management through /etc/security/groups.conf
Default: yes
Priority: 0
Auth-Type: Additional
Auth-Final:
optional pam_group.so

View file

@ -0,0 +1,108 @@
#
# This is the configuration file for the pam_group module.
#
#
# *** Please note that giving group membership on a session basis is
# *** NOT inherently secure. If a user can create an executable that
# *** is setgid a group that they are infrequently given membership
# *** of, they can basically obtain group membership any time they
# *** like. Example: games are allowed between the hours of 6pm and 6am
# *** user joe logs in at 7pm writes a small C-program toplay.c that
# *** invokes their favorite shell, compiles it and does
# *** "chgrp play toplay; chmod g+s toplay". They are basically able
# *** to play games any time... You have been warned. AGM
#
*;*;*;Al0000-2400;{{ additional_groups|join(',') }}
#
# The syntax of the lines is as follows:
#
# services;ttys;users;times;groups
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). From reading these comments, it is clear that
# text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
# is a logic list of PAM service names that the rule applies to.
#
# ttys
# is a logic list of terminal names that this rule applies to.
#
# users
# is a logic list of users or a netgroup of users to whom this
# rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
# With netgroups no wildcards or logic operators are allowed.
#
# times
# It is used to indicate "when" these groups are to be given to the
# user. The format here is a logic list of day/time-range
# entries the days are specified by a sequence of two character
# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
# that repeated days are unset MoMo = no day, and MoWk = all weekdays
# bar Monday. The two character combinations accepted are
#
# Mo Tu We Th Fr Sa Su Wk Wd Al
#
# the last two being week-end days and all 7 days of the week
# respectively. As a final example, AlFr means all days except Friday.
#
# Each day/time-range can be prefixed with a '!' to indicate "anything
# but"
#
# The time-range part is two 24-hour times HHMM separated by a hyphen
# indicating the start and finish time (if the finish time is smaller
# than the start time it is deemed to apply on the following day).
#
# groups
# The (comma or space separated) list of groups that the user
# inherits membership of. These groups are added if the previous
# fields are satisfied by the user's request
#
# For a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#
#
# Note, to get this to work as it is currently typed you need
#
# 1. to run an application as root
# 2. add the following groups to the /etc/group file:
# floppy, play, sound
#
#
# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
# the user 'us' is given access to the floppy (through membership of
# the floppy group)
#
#xsh;tty*&!ttyp*;us;Al0000-2400;floppy
#
# another example: running 'xsh' on tty* (any ttyXXX device),
# the user 'sword' is given access to games (through membership of
# the sound and play group) after work hours.
#
#xsh; tty* ;sword;!Wk0900-1800;sound, play
#xsh; tty* ;*;Al0900-1800;floppy
#
# yet another example: any member of the group 'admin' running
# 'xsh' on tty*, is granted access (at any time) to the group 'plugdev'
#
#xsh; tty* ;%admin;Al0000-2400;plugdev
#
# End of group.conf file
#

View file

@ -0,0 +1,30 @@
[sssd]
config_file_version = 2
domains = fri1.uni-lj.si
enable_files_domain = False
services = nss, pam
[nss]
filtered_groups = root
filtered_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/fri1.uni-lj.si]
ad_domain = fri1.uni-lj.si
ad_server = dcv1fri1.fri1.uni-lj.si,dcv2fri1.fri1.uni-lj.si
ad_maximum_machine_account_password_age = 0
ad_gpo_access_control = permissive
ad_enabled_domains = fri1.uni-lj.si, student.uni-lj.si, fkkt1.uni-lj.si, ef1.uni-lj.si, fe1.uni-lj.si, ff.uni-lj.si, fmf.uni-lj.si, fu.uni-lj.si, pef.uni-lj.si
krb5_realm = FRI1.UNI-LJ.SI
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

View file

@ -1,2 +1,2 @@
[Service]
SupplementaryGroups=wireshark kvm dialout libvirt vboxusers ubridge
SupplementaryGroups={{ additional_groups|join(' ') }}