# Pull in everything the AD join needs: adcli performs the join, samba/winbind
# provide `net` and the machine-account secrets store, sssd handles NSS/PAM, and
# python3-pexpect backs the `expect` tasks further down.
- name: Install packages
  package:
    state: present
    name:
      - adcli
      - python3-pexpect
      - samba
      - sssd
      - sssd-tools
      - winbind
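# sssd.conf carries the domain configuration and may hold credentials, so it
# must stay root-owned and 0600 (sssd refuses to start on a world-readable or
# wrongly-owned config). The mode is quoted so YAML never reinterprets it as
# a decimal integer.
- name: Configure sssd
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: '0600'
  notify: restart sssd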
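# Render smb.conf and refuse to install a file that testparm cannot parse, so a
# broken template never reaches the running smbd. Mode is quoted to avoid the
# YAML octal/decimal trap.
- name: Configure samba
  template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
    owner: root
    group: root
    mode: '0600'
    validate: 'testparm -s %s'
  notify: reload smbd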
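# Create home directories on first login for AD users. This is done with
# lineinfile rather than pam-auth-update because (per the original author)
# pam-auth-update does not cover the noninteractive session stack.
# pam_mkhomedir's default umask is 0022, which leaves every new home directory
# world-readable; umask=0077 restricts it to the owner. The regexp makes the
# task idempotent even if an older pam_mkhomedir line is already present.
- name: Enable pam_mkhomedir
  lineinfile:
    path: /etc/pam.d/common-session-noninteractive
    regexp: '^session\s+optional\s+pam_mkhomedir\.so'
    line: session optional pam_mkhomedir.so umask=0077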
# Probe the existing machine account. `net ads testjoin` exits non-zero when
# the host is not joined (or its secrets are stale); that exit code alone
# decides whether the join block below runs, so the task itself never reports
# a change or a failure.
- name: Check domain membership
  command: net ads testjoin
  register: ad_join
  changed_when: false
  failed_when: false
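# Interactive join, only when the membership probe above failed. The operator's
# AD credentials are prompted for on the controller and handed to `net` and
# `adcli` through pexpect. Every task that touches the password carries
# `no_log: true`: without it the registered pause result and the expect module
# arguments (including `responses`) are printed verbatim at -v and end up in
# callback/log output. The cost is that a failed join shows no module output;
# re-run without no_log when debugging.
- name: Join host to AD domain
  when: ad_join.rc != 0
  block:
    - name: Prompt for AD username
      pause:
        prompt: 'AD username'
      register: ad_user

    - name: Prompt for AD password
      pause:
        prompt: 'AD password'
        echo: false
      register: ad_pass
      no_log: true

    # work around https://gitlab.freedesktop.org/realmd/adcli/-/merge_requests/52
    # The username is passed through `quote` because pexpect splits the command
    # line shell-style: an unquoted backslash (DOMAIN\user) or space would be
    # mangled before `net` sees it.
    - name: Get and store domain SID
      expect:
        command: net -U {{ ad_user.user_input | quote }} rpc getsid -S {{ domain }} -D {{ domain }}
        responses:
          'Password for': '{{ ad_pass.user_input }}'
      no_log: true

    # work around https://bugzilla.redhat.com/show_bug.cgi?id=1665794
    # adcli --add-samba-data expects these keys to already exist in secrets.tdb;
    # seed them with an empty value so the join can overwrite them.
    - name: Set missing keys in secrets.tdb
      command: tdbtool /var/lib/samba/private/secrets.tdb store {{ item }}/{{ domain | upper | split('.') | first }} '\0'
      loop:
        - SECRETS/MACHINE_LAST_CHANGE_TIME
        - SECRETS/MACHINE_PASSWORD
        - SECRETS/MACHINE_PASSWORD.PREV

    - name: Join AD with adcli
      expect:
        command: adcli join -v -U {{ ad_user.user_input | upper | quote }} -D {{ domain | upper }} --add-samba-data
        responses:
          'Password for': '{{ ad_pass.user_input }}'
      no_log: true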
# Bring up the three daemons that serve the joined host and make sure they
# come back after a reboot. Runs unconditionally, so an already-joined host
# still gets its services enabled.
- name: Enable services
  service:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - smbd
    - sssd
    - winbind