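---
# This playbook installs and configures AD authentication via realmd/sssd:
# it installs the required packages, adds the domain controllers to
# /etc/hosts and /etc/resolv.conf, joins the host to the domain (unless it is
# already bound), relaxes the sssd name/homedir settings and grants sudo to
# the LinuxAdmins AD group.
#
# The rendered gist had lost all indentation; this is the playbook rebuilt
# with the structure the task nesting implies, plus the fixes noted inline
# (invalid `register` names with hyphens, removed `|failed` filter, sudoers
# validation, no_log on the join step, canonical booleans).
- name: Install and configure AD authentication
  hosts: all
  gather_facts: false
  become: true
  # become_method: sudo

  vars:
    # Domain and account used for the realm join. The prompt text below is
    # kept literal; keep it in sync with ad_join_user if you change it.
    ad_domain: domain.local
    ad_join_user: aplinux
    # AD group granted full sudo (written into /etc/sudoers as %group).
    ad_sudo_group: linuxadmin
    # Domain controllers; each also acts as a DNS server for the host.
    ad_domain_controllers:
      - name: dc1.domain.local
        shortname: dc1
        ip: "10.1.1.11"
      - name: dc2.domain.local
        shortname: dc2
        ip: "10.1.2.11"
    # Package names are the EL7 ones (policycoreutils-python, ntp); adjust
    # for newer releases — TODO confirm against the target OS.
    ad_packages:
      - sssd
      - realmd
      - oddjob
      - oddjob-mkhomedir
      - adcli
      - krb5-workstation
      - openldap-clients
      - policycoreutils-python
      - samba
      - samba-client
      - samba-common
      - samba-common-tools
      - ntpdate
      - ntp

  vars_prompt:
    - name: bind_password
      prompt: "Password for aplinux"
      # Do not echo the AD bind password to the terminal.
      private: true

  tasks:
    - name: Install sssd, realmd, samba and supporting packages
      yum:
        # One transaction for the whole list instead of one yum run per item.
        name: "{{ ad_packages }}"
        state: present
      notify:
        - restart realmd

    - name: Check if machine is bound
      # Non-zero rc means "not joined"; the task itself must never fail.
      shell: realm list | grep sssd
      register: realmd_bound
      changed_when: false
      failed_when: false

    # The expect module below needs pexpect on the managed host. Fetching and
    # executing get-pip.py as root on every host is a supply-chain exposure;
    # pin it with `checksum: "sha256:<EXPECTED_GET_PIP_SHA256>"` (placeholder,
    # fill in the published value) or prefer the distro pexpect package.
    - name: Download pip
      get_url:
        url: https://bootstrap.pypa.io/get-pip.py
        dest: /tmp/get-pip.py
        # Quoted so YAML does not read the mode as a decimal integer.
        mode: "0755"
      register: url_pip   # was `url-pip`; hyphens are not valid in variable names

    - name: Install python pip
      command: python /tmp/get-pip.py
      register: python_pip

    - name: Install pexpect using pip
      pip:
        name: pexpect
      register: pip_pexp

    - name: Inserting a line to hosts
      blockinfile:
        path: /etc/hosts
        block: |
          {{ item.ip }} {{ item.shortname }} {{ item.name }}
        # The IP in the marker keeps one managed block per domain controller.
        marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.ip }}"
      with_items: "{{ ad_domain_controllers }}"

    # Replaces the three `echo > /etc/resolv.conf` shell tasks with a single
    # idempotent write of the same three lines (search + one nameserver per
    # domain controller). Tools such as NetworkManager may rewrite this file;
    # TODO confirm the resolver configuration on the target hosts.
    - name: Write search domain and nameservers to resolv conf
      copy:
        dest: /etc/resolv.conf
        content: |
          search {{ ad_domain }}
          {% for dc in ad_domain_controllers %}
          nameserver {{ dc.ip }}
          {% endfor %}
      register: resolv

    - name: Join system to AD and add the computer object in the Linux OU
      expect:
        # command: "/usr/sbin/realm join --membership-software=samba --user={{ ad_join_user }} {{ ad_domain }}"
        command: "/usr/sbin/realm join --user={{ ad_join_user }} {{ ad_domain }}"
        responses:
          # Response keys are regexes: ` *` binds to the space, so this only
          # matches "Password for" followed by optional spaces and ":".
          # NOTE(review): confirm against the actual realm prompt and widen to
          # 'Password for .*:' if the prompt includes the user name.
          Password for *: "{{ bind_password }}"
      # Keep the bind password out of task output and logs.
      no_log: true
      # `|failed` was removed in Ansible 2.9; test the registered rc instead.
      when: realmd_bound.rc != 0

    - name: change FQN string on sssd.conf
      replace:
        path: /etc/sssd/sssd.conf
        regexp: 'use_fully_qualified_names = True'
        replace: 'use_fully_qualified_names = False'
        backup: true

    - name: change USER on sssd.conf
      replace:
        path: /etc/sssd/sssd.conf
        regexp: 'fallback_homedir = /home/%u@%d'
        replace: 'fallback_homedir = /home/%u'
        backup: true

    - name: Add the LinuxAdmins AD Group to sudoers
      lineinfile:
        path: /etc/sudoers
        line: '%{{ ad_sudo_group }} ALL=(ALL) ALL'
        insertafter: '^%wheel'
        # A syntax error in sudoers locks everyone out of sudo; let visudo
        # reject the edit before it is written.
        validate: '/usr/sbin/visudo -cf %s'

    - name: sssd systemd restart
      systemd:
        name: sssd
        state: restarted
        daemon_reload: true

    - name: make sure daemon is reloaded (ansible bug)
      shell: systemctl daemon-reload
      changed_when: false

  handlers:
    - name: restart realmd
      service:
        name: realmd
        state: restarted

    # Not notified by any task above; kept for callers that may rely on it.
    - name: restart sssd
      service:
        name: sssd
        state: restarted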