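---
## This playbook installs and configures AD authentication (realmd/sssd).
## It prompts for the AD bind password, installs the required packages,
## fixes DNS/hosts resolution for the domain controllers, joins the realm
## and adjusts sssd.conf and sudoers so domain users can log in and sudo.
- name: Install and configure AD authentication
  hosts: all
  gather_facts: false
  become: true
  ## become_method: sudo
  vars_prompt:
    - name: "bind_password"
      prompt: "Password for aplinux"
      private: true

  tasks:
    - name: Install sssd
      # A single yum transaction for the whole list instead of one per item.
      yum:
        name:
          - sssd
          - realmd
          - oddjob
          - oddjob-mkhomedir
          - adcli
          - krb5-workstation
          - openldap-clients
          - policycoreutils-python
          - samba
          - samba-client
          - samba-common
          - samba-common-tools
          - ntpdate
          - ntp
        state: installed
      notify:
        - restart realmd

    - name: Check if machine is bound
      # rc != 0 means the host is not yet joined; the result is only used
      # to gate the join task below, so a non-zero rc is not a failure.
      shell: /bin/bash -c "realm list | grep sssd"
      register: realmd_bound
      changed_when: false
      failed_when: false

    - name: Download pip
      # NOTE(review): get-pip.py is fetched unpinned; consider adding a
      # `checksum:` once the expected digest is known.
      get_url:
        url: https://bootstrap.pypa.io/get-pip.py
        dest: /tmp/get-pip.py
        # Quoted so YAML does not read it as the decimal integer 755.
        mode: "0755"
      register: url_pip

    - name: Install python pip
      command: python /tmp/get-pip.py
      register: python_pip

    - name: Install pexpect using pip
      # pexpect is required by the `expect` module used for the realm join.
      pip:
        name: pexpect
      register: pip_pexp

    - name: Inserting a line to hosts
      blockinfile:
        path: /etc/hosts
        block: |
          {{ item.ip }} {{ item.shortname }} {{ item.name }}
        # One marker per DC so the two blocks do not overwrite each other.
        marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.ip }}"
      with_items:
        - name: dc1.domain.local
          shortname: dc1
          ip: 10.1.1.11
        - name: dc2.domain.local
          shortname: dc2
          ip: 10.1.2.11

    - name: Write resolv.conf with AD search domain and nameservers
      # Same resulting file as the previous echo/redirect shell steps, but
      # idempotent and reported as changed only when the content differs.
      # NOTE(review): a running NetworkManager or dhclient may rewrite this
      # file later — confirm how DNS is managed on the target hosts.
      copy:
        dest: /etc/resolv.conf
        content: |
          search domain.local
          nameserver 10.1.1.11
          nameserver 10.1.2.11
      register: resolv

    - name: Join system to AD and add the computer object in the Linux OU
      expect:
        #command: /bin/bash -c "/usr/sbin/realm join --membership-software=samba --user=aplinux domain.local"
        command: /bin/bash -c "/usr/sbin/realm join --user=aplinux domain.local"
        responses:
          # Keys are regular expressions; `.*` matches the user name that
          # realm prints between "for" and ":" (e.g. "Password for aplinux:").
          "Password for .*:": "{{ bind_password }}"
      # Keep the bind password out of the task output and logs.
      no_log: true
      when: realmd_bound.rc != 0

    - name: change FQN string on sssd.conf
      replace:
        path: /etc/sssd/sssd.conf
        regexp: 'use_fully_qualified_names = True'
        replace: 'use_fully_qualified_names = False'
        backup: true

    - name: change USER on sssd.conf
      replace:
        path: /etc/sssd/sssd.conf
        regexp: 'fallback_homedir = /home/%u@%d'
        replace: 'fallback_homedir = /home/%u'
        backup: true

    - name: Add the LinuxAdmins AD Group to sudoers
      lineinfile:
        dest: /etc/sudoers
        line: '%linuxadmin ALL=(ALL) ALL'
        insertafter: '^%wheel'
        # Refuse to write a sudoers file that visudo cannot parse; a syntax
        # error here would lock every user out of sudo.
        validate: '/usr/sbin/visudo -cf %s'

    - name: sssd systemd restart
      systemd:
        state: restarted
        daemon_reload: true
        name: sssd

    - name: make sure daemon is reloaded (ansible bug)
      shell: systemctl daemon-reload

  handlers:
    - name: restart realmd
      service:
        name: realmd
        state: restarted

    - name: restart sssd
      service:
        name: sssd
        state: restarted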