From 8cf134b4b0530395685372113245bce668e66964 Mon Sep 17 00:00:00 2001
From: Reto Gantenbein
Date: Sun, 27 Oct 2019 15:28:55 +0100
Subject: [PATCH] Add minimal playbooks to setup IPA client on host
---
 deploy-keytab.yml | 67 ++++++++++++++++++++++++++++++++++++++++++++
 setup-ipa-client.yml | 36 ++++++++++++++++++++++++
 2 files changed, 103 insertions(+)
 create mode 100644 deploy-keytab.yml
 create mode 100644 setup-ipa-client.yml
diff --git a/deploy-keytab.yml b/deploy-keytab.yml
new file mode 100644
index 0000000..a96c2ca
--- /dev/null
+++ b/deploy-keytab.yml
@@ -0,0 +1,67 @@
+#* This playbook exports the kerberos host keytab from IPA and deploys
+#* it on a host to /etc/krb5.keytab.
+#* It requires your Ansible user to have SSH access to the IPA server
+#* and a valid kerberos ticket with the required export permissions
+#* already issued.
+#* No arguments are needed.
+
+- name: Export Kerberos keytab from IPA and deploy it on host
+ hosts: host.Virtual,&os.debian_buster
+
+ vars:
+ deploy_keytab__ipa_host_delegation: "{{ ipa.servers|first | default('ipa.' + ansible_domain) }}"
+
+ tasks:
+ - name: Query keytab
+ become: True
+ stat:
+ path: /etc/krb5.keytab
+ register: deploy_keytab__register_keytab
+
+ - name: Run tasks to install host keytab
+ block:
+ - name: Create temporary directory
+ delegate_to: "{{ deploy_keytab__ipa_host_delegation }}"
+ tempfile:
+ state: directory
+ prefix: "keytab."
+ register: deploy_keytab__register_tempdir
+
+ - name: Export host keytab
+ delegate_to: "{{ deploy_keytab__ipa_host_delegation }}"
+ command: >
+ /usr/sbin/ipa-getkeytab
+ -s {{ deploy_keytab__ipa_host_delegation }}
+ -p host/{{ ansible_fqdn }}
+ -k {{ deploy_keytab__register_tempdir.path }}/krb5.keytab
+
+ - name: Fetch keytab from IPA server
+ delegate_to: "{{ deploy_keytab__ipa_host_delegation }}"
+ fetch:
+ src: "{{ deploy_keytab__register_tempdir.path }}/krb5.keytab"
+ # copy file to playbook directory
+ dest: "./"
+ flat: yes
+
+ - name: Copy keytab to host
+ become: True
+ copy:
+ src: "krb5.keytab"
+ dest: "/etc/krb5.keytab"
+ owner: root
+ group: root
+ mode: 0600
+
+ - name: Remove temporary directory
+ delegate_to: "{{ deploy_keytab__ipa_host_delegation }}"
+ file:
+ path: "{{ deploy_keytab__register_tempdir.path }}"
+ state: absent
+
+ - name: Remove temporary keytab
+ delegate_to: localhost
+ file:
+ path: "krb5.keytab"
+ state: absent
+
+ when: not deploy_keytab__register_keytab.stat.exists
diff --git a/setup-ipa-client.yml b/setup-ipa-client.yml
new file mode 100644
index 0000000..351a411
--- /dev/null
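Review bot: The fetched keytab lands at a fixed controller path (`dest: "./"` with `flat: yes`, then `src: "krb5.keytab"` in the copy task), so when the `hosts:` pattern matches more than one machine and forks run in parallel, one host's keytab can end up installed on another host. Make the controller-side filename host-specific in all three places: `dest: "./{{ inventory_hostname }}.krb5.keytab"`, `src: "{{ inventory_hostname }}.krb5.keytab"`, `path: "{{ inventory_hostname }}.krb5.keytab"`. The two removal tasks only run when every earlier task in the block succeeds; moving them into an `always:` section of the block ensures the keytab is removed from the playbook directory (and the temp directory from the IPA server) even when the export or copy fails. Quoting the file mode as `mode: "0600"` avoids relying on YAML octal parsing of the leading zero.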
+++ b/setup-ipa-client.yml
@@ -0,0 +1,36 @@
+#* This playbook registers a new host on the IPA domain which will
+#* create an internal DNS record and setup user authentication via
+#* LDAP/Kerberos.
+#* Use '-a' to pass parameters to ansible (as '-e').
+#* No arguments are mandatory.
+
+- name: Register host on IPA domain
+ hosts: host.Virtual,&os.debian_buster
+
+ vars:
+ setup_ipa_client__ipa_host_delegation: "{{ ipa.servers|first | default('ipa.' + ansible_domain) }}"
+
+ tasks:
+ - name: Check IPA server login
+ delegate_to: "{{ setup_ipa_client__ipa_host_delegation }}"
+ run_once: true
+ ping:
+
+ - name: Check for valid kerberos ticket
+ delegate_to: "{{ setup_ipa_client__ipa_host_delegation }}"
+ changed_when: false
+ command: klist
+
+ - name: Query IPA for host
+ delegate_to: "{{ setup_ipa_client__ipa_host_delegation }}"
+ # If host not joined yet, return code 2
+ failed_when: setup_ipa_client__register__host_show.rc not in [0, 2]
+ command: ipa host-show "{{ ansible_fqdn }}"
+ register: setup_ipa_client__register__host_show
+
+ - name: Add host to IPA
+ delegate_to: "{{ setup_ipa_client__ipa_host_delegation }}"
+ command: "ipa host-add --ip-address={{ ansible_default_ipv4.address }} {{ ansible_fqdn }}"
+ when: setup_ipa_client__register__host_show.rc != 0
+
+- import_playbook: deploy-keytab.yml
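Review bot: The `ipa host-add` command interpolates `ansible_default_ipv4.address`, which is not defined on a target without an IPv4 default route, so the task then aborts with a templating error instead of a clear precondition failure; extending the condition to `when: setup_ipa_client__register__host_show.rc != 0 and ansible_default_ipv4.address is defined` (or asserting the fact beforehand) makes the requirement explicit. The header comment says the playbook sets up user authentication via LDAP/Kerberos, but the visible tasks only create the host entry and, through the imported deploy-keytab.yml, install the host keytab; unless client configuration happens elsewhere, the comment should be narrowed to what the play actually does. The ticket check (`command: klist`) runs once per target host against the same delegate; adding `run_once: true` as on the ping task above avoids repeating it.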