add domain name to the search

we add the domain name to `/etc/resolv.conf`

roles/sssd_ad/handlers/main.yml

@@ -11,6 +11,11 @@
     state: restarted
 
 - name: restart SSSD
-  service:
+  ansible.builtin.service:
     name: sssd
     state: restarted
+
+- name: Restart systemd-resolved
+  ansible.builtin.service:
+    name: systemd-resolved
+    state: restarted

roles/sssd_ad/tasks/main.yml

@@ -4,18 +4,33 @@
     name: "{{ item }}"
     state: present
   loop:
-      - adcli
-      - krb5-user
-      - libnss-sss
-      - libpam-sss
-      - ldap-utils
-      - oddjob
-      - oddjob-mkhomedir
-      - packagekit
-      - realmd
-      - sssd
-      - sssd-tools
-      - samba-common-bin
+    - adcli
+    - krb5-user
+    - libnss-sss
+    - libpam-sss
+    - ldap-utils
+    - oddjob
+    - oddjob-mkhomedir
+    - packagekit
+    - realmd
+    - sssd
+    - sssd-tools
+    - samba-common-bin
+
+- name: Sssd_ad | set domain on interface
+  ansible.builtin.command: resolvectl domain {{ ansible_default_ipv4.interface }} {{ ad_domain }}
+  register: resolvectl_result
+  changed_when: "'Successfully' in resolvectl_result.stderr or ad_domain in resolvectl_result.stdout"
+  notify: Restart systemd-resolved
+  when: running_on_server
+
+- name: Sssd_ad | kerberos for TLS
+  ansible.builtin.template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+    owner: root
+    group: root
+    mode: "0644"
 
 - name: Sssd_ad | Configure realmd for TLS
   ansible.builtin.template:
@@ -41,33 +56,29 @@
     group: root
     mode: "0644"
 
-- name: Sssd_ad | Ensure CA certificate is present
-  ansible.builtin.copy:
-    src: "{{ ad_ldap_cert }}"
-    dest: /usr/local/share/ca-certificates/ad_ca.crt
-    owner: root
-    group: root
-    mode: "0644"
-  when: ad_ldap_cert is defined
-
 - name: Sssd_ad | Update CA certificates
   ansible.builtin.command: update-ca-certificates
   changed_when: false
   when: ad_ldap_cert is defined
 
-- name: Sssd_ad | Restart SSSD service
-  ansible.builtin.service:
-    name: sssd
-    state: restarted
-    enabled: true
-
+# - name: Sssd_ad | set up keytab
+#  ansible.builtin.include_tasks: kerberoskey.yml
+  #  when: running_on_server
+  #
 - name: Sssd_ad | Join the AD domain using TLS
-  ansible.builtin.command: realm join --user={{ ad_admin_user }} {{ ad_domain }}
+  ansible.builtin.command: realm join --user={{ ad_admin_user }} {{ ad_domain }} --install=/
   register: realm_join_result
-  ignore_errors: false
+  changed_when: "'Successfully enrolled machine in realm' in realm_join_result.stdout or 'already enrolled' in realm_join_result.stderr_lines"
+  ignore_errors: true
   when: running_on_server
 
 - name: Sssd_ad | Display realm join result
   ansible.builtin.debug:
     var: realm_join_result.stdout
   when: running_on_server
+
+- name: Sssd_ad | Restart SSSD service
+  ansible.builtin.service:
+    name: sssd
+    state: restarted
+    enabled: true

roles/sssd_ad/templates/krb5.conf.j2

@@ -1,3 +1,18 @@
 [libdefaults]
     udp_preference_limit = 0
     default_realm = {{ ad_domain | upper }}
+    dns_lookup_realm = true
+    dns_lookup_kdc = true
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+
+[realms]
+    {{ ad_realm }} = {
+        kdc = {{ ad_domain }}
+        admin_server = {{ ad_domain }}
+      }
+
+[domain_realm]
+    .{{ ad_domain }} = {{ ad_realm }}
+    {{ ad_domain }} = {{ ad_realm }}

roles/sssd_ad/templates/sssd.conf.j2

@@ -3,11 +3,6 @@ services = nss, pam
 config_file_version = 2
 domains = {{ ad_domain }}
 
-[sssd]
-services = nss, pam
-config_file_version = 2
-domains = {{ ad_domain }}
-
 [domain/{{ ad_domain }}]
 ad_domain = {{ ad_domain }}
 krb5_realm = {{ ad_realm }}
@@ -23,7 +18,6 @@ timeout = 10
 enumerate = false
 fallback_homedir = /home/%u
 default_shell = /usr/bin/bash
-krb5_store_password_if_offline = True
 cache_credentials = True
 use_fully_qualified_names = False