WIP: Active directory roles #431
@@ -111,6 +111,22 @@ | |||
register: sestatus | |||
|
|||
# --- tasks after here require access to package repos --- | |||
- hosts: cacerts |
Active directory was using a custom CA
--- | ||
|
||
- name: Install dependencies | ||
ansible.builtin.package: |
can use dnf with a list for name to allow proper dependency resolution
We only support Rocky, how come this is here?
@@ -0,0 +1,14 @@ | |||
--- | |||
sssd_packages: | |||
- 'sssd' |
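Review bot: `sssd_packages` defaults to the `sssd` meta-package, which (per the dnf output in this thread) pulls in every back end at roughly 49M versus 3.9M for sssd-common, and the `whatprovides` output further down shows sssd-common is what owns both /usr/sbin/sssd and sssd.service. Suggest defaulting to `sssd-common` plus the back-end package the deployment actually uses (sssd-ldap is installed later in this role), and stating in the variable's documentation that the meta-package is only needed when all back ends are wanted.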
On RL9, package providing sssd appears to be called sssd-common. There is no sssd package. And sssd-common, sssd-client, sssd-kcm, sssd-nfs-idmap appear to be installed by default in genericcloud image.
Hmm that isn't right, both packages are available on both OS. Installing sssd installs sssd-common. However at least on RL9 installing sssd-common appears to be enough for ldap auth.
RL9: installing sssd = 49M download
RL9: installing sssd-common = 3.9M download
[root@9bb7a8d6a6a5 /]# cat /etc/redhat-release
Rocky Linux release 8.9 (Green Obsidian)
[root@9bb7a8d6a6a5 /]# dnf info sssd
Last metadata expiration check: 0:00:35 ago on Thu Sep 12 12:58:10 2024.
Available Packages
Name : sssd
Version : 2.9.4
Release : 4.el8_10
...
Description : Provides a set of daemons to manage access to remote directories and
: authentication mechanisms. It provides an NSS and PAM interface toward
: the system and a plug-gable back-end system to connect to multiple different
: account sources. It is also the basis to provide client auditing and policy
: services for projects like FreeIPA.
:
: The sssd sub-package is a meta-package that contains the daemon as well as all
: the existing back ends.
[root@9bb7a8d6a6a5 /]# dnf info sssd-common
Last metadata expiration check: 0:00:39 ago on Thu Sep 12 12:58:10 2024.
Available Packages
Name : sssd-common
Version : 2.9.4
Release : 4.el8_10
...
Description : Common files for the SSSD. The common package includes all the files needed
: to run a particular back end, however, the back ends are packaged in separate
: sub-packages such as sssd-ldap.
So:
[root@stg-login-0 rocky]# dnf whatprovides /usr/sbin/sssd
Last metadata expiration check: 0:39:01 ago on Fri 13 Sep 2024 09:34:20 AM UTC.
sssd-common-2.9.4-6.el9_4.1.x86_64 : Common files for the SSSD
Repo : @System
Matched from:
Filename : /usr/sbin/sssd
...
[root@stg-login-0 rocky]# dnf whatprovides /usr/lib/systemd/system/sssd.service
Last metadata expiration check: 0:40:47 ago on Fri 13 Sep 2024 09:34:20 AM UTC.
sssd-common-2.9.4-6.el9_4.1.x86_64 : Common files for the SSSD
Repo : @System
Matched from:
Filename : /usr/lib/systemd/system/sssd.service
...
i.e. despite the package descriptions, sssd-common is the one which provides the unit file and the daemon binary.
become: true | ||
with_items: | ||
- sssd-ldap | ||
- openldap-clients |
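Review bot: `with_items` over `ansible.builtin.package` runs one package transaction per item, so dependency resolution happens once per package and the task reports a change per item; pass the list straight to `name:` (`name: [sssd-ldap, openldap-clients]`, or the variable holding the list) so dnf resolves everything in a single transaction. As the review comment notes, openldap-clients is already a dependency of sssd-ldap, so it can be dropped from the list unless the ldapsearch tooling is wanted for debugging.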
actually a dep of sssd-ldap, doesn't need to be explicitly specified
and actually this isn't for ldap generally, only for sssd using ldap
environments/.gitignore
Nope, don't want to gitignore these generally, deployments might want to commit these.
when: sssd_config is defined | ||
notify: "Restart sssd" | ||
|
||
- name: "Check if authconfig needs to be run to configure pam/nsswitch" |
@jovial do you understand what this is actually doing?
check_mode: no | ||
failed_when: "authconfig_result.rc >= 2" | ||
|
||
- name: "Configure nsswitch and pam for SSSD via authconfig" |
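Review bot: the `failed_when: "authconfig_result.rc >= 2"` line treats rc 0 and rc 1 as success without stating what rc 1 means for the command being run, and the task name still refers to authconfig while the selection task further down uses `authselect select`; the two tools do not share exit-code semantics. Add a comment documenting the expected return codes (or base the check on `authselect current` so it matches the tool actually used) so the next reader does not have to ask, as the review comment above does.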
Think this is the only part of this role not provided by alternative PR (TBD)
openhpc | ||
|
||
[sshd:children] |
I think the default here must be to NOT add sshd configuration.
Also needs adding to the everything template, empty
|
||
# TODO: Make idempotent | ||
- name: "Configure nsswitch and pam for SSSD via authconfig" | ||
command: "authselect select sssd{% if sssd_enable_mkhomedir | bool %} with-mkhomedir{% endif %}" |
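Review bot: the `command: "authselect select sssd ..."` task on the last line runs unconditionally, so it reports changed on every play and, as the `# TODO: Make idempotent` line admits, is not idempotent; it will also fail on hosts whose /etc/pam.d files and nsswitch.conf are not already managed by authselect, because `authselect select` refuses to overwrite them unless `--force` is given. Suggest a preceding task that registers the output of `authselect current`, gating this task with `when`/`changed_when` on whether the sssd profile and the with-mkhomedir feature are already active, and a documented decision on whether `--force` is acceptable on first run.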
Hmm I get:
[root@stg-login-0 rocky]# authselect select sssd with-mkhomedir
[error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/password-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/fingerprint-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/smartcard-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/postlogin] exists but it needs to be overwritten!
[error] File [/etc/nsswitch.conf] exists but it needs to be overwritten!
[error] File that needs to be overwritten was found
[error] Refusing to activate profile unless this file is removed or overwrite is requested.
|
||
- name: Disallow SSH password authentication | ||
lineinfile: | ||
dest: /etc/ssh/sshd_config |
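Review bot: `lineinfile` against `/etc/ssh/sshd_config` does not achieve the task's stated goal on Rocky Linux 9: the stock sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the first value it sees for a keyword, and the included `50-cloud-init.conf` sets `PasswordAuthentication yes` before anything appended to the main file is read. Suggest shipping a drop-in that sorts before it (for example `/etc/ssh/sshd_config.d/10-disable-password-auth.conf` containing `PasswordAuthentication no`) via `copy` or `template` with `validate: /usr/sbin/sshd -t -f %s`, and checking the effective value with `sshd -T` in the handler.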
This doesn't work on RL9 - there's a /etc/ssh/sshd_config.d/50-cloud-init.conf which wins.
darn it - a drop in config file does sound nicer
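Added example, not code from the PR or from the project: a small Python model of how sshd resolves a keyword across sshd_config and its Included drop-ins, using a constructed in-memory file tree standing in for a Rocky 9 host where the task above appended `PasswordAuthentication no` to sshd_config while cloud-init's `50-cloud-init.conf` still says `yes`. File names and contents other than `50-cloud-init.conf` are assumed for the example.

```python
import fnmatch

# Constructed stand-in for /etc/ssh on a Rocky 9 host after the PR's
# lineinfile task has appended "PasswordAuthentication no" to sshd_config.
FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PermitRootLogin no\n"
        "PasswordAuthentication no\n"  # appended by lineinfile, read too late
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

def _glob(pattern, files):
    """Emulate glob(3) on the in-memory tree: matches in sorted order."""
    return sorted(p for p in files if fnmatch.fnmatchcase(p, pattern))

def _directives(path, files, seen=None):
    """Yield (keyword, value) pairs in the order sshd reads them: top to
    bottom, with each Include spliced in at the point it appears."""
    seen = set() if seen is None else seen
    if path in seen:  # guard against a file including itself
        return
    seen.add(path)
    for raw in files.get(path, "").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "include":
            for pattern in value.split():
                for inc in _glob(pattern, files):
                    yield from _directives(inc, files, seen)
        else:
            yield key.lower(), value.strip()

def effective(keyword, files=FILES, root="/etc/ssh/sshd_config"):
    """Value sshd would use for keyword: the FIRST one seen wins, None if unset."""
    for key, value in _directives(root, files):
        if key == keyword.lower():
            return value
    return None

def with_dropin(files=FILES):
    """Same tree plus a drop-in that sorts before 50-cloud-init.conf."""
    fixed = dict(files)
    fixed["/etc/ssh/sshd_config.d/10-no-password.conf"] = "PasswordAuthentication no\n"
    return fixed
```

`effective("PasswordAuthentication")` on the lineinfile tree yields `yes`; the same call on `with_dropin()` yields `no`, which is why a low-numbered drop-in is the fix rather than editing the main file.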
Usage is:
Add relevant hosts to inventory groups: sssd, kerberos_client (if using kerberos), ldap_client (if using ldap).
If using kerberos, place kerberos configuration here: environments/<env>/templates/krb5.conf.j2
Define sssd config in inventory (/environments/<env>/inventory/group_vars/all/sssd.yml). Note: this needs to be in dictionary format. E.g. for LDAP:
If using kerberos, you will need to join the node into AD via one of: adcli preset-computer and adcli join, or ktadd.
You can then place the kerberos keytab in the following path (one per host):
There is a convenience playbook to collect these keytabs if joining on the host itself (ansible/adhoc/collect-kerberos-keytabs.yml). The workflow is: