diff --git a/.travis.yml b/.travis.yml index b85c6dd..8dfb9e7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,24 +1,32 @@ --- -services: docker +dist: bionic +language: python +python: "3.6" -env: - # Defaults. - - distro: centos7 - test_idempotence: false +# Use the new container infrastructure +sudo: true -script: - # Configure test script so we can run extra tests after playbook is run. - - export container_id=$(date +%s) - - export cleanup=false +# Install ansible +addons: + apt: + packages: + - python3-pip + +install: + # Install ansible + - pip3 install ansible - # Download test shim. - - wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/sylus/e5d6eb8852d649ae78477b2daf86e707/raw - - chmod +x ${PWD}/tests/test.sh + # Check ansible version + - ansible --version - # Run tests. - - ${PWD}/tests/test.sh + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - "ansible-playbook tests/test.yml -i tests/inventory --syntax-check" + # - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --become-user root" + # - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --become-user root | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)" notifications: - slack: - secure: M+yCxKJqimIn8NeW0B9zZfjgLur6YnxqA5XoulSuuIwNHqkAR7d6EAsydwR8vEKTqVfKdOobMVmalOCcQOw6HSwnu49KYUAESYsL/yyvK/aHXM52y6XV1L6s+gtD6/eQo3VECR8xMAM2+GkzUGeaA2hWA13CwXo7aXcik0/q2KTJb1eTXDj1LYyjwPE6pmHcWsxE6bmGLTvaHDpWQpoSTD3tiJqvAIVNsSGm4HiZ0rlVS09hM+xU3OTVIfurYmWJI+Do1KceINrwDlbEZgsYGXLCg5Oah/DK5pAmKocF8BDNZx01AH3vqG2yQSoV4xpTF+NdfHh2XFY9If1Ugyv9xDAkLbCkMzhzh8UIvXNCWvWstKh6I8gnJPJGUst0FXk2clCx+ILl4wlMrdd0UcUA5GX6R6ELUfxfT//xVK5I5t0IbCqBB5Nl1bDf7ndeksYqlTxk4DoM6t5yGlhCRqNz5z1SxMe2wv4OQaIuuNsFVvQ9USPc7FKHKxQQBAOiT8b0QNuFm8U/nresytpZrMQ0vMnMA9iQz+xQvdKyVw1ZS2HPx05lWBv0CC3sDkPqXETohG7bC5hkSY4LPNNlqtu6oOtfmbCuDfbpjpzAm5NvtNcdMavAd/jtEfO7sSxAwW02wty4XilXk4INMOp+2z5W2vwkyMkpTsvsnm7Da6mPzMA= webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/LICENSE b/LICENSE index b6b5cb2..e598eed 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,7 @@ MIT License Copyright (c) 2018 William Hearn +Copyright (c) 2019-2020 Kálmán Szalai - KAMI Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 54431ce..274754f 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,232 @@ -# Ansible role for Active Directory +# Ansible Role: Installs and configures Active Directory on Linux. -[![Build Status][travisci-badge]][travisci] +Travis status: [![Build Status](https://travis-ci.org/KAMI911/ansible-role-linux-ad.svg?branch=master)](https://travis-ci.org/KAMI911/ansible-role-linux-ad) +Code Climate status: [![Code Climate](https://codeclimate.com/github/KAMI911/ansible-role-linux-ad/badges/gpa.svg)](https://codeclimate.com/github/KAMI911/ansible-role-linux-ad) +Test Coverage status: [![Test Coverage](https://codeclimate.com/github/KAMI911/ansible-role-linux-ad/badges/coverage.svg)](https://codeclimate.com/github/KAMI911/ansible-role-linux-ad/coverage) - +## Table of Contents -[travisci]: https://travis-ci.org/govcloud/ansible-role-ad -[travisci-badge]: https://travis-ci.org/govcloud/ansible-role-ad.png?branch=master +1. [Requirements][Requirements] +2. [Installation][Installation] +3. [Role Variables][Role Variables] +4. [Dependencies][Dependencies] +5. [Example Playbook][Example Playbook] +6. [Licensing][Licensing] +7. [Author Information][Author Information] +8. [Support][Support] +9. [Contributing][Contributing] +10. [Donation][Donation] + +## Requirements + +None. + +## Installation + + ansible-galaxy install kami911.linux-ad + +## Role Variables + +Available variables are listed below, along with default values (see `defaults/main.yml`): + + +### Port, connection, and firewall related options + + linux_ad_manage_firewalld: true + +Role manages the firewalld settings of required ports. + +### Debug settings + + linux_ad_authconfig_debug_mode: false + +Use authconfig debug mode. + + linux_ad_authconfig_debug_level: 3 + +Set authconfig debug level. + + linux_ad_authconfig_domain: 'cloud.department.ca' + +### Genereal AD settings + +Set authconfig (FQDN) domain name. + + linux_ad_authconfig_realm: 'CLOUD.DEPARTMENT.CA' + +Set authconfig realm name. + + linux_ad_authconfig_computer_ou: 'ou=computers,dc=cloud,dc=department,dc=ca' + +Set the Active Directory path to computers organization unit. + + linux_ad_authconfig_windomain: 'EXAMPLECOM' + +Set authconfig Windows domain name. + + linux_ad_authconfig_sssd_user: 'admin' + +Specify an already existing domain user that has 'add computer to domain' rights. + + linux_ad_authconfig_sssd_pass: 'pass' + +Specify the password of that domain user. + + linux_ad_authconfig_access_groups: [] + +An array/list of groups that have access to the host. + + linux_ad_authconfig_access_users: [] + +An array/list of users that have access to the host. + + linux_ad_ansible_distribution_major_version: '{{ ansible_lsb.major_release|int }}' + +Specify the main version of your Linux OS if something gets wrong and the version is not available. + + linux_ad_ad_info_ad_server: 'dc1.department.ca' + + linux_ad_ad_info_ad_backup_server: 'dc2.department.ca' + +Specify the primary and a backup Active Directory login server. + + linux_ad_rejoin: false + +Try to rejoint to the Active Directory via deleting /etc/krb5.keytab file. Default is false. + + linux_ad_home_dir: '/home/%d/%u' + +Home directory of the user. +Additionally you can use these variables: +%u -login name +%U - UID number +%d - domain name +%f - fully qualified user name (user@domain)) +%% - %. + + linux_ad_shell: '/bin/bash' + +Shell to use for freshly created users. + + linux_ad_use_fq_username: true + +Use fully qualified name for login name. When false you can login with username, when tru you can login with username@domain_name + + linux_ad_home_dir_base: + - '/home/{{ linux_ad_authconfig_domain }}' + +If you not using /home/%s as home directory, the script have to create all of required domains subdirectory (in this example case /home/cloud.department.ca/). Please list all possible domains here. + + linux_ad_home_dir_user: 'root' + +The user of the newly created subhome directory. + + linux_ad_home_dir_group: 'root' + +The group of the newly created subhome directory. + + linux_ad_home_dir_mode: 755 + +The mode of the newly created subhome directory. + + linux_ad_sudoers_d: + - file: linux_ad + host: ALL + runas: ALL + ugid: '%Enterprise\ Admins' + nopasswd: true + commands: + - 'ALL' + +Create sudoers file with these parameters. The file is filename of the created file in sudoers.d. + +## Dependencies + +None. + +## Example Playbook + + - hosts: all + roles: + - linux-ad + +## Licensing + +The lactransformer application and documantations are licensed under the terms of +the MIT / BSD, you will find a copy of this license in the +[LICENSE](LICENSE) file included in the source package. + +## Author Information + +This role was created in 2019-2020 by Kálmán Szalai - KAMI based on work of William Hearn (https://github.com/govcloud/ansible-role-ad) + +## Support + +If you have any question, do not hesitate and drop me a line. +If you found a bug, or have a feature request, you can [fill an issue](https://github.com/KAMI911/ansible-role-linux-ad/issues). + +### Using as a submudule of an AWX playbook + +#### Add as a submodule + +``` +git submodule add --force git@github.com:KAMI911/ansible-role-linux-ad.git roles/linux-ad +``` + +#### Update as sumodule + +Update only this submodule + +``` +git submodule update --remote roles/linux-ad/ +``` + +Update all submodules: + +``` +git submodule foreach git pull origin master +``` + +## Contributing + +There are many ways to contribute to ansible-role-linux-ad -- whether it be sending patches, +testing, reporting bugs, or reviewing and updating the documentation. Every +contribution is appreciated! + +Please continue reading in the [contributing chapter](CONTRIBUTING.md). + +### Fork me on Github + +https://github.com/KAMI911/ansible-role-linux-ad + +Add a new remote `upstream` with this repository as value. + +``` +git remote add upstream https://github.com/KAMI911/ansible-role-linux-ad.git +``` + +You can pull updates to your fork's master branch: + +``` +git fetch --all +git pull upstream HEAD +``` + +## Donation + +If you find this useful, please consider a donation: + +[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=RLQZ58B26XSLA) + + + +[Requirements]: #requirements +[Installation]: #installation +[Role Variables]: #role_variables +[Dependencies]: #dependencies +[Example Playbook]: #example_playbook +[Licensing]: #licensing +[Author Information]: #author_information +[Support]: #support +[Contributing]: #contributing +[Donation]: #donation diff --git a/defaults/main.yml b/defaults/main.yml index e422c67..20126c7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,24 +1,48 @@ --- -authconfig_debug_mode: false -authconfig_debug_level: 3 +linux_ad_manage_firewalld: true -authconfig_domain: 'cloud.department.ca' -authconfig_realm: 'CLOUD.DEPARTMENT.CA' -authconfig_computer_ou: 'ou=computers,dc=cloud,dc=department,dc=ca' +linux_ad_authconfig_debug_mode: false +linux_ad_authconfig_debug_level: 3 -#authconfig_windomain: "EXAMPLECOM" +linux_ad_authconfig_domain: 'cloud.department.ca' +linux_ad_authconfig_realm: 'CLOUD.DEPARTMENT.CA' +linux_ad_authconfig_computer_ou: 'ou=computers,dc=cloud,dc=department,dc=ca' -authconfig_sssd_user: 'admin' -authconfig_sssd_pass: 'pass' +linux_ad_authconfig_windomain: 'EXAMPLECOM' + +linux_ad_authconfig_sssd_user: 'admin' +linux_ad_authconfig_sssd_pass: 'pass' # An array/list of groups that have access to the host -authconfig_access_groups: [] +linux_ad_authconfig_access_groups: [] # An array/list of users that have access to the host -authconfig_access_users: [] +linux_ad_authconfig_access_users: [] # This variable sometimes does not get set and shouldn't be relied on. -ansible_distribution_major_version: "" +linux_ad_ansible_distribution_major_version: '{{ ansible_distribution_major_version|int }}' + +linux_ad_ad_info_ad_server: 'dc1.department.ca' +linux_ad_ad_info_ad_backup_server: 'dc2.department.ca' + +linux_ad_rejoin: false + +# Home directory of the user. (You can use these variables: %u -login name, %U - UID number, %d - domain name, %f - fully qualified user name (user@domain)) +linux_ad_home_dir: '/home/%d/%u' +linux_ad_shell: '/bin/bash' +linux_ad_use_fq_username: true + +linux_ad_home_dir_base: + - '/home/{{ linux_ad_authconfig_domain }}' +linux_ad_home_dir_user: 'root' +linux_ad_home_dir_group: 'root' +linux_ad_home_dir_mode: 0755 -ad_info_ad_server: dc1.department.ca -ad_info_ad_backup_server: dc2.department.ca +linux_ad_sudoers_d: + - file: linux_ad + host: ALL + runas: ALL + ugid: '%Enterprise\ Admins' + nopasswd: true + commands: + - 'ALL' diff --git a/handlers/main.yml b/handlers/main.yml index c1a0285..0fe18b7 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -30,19 +30,19 @@ enabled: yes state: restarted -# Service is dbus -- name: restart dbus +- name: restart oddjob service: - name: dbus + name: oddjobd enabled: yes state: restarted - when: ansible_os_family == 'RedHat' -- name: restart oddjob +# Service is dbus +- name: restart dbus service: - name: oddjobd + name: '{{ dbus_service }}' enabled: yes state: restarted + when: ansible_os_family == 'RedHat' or ansible_distribution == 'Ubuntu' - name: restart sshd service: @@ -58,5 +58,33 @@ state: restarted when: ansible_os_family == 'RedHat' +- name: restart ssh + service: + name: ssh + enabled: yes + state: restarted + when: ansible_os_family == 'Debian' + +- name: restart smbd + service: + name: smbd + enabled: yes + state: restarted + when: ansible_os_family == 'Debian' + +- name: restart nmbd + service: + name: nmbd + enabled: yes + state: restarted + when: ansible_os_family == 'Debian' + +- name: restart chrony + service: + name: chrony + enabled: yes + state: restarted + when: ansible_os_family == 'Debian' + - name: pam-auth-update command: /usr/sbin/pam-auth-update --package diff --git a/meta/main.yml b/meta/main.yml index f3dbd99..bc09f0b 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,13 +1,26 @@ --- galaxy_info: - author: William Hearn - description: Install and configures Active Directory. + role_name: linux-ad + author: Kálmán Szalai - KAMI + description: Installs and configures Active Directory on Linux using sssd. Perfectly works with Ubuntu and Red Hat/CentOS also manages sudoers. license: MIT min_ansible_version: 2.0 platforms: - name: EL versions: - 7 + - 6 + - 8 + - name: Ubuntu + versions: + - xenial + - bionic galaxy_tags: - ad - activedirectory + - windows + - linux + - system + - sssd + - sudo + - sudoers diff --git a/playbook.yml b/playbook.yml new file mode 100644 index 0000000..1a93dfb --- /dev/null +++ b/playbook.yml @@ -0,0 +1,3 @@ +- hosts: all + roles: + - linux-ad diff --git a/roles/linux-ad b/roles/linux-ad new file mode 120000 index 0000000..b870225 --- /dev/null +++ b/roles/linux-ad @@ -0,0 +1 @@ +../ \ No newline at end of file diff --git a/tasks/common.yml b/tasks/common.yml new file mode 100644 index 0000000..cecc66b --- /dev/null +++ b/tasks/common.yml @@ -0,0 +1,35 @@ +--- +# Common files between the dists +- name: krb5.conf + template: + src: krb5.conf.j2 + dest: /etc/krb5.conf + owner: root + group: root + mode: 0644 + backup: yes + tags: + - aad_krb5_conf + - aad_sssd + +- name: sssd.conf + template: + src: sssd.conf.j2 + dest: /etc/sssd/sssd.conf + owner: root + group: root + mode: 0600 + backup: yes + notify: restart sssd + tags: + - aad_sssd_conf + - aad_sssd + +- name: check sssd.conf configuration + shell: + cmd: "sssctl config-check" + register: result + failed_when: false + +- debug: + var: result.stdout diff --git a/tasks/main.yml b/tasks/main.yml index e385ce3..875807b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,13 +1,25 @@ --- -- set_fact: - distro: "{{ansible_os_family}}-{{ansible_distribution_major_version}}" +- name: setting distro fact + set_fact: + distro: "{{ ansible_os_family }}-{{ linux_ad_ansible_distribution_major_version }}" + when: ansible_os_family != 'Debian' + tags: + - aad_adjoin + - aad_sssd + - always + +- name: setting distro fact + set_fact: + distro: "{{ ansible_distribution }}-{{ linux_ad_ansible_distribution_major_version }}" + when: ansible_os_family == 'Debian' tags: - aad_adjoin - aad_sssd - always # load version-specific variables -- block: +- name: include vars + block: - include_vars: "{{ item }}" with_first_found: - "../vars/{{distro}}.yml" @@ -16,76 +28,37 @@ tags: - aad_adjoin - aad_sssd + - always + +- import_tasks: rejoin.yml + when: linux_ad_rejoin - import_tasks: redhat.yml when: ansible_os_family == 'RedHat' -# Common files between the dists -- name: krb5.conf - template: - src: krb5.conf.j2 - dest: /etc/krb5.conf - owner: root - group: root - mode: 0644 - backup: yes - tags: - - aad_krb5_conf - - aad_sssd +- import_tasks: ubuntu.yml + when: ansible_distribution == 'Ubuntu' -- name: sssd.conf - template: - src: sssd.conf.j2 - dest: /etc/sssd/sssd.conf - owner: root - group: root - mode: 0600 - backup: yes - notify: restart sssd - tags: - - aad_sssd_conf - - aad_sssd +- import_tasks: common.yml -- name: Install ssh legal thing - copy: - src: ssh_issue - dest: /etc/ssh/issue - owner: root - group: root - mode: 0644 - notify: restart sshd - tags: - - aad_ssh - - aad_sssd +- import_tasks: sshd.yml -- name: Update sshd_config for legal thing - lineinfile: - dest: /etc/ssh/sshd_config - line: 'Banner /etc/ssh/issue' - regexp: '^(#|)Banner\ .*' - notify: restart sshd - tags: - - aad_ssh - - aad_sssd +- import_tasks: sudoers.yml -- name: Update sshd_config to allow PasswordAuthentication - lineinfile: - dest: /etc/ssh/sshd_config - line: 'PasswordAuthentication yes' - regexp: '^(#|)PasswordAuthentication\ .*' - notify: restart sshd - tags: - - aad_ssh - - aad_sssd +- name: create Active Directory home directory + file: + path: '{{ item }}' + owner: '{{ linux_ad_home_dir_user }}' + group: '{{ linux_ad_home_dir_group }}' + mode: '{{ linux_ad_home_dir_mode }}' + recurse: yes + state: directory + with_items: '{{ linux_ad_home_dir_base | default([]) }}' + notify: + - "restart oddjob" -- name: Update sshd_config to remove old PasswordAuthentication no if exists - lineinfile: - dest: /etc/ssh/sshd_config - line: 'PasswordAuthentication no' - state: absent - notify: restart sshd - tags: - - aad_ssh - - aad_sssd +- name: manage firewalld + include_tasks: manage_firewalld.yml + when: linux_ad_manage_firewalld - meta: flush_handlers diff --git a/tasks/manage_firewalld.yml b/tasks/manage_firewalld.yml new file mode 100644 index 0000000..0b373d1 --- /dev/null +++ b/tasks/manage_firewalld.yml @@ -0,0 +1,30 @@ +--- +# +# Configure Samba firewalld +# + +- name: install firewalld package + package: + name: firewalld + state: present + +- name: ensure firewalld is running and enabled on boot + service: + name: firewalld + state: started + enabled: true + +- name: check firewalld status + shell: 'echo $(systemctl is-active firewalld)' + register: service_firewalld + +- debug: + msg: '{{service_firewalld}}' + +- name: 'configure firewalld for samba ports' + firewalld: + service: samba + permanent: true + immediate: true + state: enabled + when: service_firewalld.stdout == "active" diff --git a/tasks/redhat.yml b/tasks/redhat.yml index 0898fa8..0955043 100644 --- a/tasks/redhat.yml +++ b/tasks/redhat.yml @@ -1,22 +1,102 @@ --- - name: authconfig packages - yum: name={{ item }} - with_items: "{{ authconfig_packages }}" + yum: + name: '{{ authconfig_packages }}' + update_cache: true tags: - aad_agent - aad_packages - aad_sssd -- name: Join Domain - shell: "echo -n '{{ authconfig_sssd_pass }}' | adcli join --stdin-password --host-fqdn='{{ ansible_hostname }}.{{ authconfig_domain }}' --domain-ou='{{ authconfig_computer_ou }}' --login-user={{ authconfig_sssd_user }} -S {{ad_info_ad_server}} {{ authconfig_domain }}" - args: +- name: /etc/hosts entry + lineinfile: + dest: /etc/hosts + line: "{{ ansible_default_ipv4.address }} {{ ansible_hostname }}.{{ linux_ad_authconfig_domain }} {{ ansible_hostname }}" + +- name: smb.conf + template: + src: smb.conf.j2 + dest: /etc/samba/smb.conf + owner: root + group: root + mode: 0644 + backup: yes + tags: + - aad_smb_conf + - aad_samba + +- name: create /etc/krb5.conf.d folder + file: + path: /etc/krb5.conf.d/ + state: directory + when: ansible_os_family == 'RedHat' and linux_ad_ansible_distribution_major_version|int == '6' + +- name: discover Domain + shell: + cmd: "realm discover -v {{ linux_ad_authconfig_domain }}" + register: result + +- debug: + var: result.stdout + +- name: join Domain (net ads) + shell: + cmd: "echo -n '{{ linux_ad_authconfig_sssd_pass }}' | net ads join -D {{ linux_ad_authconfig_domain }} -U {{ linux_ad_authconfig_sssd_user }}" + creates: /etc/krb5.keytab + become: yes + notify: + - "restart chrony" + - "restart smbd" + - "restart nmbd" + - "restart sssd" + tags: + - aad_adjoin + - aad_agent + - aad_sssd + when: linux_ad_join_method == 'netads' + +- name: join Domain (realm) + shell: + cmd: "echo -n '{{ linux_ad_authconfig_sssd_pass }}' | realm join --computer-ou='{{ linux_ad_authconfig_computer_ou }}' --user='{{ linux_ad_authconfig_sssd_user }}' '{{ linux_ad_authconfig_domain }}'" + creates: /etc/krb5.keytab + become: yes + notify: + - "restart chrony" + - "restart smbd" + - "restart nmbd" + - "restart sssd" + tags: + - aad_adjoin + - aad_agent + - aad_sssd + when: linux_ad_join_method == 'realm' + +- name: join Domain (adcli) + shell: + cmd: "echo -n '{{ linux_ad_authconfig_sssd_pass }}' | adcli join --stdin-password --host-fqdn='{{ ansible_hostname }}.{{ linux_ad_authconfig_domain }}' --domain-ou='{{ linux_ad_authconfig_computer_ou }}' --login-user={{ linux_ad_authconfig_sssd_user }} -S {{ linux_ad_ad_info_ad_server }} {{ linux_ad_authconfig_domain }}" creates: /etc/krb5.keytab + become: yes + notify: + - "restart chrony" + - "restart smbd" + - "disable nmbd" + - "restart winbind" + - "restart sssd" tags: - aad_adjoin - aad_agent - aad_sssd + when: linux_ad_join_method == 'adcli' + +- name: list realms + shell: + cmd: "realm list" + register: result + +- debug: + var: result.stdout -# Save backup. +# Save backup - name: authconfig shell: "/usr/sbin/authconfig --savebackup=pre-authconfig-adcli" args: @@ -24,6 +104,7 @@ tags: - aad_authconfig - aad_sssd + when: linux_ad_ansible_distribution_major_version|int <= 7 and ansible_os_family == 'RedHat' # Parameter --nostart used since krb5.conf and sssd.conf don't exist yet. - name: authconfig @@ -36,11 +117,31 @@ - "disable nslcd" # Odd behavior if is running - "restart sssd" - "restart dbus" + - "restart logind" - "restart oddjob" + tags: + - aad_authconfig + - aad_sssd + when: linux_ad_ansible_distribution_major_version|int <= 7 and ansible_os_family == 'RedHat' + +# Parameter --nostart used since krb5.conf and sssd.conf don't exist yet. +- name: authselect + shell: "/usr/bin/authselect select sssd with-mkhomedir && touch /var/lib/authselect/ansible_configured" + args: + creates: /var/lib/authselect/ansible_configured + notify: + - "clear nscd" + - "clear ssh AllowGroups" + - "disable nslcd" # Odd behavior if is running + - "restart sssd" + - "restart dbus" - "restart logind" + - "restart oddjob" tags: + - aad_authselect - aad_authconfig - aad_sssd + when: linux_ad_ansible_distribution_major_version|int >= 8 and ansible_os_family == 'RedHat' # On RHEL nsswitch.conf is not updated. - name: nsswitch passwd @@ -69,8 +170,3 @@ tags: - aad_nsswitch - aad_sssd - -- name: /etc/hosts entry - lineinfile: - dest: /etc/hosts - line: "{{ ansible_default_ipv4.address }} {{ ansible_hostname }}.{{ authconfig_domain }} {{ ansible_hostname }}" diff --git a/tasks/rejoin.yml b/tasks/rejoin.yml new file mode 100644 index 0000000..c1110cb --- /dev/null +++ b/tasks/rejoin.yml @@ -0,0 +1,32 @@ +--- +- name: leave realms for rejoin + shell: + cmd: "realm leave" + register: result + when: linux_ad_rejoin + ignore_errors: yes + tags: + - aad_adjoin + - aad_adrejoin + +- name: leave realms for rejoin + shell: + cmd: "realm leave" + register: result + when: linux_ad_rejoin + ignore_errors: yes + tags: + - aad_adjoin + - aad_adrejoin + +- name: delete AD file for rejoin + file: + path: '{{ item }}' + state: absent + with_items: + - /var/lib/authconfig/ansible_configured + - /var/lib/authselect/ansible_configured + - /etc/krb5.keytab + tags: + - aad_adjoin + - aad_adrejoin diff --git a/tasks/sshd.yml b/tasks/sshd.yml new file mode 100644 index 0000000..f1c101c --- /dev/null +++ b/tasks/sshd.yml @@ -0,0 +1,42 @@ +--- +- name: Install ssh legal thing + copy: + src: ssh_issue + dest: /etc/ssh/issue + owner: root + group: root + mode: 0644 + notify: restart sshd + tags: + - aad_ssh + - aad_sssd + +- name: Update sshd_config for legal thing + lineinfile: + dest: /etc/ssh/sshd_config + line: 'Banner /etc/ssh/issue' + regexp: '^(#|)Banner\ .*' + notify: restart sshd + tags: + - aad_ssh + - aad_sssd + +- name: Update sshd_config to allow PasswordAuthentication + lineinfile: + dest: /etc/ssh/sshd_config + line: 'PasswordAuthentication yes' + regexp: '^(#|)PasswordAuthentication\ .*' + notify: restart sshd + tags: + - aad_ssh + - aad_sssd + +- name: Update sshd_config to remove old PasswordAuthentication no if exists + lineinfile: + dest: /etc/ssh/sshd_config + line: 'PasswordAuthentication no' + state: absent + notify: restart sshd + tags: + - aad_ssh + - aad_sssd \ No newline at end of file diff --git a/tasks/sudoers.yml b/tasks/sudoers.yml new file mode 100644 index 0000000..a1ecb24 --- /dev/null +++ b/tasks/sudoers.yml @@ -0,0 +1,19 @@ +--- +- name: creating sudoers.d configuration file + become: true + template: + src: sudoers_d.j2 + dest: "{{ '/etc/sudoers.d/' + item.file }}" + owner: root + group: root + mode: 0440 + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ linux_ad_sudoers_d }}" + loop_control: + label: "{{ item.file }}" + when: + - item.commands is defined + - item.file is defined + - item.ugid is defined + tags: + - sudo diff --git a/tasks/ubuntu.yml b/tasks/ubuntu.yml new file mode 100644 index 0000000..d57dd86 --- /dev/null +++ b/tasks/ubuntu.yml @@ -0,0 +1,125 @@ +--- +- name: auth packages + apt: + name: "{{ authconfig_packages }}" + update_cache: true + +- name: smb.conf + template: + src: smb.conf.j2 + dest: /etc/samba/smb.conf + owner: root + group: root + mode: 0644 + backup: yes + tags: + - aad_smb_conf + - aad_samba + +- name: /etc/hosts entry + lineinfile: + dest: /etc/hosts + line: "{{ ansible_default_ipv4.address }} {{ ansible_hostname }}.{{ linux_ad_authconfig_domain }} {{ ansible_hostname }}" + +- name: join Domain (net ads) + shell: + cmd: "echo -n '{{ linux_ad_authconfig_sssd_pass }}' | net ads join -D {{ linux_ad_authconfig_domain }} -U {{ linux_ad_authconfig_sssd_user }}" + creates: /etc/krb5.keytab + become: yes + notify: + - "restart chrony" + - "restart smbd" + - "restart nmbd" + - "restart sssd" + tags: + - aad_adjoin + - aad_agent + - aad_sssd + when: linux_ad_join_method == 'netads' + +- name: join Domain (realm) + shell: + cmd: "echo -n '{{ linux_ad_authconfig_sssd_pass }}' | realm join --computer-ou='{{ linux_ad_authconfig_computer_ou }}' login-user='{{ linux_ad_authconfig_sssd_user }}' '{{ linux_ad_authconfig_domain }}''" + creates: /etc/krb5.keytab + become: yes + notify: + - "restart chrony" + - "restart smbd" + - "restart nmbd" + - "restart sssd" + tags: + - aad_adjoin + - aad_agent + - aad_sssd + when: linux_ad_join_method == 'realm' + +- name: join Domain (adcli) + shell: + cmd: "echo -n '{{ linux_ad_authconfig_sssd_pass }}' | adcli join --stdin-password --host-fqdn='{{ ansible_hostname }}.{{ linux_ad_authconfig_domain }}' --domain-ou='{{ linux_ad_authconfig_computer_ou }}' --login-user={{ linux_ad_authconfig_sssd_user }} -S {{ linux_ad_ad_info_ad_server }} {{ linux_ad_authconfig_domain }}" + creates: /etc/krb5.keytab + become: yes + notify: + - "restart chrony" + - "restart smbd" + - "disable nmbd" + - "restart winbind" + - "restart sssd" + tags: + - aad_adjoin + - aad_agent + - aad_sssd + when: linux_ad_join_method == 'adcli' + +- name: list realms + shell: + cmd: "realm list" + register: result + +- debug: + var: result.stdout + +- name: add mkhomedir to common-session + lineinfile: + dest: /etc/pam.d/common-session + line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0027' + regexp: '.*pam_mkhomedir\.so.*' + insertafter: '.*pam_unix\.so.*' + tags: + - aad_pam + - aad_home + +- name: nsswitch passwd + lineinfile: + dest: /etc/nsswitch.conf + line: 'passwd: compat systemd sss' + regexp: '^passwd: .*' + tags: + - aad_nsswitch + - aad_sssd + +- name: nsswitch shadow + lineinfile: + dest: /etc/nsswitch.conf + line: 'shadow: compat sss' + regexp: '^shadow: .*' + tags: + - aad_nsswitch + - aad_sssd + +- name: nsswitch group + lineinfile: + dest: /etc/nsswitch.conf + line: 'group: compat systemd sss' + regexp: '^group: .*' + tags: + - aad_nsswitch + - aad_sssd + +- name: nsswitch netgroup + lineinfile: + dest: /etc/nsswitch.conf + line: 'netgroup: nis sss' + regexp: '^netgroup: .*' + tags: + - aad_nsswitch + - aad_sssd diff --git a/templates/krb5.conf.j2 b/templates/krb5.conf.j2 index 7f31f85..e3423fc 100644 --- a/templates/krb5.conf.j2 +++ b/templates/krb5.conf.j2 @@ -9,7 +9,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/ admin_server = FILE:/var/log/kadmind.log [libdefaults] - default_realm = {{ authconfig_realm.upper() }} + default_realm = {{ linux_ad_authconfig_realm.upper() }} dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d @@ -18,9 +18,9 @@ includedir /var/lib/sss/pubconf/krb5.include.d/ default_ccache_name = KEYRING:persistent:%{uid} [realms] - {{ authconfig_realm.upper() }} = { + {{ linux_ad_authconfig_realm.upper() }} = { } [domain_realm] - {{ authconfig_realm.lower() }} = {{ authconfig_realm.upper() }} - .{{ authconfig_realm.lower() }} = {{ authconfig_realm.upper() }} + {{ linux_ad_authconfig_realm.lower() }} = {{ linux_ad_authconfig_realm.upper() }} + .{{ linux_ad_authconfig_realm.lower() }} = {{ linux_ad_authconfig_realm.upper() }} diff --git a/templates/smb.conf.j2 b/templates/smb.conf.j2 new file mode 100644 index 0000000..b60f5f6 --- /dev/null +++ b/templates/smb.conf.j2 @@ -0,0 +1,8 @@ +[global] + +workgroup = {{ linux_ad_authconfig_windomain }} +client signing = yes +client use spnego = yes +kerberos method = secrets and keytab +realm = {{ linux_ad_authconfig_realm }} +security = ads diff --git a/templates/sssd.conf.j2 b/templates/sssd.conf.j2 index 10f6f33..6ae0639 100644 --- a/templates/sssd.conf.j2 +++ b/templates/sssd.conf.j2 @@ -1,66 +1,62 @@ ## {{ ansible_managed }} [ssh] -{% if authconfig_debug_mode %} -debug_level = {{ authconfig_debug_level }} +{% if linux_ad_authconfig_debug_mode %} +debug_level = {{ linux_ad_authconfig_debug_level }} {% endif %} [sudo] -{% if authconfig_debug_mode %} -debug_level = {{ authconfig_debug_level }} +{% if linux_ad_authconfig_debug_mode %} +debug_level = {{ linux_ad_authconfig_debug_level }} {% endif %} [nss] -{% if authconfig_debug_mode %} -debug_level = {{ authconfig_debug_level }} +filter_users = root,daemon,bin,sys,sync,games,man,lp,mail,news,uucp,proxy,www-data,backup,nobody,syslog,sshd,vagrant,ubuntu,ansible +filter_groups = root,daemon,bin,sys,sync,games,man,lp,mail,news,uucp,proxy,www-data,backup,nobody,syslog,sshd,vagrant,ubuntu,ansible +{% if linux_ad_authconfig_debug_mode %} +debug_level = {{ linux_ad_authconfig_debug_level }} {% endif %} [pam] -{% if authconfig_debug_mode %} -debug_level = {{ authconfig_debug_level }} -{% endif %} - -[ldap] -{% if authconfig_debug_mode %} -debug_level = {{ authconfig_debug_level }} +{% if linux_ad_authconfig_debug_mode %} +debug_level = {{ linux_ad_authconfig_debug_level }} {% endif %} -filter_users = root,daemon,bin,sys,sync,games,man,lp,mail,news,uucp,proxy,www-data,backup,nobody,syslog,sshd,vagrant,ubuntu,ansible -filter_groups = root,daemon,bin,sys,sync,games,man,lp,mail,news,uucp,proxy,www-data,backup,nobody,syslog,sshd,vagrant,ubuntu,ansible - [sssd] -domains = {{authconfig_domain}} +domains = {{ linux_ad_authconfig_domain }} config_file_version = 2 services = nss, pam, ssh, sudo -{% if authconfig_debug_mode %} -debug_level = {{ authconfig_debug_level }} +{% if linux_ad_authconfig_debug_mode %} +debug_level = {{ linux_ad_authconfig_debug_level }} {% endif %} -[domain/{{ authconfig_domain }}] -ad_hostname = {{ ansible_hostname }}.{{ authconfig_domain }} -ad_domain = {{ authconfig_domain }} -krb5_realm = {{ authconfig_realm }} +[domain/{{ linux_ad_authconfig_domain }}] +ad_hostname = {{ ansible_hostname }}.{{ linux_ad_authconfig_domain }} +ad_domain = {{ linux_ad_authconfig_domain }} +krb5_realm = {{ linux_ad_authconfig_realm }} realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True -default_shell = /bin/bash +default_shell = {{ linux_ad_shell }} ldap_id_mapping = True -use_fully_qualified_names = False -fallback_homedir = /home/%u +use_fully_qualified_names={% if linux_ad_use_fq_username is defined and linux_ad_use_fq_username is sameas true %}True{% else %}False{% endif %} + +fallback_homedir = {{ linux_ad_home_dir }} access_provider = ad +ad_gpo_ignore_unreadable = True -{% if authconfig_debug_mode %} -debug_level = {{ authconfig_debug_level }} +{% if linux_ad_authconfig_debug_mode %} +debug_level = {{ linux_ad_authconfig_debug_level }} {% endif %} -{% if ad_info_ad_server is defined %} -ad_server = {{ ad_info_ad_server }} +{% if linux_ad_ad_info_ad_server is defined %} +ad_server = {{ linux_ad_ad_info_ad_server }} {% endif %} -{% if ad_info_ad_backup_server is defined %} -ad_backup_server = {{ ad_info_ad_backup_server }} +{% if linux_ad_ad_info_ad_backup_server is defined %} +ad_backup_server = {{ linux_ad_ad_info_ad_backup_server }} {% endif %} -simple_allow_groups = {{ authconfig_access_groups| join(', ') }} -simple_allow_users = {{ authconfig_access_users | join(', ') }} +simple_allow_groups = {{ linux_ad_authconfig_access_groups| join(', ') }} +simple_allow_users = {{ linux_ad_authconfig_access_users | join(', ') }} diff --git a/templates/sudoers_d.j2 b/templates/sudoers_d.j2 new file mode 100644 index 0000000..2fe4eab --- /dev/null +++ b/templates/sudoers_d.j2 @@ -0,0 +1,8 @@ +## {{ ansible_managed }} + +{% for command in item.commands %} +{% set host = item.host if item.host is defined else 'ALL' %} +{% set runas = item.runas if item.runas is defined else 'ALL' %} +{% set nopasswd = "NOPASSWD: " if item.nopasswd | default(false) else "" %} +{{ item.ugid }} {{ host }} = ({{ runas }}) {{ nopasswd }}{{ command }} +{% endfor %} diff --git a/tests/inventory b/tests/inventory new file mode 100644 index 0000000..d18580b --- /dev/null +++ b/tests/inventory @@ -0,0 +1 @@ +localhost \ No newline at end of file diff --git a/tests/test.yml b/tests/test.yml index 3646ff4..08203b1 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -2,4 +2,4 @@ - hosts: all roles: - - role_under_test + - ansible-role-linux-ad diff --git a/vars/Debian-10.yml b/vars/Debian-10.yml new file mode 100644 index 0000000..45fe3e8 --- /dev/null +++ b/vars/Debian-10.yml @@ -0,0 +1,19 @@ +--- +# Debian packages +authconfig_packages: + - 'realmd' + - 'adcli' + - 'packagekit' + - 'ldap-utils' + - 'krb5-user' + - 'libpam-krb5' + - 'sssd' + - 'sssd-tools' + - 'libpam-sss' + - 'libnss-sss' + - 'openssh-server' + - 'chrony' + - 'samba' + - 'samba-common-bin' + +dbus_service: 'dbus' diff --git a/vars/Debian-9.yml b/vars/Debian-9.yml new file mode 100644 index 0000000..45fe3e8 --- /dev/null +++ b/vars/Debian-9.yml @@ -0,0 +1,19 @@ +--- +# Debian packages +authconfig_packages: + - 'realmd' + - 'adcli' + - 'packagekit' + - 'ldap-utils' + - 'krb5-user' + - 'libpam-krb5' + - 'sssd' + - 'sssd-tools' + - 'libpam-sss' + - 'libnss-sss' + - 'openssh-server' + - 'chrony' + - 'samba' + - 'samba-common-bin' + +dbus_service: 'dbus' diff --git a/vars/RedHat-6.yml b/vars/RedHat-6.yml new file mode 100644 index 0000000..b6463e4 --- /dev/null +++ b/vars/RedHat-6.yml @@ -0,0 +1,14 @@ +--- +# CentOS / RHEL +authconfig_packages: + - 'sssd' + - 'sssd-tools' + - 'adcli' + - 'krb5-workstation' + - 'oddjob' + - 'oddjob-mkhomedir' + - 'authconfig' + - 'samba-common' + - 'nscd' + +dbus_service: 'messagebus' diff --git a/vars/RedHat-7.yml b/vars/RedHat-7.yml index 121cd6c..dc3a2ed 100644 --- a/vars/RedHat-7.yml +++ b/vars/RedHat-7.yml @@ -1,7 +1,8 @@ --- -# Cent/EL 7 +# CentOS / RHEL authconfig_packages: - 'sssd' + - 'sssd-tools' - 'adcli' - 'realmd' - 'krb5-workstation' @@ -11,3 +12,5 @@ authconfig_packages: - 'samba-common' - 'samba-common-tools' - 'nscd' + +dbus_service: 'dbus' diff --git a/vars/RedHat-8.yml b/vars/RedHat-8.yml new file mode 100644 index 0000000..dc3a2ed --- /dev/null +++ b/vars/RedHat-8.yml @@ -0,0 +1,16 @@ +--- +# CentOS / RHEL +authconfig_packages: + - 'sssd' + - 'sssd-tools' + - 'adcli' + - 'realmd' + - 'krb5-workstation' + - 'oddjob' + - 'oddjob-mkhomedir' + - 'authconfig' + - 'samba-common' + - 'samba-common-tools' + - 'nscd' + +dbus_service: 'dbus' diff --git a/vars/Ubuntu-18.yml b/vars/Ubuntu-18.yml new file mode 100644 index 0000000..1cffe9d --- /dev/null +++ b/vars/Ubuntu-18.yml @@ -0,0 +1,19 @@ +--- +# Ubuntu packages +authconfig_packages: + - 'realmd' + - 'adcli' + - 'packagekit' + - 'ldap-utils' + - 'krb5-user' + - 'libpam-krb5' + - 'sssd' + - 'sssd-tools' + - 'libpam-sss' + - 'libnss-sss' + - 'openssh-server' + - 'chrony' + - 'samba' + - 'samba-common-bin' + +dbus_service: 'dbus' diff --git a/vars/main.yml b/vars/main.yml index 1b723b1..ed97d53 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,3 +1 @@ --- -# Path to the mkhomedir command -# Now set in vars/{{ ansible_distribution_major_version }}.yml