ansible/node: Support authselect
authorMartin Schwenke <martin@meltin.net>
Mon, 22 Jun 2020 10:37:50 +0000 (20:37 +1000)
committerMartin Schwenke <martin@meltin.net>
Thu, 25 Jun 2020 00:14:22 +0000 (10:14 +1000)
Signed-off-by: Martin Schwenke <martin@meltin.net>
ansible/node/roles/nas/tasks/redhat/samba_authselect.yml [new file with mode: 0644]
ansible/node/roles/nas/tasks/redhat/setup_samba_auth.yml
ansible/node/roles/nas/templates/krb5_conf.j2 [new file with mode: 0644]

diff --git a/ansible/node/roles/nas/tasks/redhat/samba_authselect.yml b/ansible/node/roles/nas/tasks/redhat/samba_authselect.yml
new file mode 100644 (file)
index 0000000..244b227
--- /dev/null
@@ -0,0 +1,28 @@
+---
+
+#- name: realmd package
+#  package:
+#    name: realmd
+#    state: present
+
+- name: Set up NSS, PAM, KRB5, ...
+  fail:
+    msg: "Invalid auth_method: {{ auth_method }}"
+  when: auth_method != 'files' and auth_method != 'winbind'
+
+# FIXME: We don't generally use this so just select sssd for now
+- name: Set up NSS, PAM, ...
+  command: authselect select sssd
+  when: auth_method == 'files'
+
+# authselect-migration(7) says to use realm(8).  However, this wants
+# to join the domain and it isn't clear that it knows how to set this
+# up for the Samba registry
+- name: Set up NSS, PAM, KRB5, ...
+  command: authselect select -f winbind with-krb5
+  when: auth_method == 'winbind'
+
+- name: Install krb5.conf snippet
+  template:
+    src: krb5_conf.j2
+    dest: /etc/krb5.conf.d/autocluster-winbind
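Review bot: The final task, `Install krb5.conf snippet`, has no `when:` and no explicit ownership or mode, so it also runs for `auth_method == 'files'` and leaves the permissions of `/etc/krb5.conf.d/autocluster-winbind` to defaults. The snippet is named for winbind and renders `kdc` and `resolv_conf.domain`, so it presumably wants `when: auth_method == 'winbind'`, plus `owner: root` and `mode: '0644'` on the `template` module. Both `command: authselect select ...` tasks report changed on every run, and `-f` overwrites PAM/NSS files that authselect did not create; a comment stating that this is intended for these nodes would help. The opening `fail` task shares the name `Set up NSS, PAM, KRB5, ...` with the winbind task, and something like `Validate auth_method` would make failures easier to read in play output.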
index 4958ea416c0abb1a01bb353beffa4979b150cfce..1d3221741daf998de737d1acc502a985a21acd2d 100644 (file)
@@ -1,3 +1,24 @@
 ---
 
+- name: check for authconfig
+  stat:
+    path: /usr/sbin/authconfig
+  register: aconfig
+
+- name: check for authselect
+  stat:
+    path: /usr/bin/authselect
+  register: aselect
+
+- name: fail if both authselect and authconfig are unavailable
+  fail: msg="Both authselect and authconfig are unavailable"
+  when: (aselect.stat.executable is undefined or
+         not aselect.stat.executable) and
+        (aconfig.stat.executable is undefined or
+         not aconfig.stat.executable)
+
+- include_tasks: samba_authselect.yml
+  when: aselect.stat.executable is defined and aselect.stat.executable
+
 - include_tasks: samba_authconfig.yml
+  when: aconfig.stat.executable is defined and aconfig.stat.executable
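Review bot: The two `include_tasks` conditions are independent, so a host where both `/usr/bin/authselect` and `/usr/sbin/authconfig` are executable runs `samba_authselect.yml` and then `samba_authconfig.yml`. The second run can rewrite the PAM/NSS setup that the first just selected. If authselect is meant to take precedence, the authconfig include could be guarded with `when: aconfig.stat.executable | default(false) and not (aselect.stat.executable | default(false))`. The `fail: msg="..."` task uses the key=value form, while the other new tasks use block YAML; writing `msg:` as a nested key would match them.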
diff --git a/ansible/node/roles/nas/templates/krb5_conf.j2 b/ansible/node/roles/nas/templates/krb5_conf.j2
new file mode 100644 (file)
index 0000000..77b177a
--- /dev/null
@@ -0,0 +1,8 @@
+[realms]
+ {{ resolv_conf.domain }} = {
+  kdc = {{ kdc }}.{{ resolv_conf.domain }}
+ }
+
+[domain_realm]
+ {{ resolv_conf.domain }} = {{ resolv_conf.domain }}
+ .{{ resolv_conf.domain }} = {{ resolv_conf.domain }}
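Review bot: The realm name in `[realms]` and on the right-hand side of `[domain_realm]` is taken verbatim from `resolv_conf.domain`, but Kerberos realm names are case-sensitive and conventionally upper-case. If that variable holds a lower-case DNS domain (not visible in this hunk), the rendered realm may not match the one the KDC uses. Consider `{{ resolv_conf.domain | upper }}` for the realm positions and `{{ resolv_conf.domain | lower }}` for the DNS-side keys in `[domain_realm]`. A header comment noting that the file is generated by Ansible, and that `kdc` is expected to be a bare host name, would also help whoever later edits `/etc/krb5.conf.d`.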