mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-03-26 21:33:05 +00:00
349 lines
15 KiB
YAML
349 lines
15 KiB
YAML
---
|
|
# tasks file for ipaclient
|
|
|
|
- name: Install - Ensure that IPA client packages are installed
|
|
package:
|
|
name: "{{ item }}"
|
|
state: present
|
|
with_items: "{{ ipaclient_packages }}"
|
|
when: ipaclient_install_packages | bool
|
|
|
|
- name: Install - Include Python2/3 import test
|
|
import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
|
|
|
|
- name: Install - Set ipaclient_servers
|
|
set_fact:
|
|
ipaclient_servers: "{{ groups['ipaservers'] | list }}"
|
|
when: groups.ipaservers is defined and ipaclient_servers is not defined
|
|
|
|
- name: Install - Set ipaclient_servers from cluster inventory
|
|
set_fact:
|
|
ipaclient_servers: "{{ groups['ipaserver'] | list }}"
|
|
when: ipaclient_no_dns_lookup | bool and groups.ipaserver is defined and
|
|
ipaclient_servers is not defined
|
|
|
|
- name: Install - Check that either principal or keytab is set
|
|
fail: msg="ipaadmin_principal and ipaadmin_keytab cannot be used together"
|
|
when: ipaadmin_keytab is defined and ipaadmin_principal is defined
|
|
|
|
- name: Install - Set default principal if no keytab is given
|
|
set_fact:
|
|
ipaadmin_principal: admin
|
|
when: ipaadmin_principal is undefined and ipaclient_keytab is undefined
|
|
|
|
- name: Install - IPA client test
|
|
ipaclient_test:
|
|
### basic ###
|
|
domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}"
|
|
servers: "{{ ipaclient_servers | default(omit) }}"
|
|
realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}"
|
|
hostname: "{{ ipaclient_hostname | default(ansible_fqdn) }}"
|
|
ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
|
|
ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
|
|
no_ntp: "{{ ipaclient_no_ntp }}"
|
|
force_ntpd: "{{ ipaclient_force_ntpd }}"
|
|
nisdomain: "{{ ipaclient_nisdomain | default(omit) }}"
|
|
no_nisdomain: "{{ ipaclient_no_nisdomain }}"
|
|
kinit_attempts: "{{ ipaclient_kinit_attempts }}"
|
|
ca_cert_files: "{{ ipaclient_ca_cert_file | default(omit) }}"
|
|
configure_firefox: "{{ ipaclient_configure_firefox }}"
|
|
firefox_dir: "{{ ipaclient_firefox_dir | default(omit) }}"
|
|
ip_addresses: "{{ ipaclient_ip_addresses | default(omit) }}"
|
|
all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
|
|
on_master: "{{ ipaclient_on_master }}"
|
|
### sssd ###
|
|
enable_dns_updates: "{{ ipassd_enable_dns_updates }}"
|
|
register: result_ipaclient_test
|
|
|
|
- block:
|
|
- name: Install - Cleanup leftover ccache
|
|
file:
|
|
path: "/etc/ipa/.dns_ccache"
|
|
state: absent
|
|
|
|
- name: Install - Configure NTP
|
|
ipaclient_setup_ntp:
|
|
### basic ###
|
|
ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
|
|
ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
|
|
no_ntp: "{{ ipaclient_no_ntp }}"
|
|
# force_ntpd: "{{ ipaclient_force_ntpd }}"
|
|
on_master: "{{ ipaclient_on_master }}"
|
|
### additional ###
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
domain: "{{ result_ipaclient_test.domain }}"
|
|
|
|
- name: Install - Test if IPA client has working krb5.keytab
|
|
ipaclient_test_keytab:
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
domain: "{{ result_ipaclient_test.domain }}"
|
|
realm: "{{ result_ipaclient_test.realm }}"
|
|
hostname: "{{ result_ipaclient_test.hostname }}"
|
|
kdc: "{{ result_ipaclient_test.kdc }}"
|
|
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
|
|
register: result_ipaclient_test_keytab
|
|
|
|
- name: Install - Disable One-Time Password for client with working
|
|
krb5.keytab
|
|
set_fact:
|
|
ipaclient_use_otp: "no"
|
|
when: ipaclient_use_otp | bool and
|
|
result_ipaclient_test_keytab.krb5_keytab_ok and
|
|
not ipaclient_force_join | bool
|
|
|
|
# The following block is executed when using OTP to enroll IPA client
|
|
# ie when ipaclient_use_otp is set.
|
|
# It connects to ipaserver and add the host with --random option in order
|
|
# to create a OneTime Password
|
|
# If a keytab is specified in the hostent, then the hostent will be disabled
|
|
# if ipaclient_use_otp is set.
|
|
- block:
|
|
- name: Install - Keytab or password is required for otp
|
|
fail: msg="Keytab or password is required for otp"
|
|
when: ipaadmin_keytab is undefined and ipaadmin_password is undefined
|
|
|
|
- name: Install - Save client ansible_python_interpreter setting
|
|
set_fact:
|
|
ipaclient_ansible_python_interpreter: "{{ ansible_python_interpreter }}"
|
|
|
|
- name: Install - Include Python2/3 import test
|
|
import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
|
|
delegate_to: "{{ result_ipaclient_test.servers[0] }}"
|
|
|
|
- name: Install - Get One-Time Password for client enrollment
|
|
no_log: yes
|
|
ipaclient_get_otp:
|
|
state: present
|
|
principal: "{{ ipaadmin_principal | default('admin') }}"
|
|
password: "{{ ipaadmin_password | default(omit) }}"
|
|
keytab: "{{ ipaadmin_keytab | default(omit) }}"
|
|
fqdn: "{{ result_ipaclient_test.hostname }}"
|
|
lifetime: "{{ ipaclient_lifetime | default(omit) }}"
|
|
random: True
|
|
ansible_python_interpreter: "{{ ansible_python_interpreter }}"
|
|
register: result_ipaclient_get_otp
|
|
# If the host is already enrolled, this command will exit on error
|
|
# The error can be ignored
|
|
failed_when: result_ipaclient_get_otp is failed and
|
|
"Password cannot be set on enrolled host" not
|
|
in result_ipaclient_get_otp.msg
|
|
delegate_to: "{{ result_ipaclient_test.servers[0] }}"
|
|
delegate_facts: yes
|
|
|
|
- name: Install - Store the previously obtained OTP
|
|
no_log: yes
|
|
set_fact:
|
|
ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword
|
|
if result_ipaclient_get_otp.host is defined }}"
|
|
|
|
- name: Install - Restore client ansible_python_interpreter setting
|
|
set_fact:
|
|
ansible_python_interpreter: "{{ ipaclient_ansible_python_interpreter }}"
|
|
|
|
when: ipaclient_use_otp | bool
|
|
|
|
- block:
|
|
# This block is executed only when
|
|
# not (not ipaclient_on_master | bool and
|
|
# not result_ipaclient_join.changed and
|
|
# not ipaclient_allow_repair | bool and
|
|
# (result_ipaclient_test_keytab.krb5_keytab_ok or
|
|
# (result_ipaclient_join.already_joined is defined and
|
|
# result_ipaclient_join.already_joined)))
|
|
|
|
- name: Install - Check if principal and keytab are set
|
|
fail: msg="Principal and keytab cannot be used together"
|
|
when: ipaadmin_principal is defined and ipaadmin_principal|length > 0
|
|
and ipaclient_keytab is defined and ipaclient_keytab|length > 0
|
|
|
|
- name: Install - Check if one of password and keytab are set
|
|
fail: msg="At least one of password or keytab must be specified"
|
|
when: not result_ipaclient_test_keytab.krb5_keytab_ok and
|
|
(ipaadmin_password is undefined or ipaadmin_password|length == 0)
|
|
and (ipaclient_keytab is undefined or ipaclient_keytab|lenth == 0)
|
|
when: not ipaclient_on_master | bool
|
|
|
|
- name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab
|
|
command: >
|
|
/usr/sbin/ipa-rmkeytab
|
|
-k /etc/krb5.keytab
|
|
-r "{{ result_ipaclient_test.realm }}"
|
|
register: result_ipa_rmkeytab
|
|
# Do not fail on error codes 3 and 5:
|
|
# 3 - Unable to open keytab
|
|
# 5 - Principal name or realm not found in keytab
|
|
failed_when: result_ipa_rmkeytab.rc != 0 and
|
|
result_ipa_rmkeytab.rc != 3 and result_ipa_rmkeytab.rc != 5
|
|
when: ipaclient_use_otp | bool or ipaclient_force_join | bool
|
|
|
|
- name: Install - Backup and set hostname
|
|
ipaclient_set_hostname:
|
|
hostname: "{{ result_ipaclient_test.hostname }}"
|
|
when: not ipaclient_on_master | bool
|
|
|
|
- name: Install - Join IPA
|
|
ipaclient_join:
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
domain: "{{ result_ipaclient_test.domain }}"
|
|
realm: "{{ result_ipaclient_test.realm }}"
|
|
kdc: "{{ result_ipaclient_test.kdc }}"
|
|
basedn: "{{ result_ipaclient_test.basedn }}"
|
|
hostname: "{{ result_ipaclient_test.hostname }}"
|
|
force_join: "{{ ipaclient_force_join | default(omit) }}"
|
|
principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and
|
|
ipaclient_keytab is not defined else '' }}"
|
|
password: "{{ ipaadmin_password | default(omit) }}"
|
|
keytab: "{{ ipaclient_keytab | default(omit) }}"
|
|
# ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
|
|
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
|
|
register: result_ipaclient_join
|
|
when: not ipaclient_on_master | bool and
|
|
(not result_ipaclient_test_keytab.krb5_keytab_ok or
|
|
ipaclient_force_join)
|
|
|
|
- block:
|
|
- fail:
|
|
msg: >
|
|
The krb5 configuration is not correct, please enable allow_repair
|
|
to fix this.
|
|
when: not result_ipaclient_test_keytab.krb5_conf_ok
|
|
- fail:
|
|
msg: "The IPA test failed, please enable allow_repair to fix this."
|
|
when: not result_ipaclient_test_keytab.ping_test_ok
|
|
- fail:
|
|
msg: >
|
|
The ca.crt file is missing, please enable allow_repair to fix this.
|
|
when: not result_ipaclient_test_keytab.ca_crt_exists
|
|
when: not ipaclient_on_master | bool and
|
|
not result_ipaclient_join.changed and
|
|
not ipaclient_allow_repair | bool and
|
|
(result_ipaclient_test_keytab.krb5_keytab_ok or
|
|
(result_ipaclient_join.already_joined is defined and
|
|
result_ipaclient_join.already_joined))
|
|
|
|
- block:
|
|
- name: Install - Configure IPA default.conf
|
|
ipaclient_ipa_conf:
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
domain: "{{ result_ipaclient_test.domain }}"
|
|
realm: "{{ result_ipaclient_test.realm }}"
|
|
hostname: "{{ result_ipaclient_test.hostname }}"
|
|
basedn: "{{ result_ipaclient_test.basedn }}"
|
|
when: not ipaclient_on_master | bool
|
|
|
|
- name: Install - Configure SSSD
|
|
ipaclient_setup_sssd:
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
domain: "{{ result_ipaclient_test.domain }}"
|
|
realm: "{{ result_ipaclient_test.realm }}"
|
|
hostname: "{{ result_ipaclient_test.hostname }}"
|
|
on_master: "{{ ipaclient_on_master }}"
|
|
no_ssh: "{{ ipaclient_no_ssh }}"
|
|
no_sshd: "{{ ipaclient_no_sshd }}"
|
|
no_sudo: "{{ ipaclient_no_sudo }}"
|
|
all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
|
|
fixed_primary: "{{ ipassd_fixed_primary }}"
|
|
permit: "{{ ipassd_permit }}"
|
|
enable_dns_updates: "{{ ipassd_enable_dns_updates }}"
|
|
preserve_sssd: "{{ ipassd_preserve_sssd }}"
|
|
no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}"
|
|
|
|
- name: Install - Configure krb5 for IPA realm
|
|
ipaclient_setup_krb5:
|
|
realm: "{{ result_ipaclient_test.realm }}"
|
|
domain: "{{ result_ipaclient_test.domain }}"
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
kdc: "{{ result_ipaclient_test.kdc }}"
|
|
dnsok: "{{ result_ipaclient_test.dnsok }}"
|
|
client_domain: "{{ result_ipaclient_test.client_domain }}"
|
|
hostname: "{{ result_ipaclient_test.hostname }}"
|
|
sssd: "{{ result_ipaclient_test.sssd }}"
|
|
force: "{{ ipaclient_force }}"
|
|
# on_master: "{{ ipaclient_on_master }}"
|
|
when: not ipaclient_on_master | bool
|
|
|
|
- name: Install - IPA API calls for remaining enrollment parts
|
|
ipaclient_api:
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
realm: "{{ result_ipaclient_test.realm }}"
|
|
hostname: "{{ result_ipaclient_test.hostname }}"
|
|
# debug: yes
|
|
register: result_ipaclient_api
|
|
|
|
- name: Install - Fix IPA ca
|
|
ipaclient_fix_ca:
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
realm: "{{ result_ipaclient_test.realm }}"
|
|
basedn: "{{ result_ipaclient_test.basedn }}"
|
|
allow_repair: "{{ ipaclient_allow_repair }}"
|
|
when: not ipaclient_on_master | bool and
|
|
result_ipaclient_test_keytab.krb5_keytab_ok and
|
|
not result_ipaclient_test_keytab.ca_crt_exists
|
|
|
|
- name: Install - Create IPA NSS database
|
|
ipaclient_setup_nss:
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
domain: "{{ result_ipaclient_test.domain }}"
|
|
realm: "{{ result_ipaclient_test.realm }}"
|
|
basedn: "{{ result_ipaclient_test.basedn }}"
|
|
hostname: "{{ result_ipaclient_test.hostname }}"
|
|
subject_base: "{{ result_ipaclient_api.subject_base }}"
|
|
principal: "{{ ipaadmin_principal | default(omit) }}"
|
|
mkhomedir: "{{ ipaclient_mkhomedir }}"
|
|
ca_enabled: "{{ result_ipaclient_api.ca_enabled }}"
|
|
on_master: "{{ ipaclient_on_master }}"
|
|
enable_dns_updates: "{{ ipassd_enable_dns_updates }}"
|
|
all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
|
|
ip_addresses: "{{ ipaclient_ip_addresses | default(omit) }}"
|
|
request_cert: "{{ ipaclient_request_cert }}"
|
|
preserve_sssd: "{{ ipassd_preserve_sssd }}"
|
|
no_ssh: "{{ ipaclient_no_ssh }}"
|
|
no_sshd: "{{ ipaclient_no_sshd }}"
|
|
no_sudo: "{{ ipaclient_no_sudo }}"
|
|
fixed_primary: "{{ ipassd_fixed_primary }}"
|
|
permit: "{{ ipassd_permit }}"
|
|
no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}"
|
|
no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
|
|
|
|
- name: Install - Configure SSH and SSHD
|
|
ipaclient_setup_ssh:
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
sssd: "{{ result_ipaclient_test.sssd }}"
|
|
no_ssh: "{{ ipaclient_no_ssh }}"
|
|
ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
|
|
no_sshd: "{{ ipaclient_no_sshd }}"
|
|
|
|
- name: Install - Configure automount
|
|
ipaclient_setup_automount:
|
|
servers: "{{ result_ipaclient_test.servers }}"
|
|
sssd: "{{ result_ipaclient_test.sssd }}"
|
|
automount_location: "{{ ipaautomount_location | default(omit) }}"
|
|
|
|
- name: Install - Configure firefox
|
|
ipaclient_setup_firefox:
|
|
firefox_dir: "{{ ipaclient_firefox_dir | default(omit) }}"
|
|
when: ipaclient_configure_firefox | bool
|
|
|
|
- name: Install - Configure NIS
|
|
ipaclient_setup_nis:
|
|
domain: "{{ result_ipaclient_test.domain }}"
|
|
nisdomain: "{{ ipaclient_nisdomain | default(omit) }}"
|
|
when: not ipaclient_no_nisdomain | bool
|
|
|
|
when: not (not ipaclient_on_master | bool and
|
|
not result_ipaclient_join.changed and
|
|
not ipaclient_allow_repair | bool
|
|
and (result_ipaclient_test_keytab.krb5_keytab_ok
|
|
or (result_ipaclient_join.already_joined is defined
|
|
and result_ipaclient_join.already_joined)))
|
|
|
|
when: not ansible_check_mode and
|
|
not (result_ipaclient_test.client_already_configured and
|
|
not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
|
|
|
|
always:
|
|
- name: Cleanup leftover ccache
|
|
file:
|
|
path: "/etc/ipa/.dns_ccache"
|
|
state: absent
|