Update to 2021-12-01 19:13

roles/sssd_ad_auth/tasks/install_Debian.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Install sssd and the needed tools
+  apt:
+    name:
+      - sssd-ad
+      - libnss-sss
+      - libpam-sss
+      - oddjob-mkhomedir
+      - ca-certificates
+      - krb5-user
+      - sssd-tools
+      - adcli
+  notify:
+    - restart oddjobd
+    - restart sssd ad
+  tags: auth

roles/sssd_ad_auth/tasks/install_RedHat.yml

@@ -0,0 +1,10 @@
+---
+- name: Install packages
+  yum:
+    name:
+      - sssd-ad
+      - adcli
+      - oddjob-mkhomedir
+      - krb5-workstation
+      - authconfig
+  tags: auth

roles/sssd_ad_auth/tasks/main.yml

@@ -0,0 +1,100 @@
+---
+
+- name: Build trusted domains list
+  set_fact: ad_trusted_domains_conf={{ ad_trusted_domains_conf | default([]) + [ad_default_trusted_domain | combine(item,recursive=True)] }}
+  with_items: "{{ ad_trusted_domains }}"
+  tags: auth
+- set_fact: ad_trusted_domains={{ ad_trusted_domains_conf | default([]) }}
+  tags: auth
+
+- include: install_{{ ansible_os_family }}.yml
+
+- name: Set LDAP base
+  set_fact: ad_ldap_base=DC={{ ad_realm | regex_replace('\.',',DC=') }}
+  tags: auth
+
+- include_tasks: pam_{{ ansible_os_family }}.yml
+
+- name: Check if there's a secrets.tdb DB
+  stat: path=/var/lib/samba/private/secrets.tdb
+  register: ad_samba_secrets
+  tags: auth
+
+- name: Deploy sssd configuration
+  template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=600
+  notify: restart sssd ad
+  tags: auth
+
+- name: Deploy krb5 configuration
+  template: src=krb5.conf.j2 dest=/etc/krb5.conf
+  tags: auth
+
+- name: Remove current keytab
+  file: path=/etc/krb5.keytab state=absent
+  when: ad_force_join | bool
+  tags: auth
+
+- name: Check if we already have our keytab file
+  stat: path=/etc/krb5.keytab
+  register: ad_keytab
+  tags: auth
+
+  # We need to have our correct hostname before joining the domain !!
+- name: Set system hostname
+  hostname: name={{ system_hostname | default(inventory_hostname | regex_replace('^([^\.]+)\..*','\\1')) }}
+  tags: auth
+
+- name: Join the domain
+  command: adcli join {{ ad_realm | upper }} --login-user={{ ad_admin }} --host-fqdn={{ ansible_hostname }}.{{ ad_realm }} --stdin-password
+  args:
+    stdin: "{{ ad_admin_pass }}"
+  no_log: True
+  when: not ad_keytab.stat.exists
+  register: ad_join
+  tags: auth
+
+- name: Check if we're a DC
+  stat: path=/var/lib/samba/private/secrets.keytab
+  register: ad_dc_keytab
+  tags: auth
+
+- name: Add a cron task to renew machine password
+  cron:
+    name: sssd_ad
+    cron_file: renew_ad_pass
+    minute: "{{ 59 | random(seed=inventory_hostname) }}"
+    hour: "{{ 23 | random(seed=inventory_hostname) }}"
+    day: "{{ 28 | random(seed=inventory_hostname) }}"
+    user: root
+    job: net ads changetrustpw
+    state: "{{ (ad_dc_keytab.stat.exists or not ad_samba_secrets.stat.exists) | ternary('absent','present') }}"
+  tags: auth
+
+- name: Create keytabs dir
+  file: path=/var/lib/sss/keytabs state=directory owner=sssd mode=700
+  tags: auth
+
+- name: Join trusted domains
+  command: adcli join {{ item.name | upper }} --login-user={{ item.admin_user }} --stdin-password --host-keytab=/var/lib/sss/keytabs/{{ item.name | upper }}.keytab
+  args:
+    stdin: "{{ item.admin_pass }}"
+    creates: /var/lib/sss/keytabs/{{ item.name | upper }}.keytab
+  become_user: sssd
+  with_items: "{{ ad_trusted_domains }}"
+  register: ad_trusted_join
+  tags: auth
+
+- name: Start and enable services
+  service: name={{ item }} state=started enabled=True
+  with_items:
+    - sssd
+    - oddjobd
+  tags: auth
+
+  # On el8 for example, sssd is already installed and running on a default setup
+  # so we need to restart it now, so users are available (for eg, ssh authorized_keys setup)
+  # We can't rely on the handler, because it would only run at the end of the playbook
+- name: Restart sssd if needed
+  service: name=sssd state=restarted
+  when: ad_join.changed or ad_trusted_join.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: auth

roles/sssd_ad_auth/tasks/pam_Debian.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Deploy pam config
+  template: src=deb_pam_common_{{ item }}.j2 dest=/etc/pam.d/common-{{ item }}
+  with_items:
+    - account
+    - auth
+    - password
+    - session

roles/sssd_ad_auth/tasks/pam_RedHat.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Check if authconfig needs to update pam config
+  command: "grep -c -P '^auth\\s+sufficient\\s+pam_sss.so' /etc/pam.d/system-auth"
+  register: ad_authconfig_done
+  changed_when: False
+  failed_when: False
+  tags: auth
+
+- name: Configure the PAM stack
+  command: authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
+  when: ad_authconfig_done.stdout | int < 1
+  tags: auth