Update to 2021-12-01 19:13

roles/wb_ad_auth/defaults/main.yml

@@ -0,0 +1,20 @@
+---
+ad_auth: False
+ad_domain: "{{ samba_domain }}"
+ad_realm: "{{ samba_realm }}"
+ad_admin: Administrator
+ad_admin_pass: "{{ samba_dc_admin_pass }}"
+ad_computer_ou: 
+ad_access_filter: "(memberOf=*)"
+# You can define a custom search base, with a scope and a filter for groups:
+# ad_ldap_group_search_base: CN=Groups,dc=ad,dc=domain,dc=com?sub?(|(cn=Domain Users)(cn=Domain Admins))
+
+# This is a list of groups to ignore. Because they would appear with a gid of 0, and would break all membership
+# This is ignored if ad_ldap_group_search_base is defined
+ad_ignore_groups:
+  - Pre-Windows 2000 Compatible Access
+  - Windows Authorization Access Group
+  - Administrators
+  - IIS_IUSRS
+  - Guests
+  - Users

roles/wb_ad_auth/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+
+  # Wipe the local cache
+- name: restart sssd
+  file: path=/var/lib/sss/db/cache_{{ ad_realm | upper }}.ldb state=absent
+  notify: really restart sssd
+
+- name: really restart sssd
+  service: name=sssd state=restarted

roles/wb_ad_auth/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+
+- name: Install packages
+  yum: name={{ item }} state=present
+  with_items:
+    - sssd-ad
+      #- sssd-libwbclient
+    - adcli
+    - oddjob-mkhomedir
+    - krb5-workstation
+  tags: auth
+
+- name: Set LDAP base
+  set_fact: ad_ldap_base=DC={{ ad_realm | regex_replace('\.',',DC=') }}
+  tags: auth
+
+- name: Check if authconfig needs to update pam config
+  command: "grep -c -P '^auth\\s+sufficient\\s+pam_sss.so' /etc/pam.d/system-auth"
+  register: ad_authconfig_done
+  changed_when: False
+  ignore_errors: True
+  tags: auth
+
+- name: Configure the PAM stack
+  command: authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
+  when: ad_authconfig_done.stdout | int < 1
+  tags: auth
+
+- name: Deploy sssd configuration
+  template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=600
+  notify: restart sssd
+  tags: auth
+
+- name: Deploy krb5 configuration
+  template: src=krb5.conf.j2 dest=/etc/krb5.conf
+  tags: auth
+
+- name: Check if running on a DC
+  stat: path=/var/lib/samba/private/secrets.keytab
+  register: ad_dc_keytab
+  tags: auth
+
+- name: Copy the keytab
+  copy: src=/var/lib/samba/private/secrets.keytab dest=/etc/krb5.keytab mode=600 remote_src=True
+  when: ad_dc_keytab.stat.exists
+  tags: auth
+
+- name: Check if we already have our keytab file
+  stat: path=/etc/krb5.keytab
+  register: ad_keytab
+  tags: auth
+
+- name: Join the domain
+  command: adcli join {{ ad_realm }} --login-user={{ ad_admin }} --host-fqdn={{ ansible_hostname }}.{{ ad_realm }} --stdin-password
+  args:
+    stdin: "{{ ad_admin_pass }}"
+  when: not ad_keytab.stat.exists
+  tags: auth
+
+- name: Start and enable sssd
+  service: name=sssd state=started enabled=True
+  tags: auth

roles/wb_ad_auth/templates/krb5.conf

@@ -0,0 +1,5 @@
+[libdefaults]
+  default_realm = {{ ad_realm | upper }}
+  dns_lookup_realm = false
+  dns_lookup_kdc = true
+  rdns = false

roles/wb_ad_auth/templates/krb5.conf.j2

@@ -0,0 +1,5 @@
+[libdefaults]
+  default_realm = {{ ad_realm }}
+  dns_lookup_realm = false
+  dns_lookup_kdc = true
+  rdns = false

roles/wb_ad_auth/templates/sssd.conf.j2

@@ -0,0 +1,24 @@
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = {{ ad_realm }}
+
+[nss]
+shell_fallback = /bin/false
+
+[pam]
+
+[domain/{{ ad_realm }}]
+id_provider = ad
+ad_hostname = {{ ansible_hostname }}.{{ ad_realm | lower }}
+fallback_homedir = /home/%d/%u
+default_shell = /bin/false
+cache_credentials = true
+enumerate = true
+access_provider = ad
+ad_access_filter = {{ ad_access_filter }}
+{% if ad_ldap_group_search_base is defined %}
+ldap_group_search_base = {{ ad_ldap_group_search_base }}
+{% elif ad_ignore_groups | length > 0 %}
+ldap_group_search_base = {{ ad_ldap_base }}?sub?(!(|(cn={{ ad_ignore_groups | join(')(cn=') }})))
+{% endif %}