infra/roles/kerberos5/tasks/master.yml


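---
# Fail fast with an explicit message when a variable the role depends on is
# missing, instead of dying later inside a template with a cryptic error.
# krb5_required_vars lists the variable names this role expects to be set.
- name: check required variables
  fail:
    msg: "{{ item }} is not defined"
  when: item not in vars
  with_items: "{{ krb5_required_vars }}"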
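# Install the KDC and kadmin daemons (apt_rpm is the ALT Linux package
# module). Skipped entirely when krb5_packages is empty.
- name: Install Kerberos 5 KDC packages
  apt_rpm:
    pkg: "{{ krb5_packages | join(',') }}"
    state: installed
    update_cache: true
  when: krb5_packages | length > 0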
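# Manage /etc/hosts so the KDC does not depend on a working DNS setup.
# NOTE: this replaces the whole file, so hosts.j2 must carry the loopback
# entries and the KDC's own name itself, not just the additions.
- name: Configure /etc/hosts for Kerberos 5
  template:
    src: hosts.j2
    dest: /etc/hosts
    owner: root
    group: root
    mode: "0644"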
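# The principal database must be created exactly once; its presence is
# detected through the `principal` file under kdc_var_path.
- name: Check local Kerberos 5 database existence
  stat:
    path: "{{ kdc_var_path }}/principal"
  register: stat_kdc_db

# krb5kdc cannot start without an initialized principal database. The
# master key password is fed on stdin (kdb5_util prompts for it twice)
# instead of `-P` on the command line, so it is never visible in `ps`
# output or shell history, and no_log keeps it out of Ansible's own
# output and logs. `-s` writes the stash file so krb5kdc can start
# unattended; the realm name is upper-cased as Kerberos expects.
- name: Initialize Kerberos 5 local database
  command:
    cmd: kdb5_util create -s -r {{ krb5_realm | upper }}
    stdin: "{{ krb5_admin_pass }}\n{{ krb5_admin_pass }}\n"
  no_log: true
  when: not stat_kdc_db.stat.exists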
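# Realm configuration for krb5kdc. Kept root-only (0600): kdc.conf may
# reference key locations and other settings that should not be readable
# by unprivileged users.
- name: Configure krb5kdc
  template:
    src: kdc.conf.j2
    dest: "{{ kdc_var_path }}/kdc.conf"
    owner: root
    group: root
    mode: "0600"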
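# kadm5.acl grants the admin principal every kadmin permission -- effectively
# `root` for the Kerberos database -- so keep it root-only and review any
# broadening of the template carefully.
- name: Configure kadmin user permissions
  template:
    src: kadm5.acl.j2
    dest: "{{ kdc_var_path }}/kadm5.acl"
    owner: root
    group: root
    mode: "0600"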
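# kadmin needs at least one principal with administrative rights (matched
# by kadm5.acl) to manage the database. It is created only together with a
# fresh database: re-running addprinc for an existing principal is not
# idempotent. The password goes in via stdin (addprinc prompts twice) rather
# than `-pw` on the command line, so it does not show up in `ps` or shell
# history, and no_log keeps it out of Ansible output.
# NOTE(review): the same secret is used as the database master key and as
# the admin principal's password; consider separate variables.
- name: Create Kerberos 5 admin principal
  command:
    cmd: kadmin.local -q "addprinc admin/admin@{{ krb5_realm | upper }}"
    stdin: "{{ krb5_admin_pass }}\n{{ krb5_admin_pass }}\n"
  no_log: true
  when: not stat_kdc_db.stat.exists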
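# Start the KDC now that database, kdc.conf and kadm5.acl are in place, and
# enable it so it survives reboots.
- name: Enable and start krb5kdc
  systemd:
    name: krb5kdc
    enabled: true
    state: started

# kadmin talks to the running KDC, so it is started after krb5kdc.
- name: Enable and start kadmin
  systemd:
    name: kadmin
    enabled: true
    state: started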
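# Append this host to the krb5_masters list kept on the controller
# (presumably read by other roles that need the KDC addresses). Done as a
# real Jinja list concatenation; the former "{{ list }} + [ 'x' ]" form
# rendered a string and only worked through Ansible's re-evaluation of the
# templated result.
- name: register node in localhost hostvars
  set_fact:
    krb5_masters: "{{ hostvars['localhost']['krb5_masters'] | default([]) + [inventory_hostname_short] }}"
  delegate_to: localhost
  delegate_facts: true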