forked from saratov/infra
80 lines
2.2 KiB
YAML
80 lines
2.2 KiB
YAML
---
|
|
|
|
- name: check required variables
|
|
fail: msg="{{ item }} is not defined"
|
|
when: item not in vars
|
|
with_items: "{{ krb5_required_vars }}"
|
|
|
|
# Install KDC and kadmin daemons
|
|
- name: Install Kerberos 5 KDC packages
|
|
apt_rpm:
|
|
pkg: "{{ krb5_packages | join(',')}}"
|
|
state: installed
|
|
update_cache: yes
|
|
when: krb5_packages | length > 0
|
|
|
|
# Configure /etc/hosts and avoid complex DNS configuration for KDC
|
|
- name: Configure /etc/hosts for Kerberos 5
|
|
template:
|
|
src: hosts.j2
|
|
dest: /etc/hosts
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
|
|
- name: Check local Kerberos 5 database existence
|
|
stat:
|
|
path: '{{ kdc_var_path }}/principal'
|
|
register: stat_kdc_db
|
|
|
|
# We need to initialize principal database on the new system in order
|
|
# 'krb5kdc` to work.
|
|
- name: Initialize Kerberos 5 local database
|
|
shell: "kdb5_util create -P '{{ krb5_admin_pass }}' -r {{ krb5_realm | upper }} -s"
|
|
when: stat_kdc_db.stat.exists == False
|
|
|
|
# We must configure Kerberos 5 realm properly for krb5kdc
|
|
- name: Configure krb5kdc
|
|
template:
|
|
src: kdc.conf.j2
|
|
dest: '{{ kdc_var_path }}/kdc.conf'
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
|
|
# We need to configure the principal to have ALL permissions. It's\
|
|
# like 'root' user but for Kerberos KDC.
|
|
- name: Configure kadmin user permissions
|
|
template:
|
|
src: kadm5.acl.j2
|
|
dest: '{{ kdc_var_path }}/kadm5.acl'
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
|
|
# Then we need at least one principal with administrative privileges
|
|
# in order to work with Kerberos database via `kadmin` daemon.
|
|
- name: Create Kerberos 5 admin principal
|
|
shell: "kadmin.local -q 'addprinc -pw {{ krb5_admin_pass }} admin/admin@{{ krb5_realm | upper }}'"
|
|
|
|
# Start krb5kdc finally
|
|
- name: Enable and start krb5kdc
|
|
systemd:
|
|
name: krb5kdc
|
|
enabled: yes
|
|
state: started
|
|
|
|
# kadmin daemon needs krb5kdc to work with so it starts after it
|
|
- name: Enable and start kadmin
|
|
systemd:
|
|
name: kadmin
|
|
enabled: yes
|
|
state: started
|
|
|
|
- name: register node in localhost hostvars
|
|
set_fact:
|
|
krb5_masters: "{{ hostvars['localhost']['krb5_masters'] | default([]) }} + [ '{{ inventory_hostname_short }}' ]"
|
|
delegate_to: localhost
|
|
delegate_facts: true
|
|
|