Attachment 17463 Details for Bug 15138 – Ansible code to currently manipulate keytab...

Ansible code to currently manipulate keytab...

krb5-keytab-config.yml (text/plain), 3.17 KB, created by Matthew Grant on 2022-08-08 01:26:23 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Matthew Grant

Created: 2022-08-08 01:26:23 UTC

Size: 3.17 KB

patch

obsolete

>---
>- block: 
># Configure system keytab
>#
>  - name: About krb5_keytab_flush
>    debug:
>      msg: "If you want to flush /etc/krb5.keytab, set krb5_keytab_flush=true to flush it"
>
>  - name: Display krb5_keytab_flush
>    debug:
>      msg: "{{ krb5_keytab_flush|d(false) }}"
>
>  - name: Stat /etc/krb5.keytab
>    stat:
>      path: /etc/krb5.keytab
>    register: krb5_keytab_result_stat
>
>  - name: Flush /etc/krb5.keytab and all SPNs for host
>    command: "net ads keytab flush"
>    when: krb5_keytab_result_stat.stat.exists and krb5_keytab_flush|d(false)
>    register: krb5_keytab_result_flush
>
>  - name: Add canary SPN/principal so that floowing commands succeed
>    command: "net ads keytab add_update_ads host/{{ samba_netbios_name|lower }}"
>    changed_when: false
>    when: krb5_keytab_result_flush.changed
>
>  - name: Delete SPNs
>    command: "net ads setspn delete {{ item.spn }}"
>    changed_when: krb5_keytab_result_setspn_delete.rc == 0 and krb5_keytab_result_setspn_delete.stdout|regex_search('Unregistering SPN', multiline=True)
>    failed_when: krb5_keytab_result_setspn_add.rc not in [0, 255] and not krb5_keytab_result_setspn_delete.stdout|regex_search('Updated object', multiline=True)
>    when: item.state|d('present') == 'absent'
>    loop: "{{ krb5_keytab_var_spns | flatten }}"
>    register: krb5_keytab_result_setspn_delete
>
>  - name: Add extra SPNs
>    command: "net ads setspn add {{ item.spn }}"
>    changed_when: krb5_keytab_result_setspn_add.rc == 0 and krb5_keytab_result_setspn_add.stdout|regex_search('Registering SPN', multiline=True)
>    failed_when: krb5_keytab_result_setspn_add.rc not in [0, 255] and not krb5_keytab_result_setspn_add.stdout|regex_search('Registering SPN', multiline=True) and not krb5_keytab_result_setspn_add.stdout|regex_search('Duplicate SPN', multiline=True)
>    when: item.state|d('present') == 'present'
>    loop: "{{ krb5_keytab_var_spns | flatten }}"
>    register: krb5_keytab_result_setspn_add
>
>  - name: Build machines keytab
>    command: net ads keytab create -d 1
>    changed_when: false
>
>  - name: Cleanup canary SPN
>    command: "net ads setspn delete host/{{ samba_netbios_name|lower }}"
>    changed_when: false
>    when: krb5_keytab_result_flush.changed
>
>  - name: Replace canary SPN
>    command: "net ads setspn add HOST/{{ samba_netbios_name|upper }}"
>    changed_when: false
>    when: krb5_keytab_result_flush.changed
>
>  - name: Add system kerberos keytab group for accessing keytab
>    group:
>      name: "{{ krb5_keytab_group }}"
>      system: yes
>      state: present
>
>  - name: Set up /etc/krb5.keytab group and permissions
>    file:
>      path: /etc/krb5.keytab
>      owner: root
>      group: "{{ krb5_keytab_group }}"
>      mode: 0640
>
>  - name: Add system users to kerberos group
>    user:
>      name: '{{ item }}'
>      groups: "{{ krb5_keytab_group }}"
>      append: yes
>    loop: "{{ krb5_keytab_group_members }}"
>
>  - name: Add extra kerberos principals with SPN
>    command: "net ads keytab add_update_ads {{ item }}"
>    changed_when: false
>    loop: "{{ krb5_keytab_principals_with_spn }}"
>
>  - name: Add extra pure kerberos principals
>    command: "net ads keytab add {{ item }}"
>    changed_when: false
>    loop: "{{ krb5_keytab_principals }}"
>
>  tags:
>    - always
>...

Actions: View

Attachments on bug 15138: 17463