The Samba-Bugzilla – Attachment 17463 Details for
Bug 15138
net ads setspn add/delete over-enthusiastic checking - need to add placeholder host SPN
Ansible code to currently manipulate keytab...
krb5-keytab-config.yml (text/plain), 3.17 KB, created by
Matthew Grant
on 2022-08-08 01:26:23 UTC
>---
>- block:
># Configure system keytab
>#
>    - name: About krb5_keytab_flush
>      debug:
>        msg: "If you want to flush /etc/krb5.keytab, set krb5_keytab_flush=true to flush it"
>
>    - name: Display krb5_keytab_flush
>      debug:
>        msg: "{{ krb5_keytab_flush|d(false) }}"
>
>    - name: Stat /etc/krb5.keytab
>      stat:
>        path: /etc/krb5.keytab
>      register: krb5_keytab_result_stat
>
>    # Only flush when the keytab exists and the operator asked for it.
>    - name: Flush /etc/krb5.keytab and all SPNs for host
>      command: "net ads keytab flush"
>      when: krb5_keytab_result_stat.stat.exists and krb5_keytab_flush|d(false)
>      register: krb5_keytab_result_flush
>
>    # Placeholder host SPN: after a flush, the setspn add/delete tasks below
>    # need one to be present (the subject of this bug).
>    - name: Add canary SPN/principal so that following commands succeed
>      command: "net ads keytab add_update_ads host/{{ samba_netbios_name|lower }}"
>      changed_when: false
>      when: krb5_keytab_result_flush.changed
>
>    # Fails only when rc is neither 0 nor 255 and the output lacks 'Updated object'.
>    - name: Delete SPNs
>      command: "net ads setspn delete {{ item.spn }}"
>      changed_when: krb5_keytab_result_setspn_delete.rc == 0 and krb5_keytab_result_setspn_delete.stdout|regex_search('Unregistering SPN', multiline=True)
>      failed_when: krb5_keytab_result_setspn_delete.rc not in [0, 255] and not krb5_keytab_result_setspn_delete.stdout|regex_search('Updated object', multiline=True)
>      when: item.state|d('present') == 'absent'
>      loop: "{{ krb5_keytab_var_spns | flatten }}"
>      register: krb5_keytab_result_setspn_delete
>
>    # 'Duplicate SPN' in the output is tolerated so that re-runs do not fail.
>    - name: Add extra SPNs
>      command: "net ads setspn add {{ item.spn }}"
>      changed_when: krb5_keytab_result_setspn_add.rc == 0 and krb5_keytab_result_setspn_add.stdout|regex_search('Registering SPN', multiline=True)
>      failed_when: krb5_keytab_result_setspn_add.rc not in [0, 255] and not krb5_keytab_result_setspn_add.stdout|regex_search('Registering SPN', multiline=True) and not krb5_keytab_result_setspn_add.stdout|regex_search('Duplicate SPN', multiline=True)
>      when: item.state|d('present') == 'present'
>      loop: "{{ krb5_keytab_var_spns | flatten }}"
>      register: krb5_keytab_result_setspn_add
>
>    - name: Build machines keytab
>      command: net ads keytab create -d 1
>      changed_when: false
>
>    # Swap the lower-case placeholder for the upper-case HOST/ SPN after a flush.
>    - name: Cleanup canary SPN
>      command: "net ads setspn delete host/{{ samba_netbios_name|lower }}"
>      changed_when: false
>      when: krb5_keytab_result_flush.changed
>
>    - name: Replace canary SPN
>      command: "net ads setspn add HOST/{{ samba_netbios_name|upper }}"
>      changed_when: false
>      when: krb5_keytab_result_flush.changed
>
>    - name: Add system kerberos keytab group for accessing keytab
>      group:
>        name: "{{ krb5_keytab_group }}"
>        system: yes
>        state: present
>
>    # The keytab holds the machine's Kerberos keys: root-owned, readable only
>    # by members of the keytab group, no access for others.
>    - name: Set up /etc/krb5.keytab group and permissions
>      file:
>        path: /etc/krb5.keytab
>        owner: root
>        group: "{{ krb5_keytab_group }}"
>        mode: 0640
>
>    - name: Add system users to kerberos group
>      user:
>        name: '{{ item }}'
>        groups: "{{ krb5_keytab_group }}"
>        append: yes
>      loop: "{{ krb5_keytab_group_members }}"
>
>    - name: Add extra kerberos principals with SPN
>      command: "net ads keytab add_update_ads {{ item }}"
>      changed_when: false
>      loop: "{{ krb5_keytab_principals_with_spn }}"
>
>    - name: Add extra pure kerberos principals
>      command: "net ads keytab add {{ item }}"
>      changed_when: false
>      loop: "{{ krb5_keytab_principals }}"
>
>  tags:
>    - always
>...