diff --git a/roles/keytab/service/defaults/main.yml b/roles/keytab/service/defaults/main.yml
new file mode 100644
index 0000000000..e374bc0d1c
--- /dev/null
+++ b/roles/keytab/service/defaults/main.yml
@@ -0,0 +1,3 @@
+owner_user: root
+owner_group: root
+kt_location: "/etc/krb5.{{service}}_{{host}}.keytab"
diff --git a/roles/keytab/service/tasks/main.yml b/roles/keytab/service/tasks/main.yml
new file mode 100644
index 0000000000..7aceb5af67
--- /dev/null
+++ b/roles/keytab/service/tasks/main.yml
@@ -0,0 +1,82 @@
+---
+# We need ipa-getkeytab
+- name: Install ipa-client
+  yum: name=ipa-client state=present
+
+- name: Determine whether we need to get keytab
+  stat: path={{kt_location}}
+  register: keytab_status
+  tags:
+  - keytab
+  - config
+  - krb5
+
+- name: Get admin ticket
+  delegate_to: "{{ ipa_server }}"
+  shell: echo "{{ipa_admin_password}}" | kinit admin
+  tags:
+  - keytab
+  - config
+  - krb5
+  when: not keytab_status.stat.exists
+
+- name: Create host entry
+  delegate_to: "{{ ipa_server }}"
+  command: ipa host-add {{host}}
+  register: host_add_result
+  changed_when: "'Added host' in host_add_result.stdout"
+  failed_when: "not ('Added host' in host_add_result.stdout or 'already exists' in host_add_result.stderr)"
+  tags:
+  - keytab
+  - config
+  - krb5
+  when: not keytab_status.stat.exists
+
+- name: Create service entry
+  delegate_to: "{{ ipa_server }}"
+  command: ipa service-add {{service}}/{{host}}
+  register: service_add_result
+  changed_when: "'Added service' in service_add_result.stdout"
+  failed_when: "not ('Added service' in service_add_result.stdout or 'already exists' in service_add_result.stderr)"
+  tags:
+  - keytab
+  - config
+  - krb5
+  when: not keytab_status.stat.exists
+
+- name: Grant host access to keytab
+  delegate_to: "{{ ipa_server }}"
+  command: ipa service-allow-retrieve-keytab {{service}}/{{host}} --hosts={{inventory_hostname}}
+  register: service_perm_add_result
+  changed_when: "'members added 1' in service_add_result.stdout"
+  failed_when: "not ('members added' in service_add_result.stdout)"
+  tags:
+  - keytab
+  - config
+  - krb5
+  when: not keytab_status.stat.exists
+
+- name: Destroy kerberos ticket
+  delegate_to: "{{ ipa_server }}"
+  command: kdestroy -A
+  tags:
+  - keytab
+  - config
+  - krb5
+  when: not keytab_status.stat.exists
+
+- name: Retrieve keytab
+  command: ipa-getkeytab --retrieve --server {{ipa_server}} --keytab {{kt_location}} --principal {{service}}/{{host}}
+  tags:
+  - keytab
+  - config
+  - krb5
+  when: not keytab_status.stat.exists
+
+- name: Set keytab permissions
+  file: path={{kt_location}} owner={{owner_user}} group={{owner_group}} mode=0600
+  tags:
+  - keytab
+  - config
+  - krb5
+  when: not keytab_status.stat.exists
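Review bot: The `Grant host access to keytab` task registers `service_perm_add_result` but its `changed_when` and `failed_when` inspect `service_add_result.stdout`, the output of the preceding `service-add` task, so the result of the permission grant itself is never checked and the failure decision is made on the wrong command's output; change the two lines to `changed_when: "'members added 1' in service_perm_add_result.stdout"` and `failed_when: "not ('members added' in service_perm_add_result.stdout)"`. Separately, the `Get admin ticket` task pipes `{{ipa_admin_password}}` through `shell`, and Ansible records the rendered command in the task result and in verbose/log output unless the task carries `no_log: true`; adding that line keeps the admin password out of logs and callback output. The `kdestroy -A` cleanup is an ordinary task, so if `host-add`, `service-add` or the grant fails the play stops on that host and the admin TGT is left in the IPA server's credential cache; wrapping the delegated steps in a `block` with `kdestroy` in `always` would bound that exposure. Also, `mode=0600` is only applied by the later `file` task, after `ipa-getkeytab` has already written the file, so the keytab's initial mode depends on what that tool and the umask produce; consider stating the intended guarantee in a comment if that ordering is deliberate.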