Ryan Lerch
62952df107
Replaces many references to file: with ansible.builtin.file Signed-off-by: Ryan Lerch <rlerch@redhat.com>
130 lines
3.3 KiB
YAML
130 lines
3.3 KiB
YAML
---
|
|
# Get host keytab
|
|
- name: Determine whether we need to get host keytab
|
|
stat: path=/etc/krb5.keytab
|
|
register: host_keytab_status
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
|
|
- name: Get admin keytab
|
|
delegate_to: "{{ ipa_server }}"
|
|
shell: echo "{{ipa_admin_password}}" | kinit admin
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Create host entry
|
|
delegate_to: "{{ ipa_server }}"
|
|
command: ipa host-add --force {{inventory_hostname}}
|
|
register: host_add_result
|
|
changed_when: "'Added host' in host_add_result.stdout"
|
|
failed_when: "not ('Added host' in host_add_result.stdout or 'already exists' in host_add_result.stderr)"
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Create additional host entries
|
|
delegate_to: "{{ ipa_server }}"
|
|
command: ipa host-add --force {{item}}
|
|
with_items: "{{ additional_host_keytabs }}"
|
|
register: hosts_add_result
|
|
changed_when: "'Added host' in hosts_add_result.stdout"
|
|
failed_when: "not ('Added host' in hosts_add_result.stdout or 'already exists' in hosts_add_result.stderr)"
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Generate host keytab
|
|
delegate_to: "{{ ipa_server }}"
|
|
command: ipa-getkeytab -s {{ipa_server}} -p host/{{inventory_hostname}} -k /tmp/{{inventory_hostname}}.kt
|
|
register: getkeytab_result
|
|
changed_when: false
|
|
failed_when: "'successfully retrieved' not in getkeytab_result.stderr"
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Add additional host keytabs
|
|
delegate_to: "{{ ipa_server }}"
|
|
command: ipa-getkeytab -s {{ipa_server}} -p host/{{item}} -k /tmp/{{inventory_hostname}}.kt
|
|
with_items: "{{ additional_host_keytabs }}"
|
|
register: getkeytabs_result
|
|
changed_when: false
|
|
failed_when: "'successfully retrieved' not in getkeytabs_result.stderr"
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Destroy kerberos ticket
|
|
delegate_to: "{{ ipa_server }}"
|
|
command: kdestroy -A
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Get keytab
|
|
delegate_to: "{{ ipa_server }}"
|
|
command: base64 /tmp/{{inventory_hostname}}.kt
|
|
register: keytab
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Destroy stored keytab
|
|
delegate_to: "{{ ipa_server }}"
|
|
ansible.builtin.file: path=/tmp/{{inventory_hostname}}.kt state=absent
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Deploy base64 keytab
|
|
copy: dest=/etc/krb5.keytab.b64
|
|
content={{keytab.stdout}}
|
|
owner=root group=root mode=0600
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Base64-decode keytab
|
|
shell: "umask 077; base64 -d /etc/krb5.keytab.b64 >/etc/krb5.keytab"
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Set keytab permissions
|
|
ansible.builtin.file: path=/etc/krb5.keytab owner=root group=root mode=0600
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|
|
|
|
- name: Destroy encoded keytab
|
|
ansible.builtin.file: path=/etc/krb5.keytab.b64 state=absent
|
|
tags:
|
|
- base
|
|
- config
|
|
- krb5
|
|
when: not host_keytab_status.stat.exists
|