ansible/roles/keytab/service/tasks/main.yml

---
- name: Determine whether we need to get keytab
  stat: path={{kt_location}}
  register: keytab_status
  tags:
  - keytab
  - config
  - krb5

- name: Get admin ticket
  delegate_to: "{{ ipa_server }}"
  shell: echo "{{ipa_admin_password}}" | kinit admin
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Create host entry
  delegate_to: "{{ ipa_server }}"
  command: ipa host-add {{host}}
  register: host_add_result
  changed_when: "'Added host' in host_add_result.stdout"
  failed_when: "not ('Added host' in host_add_result.stdout or 'already exists' in host_add_result.stderr)"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Create service entry
  delegate_to: "{{ ipa_server }}"
  command: ipa service-add {{service}}/{{host}}
  register: service_add_result
  changed_when: "'Added service' in service_add_result.stdout"
  failed_when: "not ('Added service' in service_add_result.stdout or 'already exists' in service_add_result.stderr)"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Grant host access to keytab
  delegate_to: "{{ ipa_server }}"
  command: ipa service-allow-retrieve-keytab {{service}}/{{host}} --hosts={{inventory_hostname}}
  register: service_perm_add_result
  changed_when: "'members added 1' in service_perm_add_result.stdout"
  failed_when: "not ('members added' in service_perm_add_result.stdout)"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Grant admin access to keytab
  delegate_to: "{{ ipa_server }}"
  command: ipa service-allow-retrieve-keytab {{service}}/{{host}} --users=admin
  register: service_perm_add_result
  changed_when: "'members added 1' in service_perm_add_result.stdout"
  failed_when: "not ('members added' in service_perm_add_result.stdout)"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Retrieve keytab
  delegate_to: "{{ ipa_server }}"
  command: ipa-getkeytab --retrieve --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}
  register: retrieve_result
  failed_when: "not ('Keytab successfully retrieved' in retrieve_result.stderr or 'krbPrincipalKey not found' in retrieve_result.stderr)"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Create keytab if it did not exist
  delegate_to: "{{ ipa_server }}"
  command: ipa-getkeytab --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists and 'krbPrincipalKey not found' in retrieve_result.stderr

- name: Destroy admin ticket
  delegate_to: "{{ ipa_server }}"
  command: kdestroy -A
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Get keytab
  delegate_to: "{{ ipa_server }}"
  command: base64 /tmp/{{service}}_{{host}}.kt
  register: keytab
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Destroy stored keytab
  delegate_to: "{{ ipa_server }}"
  file: path=/tmp/{{service}}_{{host}}.kt state=absent
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Deploy base64 keytab
  copy: dest={{kt_location}}.b64
        content={{keytab.stdout}}
        owner={{owner_user}} group={{owner_group}} mode=0600
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Base64-decode keytab
  shell: "umask 077 && base64 -d {{kt_location}}.b64 >{{kt_location}}"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Destroy encoded keytab
  file: path={{kt_location}}.b64 state=absent
  tags:
  - keytab
  - config
  - krb5

- name: Set keytab permissions
  file: path={{kt_location}} owner={{owner_user}} group={{owner_group}} mode=0600 state=file
  tags:
  - keytab
  - config
  - krb5
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`---`
			`- name: Determine whether we need to get keytab`
			`stat: path={{kt_location}}`
			`register: keytab_status`
			`tags:`
			`- keytab`
			`- config`
			`- krb5`

			`- name: Get admin ticket`
			`delegate_to: "{{ ipa_server }}"`
			`shell: echo "{{ipa_admin_password}}" \| kinit admin`
			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

			`- name: Create host entry`
			`delegate_to: "{{ ipa_server }}"`
			`command: ipa host-add {{host}}`
			`register: host_add_result`
			`changed_when: "'Added host' in host_add_result.stdout"`
			`failed_when: "not ('Added host' in host_add_result.stdout or 'already exists' in host_add_result.stderr)"`
			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

			`- name: Create service entry`
			`delegate_to: "{{ ipa_server }}"`
			`command: ipa service-add {{service}}/{{host}}`
			`register: service_add_result`
			`changed_when: "'Added service' in service_add_result.stdout"`
			`failed_when: "not ('Added service' in service_add_result.stdout or 'already exists' in service_add_result.stderr)"`
			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

			`- name: Grant host access to keytab`
			`delegate_to: "{{ ipa_server }}"`
			`command: ipa service-allow-retrieve-keytab {{service}}/{{host}} --hosts={{inventory_hostname}}`
			`register: service_perm_add_result`
Fix check Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:35:00 +00:00			`changed_when: "'members added 1' in service_perm_add_result.stdout"`
			`failed_when: "not ('members added' in service_perm_add_result.stdout)"`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Grant admin access to keytab`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`delegate_to: "{{ ipa_server }}"`
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`command: ipa service-allow-retrieve-keytab {{service}}/{{host}} --users=admin`
			`register: service_perm_add_result`
			`changed_when: "'members added 1' in service_perm_add_result.stdout"`
			`failed_when: "not ('members added' in service_perm_add_result.stdout)"`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Retrieve keytab`
			`delegate_to: "{{ ipa_server }}"`
			`command: ipa-getkeytab --retrieve --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}`
			`register: retrieve_result`
			`failed_when: "not ('Keytab successfully retrieved' in retrieve_result.stderr or 'krbPrincipalKey not found' in retrieve_result.stderr)"`
Get and destroy host ticket Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:47:57 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Create keytab if it did not exist`
			`delegate_to: "{{ ipa_server }}"`
			`command: ipa-getkeytab --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}`
			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists and 'krbPrincipalKey not found' in retrieve_result.stderr`

			`- name: Destroy admin ticket`
			`delegate_to: "{{ ipa_server }}"`
			`command: kdestroy -A`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Get keytab`
			`delegate_to: "{{ ipa_server }}"`
			`command: base64 /tmp/{{service}}_{{host}}.kt`
			`register: keytab`
Handle the case when no key was created yet Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:58:16 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`when: not keytab_status.stat.exists`
Handle the case when no key was created yet Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:58:16 +00:00
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Destroy stored keytab`
			`delegate_to: "{{ ipa_server }}"`
			`file: path=/tmp/{{service}}_{{host}}.kt state=absent`
Handle the case when no key was created yet Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:58:16 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`when: not keytab_status.stat.exists`
Handle the case when no key was created yet Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:58:16 +00:00
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Deploy base64 keytab`
			`copy: dest={{kt_location}}.b64`
			`content={{keytab.stdout}}`
			`owner={{owner_user}} group={{owner_group}} mode=0600`
Get and destroy host ticket Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:47:57 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

Decode and destroy the b64-encoded keytab Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:19:45 +00:00			`- name: Base64-decode keytab`
			`shell: "umask 077 && base64 -d {{kt_location}}.b64 >{{kt_location}}"`
			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

			`- name: Destroy encoded keytab`
			`file: path={{kt_location}}.b64 state=absent`
			`tags:`
			`- keytab`
			`- config`
			`- krb5`

Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`- name: Set keytab permissions`
Ansible has a bug where state=null becomes state=link, contrary to documentation Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-27 22:57:29 +00:00			`file: path={{kt_location}} owner={{owner_user}} group={{owner_group}} mode=0600 state=file`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`