commit 47c0040e3672f1614547362a567512fa272daa9e
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 16:03:38 2017 +0100
Add keytab
roles/base/tasks/keytab.yml | 130 +++++++++++++++++++++++++++++++++++++++++++
1 files changed, 130 insertions(+), 0 deletions(-)
---
diff --git a/roles/base/tasks/keytab.yml b/roles/base/tasks/keytab.yml
new file mode 100644
index 0000000..a6f43cc
--- /dev/null
+++ b/roles/base/tasks/keytab.yml
@@ -0,0 +1,130 @@
+---
+# Get host keytab
+- name: Determine whether we need to get host keytab
+ stat: path=/etc/krb5.keytab
+ register: host_keytab_status
+ tags:
+ - base
+ - config
+ - krb5
+
+- name: Get admin keytab
+ delegate_to: "{{ ipa_server }}"
+ shell: echo "{{ipa_admin_password}}" | kinit admin
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Create host entry
+ delegate_to: "{{ ipa_server }}"
+ command: ipa host-add {{inventory_hostname}}
+ register: host_add_result
+ changed_when: "'Added host' in host_add_result.stdout"
+ failed_when: "not ('Added host' in host_add_result.stdout or 'already
exists' in host_add_result.stderr)"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Create additional host entries
+ delegate_to: "{{ ipa_server }}"
+ command: ipa host-add {{item}}
+ with_items: "{{ additional_host_keytabs }}"
+ register: hosts_add_result
+ changed_when: "'Added host' in hosts_add_result.stdout"
+ failed_when: "not ('Added host' in hosts_add_result.stdout or 'already
exists' in hosts_add_result.stderr)"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Generate host keytab
+ delegate_to: "{{ ipa_server }}"
+ command: ipa-getkeytab -s {{ipa_server}} -p host/{{inventory_hostname}} -k
/tmp/{{inventory_hostname}}.kt
+ register: getkeytab_result
+ changed_when: false
+ failed_when: "'successfully retrieved' not in
getkeytab_result.stderr"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Add additional host keytabs
+ delegate_to: "{{ ipa_server }}"
+ command: ipa-getkeytab -s {{ipa_server}} -p host/{{item}} -k
/tmp/{{inventory_hostname}}.kt
+ with_items: "{{ additional_host_keytabs }}"
+ register: getkeytabs_result
+ changed_when: false
+ failed_when: "'successfully retrieved' not in
getkeytabs_result.stderr"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Destroy kerberos ticket
+ delegate_to: "{{ ipa_server }}"
+ command: kdestroy -A
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Get keytab
+ delegate_to: "{{ ipa_server }}"
+ command: base64 /tmp/{{inventory_hostname}}.kt
+ register: keytab
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Destroy stored keytab
+ delegate_to: "{{ ipa_server }}"
+ file: path=/tmp/{{inventory_hostname}}.kt state=absent
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Deploy base64 keytab
+ copy: dest=/etc/krb5.keytab.b64
+ content={{keytab.stdout}}
+ owner=root group=root mode=0600
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Base64-decode keytab
+ shell: "umask 077; base64 -d /etc/krb5.keytab.b64 >/etc/krb5.keytab"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Set keytab permissions
+ file: path=/etc/krb5.keytab owner=root group=root mode=0600
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Destroy encoded keytab
+ file: path=/etc/krb5.keytab.b64 state=absent
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists