From bd8e23f211c4ca2b3f027eafc27320f47b8c741f Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 24 Aug 2017 12:38:15 +0200
Subject: [PATCH] New role for krb5

---
 roles/krb5/defaults/main.yml      | 14 ++++++++++++++
 roles/krb5/meta/main.yml          | 12 ++++++++++++
 roles/krb5/tasks/main.yml         | 20 ++++++++++++++++++++
 roles/krb5/templates/krb5.conf.j2 | 31 +++++++++++++++++++++++++++++++
 roles/krb5/vars/default.yml       |  2 ++
 5 files changed, 79 insertions(+)
 create mode 100644 roles/krb5/defaults/main.yml
 create mode 100644 roles/krb5/meta/main.yml
 create mode 100644 roles/krb5/tasks/main.yml
 create mode 100644 roles/krb5/templates/krb5.conf.j2
 create mode 100644 roles/krb5/vars/default.yml

diff --git a/roles/krb5/defaults/main.yml b/roles/krb5/defaults/main.yml
new file mode 100644
index 00000000..acc70a2a
--- /dev/null
+++ b/roles/krb5/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+krb5_conf: /etc/krb5.conf
+krb5_conf_d: /etc/krb5.conf.d/ #paths.COMMON_KRB5_CONF_DIR
+krb5_include_d: /var/lib/sss/pubconf/krb5.include.d/ #paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
+krb5_packages: krb5-workstation
+
+krb5_realm:
+krb5_servers:
+krb5_dns_lookup_realm: "false"
+krb5_dns_lookup_kdc: "false"
+krb5_default_ccache_name: KEYRING:persistent:%{uid}
+
+krb5_pkinit_anchors: FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
+krb5_pkinit_pool: FILE:/var/lib/ipa-client/pki/ca-bundle.pem
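Review bot: `krb5_realm:` and `krb5_servers:` are bare keys, so the role ships null defaults instead of leaving the variables undefined; `{{ krb5_realm | upper }}` in the template then renders the literal `NONE` rather than failing, and the `for server in krb5_servers` loop raises on a null value — either way the caller gets no clear message that these are required. Either drop the two keys and document them as required inputs, or keep them and guard with an `assert` task before templating. `krb5_packages: krb5-workstation` is also a plain scalar here while `vars/default.yml` declares the same variable as a list; `with_items` loops once over a string so it works, but the two files should agree, e.g. `krb5_packages: [krb5-workstation]`. The trailing `#paths.…` comments need two spaces before `#` and a space after it to satisfy yamllint.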
diff --git a/roles/krb5/meta/main.yml b/roles/krb5/meta/main.yml
new file mode 100644
index 00000000..e63afec2
--- /dev/null
+++ b/roles/krb5/meta/main.yml
@@ -0,0 +1,12 @@
+galaxy_info:
+  author: Thomas Woerner
+  description: A role to configure krb5
+  company: Red Hat, Inc
+
+  license: GPLv2+
+
+  min_ansible_version: 2.0
+
+  galaxy_tags: [ 'identity', 'ipa']
+
+dependencies: []
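Review bot: `min_ansible_version: 2.0` is parsed as a float, so the value Galaxy sees is `2.0` and a future `2.10` would collapse to `2.1`; quote it as `min_ansible_version: "2.0"`. The flow list `[ 'identity', 'ipa']` has uneven spacing and the file lacks the `---` document start the other role files use; `galaxy_tags: ['identity', 'ipa']` keeps it consistent.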
diff --git a/roles/krb5/tasks/main.yml b/roles/krb5/tasks/main.yml
new file mode 100644
index 00000000..722678b0
--- /dev/null
+++ b/roles/krb5/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Install {{ krb5_packages }}
+  package: name="{{ item }}" state=present
+  with_items: "{{ krb5_packages }}"
+
+# No backup in ipa-client-install mode
+#- name: Backup {{ krb5_conf }}
+#  copy:
+#    src: "{{ krb5_conf }}"
+#    dest: "{{ krb5_conf }}.bkp"
+#    force: no
+
+- name: Template krb5.conf
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+    backup: yes
+    owner: root
+    group: root
+    mode: 0644
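Review bot: The template task hard-codes `dest: /etc/krb5.conf` even though `defaults/main.yml` defines `krb5_conf` for exactly that path, so overriding the variable has no effect; use `dest: "{{ krb5_conf }}"`. Nothing checks that `krb5_realm` and `krb5_servers` are set before the file is written, and with `dns_lookup_kdc = false` in the template a run with an empty server list would replace a working `/etc/krb5.conf` with one that has no KDC at all, so an `assert` task before templating is worth adding. Minor style: `backup: yes` should be `backup: true` (yamllint `truthy`), and the `package:` step should use block YAML arguments rather than the `name="…" state=present` string form.
```yaml
- name: Check that a realm and at least one KDC are configured
  assert:
    that:
      - krb5_realm is defined and krb5_realm
      - krb5_servers is defined and krb5_servers | length > 0
    msg: "krb5_realm and krb5_servers must be set for the krb5 role"

- name: Install {{ krb5_packages }}
  package:
    name: "{{ item }}"
    state: present
  with_items: "{{ krb5_packages }}"

# … unchanged: commented-out backup task …

- name: Template krb5.conf
  template:
    src: krb5.conf.j2
    dest: "{{ krb5_conf }}"
    backup: true
    owner: root
    group: root
    mode: 0644
```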
diff --git a/roles/krb5/templates/krb5.conf.j2 b/roles/krb5/templates/krb5.conf.j2
new file mode 100644
index 00000000..2401bd84
--- /dev/null
+++ b/roles/krb5/templates/krb5.conf.j2
@@ -0,0 +1,31 @@
+includedir {{ krb5_conf_d }}
+includedir {{ krb5_include_d }}
+
+[libdefaults]
+  default_realm = {{ krb5_realm | upper }}
+  dns_lookup_realm = {{ krb5_dns_lookup_realm }}
+  dns_lookup_kdc = {{ krb5_dns_lookup_kdc }}
+  rdns = false
+  dns_canonicalize_hostname = false
+  ticket_lifetime = 24h
+  forwardable = true
+  udp_preference_limit = 0
+  default_ccache_name = {{ krb5_default_ccache_name }}
+
+[realms]
+  {{ krb5_realm | upper }} = {
+{% for server in krb5_servers %}
+    kdc = {{ server }}:88
+    master_kdc = {{ server }}:88
+    admin_server = {{ server }}:749
+    kpasswd_server = {{ server }}:464
+{% endfor %}
+    default_domain = {{ krb5_realm | lower }}
+    pkinit_anchors = {{ krb5_pkinit_anchors }}
+    pkinit_pool = {{ krb5_pkinit_pool }}
+  }
+
+[domain_realm]
+  .{{ krb5_realm | lower }} = {{ krb5_realm | upper }}
+  {{ krb5_realm | lower }} = {{ krb5_realm | upper }}
+  {{ ansible_host | lower }} = {{ krb5_realm | upper }}
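Review bot: The last `[domain_realm]` entry maps `{{ ansible_host | lower }}` to the realm, but `ansible_host` is the inventory connection address (often an IP or an alias), not the host's Kerberos name; `ansible_fqdn` looks like what is intended here — worth confirming against how the role is invoked. The second `includedir {{ krb5_include_d }}` points at an sssd-owned directory that this role does not install; if that directory is absent on the host, libkrb5 may reject the whole profile, so either create it or make the line conditional. The `rdns = false` and `dns_canonicalize_hostname = false` settings are the right choice, since they stop a spoofed DNS answer from changing which service principal the client asks for; a short `# keep these false: they prevent DNS-driven principal rewriting` comment above them would protect them from being "cleaned up" later. `forwardable = true` and `ticket_lifetime = 24h` are fixed for every deployment; exposing them as role variables with these defaults would let stricter sites tighten them without editing the template.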
diff --git a/roles/krb5/vars/default.yml b/roles/krb5/vars/default.yml
new file mode 100644
index 00000000..fa18717b
--- /dev/null
+++ b/roles/krb5/vars/default.yml
@@ -0,0 +1,2 @@
+krb5_packages:
+  - krb5-workstation
-- 
GitLab