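---
# tasks file for ipaclient
#
# Enrolls this host as an IPA client:
#   1. install the client package
#   2. discover servers/realm/domain (registered as `ipadiscovery`)
#   3. when neither ipaclient_password nor ipaclient_keytab is set, fetch a
#      one-time password (OTP) from a server so the host can enroll
#   4. join the realm, then configure default.conf, SSSD, krb5, the NSS
#      database and the remaining extras from the discovery results.
#
# Variables read here (inventory or role defaults): ipaclient_package,
# ipaclient_domain, ipaclient_realm, ipaclient_force_join,
# ipaclient_principal, ipaclient_password, ipaclient_keytab,
# ipaclient_kinit_attempts, ipaclient_mkhomedir, ipaclient_ntp,
# ipaserver_principal, ipaserver_password, ipaserver_keytab,
# ipaserver_lifetime and the `ipaservers` inventory group.

- name: Install - Install IPA client package
  package:
    name: "{{ ipaclient_package }}"
    state: present

# Discovery is run in check mode only; every later task takes its servers,
# domain, realm, kdc, basedn and hostname from the registered result.
- name: Install - IPA discovery
  ipadiscovery:
    domain: "{{ ipaclient_domain | default(omit) }}"
    servers: "{{ groups.ipaservers | default(omit) }}"
    realm: "{{ ipaclient_realm | default(omit) }}"
    hostname: "{{ ansible_fqdn }}"
    check: true
  register: ipadiscovery

# The following block is executed when using OTP to enroll the IPA client,
# i.e. when neither ipaclient_password nor ipaclient_keytab is set.
# It connects to an IPA server and adds the host with the --random option
# in order to create a one-time password.
- block:
    - name: Install - Get a One-Time Password for client enrollment
      ipahost:
        state: present
        principal: "{{ ipaserver_principal | default('admin') }}"
        password: "{{ ipaserver_password | default(omit) }}"
        keytab: "{{ ipaserver_keytab | default(omit) }}"
        fqdn: "{{ ansible_fqdn }}"
        lifetime: "{{ ipaserver_lifetime | default(omit) }}"
        random: true
      register: ipahost_output
      # The registered result carries the freshly generated OTP
      # (host.randompassword) and the admin credentials passed above; keep
      # both out of the play output and logs. Note that no_log also hides
      # the error text when the task fails, so debug a failure here by
      # temporarily disabling it rather than by reading the play output.
      no_log: true
      # If the host is already enrolled, this command will exit on error.
      # That specific error can be ignored; `default('')` keeps the test
      # from raising on a failure result that carries no `msg` at all.
      failed_when: >-
        ipahost_output is failed and
        "Password cannot be set on enrolled host" not in (ipahost_output.msg | default(''))
      delegate_to: "{{ ipadiscovery.servers[0] }}"

    # 'dummyotp' is the placeholder used when no OTP was returned (the
    # already-enrolled case above). NOTE(review): ipaclient_otp is set here
    # but none of the tasks in this file pass it on; confirm which task
    # consumes it.
    - name: Install - Store the previously obtained OTP
      set_fact:
        ipaclient_otp: "{{ipahost_output.host.randompassword if ipahost_output.host is defined else 'dummyotp' }}"
      no_log: true
  when: ipaclient_password is not defined and ipaclient_keytab is not defined

- name: Install - Join IPA
  ipajoin:
    servers: "{{ ipadiscovery.servers }}"
    domain: "{{ ipadiscovery.domain }}"
    realm: "{{ ipadiscovery.realm }}"
    kdc: "{{ ipadiscovery.kdc }}"
    basedn: "{{ ipadiscovery.basedn }}"
    hostname: "{{ ipadiscovery.hostname }}"
    force_join: "{{ ipaclient_force_join | default(omit) }}"
    principal: "{{ ipaclient_principal | default(omit) }}"
    password: "{{ ipaclient_password | default(omit) }}"
    keytab: "{{ ipaclient_keytab | default(omit) }}"
    # ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
    kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"

- name: Install - Configure IPA default.conf
  include_role:
    name: ipaconf
  vars:
    ipaconf_server: "{{ ipadiscovery.servers[0] }}"
    ipaconf_domain: "{{ ipadiscovery.domain }}"
    ipaconf_realm: "{{ ipadiscovery.realm }}"
    ipaconf_hostname: "{{ ipadiscovery.hostname }}"
    ipaconf_basedn: "{{ ipadiscovery.basedn }}"

- name: Install - Configure SSSD
  sssd:
    servers: "{{ ipadiscovery.servers }}"
    domain: "{{ ipadiscovery.domain }}"
    realm: "{{ ipadiscovery.realm }}"
    hostname: "{{ ipadiscovery.hostname }}"
    services: ["ssh", "sudo"]
    krb5_offline_passwords: true
    # Options the module accepts but this role does not set:
    # on_master: no
    # primary: no
    # permit: no
    # dns_updates: no
    # all_ip_addresses: no

# When discovery found working DNS SRV records (dnsok), krb5 is told to
# locate the realm and KDCs via DNS and gets no static server list;
# otherwise the discovered servers are written into krb5.conf.
# The krb5 role expects the string values 'true'/'false' here.
- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }}"
  include_role:
    name: krb5
  vars:
    krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
    krb5_realm: "{{ ipadiscovery.realm }}"
    krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
    krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
    krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"

# Registered as `ipaapi`; its ca_enabled flag feeds the NSS database step.
- name: Install - IPA API calls for remaining enrollment parts
  ipaapi:
    servers: "{{ ipadiscovery.servers }}"
    realm: "{{ ipadiscovery.realm }}"
    hostname: "{{ ipadiscovery.hostname }}"
    # debug: yes
  register: ipaapi

- name: Install - Create IPA NSS database
  ipanss:
    servers: "{{ ipadiscovery.servers }}"
    domain: "{{ ipadiscovery.domain }}"
    realm: "{{ ipadiscovery.realm }}"
    basedn: "{{ ipadiscovery.basedn }}"
    hostname: "{{ ipadiscovery.hostname }}"
    subject_base: "{{ ipadiscovery.subject_base }}"
    principal: "{{ ipaclient_principal | default(omit) }}"
    mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
    ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
    # on_master: no

- name: Install - IPA extras configuration
  ipaextras:
    servers: "{{ ipadiscovery.servers }}"
    domain: "{{ ipadiscovery.domain }}"
    ntp_servers: "{{ ipadiscovery.ntp_servers }}"
    ntp: "{{ ipaclient_ntp | default(omit) }}"
    # Options the module accepts but this role does not set:
    # force_ntpd: no
    # sssd: yes
    # ssh: yes
    # trust_sshfp: yes
    # sshd: yes
    # automount_location:
    # firefox: no
    # firefox_dir:
    # no_nisdomain: no
    # nisdomain:
    # on_master: no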