Updated with ipaclient setup and bootstrap

roles/debian-freeipa-client/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+ipa_realm: "example.com"
+ipa_server: freeipa.example.com

roles/debian-freeipa-client/files/backup_excludes

@@ -0,0 +1,2 @@
+- lastlog
+- faillog

roles/debian-freeipa-client/files/mkhomedir

@@ -0,0 +1,8 @@
+Name: Create home directory during login
+Default: yes
+Priority: 127
+
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+        required pam_mkhomedir.so skel=/etc/skel/ umask=0022

roles/debian-freeipa-client/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+- name: restart sssd
+  service: name=sssd state=restarted
+
+- name: restart sshd
+  service: name=sshd state=restarted
+
+- name: execute pam-auth-update
+  command: pam-auth-update --package
+
+- name: restart ntp
+  service: name=ntp state=restarted

roles/debian-freeipa-client/tasks/main.yml

@@ -0,0 +1,135 @@
+---
+
+- name: install kerberoes user utility
+  package:
+    name: krb5-user
+    state: present
+
+- name: check if we have a cached kerberos ticket
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: klist
+  run_once: yes
+  changed_when: false
+
+- name: check if the host exists in the directory
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: flock /tmp/ansible-lock ipa host-show {{ ansible_fqdn }}
+  register: host_show
+  failed_when: host_show.rc == 1
+  changed_when: false
+
+- name: create the host principal
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: flock /tmp/ansible-lock ipa host-add {{ ansible_fqdn }} --force
+            --sshpubkey \"{{ ansible_ssh_host_key_rsa_public }}\"
+            --os {{ ansible_distribution }}
+  when: host_show.rc != 0
+  tags: [install]
+
+- name: check if /etc/krb5.keytab exists
+  stat: path=/etc/krb5.keytab
+  register: keytab
+
+- name: generate the host keytab
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: flock /tmp/ansible-lock /usr/sbin/ipa-getkeytab -s {{ ipa_server }} -p host/{{ ansible_fqdn }} -k /tmp/{{ ansible_hostname }}.keytab
+  when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
+  tags: [install]
+
+- name: transfer the keytab over to the IPA client
+  synchronize:
+    src: /tmp/{{ ansible_hostname }}.keytab
+    dest: /etc/krb5.keytab
+    archive: no
+    ssh_args: -l root
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
+  notify: restart sssd
+  tags: [install]
+
+- name: remove the keytab file on the FreeIPA server
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  file:
+    path: /tmp/{{ ansible_hostname }}.keytab
+    state: absent
+  tags: [install]
+
+- name: create the directory /etc/sssd
+  file:
+    path: /etc/sssd
+    state: directory
+
+- name: configure sssd
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+  tags: [configure]
+
+- name: install sssd
+  apt: name=sssd state=present
+  tags: [install]
+
+- name: automatically create user home directories
+  copy:
+    src: mkhomedir
+    dest: /usr/share/pam-configs/mkhomedir
+  notify: execute pam-auth-update
+
+- name: configure krb5
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+  tags: [configure]
+
+- name: set AuthorizedKeysCommand for sshd
+  lineinfile:
+    regexp: AuthorizedKeysCommand\b
+    line: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+    dest: /etc/ssh/sshd_config
+  notify: restart sshd
+  tags: [configure]
+
+- name: set AuthorizedKeysCommandUser for sshd
+  lineinfile:
+    regexp: AuthorizedKeysCommandUser
+    line: AuthorizedKeysCommandUser nobody
+    dest: /etc/ssh/sshd_config
+  notify: restart sshd
+  tags: [configure]
+
+- name: set GlobalKnownHostsFile for ssh
+  lineinfile:
+    regexp: GlobalKnownHostsFile
+    line: GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
+    dest: /etc/ssh/ssh_config
+
+- name: set ProxyCommand for ssh
+  lineinfile:
+    regexp: ProxyCommand
+    line: ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
+    dest: /etc/ssh/ssh_config
+  tags: [configure]
+
+- name: start and enable sssd
+  service: name=sssd state=started enabled=yes
+  tags: [serve]
+
+- name: exclude lastlog and faillog from backups
+  copy:
+    src: backup_excludes
+    dest: /var/log/.backup
+  tags: [configure]

roles/debian-freeipa-client/templates/krb5.conf.j2

@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+includedir /var/lib/sss/pubconf/krb5.include.d/
+
+[libdefaults]
+  default_realm = {{ ipa_realm }}
+  dns_lookup_realm = false
+  dns_lookup_kdc = false
+  rdns = false
+  dns_canonicalize_hostname = false
+  ticket_lifetime = 24h
+  forwardable = true
+  
+
+[realms]
+  {{ ipa_realm |upper }} = {
+    kdc = {{ ipa_server }}:88
+    master_kdc = {{ ipa_server }}:88
+    admin_server = {{ ipa_server }}:749
+    kpasswd_server = {{ ipa_server }}:464
+    default_domain = {{ bind_localdomain }}
+  }
+
+
+[domain_realm]
+  .{{ bind_localdomain }} = {{ ipa_realm |upper}}
+  {{ bind_localdomain }} = {{ ipa_realm |upper}}
+
+[logging]
+default = FILE:/var/log/krb5libs.log
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmin.log

roles/debian-freeipa-client/templates/sssd.conf.j2

@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo, ssh
+domains = {{ ipa_realm }}
+
+[nss]
+
+[pam]
+
+[ssh]
+
+[sudo]
+
+[domain/{{ ipa_realm }}]
+cache_credentials = true
+krb5_store_password_if_offline = true
+id_provider = ipa
+auth_provider = ipa
+access_provider = ipa
+chpass_provider = ipa
+ldap_tls_cacert = /etc/ipa/ca.crt
+ipa_hostname = {{ ansible_fqdn }}

roles/lightbulb-ansiblered-deck

@@ -0,0 +1 @@
+/Users/ptoal/Dev/lightbulb-ansiblered-deck

roles/toal-common/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 # Ensure that virtual guests have the guest tools installed.
+- block:
   - name: Guest Tools Repository
     rhsm_repository:
       name: rhel-7-server-rh-common-rpms
@@ -9,7 +10,7 @@
     yum:
       name: ovirt-guest-agent
       state: present
-    when: ansible_virtualization_type == "RHEV"
     notify: Ovirt Agent Restart
+  when: ansible_virtualization_type == "RHEV"