From 0d648cc57066defd7320d747619dc916df659fed Mon Sep 17 00:00:00 2001
From: Ken Fong
Date: Wed, 23 Jan 2019 16:50:07 +0800
Subject: [PATCH] first commit
---
 README.md | 39 +++++++++++++++
 tasks/main.yml | 128 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 167 insertions(+)
 create mode 100644 README.md
 create mode 100644 tasks/main.yml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b866891
--- /dev/null
+++ b/README.md
@@ -0,0 +1,39 @@
+# Ansible role for joining AD with adcli URL: https://xpk.headdesk.me/git/xpk/role.adcli.git
+
+Note that ad_netbios_name will default to inventory hostname if not supplied. That said, hostname must be specified in the inventory file.
+
+Writes adcli output to /var/log/adcli.log
+
+## Required variables:
+- ad_domain
+- ad_dc1
+- ad_dc2
+- ad_joinusr
+- ad_joinpw
+
+## Optional variable:
+- ad_sudoers_group
+- ad_netbios_name (note this is a host variable, useful when hostname is longer than the netbios limit of 15 characters)
+
+## Sample playbook utilizing this role
+```
+- name: Join stupid AD
+ hosts: a-hostname-with-more-than-15-characters
+ become: yes
+ roles:
+ - role: adcli
+ vars:
+ - ad_domain: foo.local
+ - ad_dc1: 192.168.1.10
+ - ad_dc2: 192.168.1.11
+ - ad_joinusr: adjoin
+ - ad_joinpw: adjoin-password
+ - ad_sudoers_group: linuxadmins
+```
+
+## Sample inventory
+```
+a-hostname-with-more-than-15-characters ansible_host=192.168.1.101 ad_netbios_name=shorterMe
+```
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..b5f51ad
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,128 @@
+- name: Install packages
+ yum:
+ name:
+ - rkhunter
+ - ksh
+ - adcli
+ - sssd
+ - authconfig
+ - krb5-workstation
+ - oddjob-mkhomedir
+ - sssd-tools
+ state: latest
+
+- name: Delete existing keytab
+ file:
+ path: /etc/krb5.keytab
+ state: deleted
+ ignore_errors: yes
+
+- name: Wipe existing resolv.conf
+ copy:
+ content: ''
+ dest: /etc/resolv.conf
+
+- name: Create resolv.conf
+ blockinfile:
+ path: /etc/resolv.conf
+ marker: "###...{mark} adcli {mark}...###"
+ block: |
+ domain {{ ad_domain }}
+ nameserver {{ ad_dc1 }}
+ nameserver {{ ad_dc2 }}
+
+- name: Create parent home directory for ad users
+ file:
+ state: directory
+ path: "/home/{{ ad_domain }}"
+ mode: 0755
+
+- name: Wipe existing krb5.conf
+ copy:
+ content: ''
+ dest: /etc/krb5.conf
+ backup: yes
+
+- name: Create krb5.conf
+ blockinfile:
+ path: /etc/krb5.conf
+ marker: "###...{mark} adcli {mark}...###"
+ block: |
+ [libdefaults]
+ rdns = false
+ default_realm = {{ ad_domain|upper }}
+ dns_lookup_realm = true
+ dns_lookup_kdc = true
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+- name: Join AD
+ shell: echo '{{ ad_joinpw }}' | adcli join --verbose --domain={{ ad_domain|upper }} -U {{ ad_joinusr }} --computer-name={{ ad_netbios_name | default(inventory_hostname) }} --stdin-password 2>&1 | tee /var/log/adcli.log
+
+- name: Run authconfig
+ shell: authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
+
+- name: Wipe existing sssd.conf
+ copy:
+ content: ''
+ dest: /etc/sssd/sssd.conf
+ backup: yes
+
+- name: Create sssd.conf
+ blockinfile:
+ path: /etc/sssd/sssd.conf
+ mode: 0600
+ marker: "###...{mark} adcli {mark}...###"
+ block: |
+ [sssd]
+ services = nss, pam, ssh, autofs
+ config_file_version = 2
+ domains = {{ ad_domain|upper }}
+ [nss]
+ filter_groups = dpadmin
+ [domain/{{ ad_domain|upper }}]
+ id_provider = ad
+ default_shell = /bin/bash
+ override_homedir = /home/%u
+ create_homedir = true
+ homedir_umask = 077
+ use_fully_qualified_names = false
+ ad_hostname = "{{ ad_netbios_name }}$"
+
+- name: Start sssd service
+ service:
+ name: "{{ item }}"
+ state: started
+ enabled: yes
+ with_items:
+ - sssd
+ - oddjobd
+
+- name: Enable password auth on sshd
+ replace:
+ path: /etc/ssh/sshd_config
+ regexp: '^PasswordAuthentication.*$'
+ replace: 'PasswordAuthentication yes'
+
+- name: Restart sshd
+ service:
+ name: sshd
+ state: restarted
+
+- name: Add client group to sudoers
+ lineinfile:
+ path: /etc/sudoers.d/ad_sudoers
+ line: '%{{ ad_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
+ state: present
+ create: yes
+ when: ad_sudoers_group != ""
+
+- name: Check if {{ ad_joinusr }}@{{ ad_domain }} exists
+ shell: id {{ ad_joinusr }}@{{ ad_domain }}
+ register: idOut
+
+- debug:
+ var: idOut.stdout_lines
+
+
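Review bot: The `Join AD` task puts `ad_joinpw` on the shell command line (`echo '{{ ad_joinpw }}' | adcli join ... --stdin-password`), so the join password is visible in the process list while the command runs and in Ansible's task output and logs, and the command breaks if the password contains a single quote; feed it through the module's `stdin` argument and mark the task `no_log: true`, as below, which keeps the documented /var/log/adcli.log output. `state: deleted` in `Delete existing keytab` is not a valid `file` state (`absent` is), and `ignore_errors: yes` hides the resulting failure, so the old keytab is never removed. `when: ad_sudoers_group != ""` errors when the variable is undefined although the README lists it as optional — use `when: ad_sudoers_group is defined and ad_sudoers_group != ""` — and the sudoers drop-in should carry `mode: '0440'` and `validate: '/usr/sbin/visudo -cf %s'` so a malformed line cannot disable sudo on the host. In `Create sssd.conf`, `ad_hostname = "{{ ad_netbios_name }}$"` lacks the `default(inventory_hostname)` fallback the join task uses, so hosts that rely on that default fail to template.
```yaml
- name: Join AD
  shell: >-
    adcli join --verbose --domain={{ ad_domain|upper }} -U {{ ad_joinusr }}
    --computer-name={{ ad_netbios_name | default(inventory_hostname) }}
    --stdin-password 2>&1 | tee /var/log/adcli.log
  args:
    stdin: "{{ ad_joinpw }}"
  no_log: true
```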