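---
# Tasks for a Kerberos KDC replica: install the KDC packages, pull the
# database stash key and host keytab from the primary, and run kpropd so
# the primary can push database updates to us.
- name: Install packages
  package:
    name:
      - krb5-kdc
      - krb5-kpropd
    state: present

# This is the key to decrypt the database pushed by the primary.  The
# primary exposes it base64-encoded (the `.content` of what is presumably
# a slurp result -- confirm against the primary's tasks).  `no_log` keeps
# the key out of the Ansible output/log, and `umask 077` means the file is
# never readable by other users, even for the moment before the next task
# sets its ownership and mode.
- name: Install stash file from primary
  shell:
    cmd: 'umask 077; echo "{{ hostvars[groups["kerberos-kdc-primary"][0]]["kerberos_kdc_stash_file_contents"].content }}" | base64 -d > /etc/krb5kdc/stash'
    creates: '/etc/krb5kdc/stash'
  no_log: true

- name: Ensure stash file permissions
  file:
    path: /etc/krb5kdc/stash
    owner: root
    group: root
    mode: '0600'

# Use the admin user to write out our host keytab.  The admin password is
# passed on kadmin's command line, so it is visible in this host's process
# list for the duration of the call; `no_log` at least keeps it out of the
# Ansible output/log.  `creates` makes the task a no-op once the keytab
# exists.
- name: Create host keytab
  shell:
    cmd: |
      echo "ktadd host/{{ inventory_hostname }}" | kadmin -p admin/admin -w '{{ hostvars[groups["kerberos-kdc-primary"][0]]["kerberos_kdc_admin_password"] }}'
    creates: '/etc/krb5.keytab'
  no_log: true

# This specifies servers that are allowed to send us updates;
# i.e. the primary server
- name: Install kpropd ACL
  template:
    src: 'kpropd.acl.j2'
    dest: '/etc/krb5kdc/kpropd.acl'
    mode: '0644'
    owner: root
    group: root

- name: Install kpropd service
  copy:
    src: krb5-kpropd.service
    dest: /etc/systemd/system/krb5-kpropd.service
    mode: '0644'
    owner: root
    group: root
  register: _kpropd_service_installed

# systemd only picks up a new/changed unit file after a daemon-reload, so
# do it exactly when the previous task actually wrote the file.
- name: Reload systemd
  systemd:
    daemon_reload: true
  when: _kpropd_service_installed.changed

- name: Ensure kpropd running
  systemd:
    state: started
    name: krb5-kpropd
    enabled: true

# Note we can't start until replicas are distributed; the main
# service-kerberos.yaml playbook handles this.
- name: Ensure krb5-kdc is enabled
  systemd:
    name: krb5-kdc
    enabled: true
    masked: false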