Rename some roles to make ansible-lint happy.

roles/lanclient/defaults/main.yml

@@ -0,0 +1,7 @@
+lan_homes: /home/lan
+basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
+ldap_server: ldap
+krb_server: kerberos
+nfs_server: nfs
+min_id_sssd: 5000
+max_id_sssd: 20000

roles/lanclient/handlers/main.yml

@@ -0,0 +1,15 @@
+- name: restart sssd
+  service: name=sssd state=restarted enabled=yes
+  listen: "restart sssd"
+
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+  listen: "reload systemd"
+
+- name: restart rpc-gssd
+  systemd:
+    name: rpc-gssd
+    daemon_reload: true
+    state: restarted
+  notify: "restart rpc-gssd"

roles/lanclient/tasks/main.yml

@@ -0,0 +1,99 @@
+---
+- name: check if domain name is available
+  fail: msg="The machine's domain must not be empty."
+  when: ansible_domain | length == 0
+
+- name: preseed krb5-config realm
+  debconf:
+    name: krb5-config
+    question: krb5-config/default_realm
+    value: "{{ ansible_domain | upper }}"
+    vtype: string
+
+- name: preseed krb5-config kerberos servers
+  debconf:
+    name: krb5-config
+    question: krb5-config/kerberos_servers
+    value: "{{ krb_server }}"
+    vtype: string
+
+- name: preseed krb5-config admin server
+  debconf:
+    name: krb5-config
+    question: krb5-config/admin_server
+    value: "{{ krb_server }}"
+    vtype: string
+
+- name: install needed packages
+  apt:
+    name:
+      - krb5-config
+      - krb5-user
+      - sssd-krb5
+      - sssd-ldap
+      - nfs-common
+    state: latest # noqa package-latest
+
+- name: add URI to ldap.conf
+  lineinfile:
+    dest: /etc/ldap/ldap.conf
+    line: "URI ldap://ldap/"
+    insertafter: "#URI.*"
+
+- name: add BASE to ldap.conf
+  lineinfile:
+    dest: /etc/ldap/ldap.conf
+    line: "BASE {{ basedn }}"
+    insertafter: "#BASE.*"
+
+- name: enable pam_umask
+  lineinfile:
+    dest: /etc/pam.d/common-session
+    line: "session optional pam_umask.so usergroups"
+
+## oddjob-mkhomedir works only with sec=sys for the NFSv4 share
+
+- name: provide identities from directory
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+
+## Activate machine after installation:
+- name: create machine principals
+  command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
+  register: kerberize_result
+  with_items:
+    - nfs
+    - host
+  changed_when: kerberize_result.stderr is not search('already exists while creating')
+  no_log: true
+  when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
+
+- name: remove old keytab
+  file:
+    path: /etc/krb5.keytab
+    state: absent
+  when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
+
+- name: add principals to keytab
+  command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
+  with_items:
+    - nfs
+    - host
+  args:
+  no_log: true
+  notify: "restart rpc-gssd"
+  when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
+
+
+- name: make sure the home mount directory exists
+  file: path={{ lan_homes }} state=directory recurse=yes
+
+- name: automount
+  lineinfile:
+    dest: /etc/fstab
+    line: "{{ nfs_server }}:/home  {{ lan_homes }}  nfs4  sec=krb5p,_netdev,noauto,x-systemd.automount,x-systemd.idle-timeout=60  0  0"
+  notify: reload systemd
+  when: not run_in_installer|default(false)|bool

roles/lanclient/templates/sssd.conf.j2

@@ -0,0 +1,22 @@
+[sssd]
+domains = LDAP
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://{{ ldap_server }}/
+ldap_search_base = {{ basedn }}
+
+auth_provider = krb5
+krb5_server = {{ krb_server }}
+krb5_realm = {{ ansible_domain | upper }}
+cache_credentials = true
+
+min_id = {{ min_id_sssd }}
+max_id = {{ max_id_sssd }}