Implement lmn-sssd and lmn-mount roles.

roles/lmn-mount/defaults/main.yml

@@ -0,0 +1,2 @@
+smb_server: "server"
+smb_home: "default-school/teachers/%(DOMAIN_USER)"

roles/lmn-mount/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: install needed packages
+  apt:
+    name:
+      - libpam-mount
+      - cifs-utils
+    state: latest
+
+- name: configure pam_mount
+  blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    block: |
+      <volume
+        fstype="cifs"
+        server="{{ smb_server }}"
+        path="{{ smb_home }}"
+        mountpoint="/home/%(DOMAIN_USER)"
+        options="sec=krb5i,vers=3.0,cruid=%(USERUID),user=%(USER)"
+      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not></volume>
+    insertafter: "<!-- Volume definitions -->"

roles/lmn-sssd/handlers/main.yml

@@ -0,0 +1,3 @@
+- name: restart sssd
+  service: name=sssd state=restarted enabled=yes
+  listen: "restart sssd"

roles/lmn-sssd/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: install needed packages
+  apt:
+    name:
+      - sssd-ad
+      - sssd-tools
+      - adcli
+    state: latest
+
+- name: provide identities from directory
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+
+  ## Either one of the variables is defined:
+- name: join the domain
+  shell:
+    cmd: echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" | adcli join --stdin-password -U global-admin {{ domain | upper }}
+  when: ansible_cmdline.adpw | default('') | length > 0 or adpw.user_input | default('') | length > 0

roles/lmn-sssd/templates/sssd.conf.j2

@@ -0,0 +1,19 @@
+[sssd]
+domains = {{ domain }}
+config_file_version = 2
+
+[domain/{{ domain }}]
+default_shell = /bin/bash
+cache_credentials = True
+krb5_store_password_if_offline = True
+cache_credentials = True
+krb5_realm = {{ domain | upper }}
+id_provider = ad
+override_homedir = /home/%u
+ad_domain = {{ domain }}
+use_fully_qualified_names = False
+ldap_id_mapping = True
+access_provider = ad
+ad_gpo_access_control = permissive
+ad_gpo_ignore_unreadable = True
+ad_maximum_machine_account_password_age = 0