Draft implementation of sambox-client.

2021-04-09 10:17:45 +02:00 · 2021-04-09 10:17:45 +02:00 · e55997a01c
commit e55997a01c
parent e5ae626936
10 changed files with 152 additions and 7 deletions
--- a/roles/smb-sshfs-client/defaults/main.yml
+++ b/roles/smb-sshfs-client/defaults/main.yml
@ -0,0 +1,5 @@
+basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
+ldap_server: sambox
+home_server: sambox
+min_id_sssd: 5000
+max_id_sssd: 20000
--- a/roles/smb-sshfs-client/handlers/main.yml
+++ b/roles/smb-sshfs-client/handlers/main.yml
@ -0,0 +1,9 @@
+- name: restart sssd
+  service: name=sssd state=restarted enabled=yes
+  listen: "restart sssd"
+
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+  listen: "reload systemd"
+
--- a/roles/smb-sshfs-client/tasks/main.yml
+++ b/roles/smb-sshfs-client/tasks/main.yml
@ -0,0 +1,58 @@
+---
+- fail: msg="The machine's domain must not be empty."
+  when: ansible_domain | length == 0
+
+- name: install needed packages
+  apt:
+    name:
+      - sssd-ldap
+      - libpam-mount  
+      - cifs-utils
+      - sshfs  
+    state: latest
+
+- name: add URI to ldap.conf
+  lineinfile:
+    dest: /etc/ldap/ldap.conf
+    line: "URI ldap://ldap/"
+    insertafter: "#URI.*"
+
+- name: add BASE to ldap.conf
+  lineinfile:
+    dest: /etc/ldap/ldap.conf
+    line: "BASE {{ basedn }}"
+    insertafter: "#BASE.*"
+
+- name: enable pam_umask
+  lineinfile:
+    dest: /etc/pam.d/common-session
+    line: "session optional	pam_umask.so usergroups"
+
+- name: provide identities from directory
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+
+- name: configure pam_mount
+  blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    block: |
+      <!-- volume
+        fstype="cifs"
+        server="{{ home_server }}"
+        path="%(USER)"
+        mountpoint="/home/lan/%(USER)"
+        options="dir_mode=0750,file_mode=0640"
+      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user></or></not></volume -->
+      <volume
+        fstype="fuse"
+        path="sshfs#%(USER)@{{ home_server }}:"
+        mountpoint="/home/lan/%(USER)"
+        options="allow_other,default_permissions,reconnect,password_stdin"
+        ssh="0" noroot="0"
+      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user></or></not></volume>
+    insertafter: "<!-- Volume definitions -->"
+
+
--- a/roles/smb-sshfs-client/templates/sssd.conf.j2
+++ b/roles/smb-sshfs-client/templates/sssd.conf.j2
@ -0,0 +1,22 @@
+[sssd]
+domains = LDAP
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://{{ ldap_server }}/
+ldap_search_base = {{ basedn }}
+
+auth_provider = ldap
+cache_credentials = true
+
+min_id = {{ min_id_sssd }}
+max_id = {{ max_id_sssd }}
+
+ldap_tls_reqcert = allow