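---
# Kerberos / LDAP / SSSD login configuration for managed hosts.
# NOTE(review): assumes the play runs with root privileges (root-owned files,
# service restarts) — confirm in the calling playbook.

- name: install libpam-csc
  apt:
    name: libpam-csc
    state: latest

- name: install required aptitude packages
  # One apt transaction for the whole list instead of one per item.
  apt:
    name:
      - krb5-user
      - ldap-utils
      - sssd
      - sssd-tools
      - kstart
      - sudo
    state: latest

- name: install ubuntu sss pam and nss
  apt:
    name:
      - libnss-sss
      - libpam-sss
    state: latest
  when: ansible_distribution == 'Ubuntu'

- name: copy over auth and ssh configs
  # Permissions are applied in the same step as the copy, so sssd.conf is
  # never left world-readable between a copy and a later chmod.  sshd_config is
  # syntax-checked before it replaces the live file so a typo cannot lock out
  # remote access when ssh is restarted below.
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "{{ item.mode | default(omit) }}"
    validate: "{{ item.validate | default(omit) }}"
  register: auth_configs
  with_items:
    - { src: 'krb5.conf', dest: '/etc/krb5.conf' }
    - { src: 'ldap.conf', dest: '/etc/ldap/ldap.conf' }
    - { src: 'sssd.conf', dest: '/etc/sssd/sssd.conf', mode: '0600' }
    - { src: 'sshd_config', dest: '/etc/ssh/sshd_config', validate: '/usr/sbin/sshd -t -f %s' }
    - { src: 'ssh_config', dest: '/etc/ssh/ssh_config' }
    - { src: 'GlobalSign_Intermediate_Root_SHA256_G2.pem', dest: '/etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem' }
    - { src: 'k5login', dest: '/root/.k5login' }
    - { src: 'ssh_known_hosts', dest: '/etc/ssh/ssh_known_hosts' }

- name: configure PAM account checks
  # Both machine classes share the same block; only the final decision differs:
  # syscom machines deny everyone outside the syscom group, regular machines
  # defer the decision to pam_csc.
  vars:
    pam_account_decision: "{{ 'pam_deny.so' if 'syscom' in group_names else 'pam_csc.so' }}"
  blockinfile:
    dest: /etc/pam.d/common-account
    block: |
      # make sure user is up to date, except system accounts and syscom
      account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
      account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
      account required {{ pam_account_decision }}

- name: restart services
  # Only bounce the daemons when one of their config files actually changed;
  # the sshd_config was validated above, so the ssh restart is safe.
  service:
    name: "{{ item }}"
    state: restarted
  when: auth_configs.changed
  with_items:
    - sssd
    - ssh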