ansible-playbooks/roles/auth/tasks/main.yml


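---
# Role tasks: install the Kerberos/LDAP/SSSD client stack, push the auth and
# SSH configuration files, wire PAM account checks, then restart the daemons.
# Ansible argument strings (key=value) have been expanded into native YAML so
# values such as file modes are typed explicitly.

- name: install libpam-csc
  apt:
    name: libpam-csc
    state: latest

- name: install required aptitude packages
  apt:
    name: "{{ item }}"
    state: latest
  with_items:
    - krb5-user
    - ldap-utils
    - sssd
    - sssd-tools
    - kstart
    - sudo

# The sss NSS/PAM modules are only installed on Ubuntu hosts.
- name: install ubuntu sss pam and nss
  apt:
    name: "{{ item }}"
    state: latest
  when: ansible_distribution == 'Ubuntu'
  with_items:
    - libnss-sss
    - libpam-sss

# Per-item `mode` and `validate` fall back to `omit` so items that do not set
# them behave exactly as before. sssd.conf is written root-only from the start
# instead of sitting with default umask permissions until the fix-up task
# below runs. sshd_config is syntax-checked (`sshd -t`) against the temporary
# copy before it replaces the live file, so a broken config cannot be
# activated by the ssh restart at the end of this role.
- name: copy over auth and ssh configs
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode | default(omit) }}"
    validate: "{{ item.validate | default(omit) }}"
  with_items:
    - src: krb5.conf
      dest: /etc/krb5.conf
    - src: ldap.conf
      dest: /etc/ldap/ldap.conf
    - src: sssd.conf
      dest: /etc/sssd/sssd.conf
      mode: "0600"
    - src: sshd_config
      dest: /etc/ssh/sshd_config
      validate: /usr/sbin/sshd -t -f %s
    - src: ssh_config
      dest: /etc/ssh/ssh_config
    - src: GlobalSign_Intermediate_Root_SHA256_G2.pem
      dest: /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
    - src: k5login
      dest: /root/.k5login
    - src: ssh_known_hosts
      dest: /etc/ssh/ssh_known_hosts

# Kept as a belt-and-braces step: also corrects owner/group on a pre-existing
# file. Mode is quoted so YAML does not read it as an octal integer.
- name: make sssd.conf accessable only by root
  file:
    path: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: "0600"

# PAM account stack: system accounts (uid < 10000) skip the next two lines;
# members of the syscom group skip the final line. Everyone else hits the
# final line, which denies access on syscom hosts and runs pam_csc on all
# other hosts.
- name: configure PAM for syscom machine
  when: "'syscom' in group_names"
  blockinfile:
    dest: /etc/pam.d/common-account
    block: |
      # make sure user is up to date, except system accounts and syscom
      account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
      account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
      account required pam_deny.so

- name: configure PAM for regular machine
  when: "'syscom' not in group_names"
  blockinfile:
    dest: /etc/pam.d/common-account
    block: |
      # make sure user is up to date, except system accounts and syscom
      account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
      account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
      account required pam_csc.so

# NOTE(review): both daemons are restarted on every run, even when no file or
# PAM block changed above. A handler notified by the copy/blockinfile tasks
# would avoid needless restarts; left as-is because handlers live outside
# this file.
- name: restart services
  service:
    name: "{{ item }}"
    state: restarted
  with_items:
    - sssd
    - ssh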