---
# Play 1: block until every inventory host answers over its connection
# plugin, so the later plays do not fail on machines still booting.
- name: wait for the systems to be available
  hosts: all
  gather_facts: false
  become: false
  tasks:
    - name: wait for system to become available
      wait_for_connection:
        # up to one hour for freshly provisioned systems to come up
        timeout: 3600
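# Play 2: patch the IPA host, reboot it when the updated packages require it,
# install/configure the FreeIPA server and make sure its DNS can resolve the
# AD domain (a prerequisite for the cross-forest trust).
- name: setup ipa server
  hosts: ipa01.linux.lab
  become: false
  gather_facts: true
  tasks:
    - name: update centos
      package:
        name: "*"
        state: latest

    # provides needs-restarting, used by the reboot check below
    - name: install yum-utils
      package:
        name: yum-utils
        state: present

    # needs-restarting -r exits 0 when no reboot is needed and 1 when one is;
    # only exit codes above 1 are real errors.
    - name: check for reboot
      command: needs-restarting -r
      register: needsrestarting
      changed_when: false
      failed_when: needsrestarting['rc'] > 1

    - name: reboot when needed
      reboot:
      when: needsrestarting['rc'] == 1

    # NOTE: the `warn` argument was removed from the command module in
    # ansible-core 2.14; drop the args block when running on that version or
    # later, otherwise the task fails on argument validation.
    - name: enable idm module
      command: dnf module enable idm:DL1 -y
      args:
        warn: false

    - name: configure ipa server
      include_role:
        name: ipaserver

    # no_log keeps the admin credential out of verbose task output and callback
    # logs. It also hides the module's error text on failure, so remove it
    # temporarily when debugging this task.
    - name: ensure the dnsforwardzone has an entry for the ms-ad-dns
      ipadnsforwardzone:
        ipaadmin_principal: "{{ ipaadmin_principal }}"
        ipaadmin_password: "{{ ipaadmin_password }}"
        state: present
        name: "{{ ad_domain }}"
        forwarders: "{{ ad_dns_servers }}"
        forwardpolicy: first
        skip_overlap_check: true
      no_log: true

    # The ipaserver role normally already takes care of this, but it is vital:
    # AD DNS does not sign its zones by default and a trust cannot be set up
    # when the AD domain does not resolve. Kept as a safety net for setups
    # that did not use the same ipaserver configuration.
    # Risk: this turns DNSSEC validation off for every zone named resolves,
    # not only the AD forward zone, so answers from any upstream are accepted
    # unverified.
    - name: ensure dnsseq validation is off
      lineinfile:
        path: /etc/named.conf
        backrefs: true
        regexp: "(^.*dnssec-validation) yes(;.*$)"
        line: \1 no;
      notify: restart named-pkcs11

  handlers:
    - name: restart named-pkcs11
      service:
        name: named-pkcs11
        state: restarted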
# Play 3: update the Windows host, run the common and domain configuration
# roles, then wire AD DNS and IPA DNS together so the trust can be established.
- name: update windows and configure ad domain
  hosts: ad01.windows.lab
  become: false
  gather_facts: true
  tasks:
    - name: call update windows ( this will take a very long time )
      include_role:
        name: update_windows

    - name: call common window configuration
      include_role:
        name: windows_common_configuration

    - name: call windows_domain_configuration
      include_role:
        name: windows_domain_configuration

    # This one is not needed
    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/c1987d42-1847-4cc9-acf7-aab2136d6952
    #- name: add SRV record _kerberos._udp.{{ ad_domain }} to ad dns
    #  win_shell: >-
    #    if ( -not ( Resolve-DnsName -Name _kerberos._udp.dc._msdcs.{{ ad_domain }} -Type SRV )) {
    #    Add-DnsServerResourceRecord -Srv -Name "_kerberos._udp.dc" -ZoneName "_msdcs.{{ ad_domain }}"
    #    -DomainName "{{ inventory_hostname }}" -Priority 0 -Weight 100 -Port 88
    #    }

    # This one is optional: tickets issued by AD DCs carry an MS-PAC, which
    # makes them too big for UDP packets, so Kerberos switches to TCP almost
    # immediately anyway.
    # The folded scalar (>-) joins the lines below into one PowerShell
    # statement. The Jinja values are spliced verbatim into that command line;
    # they come from inventory/vars, so keep them operator-controlled.
    # NOTE(review): the guard only skips the Add when the record already
    # resolves; with no changed_when the task reports "changed" on every run.
    - name: add SRV record _kerberos._udp.{{ ad_domain }} to ad dns
      win_shell: >-
        if ( -not ( Resolve-DnsName -Name _kerberos._udp.{{ ad_domain }} -Type SRV )) {
        Add-DnsServerResourceRecord -Srv -Name "_kerberos._udp" -ZoneName "{{ ad_domain }}"
        -DomainName "{{ inventory_hostname }}" -Priority 0 -Weight 100 -Port 88
        }

    # Address of the first host in the ipaserver group. ansible_default_ipv4
    # is only available because facts were gathered for that host earlier.
    - name: set masterservers var
      set_fact:
        masterservers: "{{ hostvars[groups['ipaserver'][0]]['ansible_default_ipv4']['address'] }}"

    # NOTE(review): the guard resolves the IPA host name as an SRV record,
    # which looks like it was meant to test whether the conditional forwarder
    # zone for ipaserver_domain already exists — confirm. If the check is
    # never true, the Add re-runs every time and may fail once the zone exists.
    - name: add conditional forwarder to ad dns
      win_shell: >-
        if ( -not ( Resolve-DnsName -Name {{ groups['ipaserver'][0] }} -Type SRV )) {
        Add-DnsServerConditionalForwarderZone -MasterServers {{ masterservers }} -Name {{ ipaserver_domain }}
        }

    - name: done message
      debug:
        msg: "done, you can now test the ad-trust module"