diff --git a/galaxy.yml b/galaxy.yml index 5510238..4ea57e0 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,7 +1,7 @@ --- namespace: trippsc2 name: ad -version: 1.2.5 +version: 1.2.6 readme: README.md authors: - Jim Tarpley diff --git a/roles/authorize_dhcp_server/README.md b/roles/authorize_dhcp_server/README.md index ab1478a..44f18d0 100644 --- a/roles/authorize_dhcp_server/README.md +++ b/roles/authorize_dhcp_server/README.md @@ -1,7 +1,7 @@ # Ansible Role: trippsc2.ad.authorize_dhcp_server -Version: 1.2.5 +Version: 1.2.6 This role authorizes a domain member as a DHCP Server in Active Directory. diff --git a/roles/authorize_dhcp_server/tasks/validate.yml b/roles/authorize_dhcp_server/tasks/validate.yml index e64a35a..d1b03fa 100644 --- a/roles/authorize_dhcp_server/tasks/validate.yml +++ b/roles/authorize_dhcp_server/tasks/validate.yml @@ -1,19 +1,22 @@ --- - name: Gather OS facts when: - - ansible_distribution is not defined + - ansible_distribution is not defined or + ansible_os_family is not defined ansible.builtin.setup: gather_subset: - '!all' - '!min' - distribution + - os_family - name: Validate Windows Server ansible.builtin.assert: that: - - ansible_distribution | regex_search('(Microsoft Windows Server)') - fail_msg: This role only supports Windows Server. - success_msg: This role supports Windows Server. + - ansible_os_family == 'Windows' + - ("Windows Server" in ansible_distribution) + fail_msg: "This role can only be run on a Windows Server system. {{ ansible_distribution }} is not supported." + success_msg: "This role is running on {{ ansible_distribution }}." - name: Validate DHCP DNS Name loop: "{{ dhcp_authorize_servers }}" diff --git a/roles/domain_controller/README.md b/roles/domain_controller/README.md index 18fa013..2846fd9 100644 --- a/roles/domain_controller/README.md +++ b/roles/domain_controller/README.md 
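Review bot: In the `Gather OS facts` task of roles/authorize_dhcp_server/tasks/validate.yml, `os_family` is added to `gather_subset`, but I could not find it among the subsets the Windows setup module accepts, so with `!min` also listed `ansible_os_family` may still be undefined and the new `ansible_os_family == 'Windows'` assertion would then raise an undefined-variable error rather than a clean assert failure; please verify against the setup module, where `ansible_os_family` appears to be populated by the `platform` subset. The same subset list is added to roles/domain_controller/tasks/validate.yml further down in this diff. The `Validate DHCP DNS Name` task that begins at the end of the hunk continues outside it.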
@@ -1,10 +1,18 @@ # Ansible Role: trippsc2.ad.domain_controller -Version: 1.2.5 +Version: 1.2.6 This role configures the Windows Server machine as an Active Directory Domain Controller. +The following scenarios are supported: +- The server is the first domain controller in a new forest. +- The server is an additional domain controller in an existing domain. + +The following scenarios are not supported, but may be added in the future: +- The server is the first domain controller in a child or tree domain in an existing forest. + + ## Requirements | Platform | Versions | @@ -28,25 +36,27 @@ This role configures the Windows Server machine as an Active Directory Domain Co ## Role Arguments |Option|Description|Type|Required|Choices|Default| |---|---|---|---|---|---| -| dc_vault_create_mount_point |

Whether to create the KV version 2 mount point in HashiCorp Vault for the safe mode password.

| bool | no | | true | +| vault_url |

The URL for accessing HashiCorp Vault.

Alternatively, this can be configured through ansible.cfg or environment variables.

| str | no | | | +| vault_token |

The token for accessing HashiCorp Vault.

Alternatively, this (or any other authentication method) can be configured through ansible.cfg or environment variables.

| str | no | | | +| dc_vault_create_mount_point |

Whether to create the KV version 2 mount point in HashiCorp Vault for the safe mode password, if it doesn't exist.

| bool | no | | true | | dc_vault_managed_safe_mode_password |

Whether to manage the safe mode password in HashiCorp Vault.

| bool | no | | true | -| dc_vault_safe_mode_mount_point |

The KV version 2 mount point in HashiCorp Vault for the safe mode password.

| str | no | | os | -| dc_vault_safe_mode_path |

The path within the mount point in HashiCorp Vault for the safe mode password.

| str | no | | {{ inventory_hostname }}/safe_mode | -| dc_safe_mode_password |

The safe mode password for the domain controller.

If `dc_vault_managed_safe_mode_password` is `true`, this value is ignored.

| str | no | | | +| dc_vault_safe_mode_mount_point |

The KV version 2 mount point in HashiCorp Vault for storing the safe mode password.

| str | no | | os | +| dc_vault_safe_mode_path |

The path within the KV version 2 mount point in HashiCorp Vault for storing the safe mode password.

| str | no | | {{ inventory_hostname }}/safe_mode | +| dc_safe_mode_password |

The safe mode password for the domain controller.

If *dc_vault_managed_safe_mode_password* is `true`, this is required.

If *dc_vault_managed_safe_mode_password* is `false` and the secret is already stored in HashiCorp Vault, this is ignored.

If *dc_vault_managed_safe_mode_password* is `false` and the secret is not stored in HashiCorp Vault, this password used and stored in HashiCorp Vault.

| str | no | | | | dc_first_domain_controller |

Whether the server is the first domain controller in the domain.

| bool | no | | false | -| dc_domain_name |

The name of the domain to which the domain controller will belong.

| str | yes | | | -| dc_domain_admin_user |

The user account to use for configuring the domain controller.

| str | yes | | | -| dc_domain_admin_password |

The password for the user account to use for configuring the domain controller.

| str | yes | | | +| dc_domain_name |

The name of the domain for which the server will serve as domain controller.

| str | yes | | | +| dc_domain_admin_user |

The user account to use for configuring the domain controller.

If *dc_first_domain_controller* is `true`, this is ignored.

Otherwise, this is required and the user account must have the necessary permissions to promote the server to a domain controller.

| str | no | | | +| dc_domain_admin_password |

The password for the *dc_domain_admin_user* user account.

| str | no | | | | dc_database_path |

The path to the database files for the domain controller.

| path | no | | C:\Windows\NTDS | | dc_domain_log_path |

The path to the log files for the domain controller.

| path | no | | C:\Windows\Logs | | dc_sysvol_path |

The path to the SYSVOL files for the domain controller.

| path | no | | C:\Windows\SYSVOL | -| dc_dns_forwarders |

A list of DNS forwarders for the domain controller.

| list of 'str' | no | | ["8.8.8.8", "4.2.2.2"] | -| dc_dns_servers |

A list of DNS servers for the domain controller.

| list of 'str' | yes | | | -| dc_is_domain_naming_master |

Whether the domain controller is the domain naming master.

| bool | no | | false | -| dc_is_schema_master |

Whether the domain controller is the schema master.

| bool | no | | false | -| dc_is_infrastructure_master |

Whether the domain controller is the infrastructure master.

| bool | no | | false | -| dc_is_pdc_emulator |

Whether the domain controller is the PDC emulator.

| bool | no | | false | -| dc_is_rid_master |

Whether the domain controller is the RID master.

| bool | no | | false | +| dc_dns_forwarders |

A list of DNS forwarder IP addresses for the domain controller.

| list of 'str' | no | | ["8.8.8.8", "4.2.2.2"] | +| dc_dns_servers |

A list of DNS server IP addresses for the domain controller.

| list of 'str' | yes | | | +| dc_is_domain_naming_master |

Whether the domain controller should hold the Domain Naming Master FSMO role.

| bool | no | | false | +| dc_is_schema_master |

Whether the domain controller should hold the Schema Master FSMO role.

| bool | no | | false | +| dc_is_infrastructure_master |

Whether the domain controller should hold the Infrastructure Master FSMO role.

| bool | no | | false | +| dc_is_pdc_emulator |

Whether the domain controller should hold the PDC Emulator FSMO role.

| bool | no | | false | +| dc_is_rid_master |

Whether the domain controller should hold the RID Master FSMO role.

| bool | no | | false | ## License diff --git a/roles/domain_controller/meta/argument_specs.yml b/roles/domain_controller/meta/argument_specs.yml index 09f2306..407ac07 100644 --- a/roles/domain_controller/meta/argument_specs.yml +++ b/roles/domain_controller/meta/argument_specs.yml @@ -6,12 +6,24 @@ argument_specs: - This role configures the Windows Server machine as an Active Directory Domain Controller. author: Jim Tarpley options: + vault_url: + type: str + required: false + description: + - The URL for accessing HashiCorp Vault. + - Alternatively, this can be configured through ansible.cfg or environment variables. + vault_token: + type: str + required: false + description: + - The token for accessing HashiCorp Vault. + - Alternatively, this (or any other authentication method) can be configured through ansible.cfg or environment variables. dc_vault_create_mount_point: type: bool required: false default: true description: - - Whether to create the KV version 2 mount point in HashiCorp Vault for the safe mode password. + - Whether to create the KV version 2 mount point in HashiCorp Vault for the safe mode password, if it doesn't exist. dc_vault_managed_safe_mode_password: type: bool required: false 
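Review bot: The new `vault_token` option in roles/domain_controller/meta/argument_specs.yml is a credential but carries no `no_log: true`, so if the argument-spec validator reports option values on failure the token can land in play output and logs; add `no_log: true` under the option, assuming the role argument-spec validator honours that key, which I have not confirmed. The same consideration applies to `dc_safe_mode_password` and `dc_domain_admin_password` in this file and to `domjoin_domain_password` in roles/linux_member/meta/argument_specs.yml later in this diff.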
@@ -23,19 +35,21 @@ argument_specs: required: false default: os description: - - The KV version 2 mount point in HashiCorp Vault for the safe mode password. + - The KV version 2 mount point in HashiCorp Vault for storing the safe mode password. dc_vault_safe_mode_path: type: str required: false default: "{{ inventory_hostname }}/safe_mode" description: - - The path within the mount point in HashiCorp Vault for the safe mode password. + - The path within the KV version 2 mount point in HashiCorp Vault for storing the safe mode password. dc_safe_mode_password: type: str required: false description: - The safe mode password for the domain controller. - - If `dc_vault_managed_safe_mode_password` is `true`, this value is ignored. + - If *dc_vault_managed_safe_mode_password* is `true`, this is required. + - If *dc_vault_managed_safe_mode_password* is `false` and the secret is already stored in HashiCorp Vault, this is ignored. + - If *dc_vault_managed_safe_mode_password* is `false` and the secret is not stored in HashiCorp Vault, this password used and stored in HashiCorp Vault. dc_first_domain_controller: type: bool required: false @@ -46,17 +60,19 @@ argument_specs: type: str required: true description: - - The name of the domain to which the domain controller will belong. + - The name of the domain for which the server will serve as domain controller. dc_domain_admin_user: type: str - required: true + required: false description: - The user account to use for configuring the domain controller. + - If *dc_first_domain_controller* is `true`, this is ignored. + - Otherwise, this is required and the user account must have the necessary permissions to promote the server to a domain controller. dc_domain_admin_password: type: str - required: true + required: false description: - - The password for the user account to use for configuring the domain controller. + - The password for the *dc_domain_admin_user* user account. dc_database_path: type: path required: false 
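Review bot: The rewritten `dc_safe_mode_password` description says the value is required when `dc_vault_managed_safe_mode_password` is `true`, but the validation added to roles/domain_controller/tasks/validate.yml in this same commit asserts it only under `when: - not dc_vault_managed_safe_mode_password`, and its fail message reads "must be defined or managed by HashiCorp Vault"; the three sentences appear to have the flag's value swapped. Suggested wording: `- If *dc_vault_managed_safe_mode_password* is false, this is required.`, `- If *dc_vault_managed_safe_mode_password* is true and the secret is already stored in HashiCorp Vault, this is ignored.`, `- If *dc_vault_managed_safe_mode_password* is true and the secret is not stored in HashiCorp Vault, this password is used and stored in HashiCorp Vault.` (the last also fixes the missing "is" in "this password used and stored"). The README hunk for this role carries the same text.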
@@ -83,40 +99,40 @@ argument_specs: - '4.2.2.2' elements: str description: - - A list of DNS forwarders for the domain controller. + - A list of DNS forwarder IP addresses for the domain controller. dc_dns_servers: type: list required: true elements: str description: - - A list of DNS servers for the domain controller. + - A list of DNS server IP addresses for the domain controller. dc_is_domain_naming_master: type: bool required: false default: false description: - - Whether the domain controller is the domain naming master. + - Whether the domain controller should hold the Domain Naming Master FSMO role. dc_is_schema_master: type: bool required: false default: false description: - - Whether the domain controller is the schema master. + - Whether the domain controller should hold the Schema Master FSMO role. dc_is_infrastructure_master: type: bool required: false default: false description: - - Whether the domain controller is the infrastructure master. + - Whether the domain controller should hold the Infrastructure Master FSMO role. dc_is_pdc_emulator: type: bool required: false default: false description: - - Whether the domain controller is the PDC emulator. + - Whether the domain controller should hold the PDC Emulator FSMO role. dc_is_rid_master: type: bool required: false default: false description: - - Whether the domain controller is the RID master. + - Whether the domain controller should hold the RID Master FSMO role. diff --git a/roles/domain_controller/meta/main.yml b/roles/domain_controller/meta/main.yml index 1ef7381..dc8886a 100644 --- a/roles/domain_controller/meta/main.yml +++ b/roles/domain_controller/meta/main.yml 
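Review bot: The `dc_dns_forwarders` and `dc_dns_servers` descriptions are rewritten to "IP addresses", but the `Validate DNS forwarder` and `Validate DNS server` tasks added to roles/domain_controller/tasks/validate.yml in this commit accept only `ansible.utils.ipv4`, so an IPv6 entry passes the spec and then fails validation. Either state the restriction, `- A list of DNS forwarder IPv4 addresses for the domain controller.` and `- A list of DNS server IPv4 addresses for the domain controller.`, or widen the validation to `ansible.utils.ip` if IPv6 is meant to be supported.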
@@ -3,7 +3,15 @@ galaxy_info: author: Jim Tarpley namespace: trippsc2 role_name: domain_controller - description: This role configures the Windows Server machine as an Active Directory Domain Controller. + description: | + This role configures the Windows Server machine as an Active Directory Domain Controller. + + The following scenarios are supported: + - The server is the first domain controller in a new forest. + - The server is an additional domain controller in an existing domain. + + The following scenarios are not supported, but may be added in the future: + - The server is the first domain controller in a child or tree domain in an existing forest. license: MIT diff --git a/roles/domain_controller/molecule/default/prepare.yml b/roles/domain_controller/molecule/default/prepare.yml index f4a5ec4..a92140d 100644 --- a/roles/domain_controller/molecule/default/prepare.yml +++ b/roles/domain_controller/molecule/default/prepare.yml @@ -17,27 +17,5 @@ - name: Prepare Vault server hosts: - vault - pre_tasks: - - name: Bootstrap python for Ansible - become: true - ansible.builtin.raw: | - command -v python3 python || ( - command -v apk >/dev/null && sudo apk add --no-progress --update python3 || - (test -e /usr/bin/dnf && sudo dnf install -y python3) || - (test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) || - (test -e /usr/bin/yum && sudo yum -y -qq install python3) || - (test -e /usr/sbin/pkg && sudo env ASSUME_ALWAYS_YES=yes pkg update && sudo env ASSUME_ALWAYS_YES=yes pkg install python3) || - (test -e /usr/sbin/pkg_add && sudo /usr/sbin/pkg_add -U -I -x python%3.7) || - echo "Warning: Python not bootstrapped due to unknown platform." - ) - changed_when: false roles: - role: trippsc2.hashi_vault.testing - tasks: - - name: Create secret engine - delegate_to: localhost - trippsc2.hashi_vault.vault_kv2_secret_engine: - token: "{{ vault_token }}" - url: "{{ vault_url }}" - engine_mount_point: os - state: present 
diff --git a/roles/domain_controller/molecule/default/verify.yml b/roles/domain_controller/molecule/default/verify.yml index fa5b9a3..5b3731f 100644 --- a/roles/domain_controller/molecule/default/verify.yml +++ b/roles/domain_controller/molecule/default/verify.yml @@ -22,7 +22,7 @@ - name: Verify that the domain controller is promoted ansible.builtin.assert: that: - - ansible_windows_domain_role | regex_search('(domain controller)') + - ("domain controller" in ansible_windows_domain_role) - ansible_windows_domain == 'test.loc' fail_msg: The domain controller is not promoted. success_msg: The domain controller is promoted. diff --git a/roles/domain_controller/molecule/new/prepare.yml b/roles/domain_controller/molecule/new/prepare.yml index d00a556..d930c4d 100644 --- a/roles/domain_controller/molecule/new/prepare.yml +++ b/roles/domain_controller/molecule/new/prepare.yml @@ -2,28 +2,5 @@ - name: Prepare Vault server hosts: - vault - gather_facts: false - pre_tasks: - - name: Bootstrap python for Ansible - become: true - ansible.builtin.raw: | - command -v python3 python || ( - command -v apk >/dev/null && sudo apk add --no-progress --update python3 || - (test -e /usr/bin/dnf && sudo dnf install -y python3) || - (test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) || - (test -e /usr/bin/yum && sudo yum -y -qq install python3) || - (test -e /usr/sbin/pkg && sudo env ASSUME_ALWAYS_YES=yes pkg update && sudo env ASSUME_ALWAYS_YES=yes pkg install python3) || - (test -e /usr/sbin/pkg_add && sudo /usr/sbin/pkg_add -U -I -x python%3.7) || - echo "Warning: Python not bootstrapped due to unknown platform." - ) - changed_when: false roles: - role: trippsc2.hashi_vault.testing - tasks: - - name: Create secret engine - delegate_to: localhost - trippsc2.hashi_vault.vault_kv2_secret_engine: - token: "{{ vault_token }}" - url: "{{ vault_url }}" - engine_mount_point: os - state: present 
diff --git a/roles/domain_controller/molecule/new/verify.yml b/roles/domain_controller/molecule/new/verify.yml index 196bffa..a8b372d 100644 --- a/roles/domain_controller/molecule/new/verify.yml +++ b/roles/domain_controller/molecule/new/verify.yml @@ -22,7 +22,7 @@ - name: Verify that the domain controller is promoted ansible.builtin.assert: that: - - ansible_windows_domain_role | regex_search('(domain controller)') + - ("domain controller" in ansible_windows_domain_role) - ansible_windows_domain == 'test.loc' fail_msg: The domain controller is not promoted. success_msg: The domain controller is promoted. diff --git a/roles/domain_controller/tasks/validate.yml b/roles/domain_controller/tasks/validate.yml index 952b18c..7c4b2f8 100644 --- a/roles/domain_controller/tasks/validate.yml +++ b/roles/domain_controller/tasks/validate.yml 
@@ -5,37 +5,87 @@ ansible_os_family is not defined or ansible_windows_domain_member is not defined ansible.builtin.setup: + gather_subset: + - '!all' + - '!min' + - distribution + - os_family + - windows_domain - name: Validate OS ansible.builtin.assert: that: - ansible_os_family == 'Windows' - - ansible_distribution | regex_search('(Windows Server)') - fail_msg: "This role can only be run on Windows Server system. {{ ansible_distribution }} is not supported." + - ("Windows Server" in ansible_distribution) + fail_msg: "This role can only be run on a Windows Server system. {{ ansible_distribution }} is not supported." success_msg: "This role is running on {{ ansible_distribution }}." -- name: Verify facts are defined +- name: Validate Vault URI + when: + - dc_vault_managed_safe_mode_password + - vault_url is defined ansible.builtin.assert: that: - - ansible_windows_domain_member is defined - fail_msg: Information could not be gathered regarding domain membership. - success_msg: Domain membership information is available. + - vault_url is uri(schemes=['http', 'https']) + fail_msg: "The 'vault_url' variable must be defined as a valid HTTP/HTTPS URL. Value: {{ vault_url }}" + success_msg: "The 'vault_url' variable is defined as a valid HTTP/HTTPS URL." -- name: Ensure machine is already a domain member +- name: Validate that the safe mode password is defined + when: + - not dc_vault_managed_safe_mode_password + ansible.builtin.assert: + that: + - dc_safe_mode_password is defined + fail_msg: "The 'dc_safe_mode_password' variable must be defined or managed by HashiCorp Vault." + success_msg: "The 'dc_safe_mode_password' is defined. Value: {{ dc_safe_mode_password }}" + +- name: Validate domain name + ansible.builtin.assert: + that: + - dc_domain_name is community.general.fqdn_valid + fail_msg: "The 'dc_domain_name' variable must be defined as a valid FQDN. Value: {{ dc_domain_name }}" + success_msg: "The 'dc_domain_name' variable is defined as a valid FQDN." 
+ +- name: Validate system is already a domain member when: - not dc_first_domain_controller ansible.builtin.assert: that: - ansible_windows_domain_member - ansible_windows_domain == dc_domain_name - fail_msg: "This machine is not a domain member of {{ dc_domain_name }}." - success_msg: "This machine is a domain member of {{ dc_domain_name }}." + fail_msg: "This system is not a domain member of {{ dc_domain_name }}." + success_msg: "This system is a domain member of {{ dc_domain_name }}." -- name: Ensure that either the safe mode password is defined +- name: Validate domain admin user is defined when: - - not dc_vault_managed_safe_mode_password + - not dc_first_domain_controller ansible.builtin.assert: that: - - dc_safe_mode_password is defined - fail_msg: "The 'dc_safe_mode_password' variable must be defined." - success_msg: "The 'dc_safe_mode_password' is defined. Value: {{ dc_safe_mode_password }}" + - dc_domain_admin_user is defined + fail_msg: "The 'dc_domain_admin_user' variable must be defined." + success_msg: "The 'dc_domain_admin_user' variable is defined." + +- name: Validate domain admin password is defined + when: + - not dc_first_domain_controller + ansible.builtin.assert: + that: + - dc_domain_admin_password is defined + fail_msg: "The 'dc_domain_admin_password' variable must be defined." + success_msg: "The 'dc_domain_admin_password' variable is defined." + +- name: Validate DNS forwarder + loop: "{{ dc_dns_forwarders }}" + ansible.builtin.assert: + that: + - item is ansible.utils.ipv4 + fail_msg: "{{ item }} is not a valid IPv4 address." + success_msg: "{{ item }} is a valid IPv4 address." + +- name: Validate DNS server + loop: "{{ dc_dns_servers }}" + ansible.builtin.assert: + that: + - item is ansible.utils.ipv4 + fail_msg: "{{ item }} is not a valid IPv4 address." + success_msg: "{{ item }} is a valid IPv4 address." diff --git a/roles/linux_member/README.md b/roles/linux_member/README.md index 531cc96..90ffb0e 100644 
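Review bot: The `Validate that the safe mode password is defined` task in roles/domain_controller/tasks/validate.yml renders the DSRM password into its output, `success_msg: "The 'dc_safe_mode_password' is defined. Value: {{ dc_safe_mode_password }}"`, so the secret is written to the play log and any callback or CI artifact; the old task had the same line and the commit carries it over unchanged. Drop the value from the message, `success_msg: "The 'dc_safe_mode_password' variable is defined."`, matching the style of the new `dc_domain_admin_password` task below it, and consider `no_log: true` on the task. Separately, the `Validate DNS forwarder` and `Validate DNS server` tasks only accept `ansible.utils.ipv4`, which silently rules out IPv6 resolvers if that is not intended.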
--- a/roles/linux_member/README.md +++ b/roles/linux_member/README.md @@ -1,9 +1,12 @@ # Ansible Role: trippsc2.ad.linux_member -Version: 1.2.5 +Version: 1.2.6 + +This role joins a Linux system to an Active Directory domain. + +Before running this role, the system should use be able to resolve the AD domain name and domain controllers via DNS. -This role joins a Linux machine to a Windows domain. ## Requirements @@ -22,22 +25,22 @@ This role joins a Linux machine to a Windows domain. ## Role Arguments |Option|Description|Type|Required|Choices|Default| |---|---|---|---|---|---| -| domjoin_domain_name |

The name of the domain to which the Linux machine will be joined.

| str | yes | | | -| domjoin_computer_ou |

The OU in which the computer account will be created.

This is the distinguished name of the OU relative to the base of the domain (e.g. 'OU=Linux' not 'OU=Linux,DC=test,DC=loc').

| str | no | | | -| domjoin_domain_user |

The user account to use for joining the Linux machine to the domain.

| str | yes | | | -| domjoin_domain_password |

The password for the domain user account.

| str | yes | | | -| domjoin_override_space |

The character used to override spaces in user or group names.

| str | no | | | -| domjoin_default_shell |

The default shell for domain users.

| str | no | | /bin/bash | +| domjoin_domain_name |

The name of the AD domain to which the Linux system will be joined.

| str | yes | | | +| domjoin_computer_ou |

The OU in which the computer account will be created.

This is the distinguished name of the OU relative to the base of the domain (e.g. `OU=Linux` not `OU=Linux,DC=test,DC=loc`).

| str | no | | | +| domjoin_domain_user |

The user account to be used to authenticate to the AD domain for joining the Linux machine.

| str | yes | | | +| domjoin_domain_password |

The password for the *domjoin_domain_user* user account.

| str | yes | | | +| domjoin_override_space |

The character used to override spaces in AD user or group names.

| str | no | | | +| domjoin_default_shell |

The default shell for domain users.

| path | no | | /bin/bash | | domjoin_use_fully_qualified_names |

Whether to use fully qualified names for domain users and groups.

| bool | no | | true | -| domjoin_fallback_homedir |

The fallback home directory for domain users.

| str | no | | /home/%u@%d | -| domjoin_enable_gc |

Whether to enable the Global Catalog for the domain.

If disabled, trust relationships with other domains will not be available, but logins will be faster.

| bool | no | | false | -| domjoin_gpo_access_control |

The access control mode for Group Policy Objects.

See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad for details.

| str | no | | disabled | -| domjoin_sudoers_users |

A list of domain users who should be added to the sudoers file.

Space characters in the user names will be replaced with the character specified in `domjoin_override_space`.

| list of 'str' | no | | | -| domjoin_sudoers_groups |

A list of domain groups who should be added to the sudoers file.

Space characters in the user names will be replaced with the character specified in `domjoin_override_space`.

| list of 'str' | no | | | -| domjoin_add_ssh_allowusers |

A list of domain users who should be added to the AllowUsers directive in the SSH configuration.

Space characters in the user names will be replaced with the character specified in `domjoin_override_space`.

If no users are currently in the AllowUsers directive, the directive will **not** be created.

| list of 'str' | no | | | -| domjoin_add_ssh_allowgroups |

A list of domain groups who should be added to the AllowGroups directive in the SSH configuration.

Space characters in the group names will be replaced with the character specified in `domjoin_override_space`.

If no groups are currently in the AllowGroups directive, the directive will **not** be created.

| list of 'str' | no | | | -| domjoin_add_ssh_denyusers |

A list of domain users who should be added to the DenyUsers directive in the SSH configuration.

Space characters in the user names will be replaced with the character specified in `domjoin_override_space`.

| list of 'str' | no | | | -| domjoin_add_ssh_denygroups |

A list of domain groups who should be added to the DenyGroups directive in the SSH configuration.

Space characters in the group names will be replaced with the character specified in `domjoin_override_space`.

| list of 'str' | no | | | +| domjoin_fallback_homedir |

The template for the home directory of domain users.

The following variables can be used: %u - the username, %d - the fully qualified domain name

| str | no | | /home/%u@%d | +| domjoin_enable_gc |

Whether to enable the Global Catalog for the domain.

If disabled, users and groups from trusted domains will not be recognized by the Linux system.

Disabling the Global Catalog can improve performance when there are many trusted domains.

| bool | no | | false | +| domjoin_gpo_access_control |

The access control mode for Group Policy Objects.

See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad for details.

| str | no | | disabled | +| domjoin_sudoers_users |

A list of domain users who should be added to the sudoers file.

This should be a list of user names only, not fully qualified names. (e.g. `jdoe` not `TEST\jdoe` or `jdoe@test.loc`)

Spaces in the user names will be escaped automatically in the config file. (e.g. `jdoe test` becomes `jdoe\ test`)

Spaces should not be replaced by the *domjoin_override_space* character. (e.g. If *domjoin_override_space* is `_`, use `jdoe test` not `jdoe_test`)

If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically. (e.g. `jdoe` becomes `jdoe@test.loc`)

| list of 'str' | no | | | +| domjoin_sudoers_groups |

A list of domain groups who should be added to the sudoers file.

This should be a list of user names only, not fully qualified names. (e.g. `linux` not `TEST\linux` or `linux@test.loc`)

The group names will be prefixed with a `%` symbol automatically in the config file. (e.g. `linux` becomes `%linux`)

Spaces in the user names will be escaped automatically in the config file. (e.g. `Domain Admins` becomes `Domain\ Admins`)

Spaces should not be replaced by the *domjoin_override_space* character. (e.g. If *domjoin_override_space* is `_`, use `Domain Admins` not `Domain_Admins`)

If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically.

| list of 'str' | no | | | +| domjoin_add_ssh_allowusers |

A list of domain users who should be added to the AllowUsers directive in the SSH configuration.

This should be a list of user names only, not fully qualified names. (e.g. `jdoe` not `TEST\jdoe` or `jdoe@test.loc`)

Space characters in the user names will be replaced with the character specified in *domjoin_override_space* automatically. (e.g. If *domjoin_override_space* is `_`, `jdoe test` becomes `jdoe_test`)

If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically. (e.g. `jdoe` becomes `jdoe@test.loc`)

If no users are currently in the AllowUsers directive, the directive will **not** be created for safety reasons.

| list of 'str' | no | | | +| domjoin_add_ssh_allowgroups |

A list of domain groups who should be added to the AllowGroups directive in the SSH configuration.

This should be a list of user names only, not fully qualified names. (e.g. `Domain Admins` not `TEST\Domain Admins` or `Domain Admins@test.loc`)

Space characters in the user names will be replaced with the character specified in *domjoin_override_space* automatically. (e.g. If *domjoin_override_space* is `_`, `Domain Admins` becomes `Domain_Admins`)

If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically.

If no groups are currently in the AllowGroups directive, the directive will **not** be created.

| list of 'str' | no | | | +| domjoin_add_ssh_denyusers |

A list of domain users who should be added to the DenyUsers directive in the SSH configuration.

This should be a list of user names only, not fully qualified names (e.g. `jdoe` not `TEST\jdoe` or `jdoe@test.loc`).

Space characters in the user names will be replaced with the character specified in *domjoin_override_space* automatically. (e.g. If *domjoin_override_space* is `_`, `jdoe test` becomes `jdoe_test`)

If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically.

| list of 'str' | no | | | +| domjoin_add_ssh_denygroups |

A list of domain groups who should be added to the DenyGroups directive in the SSH configuration.

This should be a list of user names only, not fully qualified names. (e.g. `Domain Admins` not `TEST\Domain Admins` or `Domain Admins@test.loc`)

Space characters in the user names will be replaced with the character specified in *domjoin_override_space* automatically. (e.g. If *domjoin_override_space* is `_`, `Domain Admins` becomes `Domain_Admins`)

If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically.

| list of 'str' | no | | | ## License diff --git a/roles/linux_member/meta/argument_specs.yml b/roles/linux_member/meta/argument_specs.yml index be4751a..12fad6e 100644 --- a/roles/linux_member/meta/argument_specs.yml +++ b/roles/linux_member/meta/argument_specs.yml @@ -3,37 +3,37 @@ argument_specs: main: short_description: Linux Domain Join description: - - This role joins a Linux machine to a Windows domain. + - This role joins a Linux system to an Active Directory domain. author: Jim Tarpley options: domjoin_domain_name: type: str required: true description: - - The name of the domain to which the Linux machine will be joined. + - The name of the AD domain to which the Linux system will be joined. domjoin_computer_ou: type: str required: false description: - The OU in which the computer account will be created. - - This is the distinguished name of the OU relative to the base of the domain (e.g. 'OU=Linux' not 'OU=Linux,DC=test,DC=loc'). + - This is the distinguished name of the OU relative to the base of the domain (e.g. `OU=Linux` not `OU=Linux,DC=test,DC=loc`). domjoin_domain_user: type: str required: true description: - - The user account to use for joining the Linux machine to the domain. + - The user account to be used to authenticate to the AD domain for joining the Linux machine. domjoin_domain_password: type: str required: true description: - - The password for the domain user account. + - The password for the *domjoin_domain_user* user account. domjoin_override_space: type: str required: false description: - - The character used to override spaces in user or group names. + - The character used to override spaces in AD user or group names. domjoin_default_shell: - type: str + type: path required: false default: /bin/bash description: 
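Review bot: The rewritten `domjoin_domain_user` description in roles/linux_member/meta/argument_specs.yml still says "for joining the Linux machine" while the rest of this hunk replaces "machine" with "system" (`This role joins a Linux system`, `to which the Linux system will be joined`); for consistency use `- The user account to be used to authenticate to the AD domain for joining the Linux system.`. The README hunk above carries the same sentence.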
@@ -49,14 +49,16 @@ argument_specs: required: false default: /home/%u@%d description: - - The fallback home directory for domain users. + - The template for the home directory of domain users. + - 'The following variables can be used: %u - the username, %d - the fully qualified domain name' domjoin_enable_gc: type: bool required: false default: false description: - Whether to enable the Global Catalog for the domain. - - If disabled, trust relationships with other domains will not be available, but logins will be faster. + - If disabled, users and groups from trusted domains will not be recognized by the Linux system. + - Disabling the Global Catalog can improve performance when there are many trusted domains. domjoin_gpo_access_control: type: str required: false 
@@ -67,21 +69,28 @@ argument_specs: - enforcing description: - The access control mode for Group Policy Objects. - - See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad for details. + - 'See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad for details.' domjoin_sudoers_users: type: list required: false elements: str description: - A list of domain users who should be added to the sudoers file. - - Space characters in the user names will be replaced with the character specified in `domjoin_override_space`. + - This should be a list of user names only, not fully qualified names. (e.g. `jdoe` not `TEST\jdoe` or `jdoe@test.loc`) + - Spaces in the user names will be escaped automatically in the config file. (e.g. `jdoe test` becomes `jdoe\ test`) + - Spaces should not be replaced by the *domjoin_override_space* character. (e.g. If *domjoin_override_space* is `_`, use `jdoe test` not `jdoe_test`) + - If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically. (e.g. `jdoe` becomes `jdoe@test.loc`) domjoin_sudoers_groups: type: list required: false elements: str description: - A list of domain groups who should be added to the sudoers file. - - Space characters in the user names will be replaced with the character specified in `domjoin_override_space`. + - This should be a list of user names only, not fully qualified names. (e.g. 
`linux` not `TEST\linux` or `linux@test.loc`) + - The group names will be prefixed with a `%` symbol automatically in the config file. (e.g. `linux` becomes `%linux`) + - Spaces in the user names will be escaped automatically in the config file. (e.g. `Domain Admins` becomes `Domain\ Admins`) + - Spaces should not be replaced by the *domjoin_override_space* character. (e.g. If *domjoin_override_space* is `_`, use `Domain Admins` not `Domain_Admins`) + - If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically. domjoin_add_ssh_allowusers: type: list required: false @@ -89,8 +98,10 @@ argument_specs: elements: str description: - A list of domain users who should be added to the AllowUsers directive in the SSH configuration. - - Space characters in the user names will be replaced with the character specified in `domjoin_override_space`. - - If no users are currently in the AllowUsers directive, the directive will **not** be created. + - This should be a list of user names only, not fully qualified names. (e.g. `jdoe` not `TEST\jdoe` or `jdoe@test.loc`) + - Space characters in the user names will be replaced with the character specified in *domjoin_override_space* automatically. (e.g. If *domjoin_override_space* is `_`, `jdoe test` becomes `jdoe_test`) + - If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically. (e.g. `jdoe` becomes `jdoe@test.loc`) + - If no users are currently in the AllowUsers directive, the directive will **not** be created for safety reasons. domjoin_add_ssh_allowgroups: type: list required: false 
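Review bot: The new `domjoin_sudoers_groups` description says "This should be a list of user names only" and "Spaces in the user names will be escaped" although the option holds group names; change both to `- This should be a list of group names only, not fully qualified names.` and `- Spaces in the group names will be escaped automatically in the config file.`. Because this option grants sudo, the description should also state what rule each entry produces (for example whether it is `ALL=(ALL) ALL` and whether `NOPASSWD` is set); the hunk does not show that and a user cannot tell from the spec. The `%` prefix and backslash-escaped space (`%Domain\ Admins`) do match sudoers syntax.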
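Review bot: "will **not** be created for safety reasons" in the `domjoin_add_ssh_allowusers` description leaves the reason to the reader, and the reason is the only thing preventing a lockout; spell it out: `- If no AllowUsers directive exists, none is created: a new AllowUsers list containing only these domain users would deny SSH to every local account, including the one Ansible connects as.`. Whether the task also checks that the connecting user stays allowed when the directive already exists is not visible in this hunk and would be worth a sentence either way.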
@@ -98,7 +109,9 @@ argument_specs: elements: str description: - A list of domain groups who should be added to the AllowGroups directive in the SSH configuration. - - Space characters in the group names will be replaced with the character specified in `domjoin_override_space`. + - This should be a list of user names only, not fully qualified names. (e.g. `Domain Admins` not `TEST\Domain Admins` or `Domain Admins@test.loc`) + - Space characters in the user names will be replaced with the character specified in *domjoin_override_space* automatically. (e.g. If *domjoin_override_space* is `_`, `Domain Admins` becomes `Domain_Admins`) + - If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically. - If no groups are currently in the AllowGroups directive, the directive will **not** be created. domjoin_add_ssh_denyusers: type: list @@ -107,7 +120,9 @@ argument_specs: elements: str description: - A list of domain users who should be added to the DenyUsers directive in the SSH configuration. - - Space characters in the user names will be replaced with the character specified in `domjoin_override_space`. + - This should be a list of user names only, not fully qualified names (e.g. `jdoe` not `TEST\jdoe` or `jdoe@test.loc`). + - Space characters in the user names will be replaced with the character specified in *domjoin_override_space* automatically. (e.g. If *domjoin_override_space* is `_`, `jdoe test` becomes `jdoe_test`) + - If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically. domjoin_add_ssh_denygroups: type: list required: false 
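Review bot: The `domjoin_add_ssh_allowgroups` description now says "a list of user names" and "Space characters in the user names" for an option that holds group names; the removed line it replaces correctly said "group names", so restore that wording: `- This should be a list of group names only, not fully qualified names.` and `- Space characters in the group names will be replaced with the character specified in *domjoin_override_space* automatically.`. It would also help to note that sshd matches AllowGroups against the group name as the system resolves it, so the substituted name in the example must be what SSSD presents (what `getent group` shows), which the spec alone cannot guarantee.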
@@ -115,4 +130,6 @@ argument_specs: elements: str description: - A list of domain groups who should be added to the DenyGroups directive in the SSH configuration. - - Space characters in the group names will be replaced with the character specified in `domjoin_override_space`. + - This should be a list of user names only, not fully qualified names. (e.g. `Domain Admins` not `TEST\Domain Admins` or `Domain Admins@test.loc`) + - Space characters in the user names will be replaced with the character specified in *domjoin_override_space* automatically. (e.g. If *domjoin_override_space* is `_`, `Domain Admins` becomes `Domain_Admins`) + - If *domjoin_use_fully_qualified_names* is `true`, the domain name suffix will be added automatically. diff --git a/roles/linux_member/meta/main.yml b/roles/linux_member/meta/main.yml index 65fe8cb..e578d7a 100644 --- a/roles/linux_member/meta/main.yml +++ b/roles/linux_member/meta/main.yml @@ -3,7 +3,10 @@ galaxy_info: author: Jim Tarpley namespace: trippsc2 role_name: linux_member - description: This role joins a Linux machine to a Windows domain. + description: | + This role joins a Linux system to an Active Directory domain. + + Before running this role, the system should use be able to resolve the AD domain name and domain controllers via DNS. license: MIT min_ansible_version: '2.14' diff --git a/roles/linux_member/tasks/sssd.yml b/roles/linux_member/tasks/sssd.yml index 2173cb9..862f435 100644 --- a/roles/linux_member/tasks/sssd.yml +++ b/roles/linux_member/tasks/sssd.yml @@ -35,7 +35,7 @@ path: /etc/sssd/sssd.conf section: "domain/{{ domjoin_domain_name | lower }}" option: use_fully_qualified_names - value: "{{ _domjoin_use_fully_qualified_names_value }}" + value: "{{ domjoin_use_fully_qualified_names | ternary('True', 'False') }}" state: present owner: root group: root 
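Review bot: The `domjoin_add_ssh_denygroups` description (and `domjoin_add_ssh_denyusers` in the previous hunk) does not say whether the directive is created when it is absent, while the Allow* options explicitly say it is not; a reader cannot tell if a missing `DenyGroups` line is added or the setting is silently ignored. Add the matching sentence, `- If no DenyGroups directive exists, it will be created.` or its inverse, whichever the task actually does. The same copy-paste "user names" wording for a group list applies here: `- This should be a list of group names only, not fully qualified names.`. Since sshd evaluates the Deny directives before the Allow ones, a sentence saying an allow entry does not override a deny would prevent a common misconfiguration.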
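Review bot: The new multi-line description in `meta/main.yml` contains a typo, "the system should use be able to resolve"; change it to `Before running this role, the system must be able to resolve the AD domain name and its domain controllers via DNS.`. Because realm discovery relies on the domain's DNS SRV records rather than plain host lookup, stating the requirement as "resolve the `_ldap._tcp` and `_kerberos._tcp` SRV records for the domain" makes it something a user can verify before the join.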
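Review bot: `domjoin_use_fully_qualified_names | ternary('True', 'False')` tests Jinja truthiness, so a value supplied as the string `"false"` (inventory, `-e`) writes `use_fully_qualified_names = True` into sssd.conf; as far as I know role argument-spec validation checks the type but does not rewrite the variable, so coerce first: `value: "{{ domjoin_use_fully_qualified_names | bool | ternary('True', 'False') }}"`. The `ad_enable_gc` line in the next hunk has the same shape and wants the same `| bool`. This is not a regression, since the removed `{% if %}` vars behaved identically, but this commit is the natural place to fix it.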
@@ -63,7 +63,7 @@ path: /etc/sssd/sssd.conf section: "domain/{{ domjoin_domain_name | lower }}" option: ad_enable_gc - value: "{{ _domjoin_enable_gc_value }}" + value: "{{ domjoin_enable_gc | ternary('True', 'False') }}" state: present owner: root group: root diff --git a/roles/linux_member/vars/main.yml b/roles/linux_member/vars/main.yml index 97fcd9a..4c590b3 100644 --- a/roles/linux_member/vars/main.yml +++ b/roles/linux_member/vars/main.yml @@ -13,8 +13,3 @@ _domjoin_supported_non_el_distributions: _domjoin_domain_join_command: >- /usr/sbin/realm join --user={{ domjoin_domain_user }} {% if domjoin_computer_ou is defined %}--computer-ou='{{ domjoin_computer_ou }}' {% endif %}{{ domjoin_domain_name | lower }} - -_domjoin_use_fully_qualified_names_value: >- - {% if domjoin_use_fully_qualified_names %}True{% else %}False{% endif %} -_domjoin_enable_gc_value: >- - {% if domjoin_enable_gc %}True{% else %}False{% endif %} diff --git a/roles/testing_domain_controller/README.md b/roles/testing_domain_controller/README.md index 54419fc..b73f462 100644 --- a/roles/testing_domain_controller/README.md +++ b/roles/testing_domain_controller/README.md @@ -1,7 +1,7 @@ # Ansible Role: trippsc2.ad.testing_domain_controller -Version: 1.2.5 +Version: 1.2.6 This role creates an Active Directory domain on the Windows machine for use during Molecule testing. diff --git a/roles/testing_domain_member/README.md b/roles/testing_domain_member/README.md index 5195e9c..77fe2fd 100644 --- a/roles/testing_domain_member/README.md +++ b/roles/testing_domain_member/README.md @@ -1,7 +1,7 @@ # Ansible Role: trippsc2.ad.testing_domain_member -Version: 1.2.5 +Version: 1.2.6 This role joins a Windows machine to a test Active Directory Domain during Molecule testing. diff --git a/roles/testing_standalone_win/README.md b/roles/testing_standalone_win/README.md index 4237426..5313dd2 100644 --- a/roles/testing_standalone_win/README.md +++ b/roles/testing_standalone_win/README.md 
@@ -1,7 +1,7 @@ # Ansible Role: trippsc2.ad.testing_standalone_win -Version: 1.2.5 +Version: 1.2.6 This role configures DNS on a standalone (non-domain) Windows machine to use the domain controller for DNS and registers its IP address in DNS.