fgci-org / fgci-ansible

:microscope: Collection of the Finnish Grid and Cloud Infrastructure Ansible playbooks
MIT License

Separate authentication settings to a different role #74

Closed mhakala closed 8 years ago

mhakala commented 8 years ago

This is a somewhat broader issue than just this repository, but closely related. Now ansible-role-nis defines the /etc/nsswitch.conf. It would be better to have a totally different role to manage

Basically we need the functionality to do the same as authconfig below: "authconfig --enablesssd --enablesssdauth --disablecache --enableshadow --passalgo=sha512 --enablenis --update"

Beyond this request we do need a separate module for kerberos (almost ready, with the ability to do domainjoin) and sssd.

martbhell commented 8 years ago

Agreed.

Do you have suggestions for nsswitch, kerberos and sssd roles that work for you that don't do anything by default?

mhakala commented 8 years ago

We currently have a working kerberos/sssd/AD_domain module that just sets up sssd+krb5. So that angle is covered (a separate issue already exists). But for authentication and authorization settings we need a new role, e.g. ansible-role-authconfig. This needs to be tunable and manage pam+nsswitch+nscd (you can turn off nscd). Nothing fancy, just a few templates with enough parameters. How should we proceed?

For backward compatibility this will not be an issue. Default setting can be as now in ansible-role-nis.

martbhell commented 8 years ago

ansible-role-nis takes care of everything that's needed to get it working. Same for https://github.com/CSC-IT-Center-for-Science/ansible-role-sssd

I think it would be best if the role you want to add also took care of everything that's needed. And IMO without using the authconfig command but that's up to you. You could make a second role that does the authconfig stuff, or include it in the adauth. If you make a new one then one could re-use it with the NIS role or other roles.

https://github.com/CSC-IT-Center-for-Science/ansible-role-nis/blob/master/tasks/main.yml#L5

ansible-role-nis only does something if nis_enabled: True and/or nis_initialize: True

Something similar should be done for your roles. After that we can add the roles to the playbook files in https://github.com/CSC-IT-Center-for-Science/fgci-ansible repo (including local.yml which I'm assuming your compute nodes are using) but keep the nis default to enabled in the roles. Then in your group_vars you can set it to disabled and set the appropriate variables to run the adauth role.

How does this sound?

ansible-role-nis is the role that templates in the nsswitch file.

mhakala commented 8 years ago

Could you at least add a conditional to ansible-role-nis around lines 27-29 in tasks/install.yml to check whether to update nss in this role or not. We do need NIS also, and it would make sense for us to disable the NSS update here and do that in a separate module.

 27 - name : template in nsswitch - conditionals inside template
 28   template: src=nsswitch.conf.j2 dest=/etc/nsswitch.conf

martbhell commented 8 years ago
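One way to make the nsswitch task above optional, following the `nis_enabled` pattern already used by ansible-role-nis and the group_vars override martbhell describes. This is an added example, not code from ansible-role-nis; the variable name `nis_manage_nsswitch` and the group name `compute` are assumptions.

```yaml
# defaults/main.yml (added example; nis_manage_nsswitch is a hypothetical variable)
nis_enabled: true
# Keep templating /etc/nsswitch.conf by default so existing users see no change;
# a site that hands NSS over to a separate authconfig/sssd role sets this to false.
nis_manage_nsswitch: true

# tasks/install.yml (added example, replaces the unconditional template task)
- name: template in nsswitch - conditionals inside template
  template:
    src: nsswitch.conf.j2
    dest: /etc/nsswitch.conf
    owner: root
    group: root
    mode: '0644'
    backup: yes          # keep the previous lookup order in case a lookup breaks
  when:
    - nis_enabled | bool
    - nis_manage_nsswitch | bool

# group_vars/compute.yml (added example; 'compute' is an assumed group name)
# Keep NIS, but let another role own /etc/nsswitch.conf on these hosts.
nis_enabled: true
nis_manage_nsswitch: false
```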

Ask and you shall receive :)

Anything else you need us to do in relation to this?

martbhell commented 8 years ago

No reply, closing.