I joined a Linux server (SLES 15 SP5) to my Active Directory using Ansible 2.91. I succeeded in joining the server to the domain, but I have one problem: I can't log in directly as an AD user. Before I can, I have to go into YaST on the client server and manually tick these two boxes under User Logon: "Allow Domain User Logon" and "Create Home Directory". My objective is to do all of this in code so the task is automated. This is my playbook file:
- hosts: all
  vars:
    pkgs:
      - sssd
      - sssd-tools
      - sssd-ldap
      - sssd-ad
      - adcli
      - realmd
      - krb5-client
      - openldap2-client
      - cyrus-sasl-gssapi
    AD_Domain: XXXXXXX.LOCAL
    AD_Domain_alt: XXXXXXX.local
    Join_OU: OU=Linux,DC=XXXXXXX,DC=LOCAL
    SRV_ADM_GRP_OU: OU=Linux,DC=XXXXXXX,DC=local
  vars_prompt:
    - name: username
      prompt: "Please enter your AD admin username?"
      private: no
    - name: password
      prompt: "Please enter AD admin user password?"
      private: yes
    - name: adhostname
      prompt: "Please enter the simple machine name, not fqdn format"
      private: no
  tasks:
    - name: Checking the Server Distribution Version (SLES)
      fail:
        msg: System does not run SLES, shutdown
      when: ansible_facts['distribution'] != 'SLES'
    - name: Installing the necessary packages to join the AD domain
      # SLES has no yum; the zypper module is the one that works here
      zypper:
        name: "{{ pkgs }}"
        state: present
        update_cache: yes
    - name: Configuring the machine name
      shell: hostnamectl set-hostname {{ adhostname }}.{{ AD_Domain_alt }}
    - name: Integration with the AD domain (creation of the AD computer account and updating of the /etc/krb5.keytab file)
      shell: echo '{{ password }}' | adcli join --stdin-password {{ AD_Domain }} -U {{ username }} --domain-ou={{ Join_OU }}
      # keep the AD admin password out of Ansible's output and logs
      no_log: true
    - name: Configuring the sssd.conf file
      template:
        src: sssd.j2
        dest: /etc/sssd/sssd.conf
        owner: root
        group: root
        mode: 0600
    - name: Configuring the nsswitch.conf file
      lineinfile:
        path: /etc/nsswitch.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - regexp: '^passwd:'
          line: 'passwd: compat sss'
        - regexp: '^group:'
          line: 'group: compat sss'
        - regexp: '^services:'
          line: 'services: files sss'
        - regexp: '^sudoers:'
          line: 'sudoers: files sss'
    - name: Authorizing the Linux AD Admin group to connect to Linux servers
      shell: realm permit -g [email protected]
    - name: Adding Linux Admin group in sudoers
      lineinfile:
        dest: /etc/sudoers
        line: '"%[email protected]" ALL=(ALL) ALL'
        insertafter: '^%wheel'
        # refuse to write a sudoers file that does not parse, so sudo cannot be broken by a typo
        validate: 'visudo -cf %s'
    - name: Configuring the krb5.conf file
      template:
        src: krb5.j2
        dest: /etc/krb5.conf
        owner: root
        group: root
        mode: 0644
    - name: Configuring the ldap.conf client
      template:
        src: ldap.j2
        dest: /etc/openldap/ldap.conf
        owner: root
        group: root
        mode: 0644
    - name: Restarting daemon realm
      systemd:
        name: realmd
        enabled: yes
        state: restarted
    - name: Restarting SSSD daemon
      systemd:
        name: sssd
        enabled: yes
        state: restarted
This is my sssd file:
[sssd]
domains = {{ AD_Domain }}
config_file_version = 2
services = nss, pam, sudo

[nss]
filter_users = root
filter_groups = root

[pam]

[sudo]

[domain/{{ AD_Domain }}]
#krb5_realm = {{ AD_Domain }}
ad_domain = {{ AD_Domain }}
realmd_tags = manages-system joined-with-adcli
#cache_credentials = false
id_provider = ad
auth_provider = ad
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
# create_homedir and skel_dir are not SSSD options: SSSD does not create home
# directories, pam_mkhomedir in the PAM session stack does
create_homedir = true
skel_dir = /etc/skel
fallback_homedir = /home/%u
access_provider = ad
auto_private_groups = true
ldap_referrals = false
ldap_schema = ad
#chpass_provider = ad
sudo_provider = ad
# simple_allow_groups is only honoured when access_provider = simple;
# with access_provider = ad it is ignored
simple_allow_groups = YYYYYYYYYYYYY
ad_gpo_access_control = permissive
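On SLES, the two YaST checkboxes named in the question do nothing more than run `pam-config`: "Allow Domain User Logon" adds `pam_sss` to the PAM stacks, and "Create Home Directory" adds `pam_mkhomedir` to the session stack. The tasks below are an added example, not part of the original post; they assume they are appended to the `tasks:` list of the playbook above, after the SSSD restart, and that `pam-config` is present (it ships with SLES). The `grep` pre-checks make the tasks report changes honestly instead of always running.

```yaml
# Added example (not from the original post): the PAM changes YaST makes behind
# "Allow Domain User Logon" and "Create Home Directory", as Ansible tasks.
# Assumed to sit under tasks: in the playbook above, after the SSSD restart.
- name: Check whether pam_sss is already in the PAM auth stack
  command: grep -q pam_sss.so /etc/pam.d/common-auth
  register: pam_sss_state
  changed_when: false
  failed_when: false

- name: Allow domain user logon (pam_sss in auth/account/password/session)
  command: pam-config --add --sss
  when: pam_sss_state.rc != 0

- name: Check whether pam_mkhomedir is already in the PAM session stack
  command: grep -q pam_mkhomedir.so /etc/pam.d/common-session
  register: pam_mkhomedir_state
  changed_when: false
  failed_when: false

- name: Create the home directory on first login (pam_mkhomedir in session)
  command: pam-config --add --mkhomedir
  when: pam_mkhomedir_state.rc != 0

# Verification: the play fails here if the AD user does not resolve through
# SSSD and nsswitch, which is the usual cause of "cannot log in" after a join.
- name: Verify that an AD user resolves through SSSD
  command: getent passwd {{ username }}
  register: ad_user_lookup
  changed_when: false
```

To confirm the result by hand on the client, `pam-config --query --sss --mkhomedir` lists the PAM types each module is now active in; an empty result for either means the corresponding checkbox is still unticked as far as PAM is concerned. Because `pam-config` rewrites `/etc/pam.d/common-*` itself, no sssd restart is needed after these tasks.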