We have a postgres user in ipa to prevent people from making an account
with that name, but we need/want to use a local version of this on
database servers, not the ipa one. We need the local one because the ipa
one is locked and this prevents database backups from working.
(Locked accounts can't run cron jobs).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
There's a real user 'mock' who we want to allow on ipsilon (so they can
login to anything) and people02 (so they can get to their people space),
but nowhere else, since we need the local mock user on places like
builders, etc.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We have a legit user who has the 'mock' account. So, we allow the ipa
one to override on people02 (since they have a shell account there), but
keep the filter everywhere else where we may run 'mock' the command.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
There's an actual legit person with a fas account of 'mock'.
We don't want to use their account, we want to use the local mock user
instead.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
For the maintainer_tests instances we just want to allow anyone with
shell access ability to sudo with no password. In this case asking for
password/tokens could provide a MITM attack vector. This matches up with
the way they were set up before with fas2.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need to also add mock to sssd ignore groups/users, but for now since
we are frozen, only do this in staging. After freeze, we should merge
this back into one file.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We don't want a custom /etc/hosts installed on every host, so bring back
the conditional.
Improves commit 7a2024398f.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Move the vpn ./. base logic from the ipa/client role into the hosts
role, so that applying the latter doesn't apply the base profile on VPN
hosts.
Fixes: fedora-infrastructure#9822
Signed-off-by: Nils Philippsen <nils@redhat.com>
Currently /etc/nsswitch.conf has configurations like
  passwd: sss files
  shadow: files sss
  group: sss files
The problem is that to make sure that certain users could not be
created in IPA (like nobody, root, etc.), they were already created but
in a restricted group. In order to allow sss to work for postfix, nfs,
nobody and such, the sssd.conf needs to ignore them in the nss
section. This adds a file which will do that.
Signed-off-by: Stephen Smoogen <smooge@smoogespace.com>
If either `ipa_client_shell_groups` or `ipa_client_sudo_groups` is
unset or empty, sysadmin-main will still be able to login and sudo.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The previous implementation didn't work because of a chicken-and-egg
problem: To add the batcave shell groups to those specifically for
bastion, it needs to look them up, but they aren't set yet (probably
because `batcave` comes after `bastion`).
Now, one can (optionally) set `ipa_client_shell_groups_inherit_from`, a
list of Ansible group names whose `ipa_client_shell_groups` will be
combined with that of the host itself. This is more robust because it's
done late, after variables are set from the inventory.
Signed-off-by: Nils Philippsen <nils@redhat.com>
This requires the canonical names of IPA servers to be mapped to their
IP addresses on the VPN as well as specifying the IPA server explicitly
when enrolling clients.
Signed-off-by: Nils Philippsen <nils@redhat.com>
SSSD caches information, some types for hours by default. When changing
anything in IPA pertaining to a host this role is applied to, clean out
the caches on the host so the changes are effective immediately.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The `fas_client` role installed a version of nsswitch.conf which doesn't
delegate to sss. For some reason, ipa-client-install doesn't ensure this
is brought back. This prepends `sss` to lines where it would be missing
otherwise. Also, run the cleanup tasks before the enrollment task.
Signed-off-by: Nils Philippsen <nils@redhat.com>
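The `sss` fix-up described in the commit above, as an added example that is not the Fedora infrastructure role's own code. It assumes the databases that should consult SSSD are passwd, shadow and group, prepends `sss` only where it is missing so the operation is idempotent, and includes a check function for verifying a host before and after.

```python
"""Ensure `sss` is consulted on the nsswitch.conf lines that need it."""
import re

# Databases that should delegate to SSSD (assumption for this example).
SSS_DATABASES = ("passwd", "shadow", "group")

# Constructed sample: the state a legacy fas_client-style file leaves behind.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files
shadow:     files
group:      files sss
hosts:      files dns
"""

# database name, the whitespace after the colon, and the source list
_LINE_RE = re.compile(r"^(?P<db>[a-z_]+):(?P<ws>\s*)(?P<sources>.*)$")


def ensure_sss(content: str, databases=SSS_DATABASES) -> str:
    """Return nsswitch content with `sss` prepended to the listed databases.

    Lines that already contain `sss` anywhere, comment lines and unrelated
    databases are left untouched, so applying this twice changes nothing.
    """
    out = []
    for line in content.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group("db") in databases:
            sources = m.group("sources").split()
            if "sss" not in sources:
                sources.insert(0, "sss")
                line = f"{m.group('db')}:{m.group('ws')}{' '.join(sources)}"
        out.append(line)
    return "\n".join(out) + ("\n" if content.endswith("\n") else "")


def missing_sss(content: str, databases=SSS_DATABASES) -> list:
    """Names of databases whose line is present but does not consult sss."""
    missing = []
    for line in content.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group("db") in databases:
            if "sss" not in m.group("sources").split():
                missing.append(m.group("db"))
    return missing


if __name__ == "__main__":
    print(missing_sss(SAMPLE_NSSWITCH))  # ['passwd', 'shadow']
    print(ensure_sss(SAMPLE_NSSWITCH), end="")
```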
This is necessary because:
- The ipa/client role is pulled in if only one host is in the play which
uses it.
- The prepare-ipa-info tasks operate on all hosts in the play in order
to gather together operations on the IPA server which would otherwise
be (potentially, unnecessarily) repeated for many hosts in the play
and which have to be serialized to avoid race conditions when changing
data in IPA.
For now, we set `primary_auth_source` to `fas` for `all`, and to `ipa`
for the `staging` group. We can set this to `ipa` for individual host
groups in prod to enable this piecemeal while we roll out the change.
Fixes: https://pagure.io/fedora-infrastructure/issue/9674
Signed-off-by: Nils Philippsen <nils@redhat.com>
With set_facts, if an element of a list is undefined, the containing
fact variable becomes a string. Something Sirius Cybernetics Corporation
something something.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The `ipa_server_admin_passwords` contains the passwords of the admin
users of all IPA servers affected in a play. Don't loop over them
directly to avoid divulging them in the logs or on the console.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Don't attempt to loop over undefined variables. This can happen if the
relevant `ipa_*` variables aren't defined for any host in the play.
Signed-off-by: Nils Philippsen <nils@redhat.com>