roles/system-auth: Configure PAM system authentication

The *system-auth* role deploys PAM configuration for system-wide user authentication. It is specifically focused on Active Directory authentication using Samba/Winbind.
2018-03-11 18:07:21 -05:00 · 2018-03-11 18:07:21 -05:00 · 0fa0c2f66e
parent 7217c1c8a0
commit 0fa0c2f66e
5 changed files with 97 additions and 0 deletions
--- a/roles/system-auth/defaults/main.yml
+++ b/roles/system-auth/defaults/main.yml
@ -0,0 +1,2 @@
 pam_mkhomedir: false
 pam_winbind: false
--- a/roles/system-auth/tasks/main.yml
+++ b/roles/system-auth/tasks/main.yml
@ -0,0 +1,43 @@
 - name: load distribution-specific variables
  include_vars: '{{ item }}'
  with_first_found:
  - '{{ ansible_distribution }}.yml'
  - '{{ ansible_os_family }}.yml'
  - defaults.yml
 - name: ensure authconfig is not installed
  package:
    name=authconfig
    state=absent
 - name: ensure authconfig PAM configuration is reset
  command:
    mv /etc/pam.d/{{ item }}-ac /etc/pam.d/{{ item }}
    removes=/etc/pam.d/{{ item }}-ac
  with_items:
  - fingerprint-auth
  - password-auth
  - postlogin
  - smartcard-auth
  - system-auth
 - name: ensure mkhomedir package is installed
  package:
    name={{ mkhomedir_pkg }}
  when: pam_mkhomedir
 - name: ensure oddjobd starts at boot
  service:
    name=oddjobd
    enabled=true
  when: pam_mkhomedir and pam_oddjob_mkhomedir
 - name: ensure oddjobd is running
  service:
    name=oddjobd
    state=started
  when: pam_mkhomedir and pam_oddjob_mkhomedir
 - name: ensure pam configuration is set
  template:
    src={{ item.template }}
    dest=/etc/pam.d/{{ item.name }}
    mode=0644
  with_items: '{{ pam_system_auth_conf }}'
--- a/roles/system-auth/templates/password-auth.j2
+++ b/roles/system-auth/templates/password-auth.j2
@ -0,0 +1,40 @@
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        required      pam_faildelay.so delay=2000000
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
 {% if pam_winbind %}
 auth        sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
 {% endif %}
 auth        required      pam_deny.so
 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 1000 quiet
 {% if pam_winbind %}
 account     [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
 {% endif %}
 account     required      pam_permit.so
 password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 {% if pam_winbind %}
 password    sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
 {% endif %}
 password    required      pam_deny.so
 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 -session     optional      pam_systemd.so
 {% if pam_mkhomedir %}
 {% if pam_oddjob_mkhomedir %}
 session     optional      pam_oddjob_mkhomedir.so umask=0077
 {% endif %}
 {% endif %}
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 {% if pam_winbind %}
 session     optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
 {% endif %}
--- a/roles/system-auth/templates/system-auth.j2
+++ b/roles/system-auth/templates/system-auth.j2
@ -0,0 +1,5 @@
 #%PAM-1.0
 auth		include	password-auth
 account		include	password-auth
 password	include	password-auth
 session		include	password-auth
--- a/roles/system-auth/vars/RedHat.yml
+++ b/roles/system-auth/vars/RedHat.yml
@ -0,0 +1,7 @@
 mkhomedir_pkg: oddjob-mkhomedir
 pam_oddjob_mkhomedir: true
 pam_system_auth_conf:
 - name: password-auth
  template: password-auth.j2
 - name: system-auth
  template: system-auth.j2