roles/nsswitch: Configure glibc name service

The *nsswitch* role can be used to configure the name service switch on
glibc-based distributions, including Gentoo, Fedora, and CentOS. It is
specifically focused on Active Directory authentication via
Samba/Winbind.

roles/nsswitch/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: load distribution-specific variables
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_distribution }}.yml'
+  - '{{ ansible_os_family }}.yml'
+  - defaults.yml
+
+- name: ensure nsswitch is configured
+  template:
+    src={{ item }}
+    dest=/etc/nsswitch.conf
+    mode=644
+    owner=root
+    group=root
+  with_first_found:
+  - '{{ ansible_distribution }}.nsswitch.conf.j2'
+  - default.nsswitch.conf.j2

roles/nsswitch/templates/CentOS.nsswitch.conf.j2

@@ -0,0 +1,64 @@
+#
+# /etc/nsswitch.conf
+#
+# An example Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
+#
+# The entry '[NOTFOUND=return]' means that the search for an
+# entry should stop if the search in the previous entry turned
+# up nothing. Note that if the search failed due to some other reason
+# (like no NIS server responding) then the search continues with the
+# next entry.
+#
+# Valid entries include:
+#
+#	nisplus			Use NIS+ (NIS version 3)
+#	nis			Use NIS (NIS version 2), also called YP
+#	dns			Use DNS (Domain Name Service)
+#	files			Use the local files
+#	db			Use the local database (.db) files
+#	compat			Use NIS on compat mode
+#	hesiod			Use Hesiod for user lookups
+#	[NOTFOUND=return]	Stop searching if not found so far
+#
+
+# To use db, put the "db" in front of "files" for entries you want to be
+# looked up first in the databases
+#
+# Example:
+#passwd:    db files nisplus nis
+#shadow:    db files nisplus nis
+#group:     db files nisplus nis
+
+passwd:     {{ nsswitch_passwd|reject("equalto", "")|join(' ') }}
+shadow:     {{ nsswitch_shadow|reject("equalto", "")|join(' ') }}
+group:      {{ nsswitch_group|reject("equalto", "")|join(' ') }}
+#initgroups: files sss
+
+#hosts:     db files nisplus nis dns
+hosts:      {{ nsswitch_hosts|reject("equalto", "")|join(' ') }}
+
+# Example - obey only what nisplus tells us...
+#services:   nisplus [NOTFOUND=return] files
+#networks:   nisplus [NOTFOUND=return] files
+#protocols:  nisplus [NOTFOUND=return] files
+#rpc:        nisplus [NOTFOUND=return] files
+#ethers:     nisplus [NOTFOUND=return] files
+#netmasks:   nisplus [NOTFOUND=return] files     
+
+bootparams: nisplus [NOTFOUND=return] files
+
+ethers:     files
+netmasks:   files
+networks:   files
+protocols:  files
+rpc:        files
+services:   files sss
+
+netgroup:   nisplus sss
+
+publickey:  nisplus
+
+automount:  files nisplus sss
+aliases:    files nisplus
+

roles/nsswitch/templates/Fedora.nsswitch.conf.j2

@@ -0,0 +1,62 @@
+#
+# /etc/nsswitch.conf
+#
+# An example Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
+#
+# The entry '[NOTFOUND=return]' means that the search for an
+# entry should stop if the search in the previous entry turned
+# up nothing. Note that if the search failed due to some other reason
+# (like no NIS server responding) then the search continues with the
+# next entry.
+#
+# Valid entries include:
+#
+#	nisplus			Use NIS+ (NIS version 3)
+#	nis			Use NIS (NIS version 2), also called YP
+#	dns			Use DNS (Domain Name Service)
+#	files			Use the local files
+#	db			Use the local database (.db) files
+#	compat			Use NIS on compat mode
+#	hesiod			Use Hesiod for user lookups
+#	[NOTFOUND=return]	Stop searching if not found so far
+#
+
+# To use db, put the "db" in front of "files" for entries you want to be
+# looked up first in the databases
+#
+# Example:
+#passwd:    db files nisplus nis
+#shadow:    db files nisplus nis
+#group:     db files nisplus nis
+
+passwd:     {{ nsswitch_passwd|reject("equalto", "")|join(' ') }} systemd
+shadow:     {{ nsswitch_shadow|reject("equalto", "")|join(' ') }}
+group:      {{ nsswitch_group|reject("equalto", "")|join(' ') }} systemd
+
+#hosts:     db files nisplus nis dns
+hosts:      {{ nsswitch_hosts|reject("equalto", "")|join(' ') }}
+
+# Example - obey only what nisplus tells us...
+#services:   nisplus [NOTFOUND=return] files
+#networks:   nisplus [NOTFOUND=return] files
+#protocols:  nisplus [NOTFOUND=return] files
+#rpc:        nisplus [NOTFOUND=return] files
+#ethers:     nisplus [NOTFOUND=return] files
+#netmasks:   nisplus [NOTFOUND=return] files
+
+bootparams: nisplus [NOTFOUND=return] files
+
+ethers:     files
+netmasks:   files
+networks:   files
+protocols:  files
+rpc:        files
+services:   files sss
+
+netgroup:   nisplus sss
+
+publickey:  nisplus
+
+automount:  files nisplus
+aliases:    files nisplus

roles/nsswitch/vars/RedHat.yml

@@ -0,0 +1,13 @@
+nsswitch_passwd:
+- files
+- '{{ "winbind" if nss_winbind|d else "sss" }}'
+nsswitch_shadow:
+- files
+nsswitch_group:
+- files
+- '{{ "winbind" if nss_winbind|d else "sss" }}'
+nsswitch_hosts:
+- files
+- '{% if nss_avahi|d %}mdns_minimal [NOTFOUND=return]{% endif %}'
+- dns
+- myhostname