Joining CentOS 6/7 to a Windows Server 2016 domain with ansible-playbook

Goal:

Use ansible-playbook to join CentOS 6/7 hosts to an existing Windows Server 2016 domain, so that domain users can log in and members of different security groups get different privileges.

Environment:

Requirements:

  • Two Windows Server domain controllers, which also act as DNS servers.
  • Primary domain controller: dc01.mtkt.local
  • Backup domain controller: dc02.mtkt.local
  • Domain name: mtkt.local
  • Domain administrator: itadmin
  • LoginGroup: a domain security group whose members may log in to the CentOS servers.
  • AdminGroup: a domain security group whose members may log in to the CentOS servers and get sudo without a password prompt.
  • One CentOS 6 host and one CentOS 7 host, already prepared as Ansible managed nodes, with their DNS servers set to the IP addresses of the two domain controllers.
  • One CentOS 7 host used as the Ansible server.
  • The [linux] section of the Ansible hosts file contains the CentOS 6 and CentOS 7 hosts.

Scripts:

Ansible playbook: add2domain.yml

---
- gather_facts: true
  hosts: '{{ host }}'
  remote_user: root
  vars:
    domainname: mtkt.local
    dc1: dc01.mtkt.local
    dc2: dc02.mtkt.local
  tasks:
    - name: Install the packages needed for the domain join (CentOS 7)
      yum:
        name: realmd,sssd,oddjob,oddjob-mkhomedir,adcli,samba-common
        state: present
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "7"

    - name: Join the domain with realm (CentOS 7)
      shell: echo 'YourPassword' | realm join dc01.mtkt.local -U itadmin
      ignore_errors: yes
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "7"
    #    to leave the domain: realm leave MTKT.LOCAL

    - name: Set fallback_homedir in /etc/sssd/sssd.conf (CentOS 7)
      lineinfile:
        dest: /etc/sssd/sssd.conf
        regexp: '(^|#)fallback_homedir'
        line: 'fallback_homedir = /home/%u'
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "7"
      tags: sssd

    - name: Disable fully qualified names in /etc/sssd/sssd.conf (CentOS 7)
      lineinfile:
        dest: /etc/sssd/sssd.conf
        regexp: '(^|#)use_fully_qualified_names'
        line: 'use_fully_qualified_names = False'
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "7"
      tags: sssd

    - name: Restart sssd (CentOS 7)
      systemd: name=sssd enabled=yes state=restarted
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "7"
      tags: sssd

    - name: Add the AD group rules to sudoers (CentOS 7)
      lineinfile:
        path: /etc/sudoers
        state: present
        # regexp: '^%AdminGroup' ## a regexp can only match and replace a single line
        line: '{{ item }}'
        validate: '/usr/sbin/visudo -cf %s'
      with_items:
        - '%AdminGroup@mtkt.local  ALL=(ALL) NOPASSWD:  ALL'
        - '%LoginGroup@mtkt.local  ALL=(ALL)  ALL'
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "7"
      tags: sudoers
    # The tasks above are for CentOS 7, the tasks below are for CentOS 6
    - name: Install the packages needed for the domain join (CentOS 6)
      yum:
        name: sssd,oddjob,oddjob-mkhomedir,adcli,samba-common,authconfig
        state: present
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "6"

    - name: Deploy sssd.conf from template (CentOS 6)
      template:
        src: sssd.conf.j2
        dest: /etc/sssd/sssd.conf
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "6"

    - name: Restrict permissions on /etc/sssd/sssd.conf (CentOS 6)
      file:
        path: /etc/sssd/sssd.conf
        owner: root
        group: root
        mode: '0600'
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "6"

    - name: Deploy krb5.conf from template (CentOS 6)
      template:
        src: krb5.conf.j2
        dest: /etc/krb5.conf
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "6"

    - name: Restart sssd (CentOS 6)
      service: name=sssd enabled=yes state=restarted
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "6"

    - name: Restart messagebus (CentOS 6)
      service: name=messagebus enabled=yes state=restarted
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "6"

    - name: Restart oddjobd (CentOS 6)
      service: name=oddjobd enabled=yes state=restarted
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "6"

    # On CentOS 6 the join is done for now by a local expect script.
    # expect only needs to run locally, not on the remote host, so delegate_to: hands the task to localhost.
    - name: Join the AD domain (CentOS 6)
      shell: expect adcli.exp {{ ansible_ssh_host }}
      delegate_to: localhost
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "6"
      tags: join
    #    - name: Leave the AD domain
    #      shell: expect /tmp/adcliexit.exp {{ ansible_ssh_host }}
    #      tags: exit
    - name: Enable sssd for authentication and home directory creation (CentOS 6)
      shell: authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "6"

    # Edit sudoers. On CentOS 6 the group must be written as %AdminGroup, without the mtkt.local suffix
    # (not %AdminGroup@mtkt.local); otherwise sudo reports that the user is not in the sudoers file after login.
    - name: Add the AD group rules to sudoers (CentOS 6)
      lineinfile:
        path: /etc/sudoers
        state: present
        # regexp: '^%AdminGroup' ## a regexp can only match and replace a single line
        line: '{{ item }}'
        validate: '/usr/sbin/visudo -cf %s'
      with_items:
        - '%AdminGroup  ALL=(ALL) NOPASSWD:  ALL'
        - '%LoginGroup  ALL=(ALL)  ALL'
      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "6"
      tags: sudoers
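The two sudoers tasks above edit /etc/sudoers one line at a time, which is why the regexp had to be dropped. As an added example (not code from the original post), the same two rules managed as a single drop-in file that visudo validates as a whole, using the version-dependent group-name form the post notes (realm suffix on CentOS 7, bare name on CentOS 6); the file name /etc/sudoers.d/ad-groups is an assumption:

```yaml
# Added example, not part of the original playbook. Replaces the per-line
# sudoers edits with one drop-in file; visudo checks the whole file before it
# is put in place. The path /etc/sudoers.d/ad-groups is an assumption.
- name: Install the AD group sudo rules as a validated drop-in
  copy:
    dest: /etc/sudoers.d/ad-groups
    owner: root
    group: root
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'
    # CentOS 7 (realmd join) needs the realm suffix on the group name; CentOS 6 does not
    content: |
      {%- set suffix = '@' ~ domainname if ansible_distribution_major_version == "7" else '' -%}
      %AdminGroup{{ suffix }}  ALL=(ALL) NOPASSWD: ALL
      %LoginGroup{{ suffix }}  ALL=(ALL) ALL
  when: ansible_distribution == 'CentOS'
  tags: sudoers
```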

adcli.exp script:

#!/usr/bin/expect -f
set timeout 5
set server [lrange $argv 0 0]
set command1 "adcli join mtkt.local -U itadmin"

# Log in to the remote host and join it to the domain. Usage: expect adcli.exp server_IP

if { $argc != 1 } {
 send_user "Usage: expect adcli.exp server_IP \n"
 exit
}

spawn /usr/bin/ssh root@$server

send "$command1\r"

# Use a single expect pattern so that a slow prompt does not cause a mismatch on the prompt string

expect "*LOCAL:"
send "YourPasswd\r"

expect "#*"
send "exit\r"

interact

CentOS 6 krb5 configuration template: krb5.conf.j2

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # Kerberos realm names are case-sensitive; an AD realm is the upper-cased DNS domain name
 default_realm = {{ domainname | upper }}
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 {{ domainname | upper }} = {
  kdc = {{ dc1 }}
  admin_server = {{ dc1 }}
 }

[domain_realm]
 .{{ domainname }} = {{ domainname | upper }}
 {{ domainname }} = {{ domainname | upper }}

CentOS 6 sssd configuration template: sssd.conf.j2

[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = {{ domainname }}

[domain/{{ domainname }}]
id_provider = ad
fallback_homedir = /home/%u
shell_fallback = /bin/bash
override_shell = /bin/bash
default_shell = /bin/bash
# Only members of these two AD groups are allowed to log in
access_provider = simple
simple_allow_groups = LoginGroup,AdminGroup

Run: ansible-playbook add2domain.yml --extra-vars "host=linux"

Closing notes:

Unresolved issues:

  • On CentOS 6 only the primary domain controller is configured.
  • All passwords in the scripts are in plaintext.

Workaround

  • When the target is CentOS 6, the following shell command does not run correctly: shell: echo 'YourPassword' | adcli join mtkt.local -U itadmin. Trying the Ansible pexpect module instead ran into the problem that the target could not find the specified module.
  • Temporary solution: debug the expect script locally so that it performs the join on the remote host, and use Ansible's delegate_to to run the join step on the Ansible server itself. This also solves substituting the target's IP address as a variable into the expect command line, which is not possible with the local_action module because the target IP variable cannot be used there.
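The two open points above, the plaintext password and the ignore_errors on the CentOS 7 realm join task in the playbook, can be addressed inside the playbook. As an added example (not code from the original post), the CentOS 7 join rewritten to take the password from an ansible-vault variable, keep it out of logs, skip the join when the host is already a member, and confirm the two groups resolve through sssd before sudo rules are granted; the variable name vault_itadmin_password is an assumption:

```yaml
# Added example, not part of the original playbook. Assumes a vault-encrypted
# variable vault_itadmin_password (hypothetical name) holds the itadmin password,
# e.g. loaded from group_vars/linux/vault.yml with ansible-vault.
- name: List the realms this host is already joined to
  command: realm list --name-only
  register: realm_list
  changed_when: false
  when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "7"

- name: Join the domain only if the host is not already a member
  command: realm join {{ dc1 }} -U itadmin
  args:
    # realm reads the password from stdin when stdin is not a tty: no echo, no shell
    stdin: "{{ vault_itadmin_password }}"
  no_log: true   # keeps the password out of -v output and logs
  when:
    - ansible_distribution == 'CentOS' and ansible_distribution_major_version == "7"
    - domainname not in realm_list.stdout_lines

- name: Confirm the two AD groups resolve through sssd before granting sudo
  command: getent group {{ item }}
  loop:
    - AdminGroup
    - LoginGroup
  changed_when: false
  when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == "7"
```

A failing getent here stops the play before the sudoers tasks run, instead of leaving a rule for a group that does not resolve.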

Reposted from: https://my.oschina.net/winniepoohmeng/blog/3024393
