Role copiada do IME.

.gitignore

@@ -0,0 +1 @@
+*~

defaults/main.yml

@@ -0,0 +1,3 @@
+sssd_ad_realm: "smbdomain.local.br"
+sssd_ad_admin_password: 'proalunoSenh@1'
+sssd_ad_admin_user: 'Administrator'

handlers/main.yml

@@ -0,0 +1,4 @@
+- name: reinicia sssd
+  service:
+    name: sssd
+    state: restarted

tasks/main.yml

@@ -0,0 +1,30 @@
+- name: pacotes auth
+  apt:
+    update_cache: yes
+    pkg:
+      - realmd
+      - sssd-tools
+      - sssd
+      - libnss-sss
+      - libpam-sss
+      - adcli
+      - packagekit
+      - krb5-user
+      - python3-pexpect
+
+- name: realm join
+  expect:
+    command: realm join "{{ sssd_ad_realm }}" -U "{{ sssd_ad_admin_user }}"%"{{ sssd_ad_admin_password }}" --do-not-touch-config
+    creates: /etc/krb5.keytab
+
+- name: configura krb5.conf
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+
+- name: configura sssd
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: reinicia sssd

templates/krb5.conf.j2

@@ -0,0 +1,20 @@
+[libdefaults]
+    default_realm = {{ sssd_ad_realm|upper }}
+
+# Allows GSSAPI logins from unknown hostnames
+    ignore_acceptor_hostname = true
+
+# The following krb5.conf variables are only for MIT Kerberos.
+    kdc_timesync = 1
+    ccache_type = 4
+    forwardable = true
+    proxiable = true
+    rdns = false
+
+# The following libdefaults parameters are only for Heimdal Kerberos.
+    fcc-mit-ticketflags = true
+    udp_preference_limit = 0
+
+[realms]
+
+[domain_realm]

templates/sssd.conf.j2

@@ -0,0 +1,17 @@
+[sssd]
+domains = {{ ssshd_ad_realm }}
+config_file_version = 2
+services = nss, pam
+
+[domain/{{ sssd_ad_realm }}]
+default_shell = /bin/bash
+krb5_store_password_if_offline = True
+cache_credentials = True
+krb5_realm = {{ sssd_ad_realm|upper }}
+realmd_tags = manages-system joined-with-adcli 
+id_provider = ad
+fallback_homedir = /home/%u@%d
+ad_domain = {{ sssd_ad_realm }}
+use_fully_qualified_names = False
+ldap_id_mapping = True
+access_provider = ad