Restrict Local users login using SSH or from Console

.travis.yml

@@ -1,24 +1,32 @@
 ---
-services: docker
+dist: bionic
+language: python
+python: "3.6"
 
-env:
-  # Defaults.
-  - distro: centos7
-    test_idempotence: false
+# Use the new container infrastructure
+sudo: true
 
-script:
-  # Configure test script so we can run extra tests after playbook is run.
-  - export container_id=$(date +%s)
-  - export cleanup=false
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python3-pip
+
+install:
+  # Install ansible
+  - pip3 install ansible
 
-  # Download test shim.
-  - wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/sylus/e5d6eb8852d649ae78477b2daf86e707/raw
-  - chmod +x ${PWD}/tests/test.sh
+  # Check ansible version
+  - ansible --version
 
-  # Run tests.
-  - ${PWD}/tests/test.sh
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - "ansible-playbook tests/test.yml -i tests/inventory --syntax-check"
+  # - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --become-user root"
+  # - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --become-user root | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)"
 
 notifications:
-  slack:
-    secure: M+yCxKJqimIn8NeW0B9zZfjgLur6YnxqA5XoulSuuIwNHqkAR7d6EAsydwR8vEKTqVfKdOobMVmalOCcQOw6HSwnu49KYUAESYsL/yyvK/aHXM52y6XV1L6s+gtD6/eQo3VECR8xMAM2+GkzUGeaA2hWA13CwXo7aXcik0/q2KTJb1eTXDj1LYyjwPE6pmHcWsxE6bmGLTvaHDpWQpoSTD3tiJqvAIVNsSGm4HiZ0rlVS09hM+xU3OTVIfurYmWJI+Do1KceINrwDlbEZgsYGXLCg5Oah/DK5pAmKocF8BDNZx01AH3vqG2yQSoV4xpTF+NdfHh2XFY9If1Ugyv9xDAkLbCkMzhzh8UIvXNCWvWstKh6I8gnJPJGUst0FXk2clCx+ILl4wlMrdd0UcUA5GX6R6ELUfxfT//xVK5I5t0IbCqBB5Nl1bDf7ndeksYqlTxk4DoM6t5yGlhCRqNz5z1SxMe2wv4OQaIuuNsFVvQ9USPc7FKHKxQQBAOiT8b0QNuFm8U/nresytpZrMQ0vMnMA9iQz+xQvdKyVw1ZS2HPx05lWBv0CC3sDkPqXETohG7bC5hkSY4LPNNlqtu6oOtfmbCuDfbpjpzAm5NvtNcdMavAd/jtEfO7sSxAwW02wty4XilXk4INMOp+2z5W2vwkyMkpTsvsnm7Da6mPzMA=
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

LICENSE

@@ -1,6 +1,7 @@
 MIT License
 
 Copyright (c) 2018 William Hearn
+Copyright (c) 2019-2020 Kálmán Szalai - KAMI
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,8 +1,232 @@
-# Ansible role for Active Directory
+# Ansible Role: Installs and configures Active Directory on Linux.
 
-[![Build Status][travisci-badge]][travisci]
+Travis status:   [![Build Status](https://travis-ci.org/KAMI911/ansible-role-linux-ad.svg?branch=master)](https://travis-ci.org/KAMI911/ansible-role-linux-ad)
+Code Climate status: [![Code Climate](https://codeclimate.com/github/KAMI911/ansible-role-linux-ad/badges/gpa.svg)](https://codeclimate.com/github/KAMI911/ansible-role-linux-ad)
+Test Coverage status: [![Test Coverage](https://codeclimate.com/github/KAMI911/ansible-role-linux-ad/badges/coverage.svg)](https://codeclimate.com/github/KAMI911/ansible-role-linux-ad/coverage)
 
-<!-- Links Referenced -->
+## Table of Contents
 
-[travisci]:             https://travis-ci.org/govcloud/ansible-role-ad
-[travisci-badge]:       https://travis-ci.org/govcloud/ansible-role-ad.png?branch=master
+1. [Requirements][Requirements]
+2. [Installation][Installation]
+3. [Role Variables][Role Variables]
+4. [Dependencies][Dependencies]
+5. [Example Playbook][Example Playbook]
+6. [Licensing][Licensing]
+7. [Author Information][Author Information]
+8. [Support][Support]
+9. [Contributing][Contributing]
+10. [Donation][Donation]
+
+## Requirements
+
+None.
+
+## Installation
+
+    ansible-galaxy install kami911.linux-ad
+
+## Role Variables
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+
+### Port, connection, and firewall related options
+
+    linux_ad_manage_firewalld: true
+
+Role manages the firewalld settings of required ports.
+
+### Debug settings
+
+    linux_ad_authconfig_debug_mode: false
+
+Use authconfig debug mode.
+
+    linux_ad_authconfig_debug_level: 3
+
+Set authconfig debug level.
+
+    linux_ad_authconfig_domain: 'cloud.department.ca'
+
+### Genereal AD settings
+
+Set authconfig (FQDN) domain name.
+
+    linux_ad_authconfig_realm:  'CLOUD.DEPARTMENT.CA'
+
+Set authconfig realm name.
+
+    linux_ad_authconfig_computer_ou: 'ou=computers,dc=cloud,dc=department,dc=ca'
+
+Set the Active Directory path to computers organization unit.
+
+    linux_ad_authconfig_windomain: 'EXAMPLECOM'
+
+Set authconfig Windows domain name.
+
+    linux_ad_authconfig_sssd_user: 'admin'
+
+Specify an already existing domain user that has 'add computer to domain' rights.
+
+    linux_ad_authconfig_sssd_pass: 'pass'
+
+Specify the password of that domain user.
+
+    linux_ad_authconfig_access_groups: []
+
+An array/list of groups that have access to the host.
+
+    linux_ad_authconfig_access_users: []
+
+An array/list of users that have access to the host.
+
+    linux_ad_ansible_distribution_major_version: '{{ ansible_lsb.major_release|int }}'
+
+Specify the main version of your Linux OS if something gets wrong and the version is not available.
+
+    linux_ad_ad_info_ad_server: 'dc1.department.ca'
+
+    linux_ad_ad_info_ad_backup_server: 'dc2.department.ca'
+
+Specify the primary and a backup Active Directory login server.
+
+    linux_ad_rejoin: false
+
+Try to rejoint to the Active Directory via deleting /etc/krb5.keytab file. Default is false.
+
+    linux_ad_home_dir: '/home/%d/%u'
+
+Home directory of the user.
+Additionally you can use these variables:
+%u -login name
+%U - UID number
+%d - domain name
+%f - fully qualified user name (user@domain))
+%% - %.
+
+    linux_ad_shell: '/bin/bash'
+
+Shell to use for freshly created users.
+
+    linux_ad_use_fq_username: true
+
+Use fully qualified name for login name. When false you can login with username, when tru you can login with username@domain_name
+
+    linux_ad_home_dir_base:
+      - '/home/{{ linux_ad_authconfig_domain }}'
+
+If you not using /home/%s as home directory, the script have to create all of required domains subdirectory (in this example case /home/cloud.department.ca/). Please list all possible domains here.
+
+    linux_ad_home_dir_user: 'root'
+
+The user of the newly created subhome directory.
+
+    linux_ad_home_dir_group: 'root'
+
+The group of the newly created subhome directory.
+
+    linux_ad_home_dir_mode: 755
+
+The mode of the newly created subhome directory.
+
+    linux_ad_sudoers_d:
+    - file: linux_ad
+        host: ALL
+        runas: ALL
+        ugid: '%Enterprise\ Admins'
+        nopasswd: true
+        commands:
+        - 'ALL'
+
+Create sudoers file with these parameters. The file is filename of the created file in sudoers.d.
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+    - hosts: all
+      roles:
+        - linux-ad
+
+## Licensing
+
+The lactransformer application and documantations are licensed under the terms of
+the MIT / BSD, you will find a copy of this license in the
+[LICENSE](LICENSE) file included in the source package.
+
+## Author Information
+
+This role was created in 2019-2020 by Kálmán Szalai - KAMI based on work of William Hearn (https://github.com/govcloud/ansible-role-ad)
+
+## Support
+
+If you have any question, do not hesitate and drop me a line.
+If you found a bug, or have a feature request, you can [fill an issue](https://github.com/KAMI911/ansible-role-linux-ad/issues).
+
+### Using as a submudule of an AWX playbook
+
+#### Add as a submodule
+
+```
+git submodule add --force [email protected]:KAMI911/ansible-role-linux-ad.git roles/linux-ad
+```
+
+#### Update as sumodule
+
+Update only this submodule
+
+```
+git submodule update --remote roles/linux-ad/
+```
+
+Update all submodules:
+
+```
+git submodule foreach git pull origin master
+```
+
+## Contributing
+
+There are many ways to contribute to ansible-role-linux-ad -- whether it be sending patches,
+testing, reporting bugs, or reviewing and updating the documentation. Every
+contribution is appreciated!
+
+Please continue reading in the [contributing chapter](CONTRIBUTING.md).
+
+### Fork me on Github
+
+https://github.com/KAMI911/ansible-role-linux-ad
+
+Add a new remote `upstream` with this repository as value.
+
+```
+git remote add upstream https://github.com/KAMI911/ansible-role-linux-ad.git
+```
+
+You can pull updates to your fork's master branch:
+
+```
+git fetch --all
+git pull upstream HEAD
+```
+
+## Donation
+
+If you find this useful, please consider a donation:
+
+[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=RLQZ58B26XSLA)
+
+
+<!-- TOC URLs -->
+[Requirements]: #requirements
+[Installation]: #installation
+[Role Variables]: #role_variables
+[Dependencies]: #dependencies
+[Example Playbook]: #example_playbook
+[Licensing]: #licensing
+[Author Information]: #author_information
+[Support]: #support
+[Contributing]: #contributing
+[Donation]: #donation

defaults/main.yml

@@ -1,24 +1,48 @@
 ---
-authconfig_debug_mode: false
-authconfig_debug_level: 3
+linux_ad_manage_firewalld: true
 
-authconfig_domain: 'cloud.department.ca'
-authconfig_realm:  'CLOUD.DEPARTMENT.CA'
-authconfig_computer_ou: 'ou=computers,dc=cloud,dc=department,dc=ca'
+linux_ad_authconfig_debug_mode: false
+linux_ad_authconfig_debug_level: 3
 
-#authconfig_windomain: "EXAMPLECOM"
+linux_ad_authconfig_domain: 'cloud.department.ca'
+linux_ad_authconfig_realm:  'CLOUD.DEPARTMENT.CA'
+linux_ad_authconfig_computer_ou: 'ou=computers,dc=cloud,dc=department,dc=ca'
 
-authconfig_sssd_user: 'admin'
-authconfig_sssd_pass: 'pass'
+linux_ad_authconfig_windomain: 'EXAMPLECOM'
+
+linux_ad_authconfig_sssd_user: 'admin'
+linux_ad_authconfig_sssd_pass: 'pass'
 
 # An array/list of groups that have access to the host
-authconfig_access_groups: []
+linux_ad_authconfig_access_groups: []
 
 # An array/list of users that have access to the host
-authconfig_access_users: []
+linux_ad_authconfig_access_users: []
 
 # This variable sometimes does not get set and shouldn't be relied on.
-ansible_distribution_major_version: ""
+linux_ad_ansible_distribution_major_version: '{{ ansible_distribution_major_version|int }}'
+
+linux_ad_ad_info_ad_server: 'dc1.department.ca'
+linux_ad_ad_info_ad_backup_server: 'dc2.department.ca'
+
+linux_ad_rejoin: false
+
+# Home directory of the user. (You can use these variables: %u -login name, %U - UID number, %d - domain name, %f - fully qualified user name (user@domain))
+linux_ad_home_dir: '/home/%d/%u'
+linux_ad_shell: '/bin/bash'
+linux_ad_use_fq_username: true
+
+linux_ad_home_dir_base:
+  - '/home/{{ linux_ad_authconfig_domain }}'
+linux_ad_home_dir_user: 'root'
+linux_ad_home_dir_group: 'root'
+linux_ad_home_dir_mode: 0755
 
-ad_info_ad_server: dc1.department.ca
-ad_info_ad_backup_server: dc2.department.ca
+linux_ad_sudoers_d:
+  - file: linux_ad
+    host: ALL
+    runas: ALL
+    ugid: '%Enterprise\ Admins'
+    nopasswd: true
+    commands:
+      - 'ALL'