From b76326dae1a40350b0032ed80bac9dc2b8b9bfb2 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 15 Feb 2022 16:45:59 +0100
Subject: [PATCH] update..
---
 group_vars/all/main.yml | 9 ++---
 hosts | 5 ++-
 roles/common/tasks/nis-install-client.yml | 9 +++++
 roles/common/tasks/nis-install-server.yml | 42 +++++++++++++++++++++++
 4 files changed, 60 insertions(+), 5 deletions(-)
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 7505448..3e6d2c8 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -1095,10 +1095,11 @@ nis_groups:
 group_id: 1012
 #nis_deleted_user:
-remove_nis_users:
- - name: anna
- - name: birgit
- - name: jonas
+remove_nis_users: []
+#remove_nis_users:
+# - name: anna
+# - name: birgit
+# - name: jonas
 nis_user:
 - name: chris
diff --git a/hosts b/hosts
index a031502..74b9538 100644
--- a/hosts
+++ b/hosts
@@ -9,7 +9,7 @@ ab8.akb.netz
 ab9.akb.netz
 ab11.akb.netz
 ab12.akb.netz
-192.168.63.168
+192.168.63.175 ansible_user=root
 file-akb.akb.netz ansible_user=root
 192.168.82.20 ansible_user=root
 gw-akb.oopen.de ansible_become=true ansible_become_method=sudo ansible_user=chris
@@ -24,6 +24,7 @@ ab8.akb.netz
 ab9.akb.netz
 ab11.akb.netz
 ab12.akb.netz
+192.168.63.175 ansible_user=root
 [nfs_client]
 ab1.akb.netz
@@ -35,6 +36,7 @@ ab8.akb.netz
 ab9.akb.netz
 ab11.akb.netz
 ab12.akb.netz
+192.168.63.175 ansible_user=root
 [nis_client]
 ab1.akb.netz
@@ -46,6 +48,7 @@ ab8.akb.netz
 ab9.akb.netz
 ab11.akb.netz
 ab12.akb.netz
+192.168.63.175 ansible_user=root
 [file_server]
 file-akb.akb.netz ansible_user=root
diff --git a/roles/common/tasks/nis-install-client.yml b/roles/common/tasks/nis-install-client.yml
index 665b378..6276cc0 100644
--- a/roles/common/tasks/nis-install-client.yml
+++ b/roles/common/tasks/nis-install-client.yml
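Review bot: The new `hosts` entries for `192.168.63.175` log in directly as root (`ansible_user=root`), while `gw-akb.oopen.de` in the same file already connects as an unprivileged user with `ansible_become=true ansible_become_method=sudo`; following that pattern for the new host would avoid depending on root SSH login where the host allows it. The variable is also repeated in all four group entries this patch touches. Inventory host variables apply to the host wherever it is listed, so setting it once (or in host_vars) and listing the bare address in the other groups keeps the copies from drifting apart.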
@@ -74,6 +74,15 @@
 - nis-install
 - nis-install-client
+- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'YPBINDARGS' (client)
+ replace:
+ path: /etc/default/nis
+ regexp: '^YPBINDARGS=.*'
+ replace: 'YPBINDARGS='
+ tags:
+ - nis-install
+ - nis-install-client
+
 # ---
 # /etc/{passwd,group,shadow}
diff --git a/roles/common/tasks/nis-install-server.yml b/roles/common/tasks/nis-install-server.yml
index b86cf2a..ceeadf3 100644
--- a/roles/common/tasks/nis-install-server.yml
+++ b/roles/common/tasks/nis-install-server.yml
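Review bot: The task added to `nis-install-client.yml` uses `replace` with `regexp: '^YPBINDARGS=.*'`, which does nothing and reports no error when /etc/default/nis has no such line, so the empty setting is not guaranteed. `lineinfile` with the same `regexp` and `line: 'YPBINDARGS='` would rewrite the line when present and add it when missing. The task also does not say why the ypbind arguments are cleared; a short comment above it stating the intent (for example `# clear ypbind options so the client binds only as configured in /etc/yp.conf`, if that is the goal) would help the next reader. No handler or restart of the NIS client service is visible in this hunk, so the new value may not take effect until the service is restarted elsewhere in the file.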
@@ -37,6 +37,48 @@
 - nis-install-client
+# ---
+# Since Debian 11 (bullseye) password hashing uses 'yescrypt' by default.
+#
+# Note:
+# 'yescrypt' is not supported by Debian 10 (buster) nor by Ubuntu 18.04 and smaller
+#
+# ---
+
+- name: (nis-install-server.yml) Check if file '/etc/pam.d/common-password' exists
+ stat:
+ path: /etc/pam.d/common-password
+ register: file_etc_pam_d_common_password
+ tags:
+ - nis-install
+ - nis-install-server
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ansible_facts['distribution_major_version']|int >= 11
+
+- name: (nis-install-server.yml) Check if default hash for password is 'yescrypt'
+ shell: "grep -i -q -E '^password.+yescrypt' /etc/pam.d/common-password"
+ register: presence_of_passwprd_hashing_yescrypt
+ changed_when:
+ - presence_of_passwprd_hashing_yescrypt.rc < 1
+ failed_when:
+ - presence_of_passwprd_hashing_yescrypt.rc >= 2
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ansible_distribution_major_version|int >= 11
+ - ansible_distribution_major_version|int <= 12
+ - file_etc_pam_d_common_password.stat.exists == True
+
+- name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt
+ shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ansible_facts['distribution_major_version']|int >= 11
+ - ansible_facts['distribution_major_version']|int <= 12
+ - file_etc_pam_d_common_password.stat.exists == True
+ - presence_of_passwprd_hashing_yescrypt is changed
+
+
 # ---
 # /etc/default/nis
 # ---
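Review bot: The third task added to `nis-install-server.yml` is named "... from SHA-512 to yescrypt", but its perl substitution rewrites `yescrypt` to `sha512`, so the name states the opposite of what happens to /etc/pam.d/common-password. Since the header comment gives older clients as the reason, the name and comment should say plainly that hashing is lowered to SHA-512 crypt for compatibility, and that password hashes served through NIS are then only as strong as that scheme. The grep and perl tasks also have no `tags:` while the stat task does, so a run limited to `nis-install-server` may skip the actual change (unless tags are inherited from an include outside this hunk). The register name also has a typo (`passwprd`). A single `replace` task guarded by the existing stat result is idempotent, removes the grep probe and the `changed_when` flag, and can carry the tags, as sketched below.

```yaml
# … unchanged: header comment and the stat task registering file_etc_pam_d_common_password …

- name: (nis-install-server.yml) Change default password hash from yescrypt to SHA-512 (compatibility with older NIS clients)
  replace:
    path: /etc/pam.d/common-password
    regexp: '^(password.+)yescrypt'
    replace: '\1sha512'
  when:
    - ansible_facts['distribution'] == "Debian"
    - ansible_facts['distribution_major_version']|int >= 11
    - ansible_facts['distribution_major_version']|int <= 12
    - file_etc_pam_d_common_password.stat.exists
  tags:
    - nis-install
    - nis-install-server
```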