pulibrary · kayiwa · Jan 8, 2025 · Jan 2, 2025 · Jan 2, 2025 · Jan 2, 2025
diff --git a/.github/workflows/molecule_tests.yml b/.github/workflows/molecule_tests.yml
@@ -83,7 +83,6 @@ jobs:
           # - ruby
           - ruby_s
           - samba
-          - sssd_ad
           # - saxon
           - shared_data
           # - shibboleth

diff --git a/group_vars/bibdata/common.yml b/group_vars/bibdata/common.yml
@@ -20,10 +20,9 @@ bibdata_admin_netids:
   - mk8066
   - mzelesky
   - pdiskin
-  - pmgreen
   - rl8282
   - tpend
   - bd4538
 # The playbook is failing because of https://github.com/pulibrary/princeton_ansible/issues/4938
-# deploy_id_rsa_private_key: "{{  lookup('file', '../roles/lib_sftp/files/id_rsa')  }}\n"
+deploy_id_rsa_private_key: "{{ lookup('file', '../roles/lib_sftp/files/id_ed25519') }}\n"
 alma_api_limit: 150000
diff --git a/group_vars/lib_jobs/common.yml b/group_vars/lib_jobs/common.yml
@@ -31,7 +31,6 @@ lib_jobs_admin_netids:
   - mk8066
   - mzelesky
   - pdiskin
-  - pmgreen
   - rl8282
 # shared rails variables
 rails_app_vars:

diff --git a/group_vars/lib_jobs/staging.yml b/group_vars/lib_jobs/staging.yml
@@ -16,7 +16,7 @@ app_oit_client_secret: '{{ vault_oit_prod_client_secret }}'
 install_mailcatcher: true
 mailcatcher_group: 'pulsys'
 mailcatcher_user: 'pulsys'
-#lib-sftp
+# lib-sftp
 app_sftp_host: 'lib-sftp-staging1.princeton.edu'
 # Database / Postgres
 app_db_name: 'lib_jobs_staging'

diff --git a/group_vars/sftp/common.yml b/group_vars/sftp/common.yml
@@ -1,6 +1,6 @@
 ---
-auth_rule_one: "{{ vault_auth_rule_one }}"
-auth_rule_two: "{{ vault_auth_rule_two }}"
-auth_rule_three: "{{ vault_auth_rule_three }}"
-auth_rule_dev: "{{ vault_auth_rule_dev }}"
-almasftp_user_password: "{{ vault_almasftp_salted_user_password }}"
+almasftp_user: almasftp
+aspaceftp_user: lib-aspacesftp
+allowed_ssh_users:
+  - almasftp
+  - lib-aspacesftp
diff --git a/group_vars/sftp/production.yml b/group_vars/sftp/production.yml
@@ -1,9 +1,4 @@
 ---
-sssd_domain: "{{ vault_sssd_domain }}"
-sssd_uris:
-  - "{{ vault_sssd_uri1 }}"
-sssd_search_base: "{{ vault_sssd_search_base }}"
-sssd_bind_dn: "{{ vault_sssd_bind_dn }}"
-sssd_bind_dn_password: "{{ vault_sssd_dn_password }}"
 host_ad_name: lib-sftp-prod1.princeton.edu
-deploy_user_uid: 1003
+deploy_user_local_keys:
+  - { name: 'bibdata-worker-staging1', key: "{{ lookup('file', '../roles/lib_sftp/files/id_ed25519.pub') }}" }
diff --git a/group_vars/sftp/staging.yml b/group_vars/sftp/staging.yml
@@ -1,10 +1,4 @@
 ---
-sssd_domain: "{{ vault_sssd_domain }}"
-sssd_uris:
-  - "{{ vault_sssd_uri1 }}"
-sssd_search_base: "{{ vault_sssd_search_base }}"
-sssd_bind_dn: "{{ vault_sssd_bind_dn }}"
-sssd_bind_dn_password: "{{ vault_sssd_dn_password }}"
 host_ad_name: sftp-staging1.princeton.edu
 deploy_user_local_keys:
-  - { name: 'bibdata-worker-staging1', key: "{{ lookup('file', '../roles/lib_sftp/files/id_rsa.pub') }}" }
+  - { name: 'bibdata-worker-staging1', key: "{{ lookup('file', '../roles/lib_sftp/files/id_ed25519.pub') }}" }
diff --git a/group_vars/sftp/vault.yml b/group_vars/sftp/vault.yml
@@ -1,50 +1,11 @@
 $ANSIBLE_VAULT;1.1;AES256
-31613931316131343938386136656433623866613766343730616333373536616537393034363438
-3063616136653162343135346335306335326230623437320a343363323763643466663239343461
-37376633363465373330383766323433303330336133313635333061356133313339373239356233
-3432663637646337330a333536376336316232383533386665643735396166646139333536623862
-37373836356363323835343862306435373438346663653036363732666238663632616632643737
-38663364646361323861363662316235636664333661333765646139373437623431653630323637
-66336163363932373837333435323834363562653335356432623963343063626630633163633734
-37313033333430663631313832353565363066373630623537306663663834333637336435653762
-38346564393836353162386362303662623735376139396436363835653431336533303631333562
-31373462386236623762323639643133633938333265303962396166336463326632393133653364
-37303763306665366533333839346263336636613330656532343231396631656334383234313034
-31323438623938316436393839313335663939653534373730303131336638613830336665383666
-66333837353066323836303730636234666134656433393466396435636531306436323531356162
-30323935393862343264313863643831303462386239636631303735333133353235393664363639
-61323431356436303637636431663439313166316365623565373165633736306533343734323236
-35333931373066303432616566356532313534666336333937663664373139333663633731323437
-35633834353466666532663261313639353136316465313331656436383533383834313530343937
-63616339393837343032353636393530633830336638353232636263336461633430393264336134
-31363033366239343166393162363330323666373336316338383630333962343066666636303437
-65333764656136366365376466316338373264303032326539326435326664656365613439373332
-36383534316664663964393766343664646631613861383135383533376236376565366239633433
-33653234613337646131306533346361386539373161383531366466326539356235633738346132
-63653632623735346261306535393761376562323135626238363865356564393136363534306666
-66393465313063373631343465643264613639393833616236303730383730373631326632313636
-30323238363738666531656438353165303230636364626230343231383434663064613938663436
-65666632333036396536646230653961623563386331653538613238373462313734313634333133
-30383561633364613731353964373039313432356638623137356332623435636264336464653165
-35643634633938376363313665323461643039343162646238373331396435366636663763353933
-61643536396237643064623764643363666637343131393332613834653233316435346161343434
-33316165666238393066393463386534313266343765643333393335356163643634333838353264
-66623666373435643662316233393466386133353135393634363364353534343936373162363963
-36393962663432316264323130636361316132396434386232663239346163653232653065343732
-38353938326162353234316339353833373331326564663665353332643330656133333338336265
-38313737333733313839373863333265393730313239633061336432306237383936373963323032
-65346536396335646563396461613831393339336238316237636661393266336337646564323065
-66616664353737613965363464306139663838333166393530383834343864613934323462316434
-36316161366464666130633736363162336437636537626135323238636535336230393862366165
-62363638653130316134643932623237323635316664323162623166323839646233383634353638
-65636137303833306234333433623462393033333934363465633637313935326135333231323433
-36656339353533613036613630663135353966663664356531636636323234356436613437326630
-31653633613239323965316238303732313839613539353764626131303662326131306566333539
-65336661663930383461663263396434303335363838306463366238346563303863303236326465
-66363831633566353737626162333763376631626165613232636335376333636433626336636338
-34326233633033623638373766386365363564376137306366616630653039343136376433653130
-36643431616534373432376332303039373161653836613931613864653431643164623030333933
-61313761363939613838333833373763323136656266343235613736343434363963316130313966
-30656431643630366439643231313462386439643162313737353164343330616235303133656362
-62303533306664376436316233636230333939366262386466633036376139386231333866643065
-3264
+37333866633765646566316337636565316234383633366238356339653239626432306132623430
+6166376332323766306639316139346364336363663930660a313133336465626531653965386230
+35643761313963656438356564323538333738646133393165376339623135373631376365373937
+3430343966353066320a646533633332376334376436393861323831343030376361376638626462
+36663265366431373864313936353038613232323032306266306138636132383237663539653530
+62306166313633303434366663396162323434626339303462653061366233333335616239323730
+35306566346432643633326632396132643333383064616131353665366562623839666137303666
+64623932326463303563396533633961646463386361626330363461363936393736336666663761
+66643934386165346462353964316535386563336139373962366364356263343531336465333435
+3833623833393838626465643230613761363935376237386637
diff --git a/inventory/all_projects/lib_sftp b/inventory/all_projects/lib_sftp
@@ -1,5 +1,7 @@
 
 [libsftp_staging]
 lib-sftp-staging1.princeton.edu
+lib-sftp-test1.princeton.edu
+lib-sftp-test2.princeton.edu
 [libsftp_production]
 lib-sftp-prod1.princeton.edu
diff --git a/playbooks/lib_sftp.yml b/playbooks/lib_sftp.yml
@@ -17,7 +17,7 @@
 
   pre_tasks:
     - set_fact:
-        deploy_id_rsa_private_key: "{{  lookup('file', '../roles/lib_sftp/files/id_rsa')  }}\n"
+        deploy_id_rsa_private_key: "{{ lookup('file', '../roles/lib_sftp/files/id_ed25519') }}\n"
 
   vars_files:
     - ../group_vars/sftp/vault.yml

diff --git a/playbooks/utils/ad_join.yml b/playbooks/utils/ad_join.yml
@@ -0,0 +1,34 @@
+---
+# by default this playbook runs in the staging environment
+# to run in production, pass '-e runtime_env=production'
+# To allow a new user to log in run
+#
+# `ansible-playbook -v playbooks/lib_sftp.yml -e [email protected] -t add_sftp_user`
+#
+- name: bind {{ inventory_hostname }} to AD
+  hosts: all
+  remote_user: pulsys
+  become: true
+
+  vars_files:
+    - ../group_vars/all/vault.yml
+    - ../group_vars/all/vars.yml
+    - ../group_vars/sftp/common.yml
+    - ../group_vars/sftp/{{ runtime_env | default('staging') }}.yml
+
+  pre_tasks:
+      - name: stop playbook if you didn't use --limit
+        fail:
+          msg: "you must use -l or --limit"
+        when: ansible_limit is not defined
+        run_once: true
+
+  roles:
+    - role: ../roles/ad_join
+
+  post_tasks:
+    - name: tell everyone on slack you ran an ansible playbook
+      community.general.slack:
+        token: "{{ vault_pul_slack_token }}"
+        msg: "Ansible ran `{{ ansible_play_name }}` on {{ inventory_hostname }}"
+        channel: "{{ slack_alerts_channel }}"
diff --git a/roles/ad_join/README.md b/roles/ad_join/README.md
@@ -0,0 +1,62 @@
+# ad_join
+
+This Ansible role configures a Rocky Linux 9 or Ubuntu system to join an Active Directory domain. It installs necessary packages, configures `sssd`, `krb5`, and PAM, and joins the system to the specified domain.
+
+## Description
+
+This role performs the following actions:
+
+1.  Installs required packages: `realmd`, `sssd`, `oddjob`, `oddjob-mkhomedir`, `samba-common-tools`, `adcli`, `krb5-workstation`, and `openldap-clients`, `authselect-compat`.
+2.  Creates a custom `authselect` profile for PAM configuration with `sssd` preferred for authentication.
+3.  Copies and extracts a pre-configured custom PAM configuration to ensure proper authentication order.
+4.  Templates and deploys the `sssd.conf` and `krb5.conf` configuration files.
+5.  Discovers the AD realm.
+6.  Joins the system to the AD domain using `realm join`.
+7.  Enables and starts the `sssd` and `oddjobd` services.
+8.  Configures the `sssd.conf` file to not use StartTLS, not to require a certificate, disables the Global Catalog lookups, sets the search base, and removes the `ad_access_filter`.
+9.  Ensures the system time is synchronized using `chrony`.
+10. Adds the necessary Kerberos Key Distribution Centers (KDCs) to the `krb5.conf` file.
+11. Sets SELinux to permissive mode temporarily during configuration.
+12. Ensures necessary log files and directories exist with appropriate permissions.
+13. Enables Kerberos and GSSAPI authentication in the SSH server configuration.
+14. Performs post-configuration checks, including testing Kerberos ticket acquisition, LDAP search connectivity, domain status, and user/group information retrieval.
+
+## Requirements
+
+* Ansible 2.9 or higher.
+* A target system running Rocky Linux 9 (tested throughly and successfully) or Ubuntu.
+* Network connectivity to the Active Directory domain.
+* An Active Directory user account with sufficient privileges to join computers to the domain.
+* A pre-configured custom PAM configuration packaged as `custom_pul_sssd.tar.gz` and placed in the `templates/` directory of the role.
+* Access to [OIT AD Machine Registration Tool](https://tools.princeton.edu/Dept/) to register a new Active Directory name
+
+## Role Variables
+
+### Default Variables (`defaults/main.yml`)
+
+*   `ad_join_ad_domain`: The Active Directory domain to join (e.g., `pu.win.princeton.edu`).
+*   `ad_join_ad_realm`: The Kerberos realm, usually the uppercase version of the AD domain (e.g., `PU.WIN.PRINCETON.EDU`).
+*   `ad_join_admin_user`: An AD user with privileges to join computers to the domain (defaults to doas-libsftp).
+*   `ad_join_admin_password`: The password for the `admin_user`. **It is highly recommended to use Ansible Vault to encrypt this variable.**
+*   `ad_join_computer_ou`: The organizational unit (OU) in AD where the computer object will be created.
+*   `ad_join_create_home_dir`: Whether to enable automatic home directory creation for AD users (true/false).
+*   `ad_join_default_shell`: The default shell for AD users (e.g., `/bin/bash`).
+
+### Other Variables (`vars/main.yml`)
+
+*   `ad_join_packages`: A list of required packages to install.
+*   `ad_join_sssd_config_file`: Path to the `sssd.conf` file.
+*   `ad_join_krb5_config_file`: Path to the `krb5.conf` file.
+*   `ad_join_authselect_custom_path`: Path to the custom `authselect` profile directory.
+*   `ad_join_authselect_profile_name`: Name of the custom `authselect` profile.
+
+## Example Playbook
+
+```yaml
+---
+- hosts: your_rocky9_vm
+  become: true
+  roles:
+    - role: ad_join
+      vars:
+        ad_join_admin_password: "{{ vault_admin_password }}"
diff --git a/roles/ad_join/defaults/main.yml b/roles/ad_join/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+# defaults file for roles/ad_join
+ad_join_ad_domain: pu.win.princeton.edu
+ad_join_ad_realm: PU.WIN.PRINCETON.EDU
+ad_join_admin_user: "doas-libsftp"
+ad_join_admin_password: "{{ sssd_bind_dn_password }}"
+ad_join_computer_ou: "OU=Library,DC=pu,DC=win,DC=princeton,DC=edu"
+ad_join_create_home_dir: true
+ad_join_default_shell: /bin/bash
+allowed_ssh_users:
+  - ac2754
+  - ar1789
+  - fkayiwa
+  - vk4273
diff --git a/roles/ad_join/files/custom_pul_sssd.tar.gz b/roles/ad_join/files/custom_pul_sssd.tar.gz
diff --git a/roles/ad_join/files/krb5.conf b/roles/ad_join/files/krb5.conf
@@ -0,0 +1,37 @@
+[logging]
+    default = FILE:/var/log/krb5libs.log
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+    dns_lookup_realm = true
+    dns_lookup_kdc = true
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = yes
+    rdns = false
+    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+    spake_preauth_groups = edwards25519
+    dns_canonicalize_hostname = fallback
+    qualify_shortname = ""
+    default_ccache_name = KEYRING:persistent:%{uid}
+    udp_preference_limit = 0
+    default_realm = PU.WIN.PRINCETON.EDU
+
+[realms]
+    PU.WIN.PRINCETON.EDU = {
+        kdc = pdom09.pu.win.princeton.edu
+        kdc = pdom10.pu.win.princeton.edu
+        kdc = pdom11.pu.win.princeton.edu
+        kdc = pdom12.pu.win.princeton.edu
+        kdc = pdom13.pu.win.princeton.edu
+        kdc = pdom14.pu.win.princeton.edu
+        kdc = pdom15.pu.win.princeton.edu
+        kdc = pdom16.pu.win.princeton.edu
+        admin_server = pdom15.pu.win.princeton.edu
+        auth_to_local = RULE:[1:$0](^.*@PU.WIN.PRINCETON.EDU$)s/@.*//
+      }
+
+[domain_realm]
+.pu.win.princeton.edu = PU.WIN.PRINCETON.EDU
+pu.win.princeton.edu = PU.WIN.PRINCETON.EDU
diff --git a/roles/ad_join/files/sssd.conf b/roles/ad_join/files/sssd.conf
@@ -0,0 +1,22 @@
+[sssd]
+domains = pu.win.princeton.edu
+config_file_version = 2
+services = nss, pam, pac
+
+[domain/PU.WIN.PRINCETON.EDU]
+default_shell = /bin/bash
+krb5_store_password_if_offline = True
+cache_credentials = True
+krb5_realm = PU.WIN.PRINCETON.EDU
+ad_domain = pu.win.princeton.edu
+realmd_tags = manages-system joined-with-adcli
+id_provider = ad
+auth_provider = ad
+chpass_provider = ad
+access_provider = ad
+fallback_homedir = /home/%u@%d
+use_fully_qualified_names = False
+ldap_id_mapping = False
+ldap_disable_gc = True
+ldap_search_base = dc=pu,dc=win,dc=princeton,dc=edu
+ad_gpo_ignore_unreadable = true
diff --git a/roles/sssd_ad/handlers/main.yml → roles/ad_join/handlers/main.yml b/roles/sssd_ad/handlers/main.yml → roles/ad_join/handlers/main.yml
@@ -1,11 +1,11 @@
 ---
-# handlers file sssd_ad
-- name: restart sshd
+# handlers file for roles/ad_join
+- name: Restart sssd
   ansible.builtin.service:
-    name: sshd
+    name: sssd
     state: restarted
 
-- name: restart sssd
-  service:
-    name: sssd
+- name: Restart sshd
+  ansible.builtin.service:
+    name: sshd
     state: restarted
diff --git a/roles/sssd_ad/meta/main.yml → roles/ad_join/meta/main.yml b/roles/sssd_ad/meta/main.yml → roles/ad_join/meta/main.yml
@@ -1,13 +1,13 @@
 ---
 galaxy_info:
-  role_name: system_ldap
+  role_name: ad_join
   company: Princeton University Library
-  description: System_LDAP
+  description: binds and enpoint to active directory
   author: pulibrary
 
   license: MIT
 
-  min_ansible_version: 2.2
+  min_ansible_version: 2.9
 
   platforms:
     - name: Ubuntu

diff --git a/roles/ad_join/molecule/default/converge.yml b/roles/ad_join/molecule/default/converge.yml
@@ -0,0 +1,10 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    - running_on_server: false
+  become: true
+  tasks:
+    - name: "Include ad_join"
+      ansible.builtin.include_role:
+        name: ad_join
diff --git a/roles/sssd_ad/molecule/default/molecule.yml → roles/ad_join/molecule/default/molecule.yml b/roles/sssd_ad/molecule/default/molecule.yml → roles/ad_join/molecule/default/molecule.yml
@@ -9,7 +9,7 @@ lint: |
   ansible-lint
 platforms:
   - name: instance
-    image: "ghcr.io/pulibrary/pul_containers:jammy_multi"
+    image: "ghcr.io/pulibrary/pul_containers:rocky_multi"
     command: "sleep infinity"
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
-Original file line number
+Diff line change
@@ Expand Up / @@ -31,7 +31,6 @@ lib_jobs_admin_netids: @@
       - mk8066
       - mzelesky
       - pdiskin
-      - pmgreen
       - rl8282
     # shared rails variables
     rails_app_vars:
@@ Expand Down @@