Debian 11 domain joining via Ansible: "Conditional result was False"


Question


I've been trying to troubleshoot this task but to no avail. Hoping someone can help me out. This particular playbook is from wolffhaven.

The error I'm receiving is here. I've tried to add various debug options to the task but nothing gets outputted.

> TASK [domain_join : Join system to AD] ************************************
> task path: /etc/ansible/playbooks/ansible-realmd/roles/domain_join/tasks/main.yml:82
> skipping: [10.112.2.183] => {
> "changed": false,
> "skip_reason": "Conditional result was False"

The task is as follows:

- name: Join system to AD
  expect:
    command: /usr/sbin/realm join --membership-software=adcli {{ realm_domain }} --computer-ou='{{ realm_ad_ou }}' --user={{ kerberos_user }}
    responses:
      (?i)Password: "{{ kerberos_user_password }}"
  ignore_errors: yes
  when: realm_list_results.stdout == ""
  become: true
  tags: adjoin

and here's the full role..

---
# tasks that run after a new deployment

- name: Load Secrets
  include_vars: "secrets.yml"

- name: Load Variables
  include_vars: "vars.yml"

- name: Install pip
  apt: 
    name: python3-pip
    state: present
    update_cache: yes

- name: Install pexpect
  pip: 
    name: pexpect
    state: present  

- name: Install AD Domain packages
  apt: 
    name: "{{ item }}"
    state: present 
    update_cache: yes
  with_items:
    - realmd
    - sssd
    - adcli
    - krb5-user
    - sssd-tools
    - samba-common
    - packagekit
    - samba-common-bin
    - samba-libs
  tags: ad

- name: Copy realmd.conf
  template: 
    src: realmd.conf.j2
    dest: /etc/realmd.conf
    owner: root
    group: root
    mode: 0644
  tags: ad

- name: Copy krb5.conf
  template: 
    src: krb5.conf.j2
    dest: /etc/krb5.conf
    backup: yes
    owner: root
    group: root
    mode: 0644
  tags: ad

- name: Discover realm
  command: /bin/bash -c "/usr/sbin/realm discover {{ realm_domain }}"
  register: realm_discover_results
  tags: ad

- name: Discover realm debug
  debug: 
    msg: "{{ realm_discover_results.stdout }}"

- name: Create kerberos ticket
  expect:
    command: /bin/bash -c "/usr/bin/kinit -V {{ kerberos_user }}"
    responses:
      (?i)Password: "{{ kerberos_user_password }}"
  tags: ad

- name: Checking to see if system is already joined to AD
  command: /bin/bash -c "/usr/sbin/realm list"
  register: realm_list_results
  tags: adlist

- name: Debug realm_list_results
  debug:
    msg: "{{ realm_list_results.stdout }}"

- name: Join system to AD
  expect:
    command: /usr/sbin/realm join --membership-software=adcli {{ realm_domain }} --computer-ou='{{ realm_ad_ou }}' --user={{ kerberos_user }}
    responses:
      (?i)Password: "{{ kerberos_user_password }}"  
  ignore_errors: yes
  when: realm_list_results.stdout == ""
  become: true
  tags: adjoin

- name: Copy sudoers file for safety
  command: cp -f /etc/sudoers /etc/sudoers.tmp

- name: Create sudoers file backup
  command: cp -f /etc/sudoers /etc/sudoers.bak

- name: Add domain admins group to sudoers
  lineinfile: dest=/etc/sudoers.tmp state=present line='%domain\ admins ALL=(ALL:ALL) ALL' regexp='^%domain'

- name: Final sudoers file check
  shell: visudo -q -c -f /etc/sudoers.tmp && cp -f /etc/sudoers.tmp /etc/sudoers

- name: Copy sssd.conf
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: 0644
  tags: ad

- name: Copy pam common-session
  template: 
    src: common-session.j2
    dest: /etc/pam.d/common-session
    owner: root
    group: root
    mode: 0644
  tags: ad

Answer 1

Score: 1

The "skip_reason": "Conditional result was False" simply means that the condition when: realm_list_results.stdout == "" has not been met.

Try to debug the command /bin/bash -c "/usr/sbin/realm discover {{ realm_domain }}" on the target/remote system.

The stdout of the command has to be an empty string "" to meet the when condition.
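
An added example (not part of the original answer or the asker's role) showing one way to print the exact value the `when:` test compares and to gate the join on it explicitly. It reuses the role's variable names; `realm_joined` is a hypothetical fact name, and adding `no_log` and dropping `ignore_errors` are choices made here, not something the page prescribes.

```yaml
# Added example: reuses realm_domain, realm_ad_ou, kerberos_user and
# kerberos_user_password from the role; realm_joined is hypothetical.

- name: Check whether the system is already joined to AD
  command: /usr/sbin/realm list
  register: realm_list_results
  changed_when: false          # read-only query, should never report "changed"
  tags: [adlist, adjoin]       # also runs under --tags adjoin, so the variable is defined

- name: Show exactly what the join condition will compare
  debug:
    msg:
      rc: "{{ realm_list_results.rc }}"
      stdout_lines: "{{ realm_list_results.stdout_lines }}"
      stdout_is_empty: "{{ realm_list_results.stdout == '' }}"
  tags: [adlist, adjoin]

- name: Record join state as a fact
  set_fact:
    # Any non-whitespace output from "realm list" is treated as "already joined".
    realm_joined: "{{ realm_list_results.stdout | trim | length > 0 }}"
  tags: [adlist, adjoin]

- name: Join system to AD
  expect:
    command: >-
      /usr/sbin/realm join --membership-software=adcli {{ realm_domain }}
      --computer-ou='{{ realm_ad_ou }}' --user={{ kerberos_user }}
    responses:
      (?i)Password: "{{ kerberos_user_password }}"
  no_log: true                 # keeps the password out of task output and logs
  when: not (realm_joined | bool)
  become: true
  tags: adjoin
  # ignore_errors is left out on purpose: a failed join stops the play here
  # instead of continuing on to the sudoers, sssd.conf and PAM tasks.
```

If the debug task shows a non-empty `stdout_lines`, the skip is expected: `realm list` already reports a configured realm on that host.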


huangapple
  • Published on March 1, 2023 at 11:24:57
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75599304.html