add default domains to sssd rules

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Arden97

linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml

@@ -5,25 +5,29 @@
 # disruption = medium
 {{{ ansible_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}
 
-- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
+
+- name: Ensure that "certificate_verification" is not set in {{{ sssd_conf }}}
   community.general.ini_file:
-      path: /etc/sssd/sssd.conf
+      path: {{{ sssd_conf }}}
       section: sssd
       option: certificate_verification
       state: absent
       mode: 0600
 
-- name: 'Ensure that "certificate_verification" is not set in  /etc/sssd/conf.d/*.conf'
+- name: 'Ensure that "certificate_verification" is not set in {{{ sssd_conf_dir }}}/*.conf'
   community.general.ini_file:
-      path: /etc/sssd/conf.d/*.conf
+      path: {{{ sssd_conf_dir }}}/*.conf
       section: sssd
       option: certificate_verification
       state: absent
       mode: 0600
 
 - name: Ensure that "certificate_verification" is set
   community.general.ini_file:
-      path: /etc/sssd/conf.d/certificate_verification.conf
+      path: {{{ sssd_conf_dir }}}/certificate_verification.conf
       section: sssd
       option: certificate_verification
       value: "ocsp_dgst={{ var_sssd_certificate_verification_digest_function }}"

linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh

@@ -11,8 +11,12 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
-MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
 
-{{{ bash_ensure_ini_config("$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "certificate_verification", "ocsp_dgst=$var_sssd_certificate_verification_digest_function") }}}
+MAIN_CONF="$SSSD_CONF_DIR/certificate_verification.conf"
+
+{{{ bash_ensure_ini_config("$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf", "sssd", "certificate_verification", "ocsp_dgst=$var_sssd_certificate_verification_digest_function") }}}
 
 umask $OLD_UMASK

linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml

@@ -4,14 +4,18 @@
 # complexity = low
 # disruption = medium
 
-- name: {{{ rule_title }}} - Find all the conf files inside the /etc/sssd/conf.d/ directory
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
+
+- name: {{{ rule_title }}} - Find all the conf files inside the {{{ sssd_conf_dir }}} directory
   ansible.builtin.find:
     paths:
-    - "/etc/sssd/conf.d/"
+    - "{{{ sssd_conf_dir }}}"
     patterns: "*.conf"
   register: sssd_conf_d_files
 
-- name: {{{ rule_title }}} - Modify lines in files in the /etc/sssd/conf.d/ directory
+- name: {{{ rule_title }}} - Modify lines in files in the {{{ sssd_conf_dir }}} directory
   ansible.builtin.replace:
     path: "{{ item }}"
     regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$'
@@ -20,32 +24,32 @@
   register: modify_lines_sssd_conf_d_files
   when: sssd_conf_d_files.matched is defined and sssd_conf_d_files.matched >= 1
 
-- name: {{{ rule_title }}} - Find /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Find {{{ sssd_conf }}}
   ansible.builtin.stat:
-    path: /etc/sssd/sssd.conf
+    path: {{{ sssd_conf }}}
   register: sssd_conf_file
 
-- name: {{{ rule_title }}} - Modify lines in /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Modify lines in {{{ sssd_conf }}}
   ansible.builtin.replace:
-    path: "/etc/sssd/sssd.conf"
+    path: "{{{ sssd_conf }}}"
     regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$'
     replace: '\1,pam'
   register: modify_lines_sssd_conf_file
   when: sssd_conf_file.stat.exists
 
-- name: {{{ rule_title }}} - Find services key in /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Find services key in {{{ sssd_conf }}}
   ansible.builtin.replace:
-    path: "/etc/sssd/sssd.conf"
+    path: "{{{ sssd_conf }}}"
     regexp: '^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+'
     replace: ''
   changed_when: false
   check_mode: true
   register: sssd_conf_file_services
   when: sssd_conf_file.stat.exists
 
-- name: {{{ rule_title }}} - Insert entry to /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Insert entry to {{{ sssd_conf }}}
   community.general.ini_file:
-    path: /etc/sssd/sssd.conf
+    path: {{{ sssd_conf }}}
     section: sssd
     option: services
     value: pam

linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh

@@ -8,16 +8,13 @@ OLD_UMASK=$(umask)
 umask u=rw,go=
 
 SSSD_CONF="/etc/sssd/sssd.conf"
-SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
 
-if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then
-    mkdir -p /etc/sssd
-    touch "$SSSD_CONF"
-fi
 
 # Flag to check if there is already services with pam
 service_already_exist=false
-for f in $SSSD_CONF $SSSD_CONF_DIR; do
+for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
 	if [ ! -e "$f" ]; then
 		continue
 	fi
@@ -39,7 +36,7 @@ done
 
 # If there was no service in [sssd], add it to first config
 if [ "$service_already_exist" = false ]; then
-    for f in $SSSD_CONF $SSSD_CONF_DIR; do
+    for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
         cat << EOF >> "$f"
 [sssd]
 services = pam

linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml

@@ -3,44 +3,26 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
-- name: "Test for domain group"
-  ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
-  register: test_grep_domain
-  failed_when: false
-  changed_when: False
-  check_mode: no
-
-- name: "Add default domain group (if no domain there)"
-  community.general.ini_file:
-    path: /etc/sssd/sssd.conf
-    section: "{{ item.section }}"
-    option: "{{ item.option }}"
-    value: "{{ item.value }}"
-    create: yes
-    mode: 0600
-  with_items:
-    - { section: sssd, option: domains, value: default}
-    - { section: domain/default, option: id_provider, value: files }
-  when:
-    - test_grep_domain.stdout is defined
-    - test_grep_domain.stdout | length < 1
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
 
 - name: "Enable Smartcards in SSSD"
   community.general.ini_file:
-    dest: /etc/sssd/sssd.conf
+    dest: {{{ sssd_conf }}}
     section: pam
     option: pam_cert_auth
     value: 'True'
     create: yes
     mode: 0600
 
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside {{{ sssd_conf_dir }}}
   ansible.builtin.find:
-    paths: "/etc/sssd/conf.d/"
+    paths: "{{{ sssd_conf_dir }}}"
     patterns: "*.conf"
   register: sssd_conf_d_files
 
-- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d/
+- name: Fix pam_cert_auth configuration in {{{ sssd_conf_dir }}}
   ansible.builtin.replace:
     path: "{{ item.path }}"
     regexp: '[^#]*pam_cert_auth.*'

linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh

@@ -9,7 +9,11 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
-{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "pam", "pam_cert_auth", "True") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+
+{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "pam_cert_auth", "True") }}}
 
 umask $OLD_UMASK
 

linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml

@@ -5,31 +5,13 @@
 # disruption = medium
 {{{ ansible_instantiate_variables("var_sssd_memcache_timeout") }}}
 
-- name: "Test for domain group"
-  ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
-  register: test_grep_domain
-  failed_when: false
-  changed_when: False
-  check_mode: no
-
-- name: "Add default domain group (if no domain there)"
-  community.general.ini_file:
-    path: /etc/sssd/sssd.conf
-    section: "{{ item.section }}"
-    option: "{{ item.option }}"
-    value: "{{ item.value }}"
-    create: yes
-    mode: 0600
-  with_items:
-    - { section: sssd, option: domains, value: default}
-    - { section: domain/default, option: id_provider, value: files }
-  when:
-    - test_grep_domain.stdout is defined
-    - test_grep_domain.stdout | length < 1
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
 
 - name: "Configure SSSD's Memory Cache to Expire"
   community.general.ini_file:
-    dest: /etc/sssd/sssd.conf
+    dest: {{{ sssd_conf }}}
     section: nss
     option: memcache_timeout
     value: "{{ var_sssd_memcache_timeout }}"

linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh

@@ -7,6 +7,10 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
-{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "nss", "memcache_timeout", "$var_sssd_memcache_timeout") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+
+{{{ bash_ensure_ini_config("$SSSD_CONF", "nss", "memcache_timeout", "$var_sssd_memcache_timeout") }}}
 
 umask $OLD_UMASK

linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml

@@ -3,44 +3,26 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
-- name: "Test for domain group"
-  ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
-  register: test_grep_domain
-  failed_when: false
-  changed_when: False
-  check_mode: no
-
-- name: "Add default domain group (if no domain there)"
-  community.general.ini_file:
-    path: /etc/sssd/sssd.conf
-    section: "{{ item.section }}"
-    option: "{{ item.option }}"
-    value: "{{ item.value }}"
-    create: yes
-    mode: 0600
-  with_items:
-    - { section: sssd, option: domains, value: default}
-    - { section: domain/default, option: id_provider, value: files }
-  when:
-    - test_grep_domain.stdout is defined
-    - test_grep_domain.stdout | length < 1
+{{% set sssd_conf = "/etc/sssd/sssd.conf" -%}}
+{{% set sssd_conf_dir = "/etc/sssd/conf.d" -%}}
+{{{ ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) }}}
 
 - name: "Configure SSD to Expire Offline Credentials"
   community.general.ini_file:
-    dest: /etc/sssd/sssd.conf
+    dest: {{{ sssd_conf }}}
     section: pam
     option: offline_credentials_expiration
     value: 1
     create: yes
     mode: 0600
 
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside {{{ sssd_conf_dir }}}
   ansible.builtin.find:
-    paths: "/etc/sssd/conf.d/"
+    paths: "{{{ sssd_conf_dir }}}"
     patterns: "*.conf"
   register: sssd_conf_d_files
 
-- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d/
+- name: Fix offline_credentials_expiration configuration in {{{ sssd_conf_dir }}}
   ansible.builtin.replace:
     path: "{{ item.path }}"
     regexp: '[^#]*offline_credentials_expiration.*'

linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh

@@ -9,6 +9,10 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
-{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "pam", "offline_credentials_expiration", "1") }}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+{{{ bash_sssd_ensure_default_domain("$SSSD_CONF", "$SSSD_CONF_DIR") }}}
+
+{{{ bash_ensure_ini_config("$SSSD_CONF $SSSD_CONF_DIR/*.conf", "pam", "offline_credentials_expiration", "1") }}}
 
 umask $OLD_UMASK