
I am building a Podman container that runs Samba Active Directory with Bind9 and Freeradius support using Ansible and have run into a bit of a snag.

Samba runs fine with DLZ_BIND as backend in my container, but I need to integrate Freeradius into the container, so I can support logins via VPN.

I am trying to template the following line in /etc/freeradius/3.0/mods-available/mschap:

    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2
      --request-nt-key
      --username={mschap:User-Name}
      --domain={{ ad_info.netbios_domain }}
      --challenge=%{%{mschap:Challenge}:-00}
      --nt-response=%{%{mschap:NT-Response}:-00}"

For the sake of the exercise you can assume that the value of {{ ad_info.netbios_domain }} is EXAMPLE.

It is the only place in the file where I use a Jinja variable.

However, running ansible-playbook makes Ansible basically blow up in my face when it tries to template the file.

I presume it is because the Jinja variable is inserted inside a quoted string? Because a BASH shell script containing the following line will not blow up in Ansible:

    SAMBA_ADMIN_PASSWORD="{{ ad_info.admin_password }}"

So what is the right way to use Jinja when you have a quoted string?

Edit

I made a template containing only the line in question and got the following error from Ansible:

    failed: [myhost.example.com] (item=etc/freeradius/3.0/mods-available/mschap) =>
    {
      "ansible_loop_var": "item",
      "changed": false, "item":
      "etc/freeradius/3.0/mods-available/mschap-jinja",
      "msg": "AnsibleError: template error while templating string: tag name expected.

      String: ntlm_auth = \"/usr/bin/ntlm_auth
        --allow-mschapv2
        --request-nt-key
        --username={mschap:User-Name}
        --domain={{ ad_info.netbios_domain }}
        --challenge=%{%{mschap:Challenge}:-00}
        --nt-response=%{%{mschap:NT-Response}:-00}\"
    "}

1 Answer


The combination {% opens a Jinja statement. To avoid this interpretation put the brace into a variable, e.g.

    BR: '{{ "{" }}'

and use it in the template

    shell> cat mschap.j2
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2
      --request-nt-key
      --username={mschap:User-Name}
      --domain={{ ad_info.netbios_domain }}
      --challenge=%{{ BR }}%{mschap:Challenge}:-00}
      --nt-response=%{{ BR }}%{mschap:NT-Response}:-00}"

The task below should do the job

    - template:
        src: mschap.j2
        dest: mschap
      vars:
        ad_info:
          netbios_domain: EXAMPLE

gives

    shell> cat mschap
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2
      --request-nt-key
      --username={mschap:User-Name}
      --domain=EXAMPLE
      --challenge=%{%{mschap:Challenge}:-00}
      --nt-response=%{%{mschap:NT-Response}:-00}"

Vladimir Botka
  • Thank you. I did have a feeling that I needed to escape at least some of the `%{` characters, since Jinja also uses that syntax for statements. At least I have a way forward from here. :-) – Lasse Michael Mølgaard Feb 06 '22 at 12:06
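
Added example, not part of the question or the answer above: a small pre-flight check that finds every `{%` in a template that cannot be a real Jinja statement (the FreeRADIUS `%{%{...}` pattern) and rewrites it the way the answer does by hand. The function names and the `{% if ad_info.debug %}` line in the sample are hypothetical, the regex is a heuristic, and the `BR` variable must still be defined as `'{{ "{" }}'` in the play.

```python
import re

# "{%" that is not followed by a tag name (optionally after the "-" or "+"
# whitespace-control sign) cannot be an intentional Jinja statement. Jinja
# rejects it with "tag name expected", the error shown in the question.
STRAY_OPENER = re.compile(r"\{%(?![-+]?\s*[A-Za-z_])")


def find_stray_openers(template_text):
    """Return 1-based (line, column) pairs for every stray '{%'."""
    hits = []
    for m in STRAY_OPENER.finditer(template_text):
        line = template_text.count("\n", 0, m.start()) + 1
        column = m.start() - template_text.rfind("\n", 0, m.start())
        hits.append((line, column))
    return hits


def escape_stray_openers(template_text, brace_var="BR"):
    """Replace the '{' of each stray '{%' with '{{ BR }}', as in the answer."""
    return STRAY_OPENER.sub("{{ " + brace_var + " }}%", template_text)


# Constructed sample: three template lines from the question plus one
# hypothetical line holding a genuine Jinja statement that must stay untouched.
SAMPLE = (
    "  --domain={{ ad_info.netbios_domain }}\n"
    "  --challenge=%{%{mschap:Challenge}:-00}\n"
    "  --nt-response=%{%{mschap:NT-Response}:-00}\n"
    "{% if ad_info.debug %}# debug{% endif %}\n"
)

if __name__ == "__main__":
    for line, column in find_stray_openers(SAMPLE):
        print(f"line {line}, column {column}: '{{%' would be parsed as a Jinja statement")
    print(escape_stray_openers(SAMPLE), end="")
```

Running the check over the templates directory before `ansible-playbook` turns the runtime "tag name expected" failure into a line and column that can be fixed in the source template.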