From 61569e21b4e5c95adf90c5f409050dfad83b5722 Mon Sep 17 00:00:00 2001
From: Michael Pellegrino
Date: Sun, 29 Aug 2021 11:40:53 -0400
Subject: [PATCH 1/2] updates to samba roles todo: set samba acl - currently manual via compmgmt.msc todo: dynamic dns update?
---
roles/role-samba4-ad-member/defaults/main.yml | 8 ++
roles/role-samba4-ad-member/tasks/main.yml | 45 ++++++++++-
.../tasks/ubt-2004-amd64.yml | 3 +-
.../role-samba4-ad-member/templates/hosts.j2 | 8 ++
.../templates/smb.conf.j2 | 21 +++++
.../tasks/ubuntu-2004-amd64.yml | 5 +-
.../templates/hosts.j2 | 7 ++
samba-dc.yml | 8 +-
samba.yml | 79 +++++++------------
test.yml | 13 +++
10 files changed, 140 insertions(+), 57 deletions(-)
create mode 100644 roles/role-samba4-ad-member/templates/hosts.j2
create mode 100644 roles/role-samba4-primary-ad-dc/templates/hosts.j2
create mode 100644 test.yml
diff --git a/roles/role-samba4-ad-member/defaults/main.yml b/roles/role-samba4-ad-member/defaults/main.yml
index bdfc667..6296819 100755
--- a/roles/role-samba4-ad-member/defaults/main.yml
+++ b/roles/role-samba4-ad-member/defaults/main.yml
@@ -53,3 +53,11 @@ smb_multicastdns : 'no'
 smb_dnssec : 'no'
 smb_cache : 'yes'
 smb_dnsstublistener : 'yes'
+
+#share defaults
+public_share_name: share
+public_share_path: /media/share
+private_share_name: private
+private_share_path: /media/private
+samba_group_name: Domain\ Users
+
diff --git a/roles/role-samba4-ad-member/tasks/main.yml b/roles/role-samba4-ad-member/tasks/main.yml
index 2b74bba..0df65d5 100644
--- a/roles/role-samba4-ad-member/tasks/main.yml
+++ b/roles/role-samba4-ad-member/tasks/main.yml
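Review bot: `samba_group_name: Domain\ Users` is a plain YAML scalar, so the backslash is part of the value (plain scalars process no escapes); every consumer then sees the literal string `Domain\ Users` — the `file` task added to tasks/main.yml in this commit passes it to `group:`, and smb.conf.j2 expands it to `valid users = @Domain\ Users`, where the unquoted space splits the list. Write the name without the shell-style escape, `samba_group_name: 'Domain Users'`, and let each point of use quote it the way that consumer requires. Whether the NSS name also carries a `VSRAPOC\` prefix depends on the `winbind use default domain` setting of the deployed smb.conf, which this hunk does not show — confirm on a joined member.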
@@ -8,7 +8,18 @@
 # Samba is the standard Windows interoperability
 # suite of programs for Linux and Unix.
 #
-
+- name: update hosts file
+ become: true
+ blockinfile:
+ dest: /etc/hosts
+ content: "{{ lookup('template', '{{ role_path }}/templates/hosts.j2') }}"
+ state: present
+ tags: update_hosts
+- name: set hostname
+ become: true
+ hostname:
+ name: '{{ inventory_hostname }}'
+ tags: set_hostname
 - name: "IFor OS: Ubuntu 20.04LTS, Arch: amd64"
 import_tasks: ubt-2004-amd64.yml
 when:
@@ -26,3 +37,35 @@
 when:
 - ansible_distribution_version == "18.04"
 - ansible_architecture == "x86_64"
+
+- name: "Check that {{ public_share_path }} exist"
+ stat:
+ path: "{{ public_share_path }}"
+ register: public_dir_exists
+
+- name: "Create {{ public_share_path }} directory"
+ become: yes
+ file:
+ state: directory
+ path: "{{ public_share_path }}"
+ owner: nobody
+ group: nogroup
+ mode: 0755
+ recurse: yes
+ when: public_dir_exists.stat.exists == False
+
+- name: "Check that {{ private_share_path }} exist"
+ stat:
+ path: "{{ private_share_path }}"
+ register: private_dir_exists
+
+- name: "Create {{ private_share_path }} directory"
+ become: yes
+ file:
+ state: directory
+ path: "{{ private_share_path }}"
+ owner: root
+ group: "{{ samba_group_name }}"
+ mode: 1770
+ when: private_dir_exists.stat.exists == False
+
diff --git a/roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml b/roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml
index 99f718d..c65f34d 100644
--- a/roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml
+++ b/roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml
@@ -59,7 +59,8 @@
 - name: "Edit Fstab"
 replace:
 path: /etc/fstab
- regexp: 'errors=remount-ro 0'
+ #regexp: 'errors=remount-ro 0'
+ regexp: 'defaults'
 replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
 backup: yes
diff --git a/roles/role-samba4-ad-member/templates/hosts.j2 b/roles/role-samba4-ad-member/templates/hosts.j2
new file mode 100644
index 0000000..05d3eca
--- /dev/null
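Review bot: The template path in the `update hosts file` task is more elaborate than it needs to be: the `template` lookup already searches the calling role's `templates/` directory, so `content: "{{ lookup('template', 'hosts.j2') }}"` resolves the same file without the nested `{{ role_path }}` expression. `dest:` is an alias of blockinfile's `path:` parameter; `path:` keeps it consistent with the `stat` and `file` tasks added further down in this file. These two tasks use `become: true` while the share tasks below use `become: yes` — pick one spelling for the file (yamllint's truthy rule prefers `true`).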
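Review bot: `mode: 1770` on the private-share task is an unquoted YAML number without a leading zero, so it is parsed as decimal 1770 (octal 3352) and the directory is not created with the intended sticky + `rwxrwx---` bits; `mode: 0755` above only works because the leading zero makes the YAML parser read it as octal. Quote both so Ansible receives the string it expects: `mode: "0755"` and `mode: "1770"`. The `when: ... == False` comparisons on both create tasks read more naturally as `when: not public_dir_exists.stat.exists` and `when: not private_dir_exists.stat.exists`.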
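Review bot: `regexp: 'defaults'` is unanchored and the `replace` module rewrites every match in /etc/fstab, so any other entry whose options are `defaults` (swap, tmpfs, network mounts, or `defaults` inside a longer option list) also receives the ext4-only options plus the extra ` 0` appended by the replacement, which can leave that line with seven fields and a filesystem that fails to mount at boot. Anchor the pattern to the entry you actually mean — presumably the root ext4 line — and carry the dump/pass fields through with backreferences: `regexp: '^(\S+\s+/\s+ext4\s+)defaults(\s+\d+\s+\d+)$'` and `replace: '\1user_xattr,acl,barrier=1,errors=remount-ro,relatime\2'`. The commented-out `#regexp:` line is dead configuration and should be dropped. The same change is made in roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml (hunk at line 128) and needs the same fix.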
+++ b/roles/role-samba4-ad-member/templates/hosts.j2
@@ -0,0 +1,8 @@
+{% for item in ansible_play_batch %}
+{{ hostvars[item].ansible_host }} {{ item }}.demo.dsfinancial.com
+{% endfor %}
+
+{% for item in ansible_play_batch %}
+{{ hostvars[item].ansible_host }} {{ item }}
+{% endfor %}
+
diff --git a/roles/role-samba4-ad-member/templates/smb.conf.j2 b/roles/role-samba4-ad-member/templates/smb.conf.j2
index c679df6..d438106 100755
--- a/roles/role-samba4-ad-member/templates/smb.conf.j2
+++ b/roles/role-samba4-ad-member/templates/smb.conf.j2
@@ -21,3 +21,24 @@ winbind offline logon = yes
 vfs objects = acl_xattr
 map acl inherit = Yes
 store dos attributes = Yes
+
+#### Public Share ####
+[{{ public_share_name }}]
+ path = {{ public_share_path }}
+ browsable =yes
+ writable = yes
+ guest ok = yes
+ read only = no
+ acl_xattr:ignore system acl = yes
+
+#### Private Share ####
+[{{ private_share_name }}]
+ path = {{ private_share_path }}
+ valid users = @{{ samba_group_name }}
+ guest ok = no
+ writable = yes
+ browsable = yes
+ create mask = 0700
+ directory mask = 0700
+ acl_xattr:ignore system acl = yes
+
diff --git a/roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml b/roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml
index c872746..cbf88ab 100644
--- a/roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml
+++ b/roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml
@@ -128,7 +128,8 @@
 - name: "Edit Fstab"
 replace:
 path: /etc/fstab
- regexp: 'errors=remount-ro 0'
+ #regexp: 'errors=remount-ro 0'
+ regexp: 'defaults'
 replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
 backup: yes
@@ -147,4 +148,4 @@
 - udp
 - name: "Ubuntu login"
- import_tasks: ubuntu-1804-amd64-login.yml
\ No newline at end of file
+ import_tasks: ubuntu-1804-amd64-login.yml
diff --git a/roles/role-samba4-primary-ad-dc/templates/hosts.j2 b/roles/role-samba4-primary-ad-dc/templates/hosts.j2
new file mode 100644
index 0000000..95d082f
--- /dev/null
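Review bot: The FQDN written to /etc/hosts hardcodes `demo.dsfinancial.com`, while the plays in samba.yml set `smb_realm` to `VSRAPOC.DSFINANCIAL.COMCAST.NET` and test.yml names the same host `server02.vsrapoc.dsfinancial.comcast.net`; a host whose /etc/hosts name sits in a different DNS domain than the realm it joins is the kind of mismatch that surfaces later as Kerberos principal or join failures, so take the suffix from the play variable: `{{ hostvars[item].ansible_host }} {{ item }}.{{ smb_realm | lower }}`. `hostvars[item].ansible_host` is only defined when the inventory sets `ansible_host` for every host in the batch; with bare hostnames the template fails on an undefined variable, so consider a `| default(...)` fallback or document the inventory requirement in a template comment. The identical template is added for role-samba4-primary-ad-dc in the next file and needs the same changes.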
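Review bot: `valid users = @{{ samba_group_name }}` expands to a group name containing a space, and smb.conf splits list values on unquoted whitespace, so the private share's access list will not match the intended group; quote the entry, `valid users = "@{{ samba_group_name }}"`. The public share combines `guest ok = yes` with `writable = yes` on a directory that tasks/main.yml creates as `nobody:nogroup`, which makes it anonymously writable from the network — if that is intended for this share, state it in the `#### Public Share ####` comment; if not, drop `guest ok`. `writable = yes` and `read only = no` are the same setting written twice, and `browsable =yes` is missing its space.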
+++ b/roles/role-samba4-primary-ad-dc/templates/hosts.j2
@@ -0,0 +1,7 @@
+{% for item in ansible_play_batch %}
+{{ hostvars[item].ansible_host }} {{ item }}.demo.dsfinancial.com
+{% endfor %}
+
+{% for item in ansible_play_batch %}
+{{ hostvars[item].ansible_host }} {{ item }}
+{% endfor %}
diff --git a/samba-dc.yml b/samba-dc.yml
index 4a13c1d..d900a31 100644
--- a/samba-dc.yml
+++ b/samba-dc.yml
@@ -1,14 +1,14 @@
-- hosts: adc01
+- hosts: dc01
 become: true
 vars:
 # -- Custom settings: role-samba4-primary-ad-dc --
- smb_workgroup : 'LAB'
- smb_realm : 'LAB.LOCAL'
+ smb_workgroup : 'VSRAPOC'
+ smb_realm : 'VSRAPOC.DSFINANCIAL.COMCAST.NET'
 smb_username : 'administrator'
 smb_password : 'Password123'
 smb_role : 'primary'
- smb_dns_servers: '10.100.100.12'
+ smb_dns_servers: '10.1.10.10'
 smb_dns_forwarder: '8.8.8.8'
 roles:
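Review bot: The domain administrator password remains in clear text in this play (`smb_password : 'Password123'`), and the commit copies the same credential into both plays of samba.yml; a secret committed to the repository like this should come from an Ansible Vault-encrypted variable or a `vars_prompt` instead, so that only the realm and DNS values live in plain text. After this change samba-dc.yml is a verbatim copy of the first play in samba.yml, so the two will drift on the next edit — either remove one or move the shared vars into group_vars and keep a single source.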
@@ -1,49 +1,30 @@
----
-- hosts: samba
- tasks:
- - name: Install Samba Packages
- become: yes
- apt:
- name: ['samba', 'smbclient','winbind','krb5-user','krb5-config','krb5-locales','winbind','libpam-winbind','libnss-winbind','dnsutils']
- state: present
- update_cache: true
- - name: stop samba services
- become: yes
- command: systemctl stop "{{ item }}"
- ignore_errors: true
- with_items:
- - samba-ad-dc.service
- - smbd.service
- - nmbd.service
- - winbind.service
- - name: disable samba services
- become: yes
- command: systemctl disable "{{ item }}"
- ignore_errors: true
- with_items:
- - samba-ad-dc.service
- - smbd.service
- - nmbd.service
- - winbind.service
- - name: set nsswitch service to use DNS resolution
- become: yes
- lineinfile:
- path: /etc/nsswitch.conf
- state: present
- regexp: '^hosts:'
- line: 'hosts: files dns mdns4_minimal [NOTFOUND=return]'
- - name: check if smb.conf exists
- stat:
- path: /etc/samba/smb.conf
- register: stat_result
- - name: rename default smb.conf
- become: yes
- shell: mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
- ignore_errors: true
- tags: remove_default_samba_config
- - name: delete default kerberos configuration if it exists
- become: yes
- file:
- state: absent
- path: "/etc/krb5.conf"
- tags: remove_default_samba_config
+- hosts: dc01
+ become: true
+
+ vars:
+ # -- Custom settings: role-samba4-primary-ad-dc --
+ smb_workgroup : 'VSRAPOC'
+ smb_realm : 'VSRAPOC.DSFINANCIAL.COMCAST.NET'
+ smb_username : 'administrator'
+ smb_password : 'Password123'
+ smb_role : 'primary'
+ smb_dns_servers: '10.1.10.10'
+ smb_dns_forwarder: '8.8.8.8'
+
+ roles:
+ - role-samba4-primary-ad-dc
+
+- hosts: server01 server02
+ become: true
+
+ vars:
+ # -- Custom settings: role-samba4-primary-ad-dc --
+ smb_workgroup : 'VSRAPOC'
+ smb_realm : 'VSRAPOC.DSFINANCIAL.COMCAST.NET'
+ smb_username : 'administrator'
+ smb_password : 'Password123'
+ smb_dns_servers: '10.1.10.10'
+
+ roles:
+ - role-samba4-ad-member
+
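Review bot: The comment above the second play's vars still reads `# -- Custom settings: role-samba4-primary-ad-dc --` although that play applies `role-samba4-ad-member`; change it to `# -- Custom settings: role-samba4-ad-member --` so the next reader is not sent to the wrong defaults file. The workgroup, realm, username, password and DNS server values are repeated verbatim in both plays (and again in samba-dc.yml); a group_vars file for a group containing dc01 and the members would leave one place to change them. The rewrite also drops the `---` document start that the old file had; keep it for consistency with test.yml and the roles.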
diff --git a/test.yml b/test.yml
new file mode 100644
index 0000000..ce0dc10
--- /dev/null
+++ b/test.yml
@@ -0,0 +1,13 @@
+---
+ - hosts: server02
+ tasks:
+ - name: test acl
+ ansible.posix.acl:
+ path: /media/share
+
+ - name: test dns
+ community.windows.win_dns_record:
+ name: "server02.vsrapoc.dsfinancial.comcast.net"
+ type: "A"
+ value: "10.1.10.14"
+ zone: "vsrapoc.dsfinancial.comcast.net"
From 54c5369d2c1cfbddee3d5ade570ee8e314055c42 Mon Sep 17 00:00:00 2001
From: Michael Pellegrino
Date: Sun, 29 Aug 2021 12:29:49 -0400
Subject: [PATCH 2/2] set directory acl's todo: sequencing (need reboot, then re-run playbook)
---
roles/role-samba4-ad-member/tasks/main.yml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/roles/role-samba4-ad-member/tasks/main.yml b/roles/role-samba4-ad-member/tasks/main.yml
index 0df65d5..3e3dc9b 100644
--- a/roles/role-samba4-ad-member/tasks/main.yml
+++ b/roles/role-samba4-ad-member/tasks/main.yml
@@ -68,4 +68,24 @@
 group: "{{ samba_group_name }}"
 mode: 1770
 when: private_dir_exists.stat.exists == False
+- name: set acl's on public share
+ ansible.posix.acl:
+ path: "{{ public_share_path }}"
+ entry: "{{ item.entry }}"
+ state: present
+ with_items:
+ - { entry: "user::rwx" }
+ - { entry: "user:nobody:rwx" }
+ - { entry: "group::r-x" }
+ - { entry: "group:domain\ users:rwx" }
+ - { entry: "mask::rwx" }
+ - { entry: "other::r-x" }
+ - { entry: "default:user::rwx" }
+ - { entry: "default:user:administrator:rwx" }
+ - { entry: "default:group::r-x" }
+ - { entry: "default:group:domain\ users:rwx" }
+ - { entry: "default:group:nogroup:r-x" }
+ - { entry: "default:mask::rwx" }
+ - { entry: "default:other::r-x" }
+
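Review bot: `community.windows.win_dns_record` is targeted at `server02`, which samba.yml configures as a Linux domain member through role-samba4-ad-member, so this task fails on that host — Windows modules need a WinRM-managed Windows target. If the intent is to register the member's A record in the Samba DC's zone, run the equivalent on `dc01` instead (for example `samba-tool dns add` in a `command` task) or finish the dynamic-DNS update the commit message lists as a todo. The `ansible.posix.acl` task with only `path:` set reads the current ACL and discards it; registering the result and printing it with `debug` would make the check observable. The hardcoded `10.1.10.14` should come from `hostvars['server02'].ansible_host` so the test cannot drift from the inventory.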
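Review bot: The ACL entries hardcode `domain\ users` and `administrator` although the role defines `samba_group_name` and the member play passes `smb_username`, and the two spellings of the group disagree: inside a double-quoted YAML scalar `\ ` is an escape that yields a plain space, whereas the default `samba_group_name: Domain\ Users` is a plain scalar that keeps the backslash. Build the entries from the variables, e.g. `- "group:{{ samba_group_name }}:rwx"` with `entry: "{{ item }}"`, which also removes the single-key `{ entry: ... }` dicts. Whether winbind exposes the group as `domain users` or as `VSRAPOC\domain users` depends on `winbind use default domain` in the deployed smb.conf — verify on a joined member before relying on these entries. The task also lacks the `become: yes` its sibling tasks carry and works only because the plays set `become: true`.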