move samba roles to roles directory

Michael Pellegrino
2021-08-26 14:29:25 -04:00
parent ab9c9281d8
commit 21612189e0
28 changed files with 0 additions and 0 deletions


@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2018 bitfinity
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@@ -0,0 +1,58 @@
Role Name
=========
Ansible role to setup a Ubuntu Primary Active Directory Domain Controller
Requirements
------------
- Ansible control server
- Ubuntu
Role Variables
--------------
Set defaut variable(s) in group_vars for reusing in other playbooks.
- def_ad_workgroup : 'LAB'
- def_ad_realm : 'LAB.LOCAL'
- def_ad_admin : 'administrator'
- def_ad_pass : 'Welkom123'
- def_ad_dns : '192.168.0.66 192.168.0.67'
- def_ad_dc01 : '192.168.0.67'
- def_ad_dc02 : '192.168.0.67'
- def_ad_basedn : 'OU=lab,DC=lab,DC=local'
You can override these variable(s) in your own playbook
- smb_workgroup : TEST
- smb_realm : TEST.NET
- smb_dns_servers : "{{ ansible_default_ipv4.address }}"
- smb_username : administrator
- smb_password : Welkom123
Example Playbook
----------------
- hosts: adc01
become: true
vars:
# -- Custom settings: role-samba4-primary-ad-dc --
smb_workgroup : 'LAB'
smb_realm : 'LAB.LOCAL'
smb_username : 'administrator'
smb_password : 'Password123'
roles:
- role-samba4-primary-ad-dc
License
-------
GNU GPLv3
Author Information
------------------
www.bitfinity.nl


@@ -0,0 +1,33 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: defaults/main.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
# -- Samba4 AD settings --
#
# Variable(s):
# smb_repository : 'default' or 'latest' # Set which repositories wil be used.
# smb_role : 'member' # Set samba4 role primary (only for initial setup), additional, member.
# smb_workgroup : 'LAB' # Set workgroup (should be in capital letters).
# smb_realm : 'LAB.LOCAL' # Set realm (should be in capital letters).
# smb_dns_servers : '{{ ansible_default_ipv4.address }}' # Set current ipv4 address.
# smb_dns_forwarders : '8.8.8.8 8.8.4.4' # Set DNS forwarders.
# smb_username : 'administrator' # Set administrator account.
# smb_password : 'Welkom123' # Set administrator password.
#
# Comment:
# Override variable(s) or set put them in your group_vars folder for reusing.
#
smb_repository : '{{ def_ad_repository }}'
smb_role : 'member'
smb_workgroup : '{{ def_ad_workgroup }}'
smb_realm : '{{ def_ad_realm }}'
smb_dns_servers : '{{ ansible_default_ipv4.address }}'
smb_dns_forwarder : '{{ def_ad_dns_forwarder }}'
smb_username : '{{ def_ad_admin}}'
smb_password : '{{ def_ad_pass }}'
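Review bot: `smb_password` resolves to `def_ad_pass`, and the header comment on the `smb_password` line shows a sample administrator password, so the role as documented steers users toward a cleartext domain-admin password in group_vars. I would replace the sample with a placeholder and state the expectation, e.g. `# smb_password : '<vault-encrypted value>' # Set administrator password (store with ansible-vault).` The header also documents `smb_dns_forwarders` while the variable defined below is `smb_dns_forwarder`. `def_ad_repository` and `def_ad_dns_forwarder` have no fallback here and are not in the README's variable list, so any task that uses them will presumably fail on an undefined variable unless group_vars supplies them.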


@@ -0,0 +1,13 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: handlers/main.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "restart_samba"
systemd:
state: restarted
name: samba-ad-dc.service


@@ -0,0 +1,18 @@
galaxy_info:
author: L. Rutten
description: Install Samba4 Active Directory (Primary) Domain Controller
company: Bitfinity-NL
license: GPLv3
min_ansible_version: 2.4
platforms:
- name: Ubuntu
versions:
- xenial
- bionic
galaxy_tags:
- samba4
- AD
- Active Directory
- ubuntu
- Windows
- linux
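Review bot: `license: GPLv3` here and "GNU GPLv3" in the README disagree with the LICENSE file added in the same commit, which carries the MIT text. One of the two should be corrected so that consumers of the role know which terms apply. `min_ansible_version: 2.4` is read as a float and is better written `min_ansible_version: "2.4"`. `versions` also omits `focal` although tasks/main.yml has 20.04 branches.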


@@ -0,0 +1,43 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: tasks/main.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "For OS: Ubuntu 16.04LTS, Arch: amd64"
import_tasks: ubuntu-1604-amd64.yml
when:
- ansible_distribution_version == "16.04"
- ansible_architecture == "x86_64"
- name: "Role: primary DC, For OS: Ubuntu 18.04LTS, Arch: amd64"
import_tasks: ubuntu-1804-amd64.yml
when:
- smb_role == "primary"
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
- name: "Role: additional DC, For OS: Ubuntu 18.04LTS, Arch: amd64"
import_tasks: ubuntu-1804-amd64.yml
when:
- smb_role == "additional"
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
- name: "Role: primary DC, For OS: Ubuntu 20.04LTS, Arch: amd64"
import_tasks: ubuntu-2004-amd64.yml
when:
- smb_role == "primary"
- ansible_distribution_version == "20.04"
- ansible_architecture == "x86_64"
- name: "Role: additional DC, For OS: Ubuntu 20.04LTS, Arch: amd64"
import_tasks: ubuntu-2004-amd64.yml
when:
- smb_role == "additional"
- ansible_distribution_version == "20.04"
- ansible_architecture == "x86_64"
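Review bot: The 16.04 entry has no `smb_role` condition, and the "primary DC" and "additional DC" entries for 18.04 and 20.04 import the same file in each case (`ubuntu-1804-amd64.yml`, `ubuntu-2004-amd64.yml`). The task lists shown later in this commit that appear to be those files run `samba-tool domain provision`, so an `additional` host would provision a new domain instead of joining the existing one. The join task list in this commit (header `tasks/ubt-1804-adc.yml`) is not imported by anything visible here. The default `smb_role : 'member'` matches no 18.04/20.04 branch, so on those releases the role does nothing without saying so. I would point the `additional` entries at the join task file and add `- smb_role == "primary"` to the 16.04 entry.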


@@ -0,0 +1,125 @@
---
# Title: Role Samba4
#
# Author: bitfinity-nl
# File: tasks/ubt-1804-adc.yml
#
# Description:
# Add additional domain controller
#
- name: "Check OS if is allready DC"
shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
register: smb_dc_result
ignore_errors: yes
- name: "Preseed Kerberos version 5: krb5-config/default_realm"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "back-up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
copy:
src: /etc/samba/smb.conf
dest: /etc/samba/smb.conf.initial
remote_src: yes
force: no
when:
- smb_dc_result.failed == true
- name: "rm /etc/samba/smb.conf"
file:
path: /etc/samba/smb.conf
state: absent
when:
- smb_dc_result.failed == true
- name: "Transfer adc/smb.conf.j2 to /etc/samba/smb.conf"
template:
src: adc/smb.conf.j2
dest: /etc/samba/smb.conf
- name: "Join {{ ansible_hostname }} as additional domain controller"
raw: "samba-tool domain join {{ smb_realm }} DC -U{{ smb_workgroup }}\\{{smb_username }} --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
when:
- smb_dc_result.failed == true
- name: "Configure DNS forwarder in /etc/samba/smb.conf"
replace:
path: /etc/samba/smb.conf
regexp: '127.0.0.53'
replace: '{{ def_ad_dns_forwarder }}'
backup: yes
- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
copy:
src: /etc/krb5.conf
dest: /etc/krb5.conf.initial
remote_src: yes
force: no
- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
file:
src: /var/lib/samba/private/krb5.conf
dest: /etc/krb5.conf
state: link
force: yes
- name: "Enable Services"
systemd:
masked: no
enabled: yes
state: started
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Allow traffic for Application Samba4 AD-DC"
ufw:
rule: allow
name: Samba
- name: "Allow all DNS traffic on port 53/tcp"
ufw:
rule: allow
port: '53'
proto: "{{ item }}"
with_items:
- tcp
- udp
- name: "Ubuntu login"
import_tasks: ubuntu-1804-amd64-login.yml
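Review bot: The "Join ... as additional domain controller" task interpolates `{{ smb_password }}` unquoted into a `raw` shell line and sets no `no_log`. The domain administrator password can therefore surface in Ansible's task results and logs, and a password containing shell metacharacters would alter the command. At minimum add `no_log: true` to the task and pass the value as `--adminpass={{ smb_password | quote }}`. The same applies to the "Start domain provisioning" tasks in the three other task files of this commit. Even with both changes the value is still on the command line while the tool runs, so it is worth checking whether samba-tool can take it another way.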


@@ -0,0 +1,120 @@
---
# title: ansible-role-samba4-primary-ad-dc
#
# Author: Luc Rutten
# Version: 1.0
# File: tasks/ubuntu-1604-amd64.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "Check OS if is allready DC"
shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
register: smb_dc_result
ignore_errors: yes
- name: "Preseed Kerberos version 5: krb5-config/default_realm"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
when:
- smb_dc_result.failed == true
- name: "Disable Services"
systemd:
enabled: no
state: stopped
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- smbd.service
- nmbd.service
- winbind.service
when:
- smb_dc_result.failed == true
- name: "back-Up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
copy:
src: /etc/samba/smb.conf
dest: /etc/samba/smb.conf.initial
remote_src: yes
force: no
when:
- smb_dc_result.failed == true
- name: "rm /etc/samba/smb.conf"
file:
path: /etc/samba/smb.conf
state: absent
when:
- smb_dc_result.failed == true
- name: "Start domain provisioning"
raw: "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
when:
- smb_dc_result.failed == true
- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
copy:
src: /etc/krb5.conf
dest: /etc/krb5.conf.initial
remote_src: yes
force: no
when:
- smb_dc_result.failed == true
- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
file:
src: /var/lib/samba/private/krb5.conf
dest: /etc/krb5.conf
state: link
force: yes
when:
- smb_dc_result.failed == true
- name: "Enable Services"
systemd:
enabled: yes
state: started
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- smbd.service
- nmbd.service
- winbind.service
when:
- smb_dc_result.failed == true
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
when:
- smb_dc_result.failed == true
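Review bot: Every destructive step in this file (removing `/etc/samba/smb.conf`, `samba-tool domain provision`) is gated on `smb_dc_result.failed == true`, and with `ignore_errors: yes` the probe sets that flag on any non-zero exit. As far as I can tell, a DC whose Samba service is stopped or unreachable at probe time would be treated as unprovisioned and lose its smb.conf. I would gate on something only a provisioned host has, for example a `stat` of `/var/lib/samba/private/sam.ldb`, and add `changed_when: false` to the probe. The same probe opens the other three task files in this commit.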


@@ -0,0 +1,69 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: tasks/ubt-1804-amd64-login.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Download template smb.conf.j2 to /etc/samba/smb.conf"
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
backup: yes
with_items:
- { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' }
notify:
- restart_samba
- name: "Modify /etc/samba/smb.conf for AD logins"
blockinfile:
path: /etc/samba/smb.conf
insertafter: "use rfc2307 = yes"
block: |
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
marker: "# {mark} ANSIBLE MANAGED BLOCK"
notify: restart_samba
- name: "Transfer templates"
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
backup: yes
with_items:
- { src: 'nsswitch.conf.j2', dest: '/etc/nsswitch.conf'}
- name: "Configure PAM Configuration"
shell: DEBIAN_FRONTEND=noninteractive pam-auth-update
- name: "Configure PAM - /etc/pam.d/common-account"
lineinfile:
path: /etc/pam.d/common-account
line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
backup: yes
- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins"
template:
src: domain-admins.j2
dest: /etc/sudoers.d/domain-admins
owner: root
group: root
mode: 0440
backup: yes
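Review bot: The sudoers drop-in is written to `/etc/sudoers.d/domain-admins` with no syntax check, so a bad render can leave sudo unusable on the domain controller. Add `validate: 'visudo -cf %s'` to that task and write the mode as a quoted string, `mode: '0440'`. Separately, the first template task deploys `pam_winbind.conf.j2` to a path under `/usr/share/doc/libpam-winbind/examples/`, while the template's own header names `/etc/security/pam_winbind.conf`. If the latter is the intended target, settings such as `cached_login = yes` are probably never read, and the task name ("Download template smb.conf.j2 ...") should be corrected as well.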


@@ -0,0 +1,150 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: tasks/ubt-1804-amd64.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "Check OS if is allready DC"
shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
register: smb_dc_result
ignore_errors: yes
- name: "Preseed Kerberos version 5: krb5-config/default_realm"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
#- name: "Add additional repositories"
# apt_repository:
# repo: ppa:linux-schools/samba-latest
# when:
# - smb_repository == 'latest'
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "Disable Services"
systemd:
enabled: no
state: stopped
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- smbd.service
- nmbd.service
- winbind.service
- systemd-resolved
when:
- smb_dc_result.failed == true
#- name: "Disable Services"
# systemd:
# enabled: no
# state: stopped
# name: "{{ item }}"
# with_items:
# - systemd-resolved
# when:
# - smb_dc_result.failed == true
# - smb_repository == 'latest'
- name: "back-up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
copy:
src: /etc/samba/smb.conf
dest: /etc/samba/smb.conf.initial
remote_src: yes
force: no
when:
- smb_dc_result.failed == true
- name: "rm /etc/samba/smb.conf"
file:
path: /etc/samba/smb.conf
state: absent
when:
- smb_dc_result.failed == true
- name: "Start domain provisioning"
raw: "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
when:
- smb_dc_result.failed == true
- name: "Configure DNS forwarder in /etc/samba/smb.conf"
replace:
path: /etc/samba/smb.conf
regexp: '127.0.0.53'
replace: '{{ def_ad_dns_forwarder }}'
backup: yes
- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
copy:
src: /etc/krb5.conf
dest: /etc/krb5.conf.initial
remote_src: yes
force: no
- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
file:
src: /var/lib/samba/private/krb5.conf
dest: /etc/krb5.conf
state: link
force: yes
- name: "Enable Services"
systemd:
masked: no
enabled: yes
state: started
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Allow traffic for Application Samba4 AD-DC"
ufw:
rule: allow
name: Samba
- name: "Allow all DNS traffic on port 53/tcp"
ufw:
rule: allow
port: '53'
proto: "{{ item }}"
with_items:
- tcp
- udp
- name: "Ubuntu login"
import_tasks: ubuntu-1804-amd64-login.yml
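Review bot: The "Configure DNS forwarder in /etc/samba/smb.conf" task substitutes `{{ def_ad_dns_forwarder }}` directly instead of the role variable `smb_dns_forwarder` that defaults/main.yml defines, so a playbook override of `smb_dns_forwarder` has no effect on this task. The pattern `'127.0.0.53'` leaves the dots unescaped, and the task has no `when`, so it runs on every play rather than only after provisioning. I would use `replace: '{{ smb_dns_forwarder }}'` and `regexp: '127\.0\.0\.53'`. The same task appears in the join task list and in the file that follows this one.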


@@ -0,0 +1,150 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: tasks/ubt-1804-amd64.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "Check OS if is allready DC"
shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
register: smb_dc_result
ignore_errors: yes
- name: "Preseed Kerberos version 5: krb5-config/default_realm"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
#- name: "Add additional repositories"
# apt_repository:
# repo: ppa:linux-schools/samba-latest
# when:
# - smb_repository == 'latest'
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "Disable Services"
systemd:
enabled: no
state: stopped
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- smbd.service
- nmbd.service
- winbind.service
- systemd-resolved
when:
- smb_dc_result.failed == true
#- name: "Disable Services"
# systemd:
# enabled: no
# state: stopped
# name: "{{ item }}"
# with_items:
# - systemd-resolved
# when:
# - smb_dc_result.failed == true
# - smb_repository == 'latest'
- name: "back-up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
copy:
src: /etc/samba/smb.conf
dest: /etc/samba/smb.conf.initial
remote_src: yes
force: no
when:
- smb_dc_result.failed == true
- name: "rm /etc/samba/smb.conf"
file:
path: /etc/samba/smb.conf
state: absent
when:
- smb_dc_result.failed == true
- name: "Start domain provisioning"
raw: "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
when:
- smb_dc_result.failed == true
- name: "Configure DNS forwarder in /etc/samba/smb.conf"
replace:
path: /etc/samba/smb.conf
regexp: '127.0.0.53'
replace: '{{ def_ad_dns_forwarder }}'
backup: yes
- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
copy:
src: /etc/krb5.conf
dest: /etc/krb5.conf.initial
remote_src: yes
force: no
- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
file:
src: /var/lib/samba/private/krb5.conf
dest: /etc/krb5.conf
state: link
force: yes
- name: "Enable Services"
systemd:
masked: no
enabled: yes
state: started
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Allow traffic for Application Samba4 AD-DC"
ufw:
rule: allow
name: Samba
- name: "Allow all DNS traffic on port 53/tcp"
ufw:
rule: allow
port: '53'
proto: "{{ item }}"
with_items:
- tcp
- udp
- name: "Ubuntu login"
import_tasks: ubuntu-1804-amd64-login.yml
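Review bot: As shown, this file matches the previous one line for line, including the header comment `# File: tasks/ubt-1804-amd64.yml` and the closing import of `ubuntu-1804-amd64-login.yml`. If this is the 20.04 task list that tasks/main.yml imports as `ubuntu-2004-amd64.yml`, the header should say so, e.g. `# File: tasks/ubuntu-2004-amd64.yml`. A comment on the last task should also state that the 18.04 login tasks are reused on purpose. With two copies, any fix to the provisioning command (credential handling in particular) has to be made twice; a single task file imported under both version conditions would avoid that drift.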


@@ -0,0 +1,16 @@
# Global parameters
[global]
dns forwarder = {{ smb_dns_forwarder }}
netbios name = {{ ansible_hostname }}
realm = {{ smb_realm }}
server role = active directory domain controller
workgroup = {{ smb_workgroup }}
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/{{ smb_realm }}/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
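Review bot: The `[netlogon]` path is built from `{{ smb_realm }}`, which the role documents as upper-case, whereas Samba normally creates the sysvol subdirectory under the lower-case DNS domain name. If that holds for these hosts, the share points at a directory that does not exist on a case-sensitive filesystem. `path = /var/lib/samba/sysvol/{{ smb_realm | lower }}/scripts` would match, but this should be confirmed against a provisioned host.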


@@ -0,0 +1 @@
%domain\ admins ALL=(ALL:ALL) ALL
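Review bot: This single rule gives every member of the AD group Domain Admins unrestricted root via sudo on each host the role is applied to, and nothing in the file says so. I would add a header comment such as `# Managed by Ansible: members of the AD group "Domain Admins" get full sudo on this host`. Consider also whether a dedicated, smaller AD group should hold this right instead of Domain Admins. The unqualified group name resolves only because the login tasks set `winbind use default domain = yes` in smb.conf, which is worth stating in the same comment.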


@@ -0,0 +1,20 @@
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
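Review bot: `shadow: compat winbind` adds winbind to a database it does not serve; Samba's setup guidance is to add winbind to `passwd` and `group` only. I would change the line to `shadow: compat`. The template also replaces the whole of /etc/nsswitch.conf with fixed content, so host-specific entries are dropped on deployment (the deploying task does keep a backup).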


@@ -0,0 +1,41 @@
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
# For more details see man pam_winbind.conf(5)
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
cached_login = yes
# authenticate using kerberos
;krb5_auth = no
# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
warn_pwd_expire = 21
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no