updates to samba roles

todo: set samba acl - currently manual via compmgmt.msc todo: dynamic dns update?
2021-08-29 11:40:53 -04:00
parent 21612189e0
commit 61569e21b4
10 changed files with 140 additions and 57 deletions
--- a/roles/role-samba4-ad-member/defaults/main.yml
+++ b/roles/role-samba4-ad-member/defaults/main.yml
@@ -53,3 +53,11 @@ smb_multicastdns    : 'no'
 smb_dnssec          : 'no'
 smb_cache           : 'yes'
 smb_dnsstublistener : 'yes'
+
+#share defaults
+public_share_name: share
+public_share_path: /media/share
+private_share_name: private
+private_share_path: /media/private
+samba_group_name: Domain\ Users
+
--- a/roles/role-samba4-ad-member/tasks/main.yml
+++ b/roles/role-samba4-ad-member/tasks/main.yml
@@ -8,7 +8,18 @@
 #   Samba is the standard Windows interoperability 
 #   suite of programs for Linux and Unix.
 #
-
+- name: update hosts file
+  become: true
+  blockinfile:
+          dest: /etc/hosts
+          content: "{{ lookup('template', '{{ role_path }}/templates/hosts.j2') }}"
+          state: present
+  tags: update_hosts
+- name: set hostname
+  become: true
+  hostname:
+    name: '{{ inventory_hostname }}'
+  tags: set_hostname
 - name: "IFor OS: Ubuntu 20.04LTS, Arch: amd64"
  import_tasks: ubt-2004-amd64.yml
  when:
@@ -26,3 +37,35 @@
  when:
    - ansible_distribution_version == "18.04"
    - ansible_architecture == "x86_64"
+
+- name: "Check that {{ public_share_path }} exist"
+  stat:
+    path: "{{ public_share_path }}"
+  register: public_dir_exists
+
+- name: "Create {{ public_share_path }} directory"
+  become: yes
+  file:
+    state: directory
+    path: "{{ public_share_path }}"
+    owner: nobody
+    group: nogroup
+    mode: 0755
+    recurse: yes
+  when: public_dir_exists.stat.exists == False
+
+- name: "Check that {{ private_share_path }} exist"
+  stat:
+    path: "{{ private_share_path }}"
+  register: private_dir_exists
+
+- name: "Create {{ private_share_path }} directory"
+  become: yes
+  file:
+    state: directory
+    path: "{{ private_share_path }}"
+    owner: root 
+    group: "{{ samba_group_name }}"
+    mode: 1770
+  when: private_dir_exists.stat.exists == False
+
--- a/roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml
+++ b/roles/role-samba4-ad-member/tasks/ubt-2004-amd64.yml
@@ -59,7 +59,8 @@
 - name: "Edit Fstab"
  replace:
    path: /etc/fstab
-    regexp: 'errors=remount-ro 0'
+    #regexp: 'errors=remount-ro 0'
+    regexp: 'defaults'
    replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
    backup: yes
 
--- a/roles/role-samba4-ad-member/templates/hosts.j2
+++ b/roles/role-samba4-ad-member/templates/hosts.j2
@@ -0,0 +1,8 @@
+{% for item in ansible_play_batch %}
+{{ hostvars[item].ansible_host }}	{{ item }}.demo.dsfinancial.com
+{% endfor %}
+
+{% for item in ansible_play_batch %}
+{{ hostvars[item].ansible_host }}	{{ item }}
+{% endfor %}
+
--- a/roles/role-samba4-ad-member/templates/smb.conf.j2
+++ b/roles/role-samba4-ad-member/templates/smb.conf.j2
@@ -21,3 +21,24 @@ winbind offline logon = yes
 vfs objects = acl_xattr
 map acl inherit = Yes
 store dos attributes = Yes
+
+#### Public Share ####
+[{{ public_share_name }}]
+ path = {{ public_share_path }}
+ browsable =yes
+ writable = yes
+ guest ok = yes
+ read only = no
+ acl_xattr:ignore system acl = yes
+
+#### Private Share ####
+[{{ private_share_name }}]
+ path = {{ private_share_path }}
+ valid users = @{{ samba_group_name }}
+ guest ok = no
+ writable = yes
+ browsable = yes
+ create mask = 0700
+ directory mask = 0700
+ acl_xattr:ignore system acl = yes
+
--- a/roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml
+++ b/roles/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml
@@ -128,7 +128,8 @@
 - name: "Edit Fstab"
  replace:
    path: /etc/fstab
-    regexp: 'errors=remount-ro 0'
+    #regexp: 'errors=remount-ro 0'
+    regexp: 'defaults'
    replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
    backup: yes

@@ -147,4 +148,4 @@
    - udp

 - name: "Ubuntu login"
-  import_tasks: ubuntu-1804-amd64-login.yml
+  import_tasks: ubuntu-1804-amd64-login.yml
--- a/roles/role-samba4-primary-ad-dc/templates/hosts.j2
+++ b/roles/role-samba4-primary-ad-dc/templates/hosts.j2
@@ -0,0 +1,7 @@
+{% for item in ansible_play_batch %}
+{{ hostvars[item].ansible_host }}	{{ item }}.demo.dsfinancial.com
+{% endfor %}
+
+{% for item in ansible_play_batch %}
+{{ hostvars[item].ansible_host }}	{{ item }}
+{% endfor %}
--- a/samba-dc.yml
+++ b/samba-dc.yml
@@ -1,14 +1,14 @@
- hosts: adc01
+- hosts: dc01
  become: true

  vars:
    # -- Custom settings: role-samba4-primary-ad-dc --
-    smb_workgroup : 'LAB'
-    smb_realm     : 'LAB.LOCAL' 
+    smb_workgroup : 'VSRAPOC'
+    smb_realm     : 'VSRAPOC.DSFINANCIAL.COMCAST.NET'
    smb_username  : 'administrator'
    smb_password  : 'Password123'
    smb_role      : 'primary'
-    smb_dns_servers: '10.100.100.12'
+    smb_dns_servers: '10.1.10.10'
    smb_dns_forwarder: '8.8.8.8'

  roles:
--- a/samba.yml
+++ b/samba.yml
@@ -1,49 +1,30 @@
---
- hosts: samba
-  tasks:
-    - name: Install Samba Packages
-      become: yes
-      apt:
-        name: ['samba', 'smbclient','winbind','krb5-user','krb5-config','krb5-locales','winbind','libpam-winbind','libnss-winbind','dnsutils']
-        state: present
-        update_cache: true
-    - name: stop samba services
-      become: yes
-      command: systemctl stop "{{ item }}"
-      ignore_errors: true
-      with_items:
-              - samba-ad-dc.service
-              - smbd.service
-              - nmbd.service
-              - winbind.service
-    - name: disable samba services
-      become: yes
-      command: systemctl disable "{{ item }}"
-      ignore_errors: true
-      with_items:
-              - samba-ad-dc.service
-              - smbd.service
-              - nmbd.service
-              - winbind.service
-    - name: set nsswitch service to use DNS resolution
-      become: yes
-      lineinfile:
-              path: /etc/nsswitch.conf
-              state: present
-              regexp: '^hosts:'
-              line: 'hosts:          files dns mdns4_minimal [NOTFOUND=return]'
-    - name: check if smb.conf exists
-      stat:
-              path: /etc/samba/smb.conf
-      register: stat_result
-    - name: rename default smb.conf
-      become: yes
-      shell: mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
-      ignore_errors: true
-      tags: remove_default_samba_config
-    - name: delete default kerberos configuration if it exists
-      become: yes
-      file:
-              state: absent
-              path: "/etc/krb5.conf"
-      tags: remove_default_samba_config
+- hosts: dc01
+  become: true
+
+  vars:
+    # -- Custom settings: role-samba4-primary-ad-dc --
+    smb_workgroup : 'VSRAPOC'
+    smb_realm     : 'VSRAPOC.DSFINANCIAL.COMCAST.NET'
+    smb_username  : 'administrator'
+    smb_password  : 'Password123'
+    smb_role      : 'primary'
+    smb_dns_servers: '10.1.10.10'
+    smb_dns_forwarder: '8.8.8.8'
+
+  roles:
+    - role-samba4-primary-ad-dc
+
+- hosts: server01 server02
+  become: true
+
+  vars:
+    # -- Custom settings: role-samba4-primary-ad-dc --
+    smb_workgroup : 'VSRAPOC'
+    smb_realm     : 'VSRAPOC.DSFINANCIAL.COMCAST.NET'
+    smb_username  : 'administrator'
+    smb_password  : 'Password123'
+    smb_dns_servers: '10.1.10.10'
+
+  roles:
+    - role-samba4-ad-member
+
--- a/test.yml
+++ b/test.yml
@@ -0,0 +1,13 @@
+---
+  - hosts: server02
+    tasks:
+            - name: test acl
+              ansible.posix.acl:
+                      path: /media/share
+
+            - name: test dns
+              community.windows.win_dns_record:
+                      name: "server02.vsrapoc.dsfinancial.comcast.net"
+                      type: "A"
+                      value: "10.1.10.14"
+                      zone: "vsrapoc.dsfinancial.comcast.net"