diff --git a/facts.yaml b/facts.yaml
new file mode 100644
index 0000000..753648b
--- /dev/null
+++ b/facts.yaml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ tasks:
+ - name: Print all available facts
+ ansible.builtin.debug:
+ var: ansible_facts
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..bf7d9af
--- /dev/null
+++ b/group_vars/all.yml
@@ -0,0 +1,10 @@
+---
+def_ad_workgroup : 'LAB'
+def_ad_realm : 'LAB.LOCAL'
+def_ad_admin : 'administrator'
+def_ad_pass : 'Welkom123'
+def_ad_dns : '192.168.0.66 192.168.0.67'
+def_ad_dc01 : '192.168.0.67'
+def_ad_dc02 : '192.168.0.67'
+def_ad_basedn : 'OU=lab,DC=lab,DC=local'
+def_ad_dns_forwarder: '8.8.8.8'
diff --git a/role-samba4-ad-member/LICENSE b/role-samba4-ad-member/LICENSE
new file mode 100755
index 0000000..24cd945
--- /dev/null
+++ b/role-samba4-ad-member/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 bitfinity
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
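Review bot: `def_ad_pass : 'Welkom123'` stores the AD administrator password in clear text in group_vars/all.yml, where it is committed with the repository and loaded by every play that touches the `all` group; it should be an Ansible Vault-encrypted value (`!vault |` block) or a `lookup('env', 'AD_ADMIN_PASS')`-style indirection so the secret is not in the tree, and the tasks that consume `smb_password` need `no_log: true` (raised on those files). `def_ad_dc01` and `def_ad_dc02` both hold `'192.168.0.67'` while `def_ad_dns` lists `.66` and `.67`, which looks like a copy-paste slip — one of the two is presumably meant to be `'192.168.0.66'`. The `key : value` spacing (space before the colon) is legal YAML but unconventional and inconsistent with `def_ad_dns_forwarder: '8.8.8.8'` on the last line; `def_ad_workgroup: 'LAB'` is the form yamllint expects.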
diff --git a/role-samba4-ad-member/README.md b/role-samba4-ad-member/README.md new file mode 100755 index 0000000..2b6b4dc --- /dev/null +++ b/role-samba4-ad-member/README.md @@ -0,0 +1,47 @@ +ansible-role-samba4-ad-member +============================= + +Join Ubuntu as a member server to Active Directory + +**Domain Admins have sudo rights** + +Requirements +------------ + +- Ubuntu 16.04lts / 18.04lts AMD64 +- Active Direcory (2008r2 and up) +- Ansible-role-ntp-server + +Role Variables +-------------- + +See default/main.yml for detailed information. + +Example Playbook +---------------- + +This is an example how to use the role: + + - hosts: ad-members + become: true + + vars: + # -- custom settings - ansible-role-samba4-ad-member -- + smb_workgroup: EXAMPLE + smb_realm: EXAMPLE.LOCAL + smb_dns_servers: 192.168.0.1 192.168.0.2 + smb_username: adm_ansible + smb_password: '{{ ad_admin_pass }}' + + roles: + - ansible-role-samba4-ad-member + + +Source(s) +--------- +Thanks goes to all the authors and participants from +the sources below, so I could write this Anisble role. + +- https://www.tecmint.com/join-ubuntu-to-active-directory-domain-member-samba-winbind/ +- https://community.centrify.com/t5/Centrify-Express/Ad-group-with-space-in-its-name-not-working/td-p/17661 +- https://wiki.samba.org/index.php/PAM_Offline_Authentication diff --git a/role-samba4-ad-member/defaults/main.yml b/role-samba4-ad-member/defaults/main.yml new file mode 100755 index 0000000..bdfc667 --- /dev/null +++ b/role-samba4-ad-member/defaults/main.yml 
@@ -0,0 +1,55 @@ +--- +# Title: ansible-role-samba4-ad-member +# +# Author: bitfinity-nl +# File: defaults/main.yml +# +# Description: +# Samba is the standard Windows interoperability +# suite of programs for Linux and Unix. +# +# WORKGROUP: +# REALM: < CAPITAL LETTERS> + + +# -- Samba4 -- +# +# Variable(s): +# smb_workgroup: TEST # Specify the short workgroup name. +# smb_realm: TEST.NET # Specify the realm. +# smb_dns_servers: 192.168.0.1 # Specify the DNS servers. +# smb_username: administrator # Specify an administrative AD account. +# smb_password: password # Specify the password from administrative AD account. +# +# +# Comment: +# Change variable(s) here, in your playbook or set them in your groupvars +# +smb_workgroup : '{{ def_ad_workgroup }}' +smb_realm : '{{ def_ad_realm }}' +smb_dns_servers : '{{ def_ad_dns }}' +smb_username : '{{ def_ad_admin }}' +smb_password : '{{ def_ad_pass }}' + + +# -- resolv.conf.j2 -- +# +# Variable(s): +# smb_dns : '192.168.0.1' # Wil be extracted from variable {{ smb_dns_servers }} +# smb_fallbackdns : '192.168.0.2' # Wil be extracted from variable {{ smb_dns_servers }}. +# smb_domains : 'EXAMPLE.LOCAL' # Specify the realm. +# smb_llmnr : 'no' # Default=no +# smb_multicastdns : 'no' # Default=no +# smb_dnssec : 'no' # Default=no +# smb_cache : 'yes' # Default=yes +# smb_dnsstublistener : 'yes' # Defailt=yes +# +# Notes: +# - https://ubuntuforums.org/showthread.php?t=2391351 +# +smb_domains : '{{ smb_realm }}' +smb_llmnr : 'no' +smb_multicastdns : 'no' +smb_dnssec : 'no' +smb_cache : 'yes' +smb_dnsstublistener : 'yes' diff --git a/role-samba4-ad-member/handlers/main.yml b/role-samba4-ad-member/handlers/main.yml new file mode 100755 index 0000000..ed2d63e --- /dev/null +++ b/role-samba4-ad-member/handlers/main.yml 
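Review bot: The header comments carry typos that readers will copy into their own docs: `Defailt=yes` should read `Default=yes`, `Wil be extracted` should read `Will be extracted` (twice), and `REALM: < CAPITAL LETTERS>` is left unfinished and could read `REALM: <realm, in CAPITAL LETTERS>`. The documented example `smb_dns_servers: 192.168.0.1` hides that the value is a single space-separated string which the 18.04/20.04 task files later `split()`, so the comment should say `# Space-separated, e.g. '192.168.0.1 192.168.0.2'`. As in group_vars/all.yml, the `smb_workgroup : '...'` spacing is legal but non-standard; `smb_workgroup: '{{ def_ad_workgroup }}'` is the conventional form.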
@@ -0,0 +1,15 @@ +--- + # Handlers: Samba4 member server + # + # Author: Luc Rutten + # Version: 1.0 + + - name: "restart_samba_services" + systemd: + name: "{{ item }}" + state: restarted + enabled: yes + with_items: + - smbd + - nmbd + - winbind diff --git a/role-samba4-ad-member/meta/main.yml b/role-samba4-ad-member/meta/main.yml new file mode 100755 index 0000000..06ff2fb --- /dev/null +++ b/role-samba4-ad-member/meta/main.yml @@ -0,0 +1,19 @@ +galaxy_info: + author: L. Rutten + description: Join Ubuntu as a member server to Active Directory + company: Bitfinity-NL + license: MIT + min_ansible_version: 2.4 + platforms: + - name: Ubuntu + versions: + - xenial + - bionic + galaxy_tags: + - Ubuntu + - Bionic + - Xenial + - Samba4 + - ActiveDirectory + - Domain + - Windows diff --git a/role-samba4-ad-member/tasks/main.yml b/role-samba4-ad-member/tasks/main.yml new file mode 100644 index 0000000..2b74bba --- /dev/null +++ b/role-samba4-ad-member/tasks/main.yml @@ -0,0 +1,28 @@ +--- +# Title: ansible-role-samba4-ad-member +# +# Author: Bitfinity-NL +# File: tasks/ubt-1804-amd64.yml +# +# Description: +# Samba is the standard Windows interoperability +# suite of programs for Linux and Unix. +# + +- name: "IFor OS: Ubuntu 20.04LTS, Arch: amd64" + import_tasks: ubt-2004-amd64.yml + when: + - ansible_distribution_version == "20.04" + - ansible_architecture == "x86_64" + +- name: "For OS: Ubuntu 16.04LTS, Arch: amd64" + import_tasks: ubt-1604-amd64.yml + when: + - ansible_distribution_version == "16.04" + - ansible_architecture == "x86_64" + +- name: "IFor OS: Ubuntu 18.04LTS, Arch: amd64" + import_tasks: ubt-1804-amd64.yml + when: + - ansible_distribution_version == "18.04" + - ansible_architecture == "x86_64" diff --git a/role-samba4-ad-member/tasks/ubt-1604-amd64.yml b/role-samba4-ad-member/tasks/ubt-1604-amd64.yml new file mode 100755 index 0000000..820d647 --- /dev/null +++ b/role-samba4-ad-member/tasks/ubt-1604-amd64.yml 
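Review bot: The handler uses `enabled: yes`, a YAML 1.1 truthy spelling that yamllint flags and that differs between parsers; write `enabled: true`. `with_items` is the legacy loop keyword — `loop:` with the same three-item list is the current form — and the handler name `"restart_samba_services"` does not need quoting. Whether `nmbd` needs to be in the restart set on a member server depends on whether NetBIOS browsing is wanted, which I can't tell from here; a one-line comment stating why it is included would help the next reader.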
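Review bot: Two task names are misspelled — `"IFor OS: Ubuntu 20.04LTS, Arch: amd64"` and `"IFor OS: Ubuntu 18.04LTS, Arch: amd64"` should read `"For OS: …"` like the 16.04 entry — and the header comment `File: tasks/ubt-1804-amd64.yml` names the wrong file; it should be `File: tasks/main.yml`. The `when` lists only test `ansible_distribution_version` and `ansible_architecture`, so any distribution that reports version `"20.04"` is matched; add `- ansible_distribution == "Ubuntu"` to each list. The imports are also out of release order (20.04, 16.04, 18.04), which is harmless but worth normalising.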
@@ -0,0 +1,110 @@ +--- +# Title: Samba4 member server +# +# Author: Bitfinity-NL +# File: tasks/ubt-1604-amd64.yml +# +# Description: +# Samba is the standard Windows interoperability +# suite of programs for Linux and Unix. +# + +- name: "Preseed Kerberos version 5" + raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections" + +- name: "Preseed PAM Configuration" + raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections" + +- name: "Install dependencies" + apt: + name: "{{ packages }}" + update_cache: yes + state: present + vars: + packages: + - acl + - samba + - smbclient + - krb5-config + - krb5-user + - winbind + - libpam-winbind + - libnss-winbind + +- name: "Edit Fstab" + replace: + path: /etc/fstab + regexp: 'errors=remount-ro 0' + replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0' + backup: yes + +- name: "Download template smb.conf.j2 to /etc/samba/smb.conf" + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + backup: yes + with_items: + - { src: 'smb.conf.j2', dest: '/etc/samba/smb.conf' } + - { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' } + notify: + - restart_samba_services + +- name: "edit hosts file in order to be reachable from hostname" + lineinfile: + path: /etc/hosts + regexp: "127.0.1.1 {{ ansible_hostname }}" + line: "127.0.1.1 {{ ansible_hostname }}.vgg.local {{ ansible_hostname}}" + backup: yes + +- name: "Joining domain: {{ smb_realm }}" + shell: "net ads join -U {{ smb_username }}%{{ smb_password }}" + +- name: "Configure nsswitch for winbind - passwd" + lineinfile: + path: /etc/nsswitch.conf + regexp: 'passwd: compat' + line: 'passwd: compat winbind' + backup: yes + +- name: "Configure nsswitch for winbind - group" + lineinfile: + path: /etc/nsswitch.conf + regexp: 'group: compat' + line: 'group: compat winbind' + backup: yes + +- name: 
"Configure nsswitch for winbind - shadow" + lineinfile: + path: /etc/nsswitch.conf + regexp: 'shadow: compat' + line: 'shadow: compat winbind' + backup: yes + +- name: "Configure PAM Configuration" + shell: DEBIAN_FRONTEND=noninteractive pam-auth-update + +- name: "Configure PAM - /etc/pam.d/common-account" + lineinfile: + path: /etc/pam.d/common-account + line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' + backup: yes + +- name: "Configure PAM - /etc/pam.d/common-password" + replace: + path: /etc/pam.d/common-password + regexp: ' use_authtok' + replace: '' + backup: yes + +- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins" + template: + src: domain-admins.j2 + dest: /etc/sudoers.d/domain-admins + owner: root + group: root + mode: 0440 + backup: yes + + +# - name: "Set disk operator permisions for Domain Admins" +# shell: "net rpc rights grant '{{ smb_workgroup }}\Domain Admins' SeDiskOperatorPrivilege -U{{ smb_username }}%{{ smb_password }}" diff --git a/role-samba4-ad-member/tasks/ubt-1804-amd64.yml b/role-samba4-ad-member/tasks/ubt-1804-amd64.yml new file mode 100644 index 0000000..53751b1 --- /dev/null +++ b/role-samba4-ad-member/tasks/ubt-1804-amd64.yml 
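Review bot: `shell: "net ads join -U {{ smb_username }}%{{ smb_password }}"` puts the AD administrator password on the command line without `no_log: true`, so it is printed in the task result, kept in any Ansible log or callback output and visible in the process list while the join runs; the task also has no idempotence guard and re-joins the host on every play. The same task appears in ubt-1804-amd64.yml and ubt-2004-amd64.yml in this commit. The rewrite below adds `no_log: true` and gates the join on `net ads testjoin`; if your Samba version's `net` accepts the password on stdin, passing it via the module's `stdin:` argument instead of `%{{ smb_password }}` would additionally keep it out of the process list (not verified here). Separately, the hosts-file task hard-codes `.vgg.local` (`line: "127.0.1.1 {{ ansible_hostname }}.vgg.local {{ ansible_hostname}}"`) here and in ubt-1804-amd64.yml, where ubt-2004-amd64.yml correctly uses `{{ smb_realm|lower }}`, and the sudoers template task in all three files should carry `validate: '/usr/sbin/visudo -cf %s'` so a bad render cannot break sudo.
```yaml
# … unchanged: hosts-file task above …

- name: "Check whether {{ ansible_hostname }} is already joined to {{ smb_realm }}"
  command: net ads testjoin
  register: smb_testjoin
  changed_when: false
  failed_when: false

- name: "Joining domain: {{ smb_realm }}"
  shell: "net ads join -U {{ smb_username }}%{{ smb_password }}"
  no_log: true
  when: smb_testjoin.rc != 0

# … unchanged: nsswitch, PAM and sudoers tasks …
```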
@@ -0,0 +1,131 @@ +--- +# Title: ansible-role-samba4-ad-member +# +# Author: Bitfinity-NL +# File: tasks/ubt-1804-amd64.yml +# +# Description: +# Samba is the standard Windows interoperability +# suite of programs for Linux and Unix. +# +# Comment: +# Fixing DNS resolving +# + +- name: "string" + set_fact: + nameservers: "{{ smb_dns_servers }}" + +- name: "Set DNS servers for /etc/systemd/resolved.conf" + set_fact: + smb_dns : '{{ smb_dns_servers.split().0 }}' + smb_fallbackdns : "{{ smb_dns_servers.split().1 | default('{{ smb_dns_servers.split().0 }}') }}" + +- name: "Print primary DNS server" + debug: + msg: "{{ smb_dns }}" + +- name: "Print Secondary DNS server" + debug: + msg: "{{ smb_fallbackdns }}" + +- name: "Configure name resolution for static ipaddress" + template: + src: resolved.conf.j2 + dest: /etc/systemd/resolved.conf + +- name: "Preseed Kerberos version 5" + raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections" + +- name: "Preseed PAM Configuration" + raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections" + +- name: "Install dependencies" + apt: + name: "{{ packages }}" + update_cache: yes + state: present + vars: + packages: + - acl + - samba + - smbclient + - krb5-config + - krb5-user + - winbind + - libpam-winbind + - libnss-winbind + +- name: "Edit Fstab" + replace: + path: /etc/fstab + regexp: 'errors=remount-ro 0' + replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0' + backup: yes + +- name: "Download template smb.conf.j2 to /etc/samba/smb.conf" + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + backup: yes + with_items: + - { src: 'smb.conf.j2', dest: '/etc/samba/smb.conf' } + - { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' } + notify: + - restart_samba_services + +- name: "edit hosts file in order to be reachable from hostname" + 
lineinfile: + path: /etc/hosts + regexp: "127.0.1.1 {{ ansible_hostname }}" + line: "127.0.1.1 {{ ansible_hostname }}.vgg.local {{ ansible_hostname}}" + backup: yes + +- name: "Joining domain: {{ smb_realm }}" + shell: "net ads join -U {{ smb_username }}%{{ smb_password }}" + +- name: "Configure nsswitch for winbind - passwd" + lineinfile: + path: /etc/nsswitch.conf + regexp: 'passwd: compat' + line: 'passwd: compat winbind' + backup: yes + +- name: "Configure nsswitch for winbind - group" + lineinfile: + path: /etc/nsswitch.conf + regexp: 'group: compat' + line: 'group: compat winbind' + backup: yes + +- name: "Configure nsswitch for winbind - shadow" + lineinfile: + path: /etc/nsswitch.conf + regexp: 'shadow: compat' + line: 'shadow: compat winbind' + backup: yes + +- name: "Configure PAM Configuration" + shell: DEBIAN_FRONTEND=noninteractive pam-auth-update + +- name: "Configure PAM - /etc/pam.d/common-account" + lineinfile: + path: /etc/pam.d/common-account + line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' + backup: yes + +- name: "Configure PAM - /etc/pam.d/common-password" + replace: + path: /etc/pam.d/common-password + regexp: ' use_authtok' + replace: '' + backup: yes + +- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins" + template: + src: domain-admins.j2 + dest: /etc/sudoers.d/domain-admins + owner: root + group: root + mode: 0440 + backup: yes diff --git a/role-samba4-ad-member/tasks/ubt-2004-amd64.yml b/role-samba4-ad-member/tasks/ubt-2004-amd64.yml new file mode 100644 index 0000000..99f718d --- /dev/null +++ b/role-samba4-ad-member/tasks/ubt-2004-amd64.yml 
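Review bot: The fallback-DNS fact nests a moustache inside a Jinja expression — `smb_fallbackdns : "{{ smb_dns_servers.split().1 | default('{{ smb_dns_servers.split().0 }}') }}"` passes the literal string `{{ smb_dns_servers.split().0 }}` to `default()`, so with a single DNS server the rendered resolved.conf receives that text (or a nested-templating warning, depending on the Ansible version) rather than the address; write `smb_fallbackdns: "{{ smb_dns_servers.split().1 | default(smb_dns_servers.split().0) }}"`. The preceding task named `"string"` sets a `nameservers` fact that nothing in this commit reads, and the two `debug` tasks print the derived values on every run; drop them or give the first a descriptive name. The same block is duplicated in ubt-2004-amd64.yml below. The join and hosts-file issues in this file are noted on ubt-1604-amd64.yml.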
@@ -0,0 +1,131 @@ +--- +# Title: ansible-role-samba4-ad-member +# +# Author: Bitfinity-NL +# File: tasks/ubt-2004-amd64.yml +# +# Description: +# Samba is the standard Windows interoperability +# suite of programs for Linux and Unix. +# +# Comment: +# Fixing DNS resolving +# + +- name: "string" + set_fact: + nameservers: "{{ smb_dns_servers }}" + +- name: "Set DNS servers for /etc/systemd/resolved.conf" + set_fact: + smb_dns : '{{ smb_dns_servers.split().0 }}' + smb_fallbackdns : "{{ smb_dns_servers.split().1 | default('{{ smb_dns_servers.split().0 }}') }}" + +- name: "Print primary DNS server" + debug: + msg: "{{ smb_dns }}" + +- name: "Print Secondary DNS server" + debug: + msg: "{{ smb_fallbackdns }}" + +- name: "Configure name resolution for static ipaddress" + template: + src: resolved.conf.j2 + dest: /etc/systemd/resolved.conf + +- name: "Preseed Kerberos version 5" + raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections" + +- name: "Preseed PAM Configuration" + raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections" + +- name: "Install dependencies" + apt: + name: "{{ packages }}" + update_cache: yes + state: present + vars: + packages: + - acl + - samba + - smbclient + - krb5-config + - krb5-user + - winbind + - libpam-winbind + - libnss-winbind + +- name: "Edit Fstab" + replace: + path: /etc/fstab + regexp: 'errors=remount-ro 0' + replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0' + backup: yes + +- name: "Download template smb.conf.j2 to /etc/samba/smb.conf" + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + backup: yes + with_items: + - { src: 'smb.conf.j2', dest: '/etc/samba/smb.conf' } + - { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' } + notify: + - restart_samba_services + +- name: "edit hosts file in order to be reachable from hostname" + 
lineinfile: + path: /etc/hosts + regexp: "127.0.1.1 {{ ansible_hostname }}" + line: "127.0.1.1 {{ ansible_hostname }}.{{ smb_realm|lower }} {{ ansible_hostname}}" + backup: yes + +- name: "Joining domain: {{ smb_realm }}" + shell: "net ads join -U {{ smb_username }}%{{ smb_password }}" + +- name: "Configure nsswitch for winbind - passwd" + lineinfile: + path: /etc/nsswitch.conf + regexp: 'passwd: compat' + line: 'passwd: compat winbind' + backup: yes + +- name: "Configure nsswitch for winbind - group" + lineinfile: + path: /etc/nsswitch.conf + regexp: 'group: compat' + line: 'group: compat winbind' + backup: yes + +- name: "Configure nsswitch for winbind - shadow" + lineinfile: + path: /etc/nsswitch.conf + regexp: 'shadow: compat' + line: 'shadow: compat winbind' + backup: yes + +- name: "Configure PAM Configuration" + shell: DEBIAN_FRONTEND=noninteractive pam-auth-update + +- name: "Configure PAM - /etc/pam.d/common-account" + lineinfile: + path: /etc/pam.d/common-account + line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' + backup: yes + +- name: "Configure PAM - /etc/pam.d/common-password" + replace: + path: /etc/pam.d/common-password + regexp: ' use_authtok' + replace: '' + backup: yes + +- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins" + template: + src: domain-admins.j2 + dest: /etc/sudoers.d/domain-admins + owner: root + group: root + mode: 0440 + backup: yes diff --git a/role-samba4-ad-member/templates/domain-admins.j2 b/role-samba4-ad-member/templates/domain-admins.j2 new file mode 100755 index 0000000..4a8b671 --- /dev/null +++ b/role-samba4-ad-member/templates/domain-admins.j2 @@ -0,0 +1 @@ +%domain\ admins ALL=(ALL:ALL) ALL diff --git a/role-samba4-ad-member/templates/pam_winbind.conf.j2 b/role-samba4-ad-member/templates/pam_winbind.conf.j2 new file mode 100755 index 0000000..b3082c2 --- /dev/null +++ b/role-samba4-ad-member/templates/pam_winbind.conf.j2 
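Review bot: `%domain\ admins ALL=(ALL:ALL) ALL` hard-codes an unqualified group name while the rest of the role derives the domain from `smb_workgroup`; this only resolves because smb.conf.j2 sets `winbind use default domain = yes`, so a reader changing that option would silently lose sudo for the group without any error from this file. A comment in the template (`# unqualified because smb.conf sets 'winbind use default domain = yes'`) would make the coupling explicit — `#` lines are comments to sudoers. The task that installs this file should also validate it with visudo (raised on the task files).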
@@ -0,0 +1,41 @@ +# +# pam_winbind configuration file +# +# /etc/security/pam_winbind.conf +# +# For more details see man pam_winbind.conf(5) + +[global] + +# turn on debugging +;debug = no + +# turn on extended PAM state debugging +;debug_state = no + +# request a cached login if possible +# (needs "winbind offline logon = yes" in smb.conf) +;cached_login = no +cached_login = yes + +# authenticate using kerberos +;krb5_auth = no + +# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type +# (leave empty to just do krb5 authentication but not have a ticket +# afterwards) +;krb5_ccache_type = + +# make successful authentication dependend on membership of one SID +# (can also take a name) +;require_membership_of = + +# password expiry warning period in days +;warn_pwd_expire = 14 +warn_pwd_expire = 21 + +# omit pam conversations +;silent = no + +# create homedirectory on the fly +;mkhomedir = no diff --git a/role-samba4-ad-member/templates/resolved.conf.j2 b/role-samba4-ad-member/templates/resolved.conf.j2 new file mode 100644 index 0000000..c711651 --- /dev/null +++ b/role-samba4-ad-member/templates/resolved.conf.j2 @@ -0,0 +1,22 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. +# +# Entries in this file show the compile time defaults. +# You can change settings by editing this file. +# Defaults can be restored by simply deleting this file. +# +# See resolved.conf(5) for details + +[Resolve] +DNS={{ smb_dns }} +FallbackDNS= {{ smb_fallbackdns }} +Domains={{ smb_domains }} +LLMNR={{ smb_llmnr }} +MulticastDNS={{ smb_multicastdns }} +DNSSEC={{ smb_dnssec }} +Cache={{ smb_cache }} +DNSStubListener={{ smb_dnsstublistener }} \ No newline at end of file 
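Review bot: The template's own header says it is `/etc/security/pam_winbind.conf`, but the three ubt-*-amd64.yml task files in this commit deploy it to `/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf`, the package's example location, so as far as I can tell `cached_login = yes` and `warn_pwd_expire = 21` are never read by pam_winbind. The `dest` in those template loops should be `'/etc/security/pam_winbind.conf'`. Note the file's own comment that `cached_login` needs `winbind offline logon = yes` in smb.conf; smb.conf.j2 sets that parameter twice with conflicting values (raised on that file).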
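Review bot: `FallbackDNS= {{ smb_fallbackdns }}` has a stray space after `=` that the other keys do not; as far as I know systemd strips surrounding whitespace, so it is cosmetic, but write `FallbackDNS={{ smb_fallbackdns }}` for consistency. The file is also written without a trailing newline (`\ No newline at end of file`); add one. `DNSSEC={{ smb_dnssec }}` resolves to `no` through defaults/main.yml — if disabling validation is intentional for the AD-integrated zone, a comment above the `[Resolve]` block saying so would stop a reader from flipping it blindly.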
diff --git a/role-samba4-ad-member/templates/smb.conf.j2 b/role-samba4-ad-member/templates/smb.conf.j2 new file mode 100755 index 0000000..c679df6 --- /dev/null +++ b/role-samba4-ad-member/templates/smb.conf.j2 @@ -0,0 +1,23 @@ +[global] +workgroup = {{ smb_workgroup }} +realm = {{ smb_realm }} +netbios name = {{ ansible_hostname }} +security = ADS +#encrypt passwords = yes +dns forwarder = {{ smb_dns_servers }} + +idmap config * :backend = tdb +idmap config *:range = 50000-1000000 +template homedir = /home/%D/%U +template shell = /bin/bash + +winbind use default domain = yes +winbind offline logon = false +winbind nss info = rfc2307 +winbind enum users = yes +winbind enum groups = yes +winbind offline logon = yes + +vfs objects = acl_xattr +map acl inherit = Yes +store dos attributes = Yes diff --git a/role-samba4-primary-ad-dc/LICENSE b/role-samba4-primary-ad-dc/LICENSE new file mode 100644 index 0000000..24cd945 --- /dev/null +++ b/role-samba4-primary-ad-dc/LICENSE 
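Review bot: `winbind offline logon = false` and, five lines later, `winbind offline logon = yes` set the same parameter twice; Samba keeps the last value, so the first line is dead and misleading — delete it. `dns forwarder = {{ smb_dns_servers }}` is a parameter of Samba's internal DNS server on a domain controller and, as far as I can tell, has no effect on a `security = ADS` member server; drop it or comment why it is here. `idmap config * :backend = tdb` has a stray space before the colon, unlike the next line, and `netbios name = {{ ansible_hostname }}` may be truncated or rejected if the hostname exceeds 15 characters, which the role does not check.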
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2018 bitfinity + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/role-samba4-primary-ad-dc/README.md b/role-samba4-primary-ad-dc/README.md new file mode 100644 index 0000000..697f63c --- /dev/null +++ b/role-samba4-primary-ad-dc/README.md 
@@ -0,0 +1,58 @@ +Role Name +========= + +Ansible role to setup a Ubuntu Primary Active Directory Domain Controller + +Requirements +------------ + +- Ansible control server +- Ubuntu + +Role Variables +-------------- + +Set defaut variable(s) in group_vars for reusing in other playbooks. +- def_ad_workgroup : 'LAB' +- def_ad_realm : 'LAB.LOCAL' +- def_ad_admin : 'administrator' +- def_ad_pass : 'Welkom123' +- def_ad_dns : '192.168.0.66 192.168.0.67' +- def_ad_dc01 : '192.168.0.67' +- def_ad_dc02 : '192.168.0.67' +- def_ad_basedn : 'OU=lab,DC=lab,DC=local' + +You can override these variable(s) in your own playbook + +- smb_workgroup : TEST +- smb_realm : TEST.NET +- smb_dns_servers : "{{ ansible_default_ipv4.address }}" +- smb_username : administrator +- smb_password : Welkom123 + +Example Playbook +---------------- + + - hosts: adc01 + become: true + + vars: + # -- Custom settings: role-samba4-primary-ad-dc -- + smb_workgroup : 'LAB' + smb_realm : 'LAB.LOCAL' + smb_username : 'administrator' + smb_password : 'Password123' + + roles: + - role-samba4-primary-ad-dc + + +License +------- + +GNU GPLv3 + +Author Information +------------------ + +www.bitfinity.nl diff --git a/role-samba4-primary-ad-dc/defaults/main.yml b/role-samba4-primary-ad-dc/defaults/main.yml new file mode 100644 index 0000000..ebc01fc --- /dev/null +++ b/role-samba4-primary-ad-dc/defaults/main.yml 
@@ -0,0 +1,33 @@ +--- +# title: role-samba4-primary-ad-dc +# +# Author: bitfinity-nl +# Version: 1.0 +# File: defaults/main.yml +# +# Description: Creating a primairy Active Directory Domain Controller. + +# -- Samba4 AD settings -- +# +# Variable(s): +# smb_repository : 'default' or 'latest' # Set which repositories wil be used. +# smb_role : 'member' # Set samba4 role primary (only for initial setup), additional, member. +# smb_workgroup : 'LAB' # Set workgroup (should be in capital letters). +# smb_realm : 'LAB.LOCAL' # Set realm (should be in capital letters). +# smb_dns_servers : '{{ ansible_default_ipv4.address }}' # Set current ipv4 address. +# smb_dns_forwarders : '8.8.8.8 8.8.4.4' # Set DNS forwarders. +# smb_username : 'administrator' # Set administrator account. +# smb_password : 'Welkom123' # Set administrator password. +# +# Comment: +# Override variable(s) or set put them in your group_vars folder for reusing. +# +smb_repository : '{{ def_ad_repository }}' +smb_role : 'member' +smb_workgroup : '{{ def_ad_workgroup }}' +smb_realm : '{{ def_ad_realm }}' +smb_dns_servers : '{{ ansible_default_ipv4.address }}' +smb_dns_forwarder : '{{ def_ad_dns_forwarder }}' +smb_username : '{{ def_ad_admin}}' +smb_password : '{{ def_ad_pass }}' + diff --git a/role-samba4-primary-ad-dc/handlers/main.yml b/role-samba4-primary-ad-dc/handlers/main.yml new file mode 100644 index 0000000..728b049 --- /dev/null +++ b/role-samba4-primary-ad-dc/handlers/main.yml @@ -0,0 +1,13 @@ +--- +# title: role-samba4-primary-ad-dc +# +# Author: bitfinity-nl +# Version: 1.0 +# File: handlers/main.yml +# +# Description: Creating a primairy Active Directory Domain Controller. + +- name: "restart_samba" + systemd: + state: restarted + name: samba-ad-dc.service \ No newline at end of file diff --git a/role-samba4-primary-ad-dc/meta/main.yml b/role-samba4-primary-ad-dc/meta/main.yml new file mode 100644 index 0000000..f172e23 --- /dev/null +++ b/role-samba4-primary-ad-dc/meta/main.yml 
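Review bot: `smb_repository : '{{ def_ad_repository }}'` references `def_ad_repository`, which group_vars/all.yml in this commit does not define, so any task that evaluates `smb_repository` fails with an undefined-variable error; either add `def_ad_repository: 'default'` to group_vars or give it a literal default here (`smb_repository: 'default'`). The header documents `smb_dns_forwarders : '8.8.8.8 8.8.4.4'` (plural, two addresses) while the variable actually set is `smb_dns_forwarder` sourced from `def_ad_dns_forwarder`. `smb_role : 'member'` is a default that tasks/main.yml never matches for 18.04/20.04 (it imports only for `"primary"` and `"additional"`), so the role silently does nothing unless the caller overrides it — document that in the header or default to `'primary'`.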
@@ -0,0 +1,18 @@ +galaxy_info: + author: L. Rutten + description: Install Samba4 Active Directory (Primary) Domain Controller + company: Bitfinity-NL + license: GPLv3 + min_ansible_version: 2.4 + platforms: + - name: Ubuntu + versions: + - xenial + - bionic + galaxy_tags: + - samba4 + - AD + - Active Directory + - ubuntu + - Windows + - linux diff --git a/role-samba4-primary-ad-dc/tasks/main.yml b/role-samba4-primary-ad-dc/tasks/main.yml new file mode 100644 index 0000000..7b20448 --- /dev/null +++ b/role-samba4-primary-ad-dc/tasks/main.yml @@ -0,0 +1,43 @@ +--- +# title: role-samba4-primary-ad-dc +# +# Author: bitfinity-nl +# Version: 1.0 +# File: tasks/main.yml +# +# Description: Creating a primairy Active Directory Domain Controller. + +- name: "For OS: Ubuntu 16.04LTS, Arch: amd64" + import_tasks: ubuntu-1604-amd64.yml + when: + - ansible_distribution_version == "16.04" + - ansible_architecture == "x86_64" + +- name: "Role: primary DC, For OS: Ubuntu 18.04LTS, Arch: amd64" + import_tasks: ubuntu-1804-amd64.yml + when: + - smb_role == "primary" + - ansible_distribution_version == "18.04" + - ansible_architecture == "x86_64" + +- name: "Role: additional DC, For OS: Ubuntu 18.04LTS, Arch: amd64" + import_tasks: ubuntu-1804-amd64.yml + when: + - smb_role == "additional" + - ansible_distribution_version == "18.04" + - ansible_architecture == "x86_64" + +- name: "Role: primary DC, For OS: Ubuntu 20.04LTS, Arch: amd64" + import_tasks: ubuntu-2004-amd64.yml + when: + - smb_role == "primary" + - ansible_distribution_version == "20.04" + - ansible_architecture == "x86_64" + +- name: "Role: additional DC, For OS: Ubuntu 20.04LTS, Arch: amd64" + import_tasks: ubuntu-2004-amd64.yml + when: + - smb_role == "additional" + - ansible_distribution_version == "20.04" + - ansible_architecture == "x86_64" + diff --git a/role-samba4-primary-ad-dc/tasks/ubt-1804-adc.yml b/role-samba4-primary-ad-dc/tasks/ubt-1804-adc.yml new file mode 100644 index 0000000..2c4e3cc --- /dev/null 
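Review bot: The `additional` DC entries import the same file as the `primary` ones (`import_tasks: ubuntu-1804-amd64.yml` under `smb_role == "additional"`), so an additional controller would be provisioned as a new domain rather than joined; the file this commit adds for that purpose is `tasks/ubt-1804-adc.yml`, so the 18.04 additional entry should read `import_tasks: ubt-1804-adc.yml`. `ubuntu-1804-amd64.yml` and `ubuntu-2004-amd64.yml` do not appear in this diff; if they exist elsewhere in the tree that is fine, otherwise these imports fail at parse time. The 16.04 entry has no `smb_role` condition, unlike the others, and as in the member role none of the `when` lists checks `ansible_distribution == "Ubuntu"`.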
+++ b/role-samba4-primary-ad-dc/tasks/ubt-1804-adc.yml 
@@ -0,0 +1,125 @@ +--- +# Title: Role Samba4 +# +# Author: bitfinity-nl +# File: tasks/ubt-1804-adc.yml +# +# Description: +# Add additional domain controller +# + +- name: "Check OS if is allready DC" + shell: "samba-tool domain info {{ ansible_default_ipv4.address }}" + register: smb_dc_result + ignore_errors: yes + +- name: "Preseed Kerberos version 5: krb5-config/default_realm" + raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections" + when: + - smb_dc_result.failed == true + +- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm" + raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections" + when: + - smb_dc_result.failed == true + +- name: "Preseed PAM Configuration" + raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections" + when: + - smb_dc_result.failed == true + +- name: "Install dependencies" + apt: + name: "{{ packages }}" + update_cache: yes + state: present + vars: + packages: + - acl + - samba + - smbclient + - krb5-config + - krb5-user + - winbind + - libpam-winbind + - libnss-winbind + +- name: "back-up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial" + copy: + src: /etc/samba/smb.conf + dest: /etc/samba/smb.conf.initial + remote_src: yes + force: no + when: + - smb_dc_result.failed == true + +- name: "rm /etc/samba/smb.conf" + file: + path: /etc/samba/smb.conf + state: absent + when: + - smb_dc_result.failed == true + +- name: "Transfer adc/smb.conf.j2 to /etc/samba/smb.conf" + template: + src: adc/smb.conf.j2 + dest: /etc/samba/smb.conf + +- name: "Join {{ ansible_hostname }} as additional domain controller" + raw: "samba-tool domain join {{ smb_realm }} DC -U{{ smb_workgroup }}\\{{smb_username }} --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}" + when: + - smb_dc_result.failed == true + +- name: "Configure DNS 
forwarder in /etc/samba/smb.conf" + replace: + path: /etc/samba/smb.conf + regexp: '127.0.0.53' + replace: '{{ def_ad_dns_forwarder }}' + backup: yes + +- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial" + copy: + src: /etc/krb5.conf + dest: /etc/krb5.conf.initial + remote_src: yes + force: no + +- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf" + file: + src: /var/lib/samba/private/krb5.conf + dest: /etc/krb5.conf + state: link + force: yes + +- name: "Enable Services" + systemd: + masked: no + enabled: yes + state: started + name: "{{ item }}" + with_items: + - samba-ad-dc.service + +- name: "Edit Fstab" + replace: + path: /etc/fstab + regexp: 'errors=remount-ro 0' + replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0' + backup: yes + +- name: "Allow traffic for Application Samba4 AD-DC" + ufw: + rule: allow + name: Samba + +- name: "Allow all DNS traffic on port 53/tcp" + ufw: + rule: allow + port: '53' + proto: "{{ item }}" + with_items: + - tcp + - udp + +- name: "Ubuntu login" + import_tasks: ubuntu-1804-amd64-login.yml diff --git a/role-samba4-primary-ad-dc/tasks/ubuntu-1604-amd64.yml b/role-samba4-primary-ad-dc/tasks/ubuntu-1604-amd64.yml new file mode 100644 index 0000000..961c121 --- /dev/null +++ b/role-samba4-primary-ad-dc/tasks/ubuntu-1604-amd64.yml 
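Review bot: `raw: "samba-tool domain join {{ smb_realm }} DC -U{{ smb_workgroup }}\\{{smb_username }} … --adminpass={{ smb_password }}"` exposes the domain administrator password in the task result, in any Ansible log and in the process list, and has no `no_log: true`; the same applies to `samba-tool domain provision … --adminpass={{ smb_password }}` in ubuntu-1604-amd64.yml below, so add `no_log: true` to both. As far as I know `--adminpass` is a `provision` option and `samba-tool domain join` takes the credential via `--password` (or `-U user%password`), so this command may be rejected outright — please check against the installed `samba-tool domain join --help`. The `\\` in the YAML double-quoted scalar yields a single backslash, which is what `DOMAIN\user` needs, but `raw` hands the string to the remote login shell, where an unquoted lone backslash is an escape and `LAB\administrator` would arrive as `LABadministrator`; `command:` with `argv:` avoids both quoting layers. `src: adc/smb.conf.j2` is not part of this diff, so I can't verify the template exists.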
@@ -0,0 +1,120 @@
+---
+# title: ansible-role-samba4-primary-ad-dc
+#
+# Author: Luc Rutten
+# Version: 1.0
+# File: tasks/ubuntu-1604-amd64.yml
+#
+# Description: Creating a primairy Active Directory Domain Controller.
+
+- name: "Check OS if is allready DC"
+ shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
+ register: smb_dc_result
+ ignore_errors: yes
+
+- name: "Preseed Kerberos version 5: krb5-config/default_realm"
+ raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
+ raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Preseed PAM Configuration"
+ raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Install dependencies"
+ apt:
+ name: "{{ packages }}"
+ update_cache: yes
+ state: present
+ vars:
+ packages:
+ - acl
+ - samba
+ - smbclient
+ - krb5-config
+ - krb5-user
+ - winbind
+ - libpam-winbind
+ - libnss-winbind
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Disable Services"
+ systemd:
+ enabled: no
+ state: stopped
+ name: "{{ item }}"
+ with_items:
+ - samba-ad-dc.service
+ - smbd.service
+ - nmbd.service
+ - winbind.service
+ when:
+ - smb_dc_result.failed == true
+
+- name: "back-Up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
+ copy:
+ src: /etc/samba/smb.conf
+ dest: /etc/samba/smb.conf.initial
+ remote_src: yes
+ force: no
+ when:
+ - smb_dc_result.failed == true
+
+- name: "rm /etc/samba/smb.conf"
+ file:
+ path: /etc/samba/smb.conf
+ state: absent
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Start domain provisioning"
+ raw: "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
+ when:
+ - smb_dc_result.failed == true
+
+- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
+ copy:
+ src: /etc/krb5.conf
+ dest: /etc/krb5.conf.initial
+ remote_src: yes
+ force: no
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
+ file:
+ src: /var/lib/samba/private/krb5.conf
+ dest: /etc/krb5.conf
+ state: link
+ force: yes
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Enable Services"
+ systemd:
+ enabled: yes
+ state: started
+ name: "{{ item }}"
+ with_items:
+ - samba-ad-dc.service
+ - smbd.service
+ - nmbd.service
+ - winbind.service
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Edit Fstab"
+ replace:
+ path: /etc/fstab
+ regexp: 'errors=remount-ro 0'
+ replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
+ backup: yes
+ when:
+ - smb_dc_result.failed == true
diff --git a/role-samba4-primary-ad-dc/tasks/ubuntu-1804-amd64-login.yml b/role-samba4-primary-ad-dc/tasks/ubuntu-1804-amd64-login.yml
new file mode 100644
index 0000000..cd08c9a
--- /dev/null
+++ b/role-samba4-primary-ad-dc/tasks/ubuntu-1804-amd64-login.yml
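Review bot: The re-provisioning guard is too coarse: `Check OS if is allready DC` runs with `ignore_errors: yes` and every destructive task below keys on `smb_dc_result.failed == true`, so any nonzero exit of `samba-tool domain info` (samba not yet installed is the intended case, but a transient error or a host without `ansible_default_ipv4` behaves the same) makes the play delete /etc/samba/smb.conf and run `samba-tool domain provision` on a host that may already be a DC. Gate the destructive tasks on an artifact that only exists after a successful provision, for example a `stat` of `/var/lib/samba/private/sam.ldb`, or at least add `changed_when: false` to the check and test `smb_dc_result.rc` explicitly instead of `failed`. The password-on-argv point raised on tasks/ubt-1804-adc.yml applies to the provision line here as well.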
@@ -0,0 +1,69 @@
+---
+# title: role-samba4-primary-ad-dc
+#
+# Author: bitfinity-nl
+# Version: 1.0
+# File: tasks/ubt-1804-amd64-login.yml
+#
+# Description: Creating a primairy Active Directory Domain Controller.
+
+- name: "Edit Fstab"
+ replace:
+ path: /etc/fstab
+ regexp: 'errors=remount-ro 0'
+ replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
+ backup: yes
+
+- name: "Download template smb.conf.j2 to /etc/samba/smb.conf"
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ backup: yes
+ with_items:
+ - { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' }
+ notify:
+ - restart_samba
+
+- name: "Modify /etc/samba/smb.conf for AD logins"
+ blockinfile:
+ path: /etc/samba/smb.conf
+ insertafter: "use rfc2307 = yes"
+ block: |
+ template homedir = /home/%D/%U
+ template shell = /bin/bash
+ winbind use default domain = yes
+ winbind nss info = rfc2307
+ winbind enum users = yes
+ winbind enum groups = yes
+ winbind offline logon = yes
+ vfs objects = acl_xattr
+ map acl inherit = Yes
+ store dos attributes = Yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ notify: restart_samba
+
+- name: "Transfer templates"
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ backup: yes
+ with_items:
+ - { src: 'nsswitch.conf.j2', dest: '/etc/nsswitch.conf'}
+
+- name: "Configure PAM Configuration"
+ shell: DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+- name: "Configure PAM - /etc/pam.d/common-account"
+ lineinfile:
+ path: /etc/pam.d/common-account
+ line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
+ backup: yes
+
+- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins"
+ template:
+ src: domain-admins.j2
+ dest: /etc/sudoers.d/domain-admins
+ owner: root
+ group: root
+ mode: 0440
+ backup: yes
\ No newline at end of file
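Review bot: The last task writes `/etc/sudoers.d/domain-admins` with no validation, and a syntax error in a sudoers drop-in disables sudo for every account on the host; add `validate: '/usr/sbin/visudo -cf %s'` to that `template:` call. Separately, the first template task renders `pam_winbind.conf.j2` to `/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf`, which is the packaged example rather than the file pam_winbind reads (the template's own header names `/etc/security/pam_winbind.conf`), and the task name still says `smb.conf.j2`. The `restart_samba` handler notified by two tasks is not defined anywhere in this diff, so I could not confirm it exists. `mode: 0440` is an unquoted octal; write it as `'0440'` so YAML does not reinterpret it.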
diff --git a/role-samba4-primary-ad-dc/tasks/ubuntu-1804-amd64.yml b/role-samba4-primary-ad-dc/tasks/ubuntu-1804-amd64.yml
new file mode 100644
index 0000000..c872746
--- /dev/null
+++ b/role-samba4-primary-ad-dc/tasks/ubuntu-1804-amd64.yml
@@ -0,0 +1,150 @@
+---
+# title: role-samba4-primary-ad-dc
+#
+# Author: bitfinity-nl
+# Version: 1.0
+# File: tasks/ubt-1804-amd64.yml
+#
+# Description: Creating a primairy Active Directory Domain Controller.
+
+- name: "Check OS if is allready DC"
+ shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
+ register: smb_dc_result
+ ignore_errors: yes
+
+- name: "Preseed Kerberos version 5: krb5-config/default_realm"
+ raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
+ raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Preseed PAM Configuration"
+ raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
+ when:
+ - smb_dc_result.failed == true
+
+#- name: "Add additional repositories"
+# apt_repository:
+# repo: ppa:linux-schools/samba-latest
+# when:
+# - smb_repository == 'latest'
+
+- name: "Install dependencies"
+ apt:
+ name: "{{ packages }}"
+ update_cache: yes
+ state: present
+ vars:
+ packages:
+ - acl
+ - samba
+ - smbclient
+ - krb5-config
+ - krb5-user
+ - winbind
+ - libpam-winbind
+ - libnss-winbind
+
+- name: "Disable Services"
+ systemd:
+ enabled: no
+ state: stopped
+ name: "{{ item }}"
+ with_items:
+ - samba-ad-dc.service
+ - smbd.service
+ - nmbd.service
+ - winbind.service
+ - systemd-resolved
+ when:
+ - smb_dc_result.failed == true
+
+#- name: "Disable Services"
+# systemd:
+# enabled: no
+# state: stopped
+# name: "{{ item }}"
+# with_items:
+# - systemd-resolved
+# when:
+# - smb_dc_result.failed == true
+# - smb_repository == 'latest'
+
+- name: "back-up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
+ copy:
+ src: /etc/samba/smb.conf
+ dest: /etc/samba/smb.conf.initial
+ remote_src: yes
+ force: no
+ when:
+ - smb_dc_result.failed == true
+
+- name: "rm /etc/samba/smb.conf"
+ file:
+ path: /etc/samba/smb.conf
+ state: absent
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Start domain provisioning"
+ raw: "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Configure DNS forwarder in /etc/samba/smb.conf"
+ replace:
+ path: /etc/samba/smb.conf
+ regexp: '127.0.0.53'
+ replace: '{{ def_ad_dns_forwarder }}'
+ backup: yes
+
+- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
+ copy:
+ src: /etc/krb5.conf
+ dest: /etc/krb5.conf.initial
+ remote_src: yes
+ force: no
+
+- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
+ file:
+ src: /var/lib/samba/private/krb5.conf
+ dest: /etc/krb5.conf
+ state: link
+ force: yes
+
+- name: "Enable Services"
+ systemd:
+ masked: no
+ enabled: yes
+ state: started
+ name: "{{ item }}"
+ with_items:
+ - samba-ad-dc.service
+
+- name: "Edit Fstab"
+ replace:
+ path: /etc/fstab
+ regexp: 'errors=remount-ro 0'
+ replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
+ backup: yes
+
+- name: "Allow traffic for Application Samba4 AD-DC"
+ ufw:
+ rule: allow
+ name: Samba
+
+- name: "Allow all DNS traffic on port 53/tcp"
+ ufw:
+ rule: allow
+ port: '53'
+ proto: "{{ item }}"
+ with_items:
+ - tcp
+ - udp
+
+- name: "Ubuntu login"
+ import_tasks: ubuntu-1804-amd64-login.yml
\ No newline at end of file
diff --git a/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml b/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml
new file mode 100644
index 0000000..c872746
--- /dev/null
+++ b/role-samba4-primary-ad-dc/tasks/ubuntu-2004-amd64.yml
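Review bot: The `Configure DNS forwarder` task uses `regexp: '127.0.0.53'`, where the unescaped dots match any character, and substitutes `{{ def_ad_dns_forwarder }}`, a name that is not a role variable — the playbooks in this diff set `smb_dns_forwarder`, and templates/adc/smb.conf.j2 consumes that name — so any inventory without `def_ad_dns_forwarder` fails with an undefined variable. Suggest `regexp: '127\.0\.0\.53'` and `replace: '{{ smb_dns_forwarder }}'`, and gating the task on `smb_dc_result.failed == true` like the provision step so re-runs do not rewrite smb.conf. The two `ufw` tasks also allow port 53 from any source while the same file configures an upstream forwarder; as far as I know Samba's internal DNS then answers recursive queries for every client that can reach it, so unless the host sits on a trusted segment the rule should be restricted with `from_ip` (alias `src`). The password-on-argv point from tasks/ubt-1804-adc.yml applies to the provision line here too.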
@@ -0,0 +1,150 @@
+---
+# title: role-samba4-primary-ad-dc
+#
+# Author: bitfinity-nl
+# Version: 1.0
+# File: tasks/ubt-1804-amd64.yml
+#
+# Description: Creating a primairy Active Directory Domain Controller.
+
+- name: "Check OS if is allready DC"
+ shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
+ register: smb_dc_result
+ ignore_errors: yes
+
+- name: "Preseed Kerberos version 5: krb5-config/default_realm"
+ raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
+ raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Preseed PAM Configuration"
+ raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
+ when:
+ - smb_dc_result.failed == true
+
+#- name: "Add additional repositories"
+# apt_repository:
+# repo: ppa:linux-schools/samba-latest
+# when:
+# - smb_repository == 'latest'
+
+- name: "Install dependencies"
+ apt:
+ name: "{{ packages }}"
+ update_cache: yes
+ state: present
+ vars:
+ packages:
+ - acl
+ - samba
+ - smbclient
+ - krb5-config
+ - krb5-user
+ - winbind
+ - libpam-winbind
+ - libnss-winbind
+
+- name: "Disable Services"
+ systemd:
+ enabled: no
+ state: stopped
+ name: "{{ item }}"
+ with_items:
+ - samba-ad-dc.service
+ - smbd.service
+ - nmbd.service
+ - winbind.service
+ - systemd-resolved
+ when:
+ - smb_dc_result.failed == true
+
+#- name: "Disable Services"
+# systemd:
+# enabled: no
+# state: stopped
+# name: "{{ item }}"
+# with_items:
+# - systemd-resolved
+# when:
+# - smb_dc_result.failed == true
+# - smb_repository == 'latest'
+
+- name: "back-up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
+ copy:
+ src: /etc/samba/smb.conf
+ dest: /etc/samba/smb.conf.initial
+ remote_src: yes
+ force: no
+ when:
+ - smb_dc_result.failed == true
+
+- name: "rm /etc/samba/smb.conf"
+ file:
+ path: /etc/samba/smb.conf
+ state: absent
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Start domain provisioning"
+ raw: "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
+ when:
+ - smb_dc_result.failed == true
+
+- name: "Configure DNS forwarder in /etc/samba/smb.conf"
+ replace:
+ path: /etc/samba/smb.conf
+ regexp: '127.0.0.53'
+ replace: '{{ def_ad_dns_forwarder }}'
+ backup: yes
+
+- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
+ copy:
+ src: /etc/krb5.conf
+ dest: /etc/krb5.conf.initial
+ remote_src: yes
+ force: no
+
+- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
+ file:
+ src: /var/lib/samba/private/krb5.conf
+ dest: /etc/krb5.conf
+ state: link
+ force: yes
+
+- name: "Enable Services"
+ systemd:
+ masked: no
+ enabled: yes
+ state: started
+ name: "{{ item }}"
+ with_items:
+ - samba-ad-dc.service
+
+- name: "Edit Fstab"
+ replace:
+ path: /etc/fstab
+ regexp: 'errors=remount-ro 0'
+ replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
+ backup: yes
+
+- name: "Allow traffic for Application Samba4 AD-DC"
+ ufw:
+ rule: allow
+ name: Samba
+
+- name: "Allow all DNS traffic on port 53/tcp"
+ ufw:
+ rule: allow
+ port: '53'
+ proto: "{{ item }}"
+ with_items:
+ - tcp
+ - udp
+
+- name: "Ubuntu login"
+ import_tasks: ubuntu-1804-amd64-login.yml
\ No newline at end of file
diff --git a/role-samba4-primary-ad-dc/templates/adc/smb.conf.j2 b/role-samba4-primary-ad-dc/templates/adc/smb.conf.j2
new file mode 100644
index 0000000..c6a8737
--- /dev/null
+++ b/role-samba4-primary-ad-dc/templates/adc/smb.conf.j2
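Review bot: This file is a byte-for-byte copy of ubuntu-1804-amd64.yml (both hunks carry blob `c872746`), including the header `# File: tasks/ubt-1804-amd64.yml` and the trailing `import_tasks: ubuntu-1804-amd64-login.yml`, so the two will drift the first time one of them is fixed. Until 20.04 genuinely needs different steps, reduce this file to a single `- import_tasks: ubuntu-1804-amd64.yml`, or at minimum correct the header comment. Every point raised on the 18.04 file (DNS-forwarder regex and variable name, port 53 open to any source, password on argv) applies here unchanged.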
@@ -0,0 +1,16 @@
+# Global parameters
+[global]
+ dns forwarder = {{ smb_dns_forwarder }}
+ netbios name = {{ ansible_hostname }}
+ realm = {{ smb_realm }}
+ server role = active directory domain controller
+ workgroup = {{ smb_workgroup }}
+ idmap_ldb:use rfc2307 = yes
+
+[netlogon]
+ path = /var/lib/samba/sysvol/{{ smb_realm }}/scripts
+ read only = No
+
+[sysvol]
+ path = /var/lib/samba/sysvol
+ read only = No
diff --git a/role-samba4-primary-ad-dc/templates/domain-admins.j2 b/role-samba4-primary-ad-dc/templates/domain-admins.j2
new file mode 100644
index 0000000..9cb2571
--- /dev/null
+++ b/role-samba4-primary-ad-dc/templates/domain-admins.j2
@@ -0,0 +1 @@
+%domain\ admins ALL=(ALL:ALL) ALL
\ No newline at end of file
diff --git a/role-samba4-primary-ad-dc/templates/nsswitch.conf.j2 b/role-samba4-primary-ad-dc/templates/nsswitch.conf.j2
new file mode 100644
index 0000000..cbec1d7
--- /dev/null
+++ b/role-samba4-primary-ad-dc/templates/nsswitch.conf.j2
@@ -0,0 +1,20 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat winbind
+group: compat winbind
+shadow: compat winbind
+gshadow: files
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
diff --git a/role-samba4-primary-ad-dc/templates/pam_winbind.conf.j2 b/role-samba4-primary-ad-dc/templates/pam_winbind.conf.j2
new file mode 100644
index 0000000..9fae41c
--- /dev/null
+++ b/role-samba4-primary-ad-dc/templates/pam_winbind.conf.j2
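Review bot: `path = /var/lib/samba/sysvol/{{ smb_realm }}/scripts` in `[netlogon]` inserts the realm exactly as supplied, and the playbooks in this diff set it upper-case (`LAB.LOCAL`); as far as I know Samba's own provisioning creates the sysvol tree with the realm lower-cased, so on a case-sensitive filesystem the netlogon share would point at a directory that does not exist. `{{ smb_realm | lower }}` avoids the mismatch. The template also hard-requires `smb_dns_forwarder`, which the adc task file never checks and defaults/main.yml is not visible here, so a missing value surfaces only as an undefined-variable failure at template time; either document it as mandatory or give it a `default()` with a value the maintainer chooses.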
@@ -0,0 +1,41 @@
+#
+# pam_winbind configuration file
+#
+# /etc/security/pam_winbind.conf
+#
+# For more details see man pam_winbind.conf(5)
+
+[global]
+
+# turn on debugging
+;debug = no
+
+# turn on extended PAM state debugging
+;debug_state = no
+
+# request a cached login if possible
+# (needs "winbind offline logon = yes" in smb.conf)
+;cached_login = no
+cached_login = yes
+
+# authenticate using kerberos
+;krb5_auth = no
+
+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
+# (leave empty to just do krb5 authentication but not have a ticket
+# afterwards)
+;krb5_ccache_type =
+
+# make successful authentication dependend on membership of one SID
+# (can also take a name)
+;require_membership_of =
+
+# password expiry warning period in days
+;warn_pwd_expire = 14
+warn_pwd_expire = 21
+
+# omit pam conversations
+;silent = no
+
+# create homedirectory on the fly
+;mkhomedir = no
\ No newline at end of file
diff --git a/samba-dc.yml b/samba-dc.yml
new file mode 100644
index 0000000..4a13c1d
--- /dev/null
+++ b/samba-dc.yml
@@ -0,0 +1,16 @@
+- hosts: adc01
+ become: true
+
+ vars:
+ # -- Custom settings: role-samba4-primary-ad-dc --
+ smb_workgroup : 'LAB'
+ smb_realm : 'LAB.LOCAL'
+ smb_username : 'administrator'
+ smb_password : 'Password123'
+ smb_role : 'primary'
+ smb_dns_servers: '10.100.100.12'
+ smb_dns_forwarder: '8.8.8.8'
+
+ roles:
+ - role-samba4-primary-ad-dc
+
diff --git a/samba-member.yml b/samba-member.yml
new file mode 100644
index 0000000..8a2b545
--- /dev/null
+++ b/samba-member.yml
@@ -0,0 +1,14 @@
+- hosts: server1
+ become: true
+
+ vars:
+ # -- Custom settings: role-samba4-primary-ad-dc --
+ smb_workgroup : 'LAB'
+ smb_realm : 'LAB.LOCAL'
+ smb_username : 'administrator'
+ smb_password : 'Password123'
+ smb_dns_servers: '10.100.100.12'
+
+ roles:
+ - role-samba4-ad-member
+
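Review bot: `smb_password : 'Password123'` in samba-dc.yml commits a domain-administrator credential in clear text, and samba-member.yml repeats the same value; both playbooks should take it from an Ansible Vault variable or a lookup, e.g. `smb_password: "{{ vault_smb_password }}"` (constructed name) with the value in an encrypted vars file, and any sample should use an obvious placeholder. The keys are written with a space before the colon (`smb_workgroup : 'LAB'`), which yamllint rejects and which is inconsistent with `smb_dns_servers:` a few lines below. The comment in samba-member.yml still reads `role-samba4-primary-ad-dc` although that play applies `role-samba4-ad-member`.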