adding roles for samba-ad-dc and samba-ad-member

Michael Pellegrino
2021-08-26 10:37:49 -04:00
parent 69e9c79702
commit ab9c9281d8
32 changed files with 1568 additions and 0 deletions

role-samba4-ad-member/LICENSE Executable file

@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2018 bitfinity
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

role-samba4-ad-member/README.md Executable file

@@ -0,0 +1,47 @@
ansible-role-samba4-ad-member
=============================
Join Ubuntu as a member server to Active Directory
**Domain Admins have sudo rights**
Requirements
------------
- Ubuntu 16.04lts / 18.04lts AMD64
- Active Direcory (2008r2 and up)
- Ansible-role-ntp-server
Role Variables
--------------
See default/main.yml for detailed information.
Example Playbook
----------------
This is an example how to use the role:
- hosts: ad-members
become: true
vars:
# -- custom settings - ansible-role-samba4-ad-member --
smb_workgroup: EXAMPLE
smb_realm: EXAMPLE.LOCAL
smb_dns_servers: 192.168.0.1 192.168.0.2
smb_username: adm_ansible
smb_password: '{{ ad_admin_pass }}'
roles:
- ansible-role-samba4-ad-member
Source(s)
---------
Thanks goes to all the authors and participants from
the sources below, so I could write this Anisble role.
- https://www.tecmint.com/join-ubuntu-to-active-directory-domain-member-samba-winbind/
- https://community.centrify.com/t5/Centrify-Express/Ad-group-with-space-in-its-name-not-working/td-p/17661
- https://wiki.samba.org/index.php/PAM_Offline_Authentication


@@ -0,0 +1,55 @@
---
# Title: ansible-role-samba4-ad-member
#
# Author: bitfinity-nl
# File: defaults/main.yml
#
# Description:
# Samba is the standard Windows interoperability
# suite of programs for Linux and Unix.
#
# WORKGROUP: <CAPITAL LETTERS>
# REALM: < CAPITAL LETTERS>
# -- Samba4 --
#
# Variable(s):
# smb_workgroup: TEST # Specify the short workgroup name.
# smb_realm: TEST.NET # Specify the realm.
# smb_dns_servers: 192.168.0.1 # Specify the DNS servers.
# smb_username: administrator # Specify an administrative AD account.
# smb_password: password # Specify the password from administrative AD account.
#
#
# Comment:
# Change variable(s) here, in your playbook or set them in your groupvars
#
smb_workgroup : '{{ def_ad_workgroup }}'
smb_realm : '{{ def_ad_realm }}'
smb_dns_servers : '{{ def_ad_dns }}'
smb_username : '{{ def_ad_admin }}'
smb_password : '{{ def_ad_pass }}'
# -- resolv.conf.j2 --
#
# Variable(s):
# smb_dns : '192.168.0.1' # Wil be extracted from variable {{ smb_dns_servers }}
# smb_fallbackdns : '192.168.0.2' # Wil be extracted from variable {{ smb_dns_servers }}.
# smb_domains : 'EXAMPLE.LOCAL' # Specify the realm.
# smb_llmnr : 'no' # Default=no
# smb_multicastdns : 'no' # Default=no
# smb_dnssec : 'no' # Default=no
# smb_cache : 'yes' # Default=yes
# smb_dnsstublistener : 'yes' # Defailt=yes
#
# Notes:
# - https://ubuntuforums.org/showthread.php?t=2391351
#
smb_domains : '{{ smb_realm }}'
smb_llmnr : 'no'
smb_multicastdns : 'no'
smb_dnssec : 'no'
smb_cache : 'yes'
smb_dnsstublistener : 'yes'
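Review bot: The defaults for `smb_workgroup`, `smb_realm`, `smb_dns_servers`, `smb_username` and `smb_password` are only indirections to `def_ad_*` variables that nothing in this commit appears to define, so a play that does not set them stops with an undefined-variable error rather than falling back to a usable default; the README example also feeds the password from `ad_admin_pass`, not `def_ad_pass`. Either define the `def_ad_*` values here or make the five `smb_*` keys the documented entry point and drop the indirection. Because `smb_password` is an AD administrative credential, the header comment should say where it is expected from, e.g. `# smb_password: password # AD admin password; supply via ansible-vault or --extra-vars, never a committed value`. The `key : value` spacing before the colon is valid YAML but unusual; `smb_workgroup: '{{ def_ad_workgroup }}'` matches the style of the task files.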


@@ -0,0 +1,15 @@
---
# Handlers: Samba4 member server
#
# Author: Luc Rutten
# Version: 1.0
- name: "restart_samba_services"
systemd:
name: "{{ item }}"
state: restarted
enabled: yes
with_items:
- smbd
- nmbd
- winbind
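Review bot: `enabled: yes` in the restart_samba_services handler is a YAML 1.1 truthy that yamllint flags and that generic parsers read differently from Ansible; write `enabled: true`. The same `yes` literals appear as `update_cache: yes` and `backup: yes` throughout tasks/ubt-1604-amd64.yml, tasks/ubt-1804-amd64.yml and tasks/ubt-2004-amd64.yml and should be normalised to `true` in one pass. The handler both restarts and enables the three units, which is fine, but a short comment saying so (`# restart and ensure enabled on boot`) would make the side effect explicit.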


@@ -0,0 +1,19 @@
galaxy_info:
author: L. Rutten
description: Join Ubuntu as a member server to Active Directory
company: Bitfinity-NL
license: MIT
min_ansible_version: 2.4
platforms:
- name: Ubuntu
versions:
- xenial
- bionic
galaxy_tags:
- Ubuntu
- Bionic
- Xenial
- Samba4
- ActiveDirectory
- Domain
- Windows
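Review bot: `platforms.versions` lists only xenial and bionic, but tasks/main.yml also dispatches to an Ubuntu 20.04 task file, so the Galaxy metadata under-reports what the role supports; add `- focal` (and a `Focal` galaxy tag if the others are kept). `min_ansible_version: 2.4` is parsed as a float by generic YAML loaders; it is harmless here but `"2.4"` is the safer spelling. This file also lacks the leading `---` that every other YAML file in the commit starts with.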


@@ -0,0 +1,28 @@
---
# Title: ansible-role-samba4-ad-member
#
# Author: Bitfinity-NL
# File: tasks/ubt-1804-amd64.yml
#
# Description:
# Samba is the standard Windows interoperability
# suite of programs for Linux and Unix.
#
- name: "IFor OS: Ubuntu 20.04LTS, Arch: amd64"
import_tasks: ubt-2004-amd64.yml
when:
- ansible_distribution_version == "20.04"
- ansible_architecture == "x86_64"
- name: "For OS: Ubuntu 16.04LTS, Arch: amd64"
import_tasks: ubt-1604-amd64.yml
when:
- ansible_distribution_version == "16.04"
- ansible_architecture == "x86_64"
- name: "IFor OS: Ubuntu 18.04LTS, Arch: amd64"
import_tasks: ubt-1804-amd64.yml
when:
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
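Review bot: A host that is not Ubuntu 16.04/18.04/20.04 on x86_64 matches none of the three `when` clauses, so the role silently does nothing instead of failing, and none of the clauses checks `ansible_distribution`, so a Debian or Mint host whose version string happens to match would run the Ubuntu tasks. A leading `assert` task that pins distribution, version and architecture makes the unsupported case an explicit error. Two task names read `IFor OS:` and the header comment says `# File: tasks/ubt-1804-amd64.yml` although this is tasks/main.yml; both look like copy-paste leftovers.
```yaml
- name: "Assert supported platform"
  assert:
    that:
      - ansible_distribution == "Ubuntu"
      - ansible_distribution_version in ["16.04", "18.04", "20.04"]
      - ansible_architecture == "x86_64"
    msg: "Unsupported platform: {{ ansible_distribution }} {{ ansible_distribution_version }} {{ ansible_architecture }}"

# … unchanged: the three import_tasks blocks, with "IFor OS" corrected to "For OS" …
```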


@@ -0,0 +1,110 @@
---
# Title: Samba4 member server
#
# Author: Bitfinity-NL
# File: tasks/ubt-1604-amd64.yml
#
# Description:
# Samba is the standard Windows interoperability
# suite of programs for Linux and Unix.
#
- name: "Preseed Kerberos version 5"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Download template smb.conf.j2 to /etc/samba/smb.conf"
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
backup: yes
with_items:
- { src: 'smb.conf.j2', dest: '/etc/samba/smb.conf' }
- { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' }
notify:
- restart_samba_services
- name: "edit hosts file in order to be reachable from hostname"
lineinfile:
path: /etc/hosts
regexp: "127.0.1.1 {{ ansible_hostname }}"
line: "127.0.1.1 {{ ansible_hostname }}.vgg.local {{ ansible_hostname}}"
backup: yes
- name: "Joining domain: {{ smb_realm }}"
shell: "net ads join -U {{ smb_username }}%{{ smb_password }}"
- name: "Configure nsswitch for winbind - passwd"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'passwd: compat'
line: 'passwd: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - group"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'group: compat'
line: 'group: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - shadow"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'shadow: compat'
line: 'shadow: compat winbind'
backup: yes
- name: "Configure PAM Configuration"
shell: DEBIAN_FRONTEND=noninteractive pam-auth-update
- name: "Configure PAM - /etc/pam.d/common-account"
lineinfile:
path: /etc/pam.d/common-account
line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
backup: yes
- name: "Configure PAM - /etc/pam.d/common-password"
replace:
path: /etc/pam.d/common-password
regexp: ' use_authtok'
replace: ''
backup: yes
- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins"
template:
src: domain-admins.j2
dest: /etc/sudoers.d/domain-admins
owner: root
group: root
mode: 0440
backup: yes
# - name: "Set disk operator permisions for Domain Admins"
# shell: "net rpc rights grant '{{ smb_workgroup }}\Domain Admins' SeDiskOperatorPrivilege -U{{ smb_username }}%{{ smb_password }}"
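Review bot: The "Joining domain" task passes `{{ smb_password }}` on the `net ads join` command line with no `no_log`, so the AD admin password is recorded in the task's result and verbose output/logs, and is visible to any local user in the process list while the command runs; add `no_log: true` to that task at minimum. The /etc/hosts task hardcodes `.vgg.local` as the host's domain suffix, while tasks/ubt-2004-amd64.yml already derives it as `{{ smb_realm|lower }}`; this file and tasks/ubt-1804-amd64.yml should use `line: "127.0.1.1 {{ ansible_hostname }}.{{ smb_realm|lower }} {{ ansible_hostname }}"`. The sudoers drop-in is installed without a syntax check; add `validate: 'visudo -cf %s'` to that template task so a bad render cannot break sudo, and quote `mode: "0440"` since unquoted octal depends on YAML 1.1 semantics. The `net ads join` and `pam-auth-update` shell tasks run unconditionally on every play and are therefore never idempotent; a check-first guard or at least `changed_when` would keep the role re-runnable. The same four points apply to tasks/ubt-1804-amd64.yml and tasks/ubt-2004-amd64.yml.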


@@ -0,0 +1,131 @@
---
# Title: ansible-role-samba4-ad-member
#
# Author: Bitfinity-NL
# File: tasks/ubt-1804-amd64.yml
#
# Description:
# Samba is the standard Windows interoperability
# suite of programs for Linux and Unix.
#
# Comment:
# Fixing DNS resolving
#
- name: "string"
set_fact:
nameservers: "{{ smb_dns_servers }}"
- name: "Set DNS servers for /etc/systemd/resolved.conf"
set_fact:
smb_dns : '{{ smb_dns_servers.split().0 }}'
smb_fallbackdns : "{{ smb_dns_servers.split().1 | default('{{ smb_dns_servers.split().0 }}') }}"
- name: "Print primary DNS server"
debug:
msg: "{{ smb_dns }}"
- name: "Print Secondary DNS server"
debug:
msg: "{{ smb_fallbackdns }}"
- name: "Configure name resolution for static ipaddress"
template:
src: resolved.conf.j2
dest: /etc/systemd/resolved.conf
- name: "Preseed Kerberos version 5"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Download template smb.conf.j2 to /etc/samba/smb.conf"
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
backup: yes
with_items:
- { src: 'smb.conf.j2', dest: '/etc/samba/smb.conf' }
- { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' }
notify:
- restart_samba_services
- name: "edit hosts file in order to be reachable from hostname"
lineinfile:
path: /etc/hosts
regexp: "127.0.1.1 {{ ansible_hostname }}"
line: "127.0.1.1 {{ ansible_hostname }}.vgg.local {{ ansible_hostname}}"
backup: yes
- name: "Joining domain: {{ smb_realm }}"
shell: "net ads join -U {{ smb_username }}%{{ smb_password }}"
- name: "Configure nsswitch for winbind - passwd"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'passwd: compat'
line: 'passwd: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - group"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'group: compat'
line: 'group: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - shadow"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'shadow: compat'
line: 'shadow: compat winbind'
backup: yes
- name: "Configure PAM Configuration"
shell: DEBIAN_FRONTEND=noninteractive pam-auth-update
- name: "Configure PAM - /etc/pam.d/common-account"
lineinfile:
path: /etc/pam.d/common-account
line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
backup: yes
- name: "Configure PAM - /etc/pam.d/common-password"
replace:
path: /etc/pam.d/common-password
regexp: ' use_authtok'
replace: ''
backup: yes
- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins"
template:
src: domain-admins.j2
dest: /etc/sudoers.d/domain-admins
owner: root
group: root
mode: 0440
backup: yes
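Review bot: `smb_fallbackdns` is given `default('{{ smb_dns_servers.split().0 }}')`, a moustache nested inside an expression that is already being templated; whether Ansible re-renders a string produced by a filter is version-dependent, so the fallback may end up as the literal text `{{ smb_dns_servers.split().0 }}` in resolved.conf. Write it as a plain Jinja expression: `smb_fallbackdns: "{{ smb_dns_servers.split().1 | default(smb_dns_servers.split().0) }}"`. The preceding task named "string" sets a `nameservers` fact that nothing in this commit reads, and the `smb_dns :` keys keep a space before the colon; both are worth tidying. tasks/ubt-2004-amd64.yml carries the identical set_fact.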


@@ -0,0 +1,131 @@
---
# Title: ansible-role-samba4-ad-member
#
# Author: Bitfinity-NL
# File: tasks/ubt-2004-amd64.yml
#
# Description:
# Samba is the standard Windows interoperability
# suite of programs for Linux and Unix.
#
# Comment:
# Fixing DNS resolving
#
- name: "string"
set_fact:
nameservers: "{{ smb_dns_servers }}"
- name: "Set DNS servers for /etc/systemd/resolved.conf"
set_fact:
smb_dns : '{{ smb_dns_servers.split().0 }}'
smb_fallbackdns : "{{ smb_dns_servers.split().1 | default('{{ smb_dns_servers.split().0 }}') }}"
- name: "Print primary DNS server"
debug:
msg: "{{ smb_dns }}"
- name: "Print Secondary DNS server"
debug:
msg: "{{ smb_fallbackdns }}"
- name: "Configure name resolution for static ipaddress"
template:
src: resolved.conf.j2
dest: /etc/systemd/resolved.conf
- name: "Preseed Kerberos version 5"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Download template smb.conf.j2 to /etc/samba/smb.conf"
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
backup: yes
with_items:
- { src: 'smb.conf.j2', dest: '/etc/samba/smb.conf' }
- { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' }
notify:
- restart_samba_services
- name: "edit hosts file in order to be reachable from hostname"
lineinfile:
path: /etc/hosts
regexp: "127.0.1.1 {{ ansible_hostname }}"
line: "127.0.1.1 {{ ansible_hostname }}.{{ smb_realm|lower }} {{ ansible_hostname}}"
backup: yes
- name: "Joining domain: {{ smb_realm }}"
shell: "net ads join -U {{ smb_username }}%{{ smb_password }}"
- name: "Configure nsswitch for winbind - passwd"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'passwd: compat'
line: 'passwd: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - group"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'group: compat'
line: 'group: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - shadow"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'shadow: compat'
line: 'shadow: compat winbind'
backup: yes
- name: "Configure PAM Configuration"
shell: DEBIAN_FRONTEND=noninteractive pam-auth-update
- name: "Configure PAM - /etc/pam.d/common-account"
lineinfile:
path: /etc/pam.d/common-account
line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
backup: yes
- name: "Configure PAM - /etc/pam.d/common-password"
replace:
path: /etc/pam.d/common-password
regexp: ' use_authtok'
replace: ''
backup: yes
- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins"
template:
src: domain-admins.j2
dest: /etc/sudoers.d/domain-admins
owner: root
group: root
mode: 0440
backup: yes
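Review bot: The three nsswitch tasks match `passwd: compat`, `group: compat` and `shadow: compat`, but if the target's stock /etc/nsswitch.conf uses `files systemd` (and `shadow: files`) rather than `compat`, as recent Ubuntu releases do, none of the regexps match and `lineinfile` appends a second `passwd:`/`group:`/`shadow:` entry at the end of the file instead of adding winbind to the existing one. Anchor on the key and carry the current sources, e.g. `regexp: '^passwd:'` with `line: 'passwd: files systemd winbind'`, or use `backrefs: yes` with a capture group to append ` winbind` to whatever is already there. Please check the rendered file on a 20.04 host before merging.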


@@ -0,0 +1 @@
%domain\ admins ALL=(ALL:ALL) ALL
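Review bot: The group in `%domain\ admins` is unqualified, which only resolves because smb.conf.j2 sets `winbind use default domain = yes`; a one-line comment recording that dependency would save the next maintainer from a silent loss of sudo when that setting changes, e.g. `# Managed by Ansible; unqualified group relies on 'winbind use default domain = yes' in smb.conf`. The README states "Domain Admins have sudo rights" in mixed case while this file uses lowercase; a comment noting that the lookup goes through winbind would also explain why the spelling works.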


@@ -0,0 +1,41 @@
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
# For more details see man pam_winbind.conf(5)
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
cached_login = yes
# authenticate using kerberos
;krb5_auth = no
# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
warn_pwd_expire = 21
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no
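Review bot: This template's own header says the file is `/etc/security/pam_winbind.conf`, but the task files install it at `/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf`, which is the packaged example rather than the path pam_winbind reads; if so, `cached_login = yes` and `warn_pwd_expire = 21` never take effect. Point the `dest` in the three task files at `/etc/security/pam_winbind.conf` (owner root, `mode: "0644"`), or document why the example copy is the intended target. The comment above `cached_login` says it also depends on `winbind offline logon = yes`; smb.conf.j2 sets that key twice (`false` then `yes`), so the effective value should be pinned to a single line there.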


@@ -0,0 +1,22 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details
[Resolve]
DNS={{ smb_dns }}
FallbackDNS= {{ smb_fallbackdns }}
Domains={{ smb_domains }}
LLMNR={{ smb_llmnr }}
MulticastDNS={{ smb_multicastdns }}
DNSSEC={{ smb_dnssec }}
Cache={{ smb_cache }}
DNSStubListener={{ smb_dnsstublistener }}
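Review bot: `FallbackDNS= {{ smb_fallbackdns }}` has a stray space after `=`, unlike every other key in the block; systemd's parser probably trims it, but `FallbackDNS={{ smb_fallbackdns }}` keeps the file consistent and avoids relying on that. The task that renders this template overwrites /etc/systemd/resolved.conf without the `backup: yes` the role's other config edits use, which is worth adding for symmetry.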


@@ -0,0 +1,23 @@
[global]
workgroup = {{ smb_workgroup }}
realm = {{ smb_realm }}
netbios name = {{ ansible_hostname }}
security = ADS
#encrypt passwords = yes
dns forwarder = {{ smb_dns_servers }}
idmap config * :backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes