adding roles for samba-ad-dc and samba-ad-member

2021-08-26 10:37:49 -04:00
parent 69e9c79702
commit ab9c9281d8
32 changed files with 1568 additions and 0 deletions
--- a/role-samba4-ad-member/tasks/ubt-1604-amd64.yml
+++ b/role-samba4-ad-member/tasks/ubt-1604-amd64.yml
@@ -0,0 +1,110 @@
+---
+# Title: Samba4 member server
+#
+# Author: Bitfinity-NL
+# File: tasks/ubt-1604-amd64.yml
+#
+# Description:
+#   Samba is the standard Windows interoperability 
+#   suite of programs for Linux and Unix.
+#
+
+- name: "Preseed Kerberos version 5"
+  raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
+
+- name: "Preseed PAM Configuration"
+  raw: "echo libpam-runtime  libpam-runtime/profiles multiselect     unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
+ 
+- name: "Install dependencies" 
+  apt:
+    name: "{{ packages }}"
+    update_cache: yes
+    state: present
+  vars:
+    packages:
+    - acl
+    - samba
+    - smbclient
+    - krb5-config
+    - krb5-user
+    - winbind
+    - libpam-winbind
+    - libnss-winbind
+      
+- name: "Edit Fstab"
+  replace:
+    path: /etc/fstab
+    regexp: 'errors=remount-ro 0'
+    replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
+    backup: yes
+ 
+- name:  "Download template smb.conf.j2 to /etc/samba/smb.conf"
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    backup: yes
+  with_items:
+    - { src: 'smb.conf.j2', dest: '/etc/samba/smb.conf' }
+    - { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' }
+  notify:
+    - restart_samba_services
+  
+- name: "edit hosts file in order to be reachable from hostname"
+  lineinfile:
+    path: /etc/hosts
+    regexp: "127.0.1.1	{{ ansible_hostname }}"
+    line: "127.0.1.1	{{ ansible_hostname }}.vgg.local {{ ansible_hostname}}"
+    backup: yes
+
+- name: "Joining domain: {{ smb_realm }}"
+  shell: "net ads join -U {{ smb_username }}%{{ smb_password }}"
+   
+- name: "Configure nsswitch for winbind - passwd"
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: 'passwd:         compat'
+    line: 'passwd:         compat winbind'
+    backup: yes
+
+- name: "Configure nsswitch for winbind - group"
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: 'group:          compat'
+    line: 'group:          compat winbind'
+    backup: yes
+
+- name: "Configure nsswitch for winbind - shadow"
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: 'shadow:         compat'
+    line: 'shadow:         compat winbind'
+    backup: yes
+  
+- name: "Configure PAM Configuration"
+  shell: DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+- name: "Configure PAM - /etc/pam.d/common-account"
+  lineinfile:
+    path: /etc/pam.d/common-account
+    line: 'session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022'
+    backup: yes
+
+- name: "Configure PAM - /etc/pam.d/common-password"
+  replace:
+    path: /etc/pam.d/common-password
+    regexp: ' use_authtok'
+    replace: ''
+    backup: yes 
+
+- name:  "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins"
+  template:
+    src: domain-admins.j2
+    dest: /etc/sudoers.d/domain-admins
+    owner: root
+    group: root
+    mode: 0440
+    backup: yes
+  
+
+#  - name: "Set disk operator permisions for Domain Admins"
+#    shell: "net rpc rights grant '{{ smb_workgroup }}\Domain Admins' SeDiskOperatorPrivilege -U{{ smb_username }}%{{ smb_password }}"