adding roles for samba-ad-dc and samba-ad-member

Michael Pellegrino
2021-08-26 10:37:49 -04:00
parent 69e9c79702
commit ab9c9281d8
32 changed files with 1568 additions and 0 deletions

facts.yaml Normal file

@@ -0,0 +1,6 @@
---
- hosts: all
tasks:
- name: Print all available facts
ansible.builtin.debug:
var: ansible_facts
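Review bot: Dumping the whole of `ansible_facts` for `hosts: all` prints far more than hardware inventory; the facts include `env`, the remote user's environment, which on build or jump hosts may carry tokens or proxy credentials, and all of it lands in whatever callback or CI log captures the play. If this is a one-off troubleshooting play, say so in a comment above the task, e.g. `# Diagnostic only: prints every fact, including the remote environment; do not run under a logged CI job`. Otherwise narrow it, e.g. `var: ansible_facts.distribution` or a `gather_subset` on the play, so the output contains only what is needed.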

group_vars/all.yml Normal file

@@ -0,0 +1,10 @@
---
def_ad_workgroup : 'LAB'
def_ad_realm : 'LAB.LOCAL'
def_ad_admin : 'administrator'
def_ad_pass : 'Welkom123'
def_ad_dns : '192.168.0.66 192.168.0.67'
def_ad_dc01 : '192.168.0.67'
def_ad_dc02 : '192.168.0.67'
def_ad_basedn : 'OU=lab,DC=lab,DC=local'
def_ad_dns_forwarder: '8.8.8.8'
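Review bot: `def_ad_pass : 'Welkom123'` commits the domain administrator password in clear text to version control, and every role default in this commit inherits it through `smb_password`. Keep the key but source the value from Ansible Vault or the controller environment, e.g. `def_ad_pass: "{{ lookup('env', 'AD_ADMIN_PASS') }}"`, and treat the published value as burned. Separately, `def_ad_dc01` and `def_ad_dc02` both point at `192.168.0.67` while `def_ad_dns` lists `.66 .67`; dc01 looks as if it was meant to be `192.168.0.66`, worth confirming. The space before each colon is valid YAML but yamllint's colons rule flags it; `def_ad_workgroup: 'LAB'` is the conventional form.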

role-samba4-ad-member/LICENSE Executable file

@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2018 bitfinity
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

role-samba4-ad-member/README.md Executable file

@@ -0,0 +1,47 @@
ansible-role-samba4-ad-member
=============================
Join Ubuntu as a member server to Active Directory
**Domain Admins have sudo rights**
Requirements
------------
- Ubuntu 16.04lts / 18.04lts AMD64
- Active Direcory (2008r2 and up)
- Ansible-role-ntp-server
Role Variables
--------------
See default/main.yml for detailed information.
Example Playbook
----------------
This is an example how to use the role:
- hosts: ad-members
become: true
vars:
# -- custom settings - ansible-role-samba4-ad-member --
smb_workgroup: EXAMPLE
smb_realm: EXAMPLE.LOCAL
smb_dns_servers: 192.168.0.1 192.168.0.2
smb_username: adm_ansible
smb_password: '{{ ad_admin_pass }}'
roles:
- ansible-role-samba4-ad-member
Source(s)
---------
Thanks goes to all the authors and participants from
the sources below, so I could write this Anisble role.
- https://www.tecmint.com/join-ubuntu-to-active-directory-domain-member-samba-winbind/
- https://community.centrify.com/t5/Centrify-Express/Ad-group-with-space-in-its-name-not-working/td-p/17661
- https://wiki.samba.org/index.php/PAM_Offline_Authentication


@@ -0,0 +1,55 @@
---
# Title: ansible-role-samba4-ad-member
#
# Author: bitfinity-nl
# File: defaults/main.yml
#
# Description:
# Samba is the standard Windows interoperability
# suite of programs for Linux and Unix.
#
# WORKGROUP: <CAPITAL LETTERS>
# REALM: < CAPITAL LETTERS>
# -- Samba4 --
#
# Variable(s):
# smb_workgroup: TEST # Specify the short workgroup name.
# smb_realm: TEST.NET # Specify the realm.
# smb_dns_servers: 192.168.0.1 # Specify the DNS servers.
# smb_username: administrator # Specify an administrative AD account.
# smb_password: password # Specify the password from administrative AD account.
#
#
# Comment:
# Change variable(s) here, in your playbook or set them in your groupvars
#
smb_workgroup : '{{ def_ad_workgroup }}'
smb_realm : '{{ def_ad_realm }}'
smb_dns_servers : '{{ def_ad_dns }}'
smb_username : '{{ def_ad_admin }}'
smb_password : '{{ def_ad_pass }}'
# -- resolv.conf.j2 --
#
# Variable(s):
# smb_dns : '192.168.0.1' # Wil be extracted from variable {{ smb_dns_servers }}
# smb_fallbackdns : '192.168.0.2' # Wil be extracted from variable {{ smb_dns_servers }}.
# smb_domains : 'EXAMPLE.LOCAL' # Specify the realm.
# smb_llmnr : 'no' # Default=no
# smb_multicastdns : 'no' # Default=no
# smb_dnssec : 'no' # Default=no
# smb_cache : 'yes' # Default=yes
# smb_dnsstublistener : 'yes' # Defailt=yes
#
# Notes:
# - https://ubuntuforums.org/showthread.php?t=2391351
#
smb_domains : '{{ smb_realm }}'
smb_llmnr : 'no'
smb_multicastdns : 'no'
smb_dnssec : 'no'
smb_cache : 'yes'
smb_dnsstublistener : 'yes'
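Review bot: `smb_username : '{{ def_ad_admin }}'` defaults the join account to the domain administrator, yet the only thing this role does with it is `net ads join`; an account delegated just the right to join computers to the domain is enough, and a line in the Variable(s) header such as `# smb_username: a join-only delegated account is sufficient; avoid the domain admin` would steer users that way. The header describes `smb_dns` and `smb_fallbackdns` as extracted from `smb_dns_servers` but not that only the first two whitespace-separated entries are used; a third server is silently ignored. `smb_llmnr`, `smb_multicastdns`, `smb_dnssec` and `smb_cache` are quoted `'yes'`/`'no'` strings rendered verbatim into resolved.conf, which is correct, and a short comment saying the quotes are deliberate (these are not booleans) would stop a later "fix" turning them into `true`/`false`.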


@@ -0,0 +1,15 @@
---
# Handlers: Samba4 member server
#
# Author: Luc Rutten
# Version: 1.0
- name: "restart_samba_services"
systemd:
name: "{{ item }}"
state: restarted
enabled: yes
with_items:
- smbd
- nmbd
- winbind
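Review bot: `enabled: yes` in the `restart_samba_services` handler is a YAML 1.1 truthy that yamllint flags; write `enabled: true`. A restart handler that also flips unit enablement does two jobs: if the intent is only to restart after a config change, drop `enabled:` here and enable the units in a task, so a handler run never changes boot-time state as a side effect. `with_items` is the legacy form; `loop:` is the current idiom for the same three-unit list.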


@@ -0,0 +1,19 @@
galaxy_info:
author: L. Rutten
description: Join Ubuntu as a member server to Active Directory
company: Bitfinity-NL
license: MIT
min_ansible_version: 2.4
platforms:
- name: Ubuntu
versions:
- xenial
- bionic
galaxy_tags:
- Ubuntu
- Bionic
- Xenial
- Samba4
- ActiveDirectory
- Domain
- Windows
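Review bot: `min_ansible_version: 2.4` is read as the float 2.4 by a YAML 1.1 loader, so a later `2.10` would collapse to `2.1`; quote it as `min_ansible_version: "2.4"`. The `platforms` list stops at bionic, yet tasks/main.yml in this commit dispatches to a 20.04 task file; add `- focal` so the Galaxy metadata matches what the role actually supports. Both points apply equally to the DC role's meta/main.yml later in this commit.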


@@ -0,0 +1,28 @@
---
# Title: ansible-role-samba4-ad-member
#
# Author: Bitfinity-NL
# File: tasks/ubt-1804-amd64.yml
#
# Description:
# Samba is the standard Windows interoperability
# suite of programs for Linux and Unix.
#
- name: "IFor OS: Ubuntu 20.04LTS, Arch: amd64"
import_tasks: ubt-2004-amd64.yml
when:
- ansible_distribution_version == "20.04"
- ansible_architecture == "x86_64"
- name: "For OS: Ubuntu 16.04LTS, Arch: amd64"
import_tasks: ubt-1604-amd64.yml
when:
- ansible_distribution_version == "16.04"
- ansible_architecture == "x86_64"
- name: "IFor OS: Ubuntu 18.04LTS, Arch: amd64"
import_tasks: ubt-1804-amd64.yml
when:
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
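Review bot: The three `when:` lists test only `ansible_distribution_version` and `ansible_architecture`, so on any other release no branch matches and the role finishes green without joining anything. Add `- ansible_distribution == "Ubuntu"` to each list and a closing `fail:` (or `assert:`) task for the case where no task file was imported, so an unsupported host fails loudly instead of silently. Two task names read `"IFor OS: …"` (the 20.04 and 18.04 entries) where the 16.04 entry has `"For OS: …"`. The header comment also names `tasks/ubt-1804-amd64.yml`, although this file is tasks/main.yml.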


@@ -0,0 +1,110 @@
---
# Title: Samba4 member server
#
# Author: Bitfinity-NL
# File: tasks/ubt-1604-amd64.yml
#
# Description:
# Samba is the standard Windows interoperability
# suite of programs for Linux and Unix.
#
- name: "Preseed Kerberos version 5"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Download template smb.conf.j2 to /etc/samba/smb.conf"
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
backup: yes
with_items:
- { src: 'smb.conf.j2', dest: '/etc/samba/smb.conf' }
- { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' }
notify:
- restart_samba_services
- name: "edit hosts file in order to be reachable from hostname"
lineinfile:
path: /etc/hosts
regexp: "127.0.1.1 {{ ansible_hostname }}"
line: "127.0.1.1 {{ ansible_hostname }}.vgg.local {{ ansible_hostname}}"
backup: yes
- name: "Joining domain: {{ smb_realm }}"
shell: "net ads join -U {{ smb_username }}%{{ smb_password }}"
- name: "Configure nsswitch for winbind - passwd"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'passwd: compat'
line: 'passwd: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - group"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'group: compat'
line: 'group: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - shadow"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'shadow: compat'
line: 'shadow: compat winbind'
backup: yes
- name: "Configure PAM Configuration"
shell: DEBIAN_FRONTEND=noninteractive pam-auth-update
- name: "Configure PAM - /etc/pam.d/common-account"
lineinfile:
path: /etc/pam.d/common-account
line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
backup: yes
- name: "Configure PAM - /etc/pam.d/common-password"
replace:
path: /etc/pam.d/common-password
regexp: ' use_authtok'
replace: ''
backup: yes
- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins"
template:
src: domain-admins.j2
dest: /etc/sudoers.d/domain-admins
owner: root
group: root
mode: 0440
backup: yes
# - name: "Set disk operator permisions for Domain Admins"
# shell: "net rpc rights grant '{{ smb_workgroup }}\Domain Admins' SeDiskOperatorPrivilege -U{{ smb_username }}%{{ smb_password }}"
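Review bot: The join task `shell: "net ads join -U {{ smb_username }}%{{ smb_password }}"` passes the domain credential on the command line, where it is readable from the process list on the target for the duration of the call and is echoed into Ansible's task output and any callback log; it also re-runs the join on every play. Add `no_log: true` to the task, and guard it so it only runs when the host is not yet joined, e.g. register a preceding `net ads testjoin` with `ignore_errors: true` and add `when: testjoin is failed`. The identical join task appears in the 18.04 and 20.04 task files of this commit and needs the same treatment. The `/etc/hosts` line hard-codes `.vgg.local` here and in the 18.04 file while the 20.04 file derives it with `{{ smb_realm|lower }}`; the 20.04 form is the right one for all three.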


@@ -0,0 +1,131 @@
---
# Title: ansible-role-samba4-ad-member
#
# Author: Bitfinity-NL
# File: tasks/ubt-1804-amd64.yml
#
# Description:
# Samba is the standard Windows interoperability
# suite of programs for Linux and Unix.
#
# Comment:
# Fixing DNS resolving
#
- name: "string"
set_fact:
nameservers: "{{ smb_dns_servers }}"
- name: "Set DNS servers for /etc/systemd/resolved.conf"
set_fact:
smb_dns : '{{ smb_dns_servers.split().0 }}'
smb_fallbackdns : "{{ smb_dns_servers.split().1 | default('{{ smb_dns_servers.split().0 }}') }}"
- name: "Print primary DNS server"
debug:
msg: "{{ smb_dns }}"
- name: "Print Secondary DNS server"
debug:
msg: "{{ smb_fallbackdns }}"
- name: "Configure name resolution for static ipaddress"
template:
src: resolved.conf.j2
dest: /etc/systemd/resolved.conf
- name: "Preseed Kerberos version 5"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Download template smb.conf.j2 to /etc/samba/smb.conf"
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
backup: yes
with_items:
- { src: 'smb.conf.j2', dest: '/etc/samba/smb.conf' }
- { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' }
notify:
- restart_samba_services
- name: "edit hosts file in order to be reachable from hostname"
lineinfile:
path: /etc/hosts
regexp: "127.0.1.1 {{ ansible_hostname }}"
line: "127.0.1.1 {{ ansible_hostname }}.vgg.local {{ ansible_hostname}}"
backup: yes
- name: "Joining domain: {{ smb_realm }}"
shell: "net ads join -U {{ smb_username }}%{{ smb_password }}"
- name: "Configure nsswitch for winbind - passwd"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'passwd: compat'
line: 'passwd: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - group"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'group: compat'
line: 'group: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - shadow"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'shadow: compat'
line: 'shadow: compat winbind'
backup: yes
- name: "Configure PAM Configuration"
shell: DEBIAN_FRONTEND=noninteractive pam-auth-update
- name: "Configure PAM - /etc/pam.d/common-account"
lineinfile:
path: /etc/pam.d/common-account
line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
backup: yes
- name: "Configure PAM - /etc/pam.d/common-password"
replace:
path: /etc/pam.d/common-password
regexp: ' use_authtok'
replace: ''
backup: yes
- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins"
template:
src: domain-admins.j2
dest: /etc/sudoers.d/domain-admins
owner: root
group: root
mode: 0440
backup: yes
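Review bot: The fallback DNS `set_fact` line `smb_fallbackdns : "{{ smb_dns_servers.split().1 | default('{{ smb_dns_servers.split().0 }}') }}"` nests a `{{ }}` inside a Jinja expression; to Jinja the inner braces are a literal string, so whether the fact ever resolves to the first server depends on Ansible re-templating the result rather than on the expression itself. Write it as a plain expression: `smb_fallbackdns: "{{ smb_dns_servers.split().1 | default(smb_dns_servers.split().0) }}"`. The preceding task named `"string"` sets `nameservers`, which nothing in this commit reads; drop it or name it for what it is meant to do. Both points apply unchanged to the 20.04 task file as well.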


@@ -0,0 +1,131 @@
---
# Title: ansible-role-samba4-ad-member
#
# Author: Bitfinity-NL
# File: tasks/ubt-2004-amd64.yml
#
# Description:
# Samba is the standard Windows interoperability
# suite of programs for Linux and Unix.
#
# Comment:
# Fixing DNS resolving
#
- name: "string"
set_fact:
nameservers: "{{ smb_dns_servers }}"
- name: "Set DNS servers for /etc/systemd/resolved.conf"
set_fact:
smb_dns : '{{ smb_dns_servers.split().0 }}'
smb_fallbackdns : "{{ smb_dns_servers.split().1 | default('{{ smb_dns_servers.split().0 }}') }}"
- name: "Print primary DNS server"
debug:
msg: "{{ smb_dns }}"
- name: "Print Secondary DNS server"
debug:
msg: "{{ smb_fallbackdns }}"
- name: "Configure name resolution for static ipaddress"
template:
src: resolved.conf.j2
dest: /etc/systemd/resolved.conf
- name: "Preseed Kerberos version 5"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Download template smb.conf.j2 to /etc/samba/smb.conf"
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
backup: yes
with_items:
- { src: 'smb.conf.j2', dest: '/etc/samba/smb.conf' }
- { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' }
notify:
- restart_samba_services
- name: "edit hosts file in order to be reachable from hostname"
lineinfile:
path: /etc/hosts
regexp: "127.0.1.1 {{ ansible_hostname }}"
line: "127.0.1.1 {{ ansible_hostname }}.{{ smb_realm|lower }} {{ ansible_hostname}}"
backup: yes
- name: "Joining domain: {{ smb_realm }}"
shell: "net ads join -U {{ smb_username }}%{{ smb_password }}"
- name: "Configure nsswitch for winbind - passwd"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'passwd: compat'
line: 'passwd: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - group"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'group: compat'
line: 'group: compat winbind'
backup: yes
- name: "Configure nsswitch for winbind - shadow"
lineinfile:
path: /etc/nsswitch.conf
regexp: 'shadow: compat'
line: 'shadow: compat winbind'
backup: yes
- name: "Configure PAM Configuration"
shell: DEBIAN_FRONTEND=noninteractive pam-auth-update
- name: "Configure PAM - /etc/pam.d/common-account"
lineinfile:
path: /etc/pam.d/common-account
line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
backup: yes
- name: "Configure PAM - /etc/pam.d/common-password"
replace:
path: /etc/pam.d/common-password
regexp: ' use_authtok'
replace: ''
backup: yes
- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins"
template:
src: domain-admins.j2
dest: /etc/sudoers.d/domain-admins
owner: root
group: root
mode: 0440
backup: yes


@@ -0,0 +1 @@
%domain\ admins ALL=(ALL:ALL) ALL
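Review bot: This single line grants the whole `domain admins` group unrestricted sudo, and a syntax slip in any file under `/etc/sudoers.d` disables sudo for every user on the host, so the template tasks that install it (the `dest: /etc/sudoers.d/domain-admins` tasks in the member and DC task files) should carry `validate: '/usr/sbin/visudo -cf %s'`. The group name is hard-coded although the file is a Jinja template; nothing here varies per host, so either render the group from a variable or add a comment recording that the unprefixed `domain admins` name only resolves because smb.conf.j2 sets `winbind use default domain = yes`.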


@@ -0,0 +1,41 @@
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
# For more details see man pam_winbind.conf(5)
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
cached_login = yes
# authenticate using kerberos
;krb5_auth = no
# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
warn_pwd_expire = 21
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no
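Review bot: This template is rendered to `/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf` (the `dest:` in the member task files and in the DC login task file), which is the package's example directory, not the `/etc/security/pam_winbind.conf` path the header comment names; pam_winbind never reads it, so `cached_login = yes` and `warn_pwd_expire = 21` have no effect on the host. Point the `dest` at `/etc/security/pam_winbind.conf`. Once it does take effect, `cached_login = yes` also depends on `winbind offline logon = yes` in smb.conf, as the comment above the `cached_login` line says, so the two templates must agree.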


@@ -0,0 +1,22 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details
[Resolve]
DNS={{ smb_dns }}
FallbackDNS= {{ smb_fallbackdns }}
Domains={{ smb_domains }}
LLMNR={{ smb_llmnr }}
MulticastDNS={{ smb_multicastdns }}
DNSSEC={{ smb_dnssec }}
Cache={{ smb_cache }}
DNSStubListener={{ smb_dnsstublistener }}
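Review bot: `FallbackDNS= {{ smb_fallbackdns }}` has a space after `=` that none of the other keys have; systemd's parser most likely trims it, but write `FallbackDNS={{ smb_fallbackdns }}` so the rendered file does not rely on that. The `DNS`/`FallbackDNS` values come from a whitespace split of `smb_dns_servers` in the task files, and any third entry is dropped silently; a one-line comment above `DNS=` saying so would save the next reader a trip through the tasks.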


@@ -0,0 +1,23 @@
[global]
workgroup = {{ smb_workgroup }}
realm = {{ smb_realm }}
netbios name = {{ ansible_hostname }}
security = ADS
#encrypt passwords = yes
dns forwarder = {{ smb_dns_servers }}
idmap config * :backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
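Review bot: `winbind offline logon` is set twice, first `= false` and later `= yes`; Samba takes the last occurrence, so the `= false` line is dead and misleading and should be deleted. `dns forwarder` is, as far as I can tell, an option of the internal DNS server on a domain controller and is ignored on a `security = ADS` member, so it should be dropped here or a comment should say why it is present. `winbind enum users = yes` / `winbind enum groups = yes` make every `getent passwd` / `getent group` enumerate the whole domain, which is slow and noisy against a large directory and is not needed for logins; a comment should record whether they are deliberate.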


@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2018 bitfinity
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@@ -0,0 +1,58 @@
Role Name
=========
Ansible role to setup a Ubuntu Primary Active Directory Domain Controller
Requirements
------------
- Ansible control server
- Ubuntu
Role Variables
--------------
Set defaut variable(s) in group_vars for reusing in other playbooks.
- def_ad_workgroup : 'LAB'
- def_ad_realm : 'LAB.LOCAL'
- def_ad_admin : 'administrator'
- def_ad_pass : 'Welkom123'
- def_ad_dns : '192.168.0.66 192.168.0.67'
- def_ad_dc01 : '192.168.0.67'
- def_ad_dc02 : '192.168.0.67'
- def_ad_basedn : 'OU=lab,DC=lab,DC=local'
You can override these variable(s) in your own playbook
- smb_workgroup : TEST
- smb_realm : TEST.NET
- smb_dns_servers : "{{ ansible_default_ipv4.address }}"
- smb_username : administrator
- smb_password : Welkom123
Example Playbook
----------------
- hosts: adc01
become: true
vars:
# -- Custom settings: role-samba4-primary-ad-dc --
smb_workgroup : 'LAB'
smb_realm : 'LAB.LOCAL'
smb_username : 'administrator'
smb_password : 'Password123'
roles:
- role-samba4-primary-ad-dc
License
-------
GNU GPLv3
Author Information
------------------
www.bitfinity.nl


@@ -0,0 +1,33 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: defaults/main.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
# -- Samba4 AD settings --
#
# Variable(s):
# smb_repository : 'default' or 'latest' # Set which repositories wil be used.
# smb_role : 'member' # Set samba4 role primary (only for initial setup), additional, member.
# smb_workgroup : 'LAB' # Set workgroup (should be in capital letters).
# smb_realm : 'LAB.LOCAL' # Set realm (should be in capital letters).
# smb_dns_servers : '{{ ansible_default_ipv4.address }}' # Set current ipv4 address.
# smb_dns_forwarders : '8.8.8.8 8.8.4.4' # Set DNS forwarders.
# smb_username : 'administrator' # Set administrator account.
# smb_password : 'Welkom123' # Set administrator password.
#
# Comment:
# Override variable(s) or set put them in your group_vars folder for reusing.
#
smb_repository : '{{ def_ad_repository }}'
smb_role : 'member'
smb_workgroup : '{{ def_ad_workgroup }}'
smb_realm : '{{ def_ad_realm }}'
smb_dns_servers : '{{ ansible_default_ipv4.address }}'
smb_dns_forwarder : '{{ def_ad_dns_forwarder }}'
smb_username : '{{ def_ad_admin}}'
smb_password : '{{ def_ad_pass }}'
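Review bot: `smb_repository : '{{ def_ad_repository }}'` references `def_ad_repository`, which the group_vars/all.yml in this commit does not define; Ansible evaluates defaults lazily, so this only errors once something reads `smb_repository` (at the moment only commented-out tasks), but it is a latent undefined-variable failure — define it in group_vars or use a literal default such as `smb_repository: 'default'`. The header documents `smb_dns_forwarders` while the key is `smb_dns_forwarder`, and the DC task files read `def_ad_dns_forwarder` directly, so this default is bypassed; settle on one name. `smb_role: 'member'` is the default, yet tasks/main.yml only imports task files for `"primary"` and `"additional"` on 18.04/20.04, so a run with defaults does nothing on those releases; consider `smb_role: 'primary'` or an `assert:` that the value is one of the supported roles.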


@@ -0,0 +1,13 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: handlers/main.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "restart_samba"
systemd:
state: restarted
name: samba-ad-dc.service


@@ -0,0 +1,18 @@
galaxy_info:
author: L. Rutten
description: Install Samba4 Active Directory (Primary) Domain Controller
company: Bitfinity-NL
license: GPLv3
min_ansible_version: 2.4
platforms:
- name: Ubuntu
versions:
- xenial
- bionic
galaxy_tags:
- samba4
- AD
- Active Directory
- ubuntu
- Windows
- linux


@@ -0,0 +1,43 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: tasks/main.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "For OS: Ubuntu 16.04LTS, Arch: amd64"
import_tasks: ubuntu-1604-amd64.yml
when:
- ansible_distribution_version == "16.04"
- ansible_architecture == "x86_64"
- name: "Role: primary DC, For OS: Ubuntu 18.04LTS, Arch: amd64"
import_tasks: ubuntu-1804-amd64.yml
when:
- smb_role == "primary"
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
- name: "Role: additional DC, For OS: Ubuntu 18.04LTS, Arch: amd64"
import_tasks: ubuntu-1804-amd64.yml
when:
- smb_role == "additional"
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
- name: "Role: primary DC, For OS: Ubuntu 20.04LTS, Arch: amd64"
import_tasks: ubuntu-2004-amd64.yml
when:
- smb_role == "primary"
- ansible_distribution_version == "20.04"
- ansible_architecture == "x86_64"
- name: "Role: additional DC, For OS: Ubuntu 20.04LTS, Arch: amd64"
import_tasks: ubuntu-2004-amd64.yml
when:
- smb_role == "additional"
- ansible_distribution_version == "20.04"
- ansible_architecture == "x86_64"
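Review bot: The `"Role: additional DC"` entries for 18.04 and 20.04 import the same files as the `"primary"` entries (`ubuntu-1804-amd64.yml`, `ubuntu-2004-amd64.yml`), and those files run `samba-tool domain provision`; a host tagged `additional` would therefore provision a brand-new forest instead of joining the existing one. The additional-DC task file added in this commit (header `File: tasks/ubt-1804-adc.yml`, the one running `samba-tool domain join`) is never imported, so the 18.04 `additional` entry should point at it, e.g. `import_tasks: ubt-1804-adc.yml` (under whatever name it was actually committed), and 20.04 needs an equivalent. The 16.04 entry ignores `smb_role` entirely, so a 16.04 host with the default `member` role would also be provisioned. Adding `- ansible_distribution == "Ubuntu"` to each `when:` would also stop another distribution with a matching version string from selecting a branch.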


@@ -0,0 +1,125 @@
---
# Title: Role Samba4
#
# Author: bitfinity-nl
# File: tasks/ubt-1804-adc.yml
#
# Description:
# Add additional domain controller
#
- name: "Check OS if is allready DC"
shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
register: smb_dc_result
ignore_errors: yes
- name: "Preseed Kerberos version 5: krb5-config/default_realm"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "back-up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
copy:
src: /etc/samba/smb.conf
dest: /etc/samba/smb.conf.initial
remote_src: yes
force: no
when:
- smb_dc_result.failed == true
- name: "rm /etc/samba/smb.conf"
file:
path: /etc/samba/smb.conf
state: absent
when:
- smb_dc_result.failed == true
- name: "Transfer adc/smb.conf.j2 to /etc/samba/smb.conf"
template:
src: adc/smb.conf.j2
dest: /etc/samba/smb.conf
- name: "Join {{ ansible_hostname }} as additional domain controller"
raw: "samba-tool domain join {{ smb_realm }} DC -U{{ smb_workgroup }}\\{{smb_username }} --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
when:
- smb_dc_result.failed == true
- name: "Configure DNS forwarder in /etc/samba/smb.conf"
replace:
path: /etc/samba/smb.conf
regexp: '127.0.0.53'
replace: '{{ def_ad_dns_forwarder }}'
backup: yes
- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
copy:
src: /etc/krb5.conf
dest: /etc/krb5.conf.initial
remote_src: yes
force: no
- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
file:
src: /var/lib/samba/private/krb5.conf
dest: /etc/krb5.conf
state: link
force: yes
- name: "Enable Services"
systemd:
masked: no
enabled: yes
state: started
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Allow traffic for Application Samba4 AD-DC"
ufw:
rule: allow
name: Samba
- name: "Allow all DNS traffic on port 53/tcp"
ufw:
rule: allow
port: '53'
proto: "{{ item }}"
with_items:
- tcp
- udp
- name: "Ubuntu login"
import_tasks: ubuntu-1804-amd64-login.yml
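Review bot: The join task `raw: "samba-tool domain join … --adminpass={{ smb_password }}"` puts the domain admin password on the command line and into Ansible's output; add `no_log: true`, and check that `samba-tool domain join` accepts `--adminpass` at all — as far as I can tell it is a `provision` option, and the join form is `--password` or the `-U user%pass` used elsewhere in the role. The `samba-tool domain provision` tasks in the 16.04 and 18.04/20.04 DC task files carry `--adminpass=` the same way and need `no_log: true` too. The `Transfer adc/smb.conf.j2` task and the `127.0.0.53` replace are not gated on `smb_dc_result.failed`, so on a host that is already a DC every play re-renders the template over the smb.conf that `samba-tool domain join` generated; gate them on the same condition or move them behind a `notify`. The `ufw` task named `"Allow all DNS traffic on port 53/tcp"` loops over tcp and udp, so the name misleads.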


@@ -0,0 +1,120 @@
---
# title: ansible-role-samba4-primary-ad-dc
#
# Author: Luc Rutten
# Version: 1.0
# File: tasks/ubuntu-1604-amd64.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "Check OS if is allready DC"
shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
register: smb_dc_result
ignore_errors: yes
- name: "Preseed Kerberos version 5: krb5-config/default_realm"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
when:
- smb_dc_result.failed == true
- name: "Disable Services"
systemd:
enabled: no
state: stopped
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- smbd.service
- nmbd.service
- winbind.service
when:
- smb_dc_result.failed == true
- name: "back-Up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
copy:
src: /etc/samba/smb.conf
dest: /etc/samba/smb.conf.initial
remote_src: yes
force: no
when:
- smb_dc_result.failed == true
- name: "rm /etc/samba/smb.conf"
file:
path: /etc/samba/smb.conf
state: absent
when:
- smb_dc_result.failed == true
- name: "Start domain provisioning"
raw: "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
when:
- smb_dc_result.failed == true
- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
copy:
src: /etc/krb5.conf
dest: /etc/krb5.conf.initial
remote_src: yes
force: no
when:
- smb_dc_result.failed == true
- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
file:
src: /var/lib/samba/private/krb5.conf
dest: /etc/krb5.conf
state: link
force: yes
when:
- smb_dc_result.failed == true
- name: "Enable Services"
systemd:
enabled: yes
state: started
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- smbd.service
- nmbd.service
- winbind.service
when:
- smb_dc_result.failed == true
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
when:
- smb_dc_result.failed == true
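Review bot: The `Enable Services` task enables and starts `smbd.service`, `nmbd.service` and `winbind.service` alongside `samba-ad-dc.service`, whereas the 18.04 file enables only `samba-ad-dc.service`; on an AD DC the samba process manages its own smbd and winbindd, so the standalone units are at best redundant here and may conflict with the DC unit — confirm against the unit files on 16.04 and align with the 18.04 list. Unlike the 18.04 file, nothing here sets the DNS forwarder in smb.conf or opens port 53 and the Samba profile in ufw, so a 16.04 DC keeps whatever forwarder `samba-tool` picked from resolv.conf and, if ufw is enabled, serves neither DNS nor AD; either add those tasks or record the gap in the header comment. The provisioning `raw:` line carries `--adminpass={{ smb_password }}` and needs `no_log: true`, as noted on the additional-DC file.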


@@ -0,0 +1,69 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: tasks/ubt-1804-amd64-login.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Download template smb.conf.j2 to /etc/samba/smb.conf"
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
backup: yes
with_items:
- { src: 'pam_winbind.conf.j2', dest: '/usr/share/doc/libpam-winbind/examples/pam_winbind/pam_winbind.conf' }
notify:
- restart_samba
- name: "Modify /etc/samba/smb.conf for AD logins"
blockinfile:
path: /etc/samba/smb.conf
insertafter: "use rfc2307 = yes"
block: |
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
marker: "# {mark} ANSIBLE MANAGED BLOCK"
notify: restart_samba
- name: "Transfer templates"
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
backup: yes
with_items:
- { src: 'nsswitch.conf.j2', dest: '/etc/nsswitch.conf'}
- name: "Configure PAM Configuration"
shell: DEBIAN_FRONTEND=noninteractive pam-auth-update
- name: "Configure PAM - /etc/pam.d/common-account"
lineinfile:
path: /etc/pam.d/common-account
line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
backup: yes
- name: "Download template domain-admins.j2 to /etc/sudoers.d/domain-admins"
template:
src: domain-admins.j2
dest: /etc/sudoers.d/domain-admins
owner: root
group: root
mode: 0440
backup: yes
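Review bot: `blockinfile` with `insertafter: "use rfc2307 = yes"` appends at end of file when the pattern is absent, and on a DC smb.conf the file ends with the `[netlogon]`/`[sysvol]` share sections, so these global-only winbind settings would land inside a share section and be ignored or rejected. Provisioning runs with `--use-rfc2307`, so the line should normally exist, but make the placement explicit with `insertafter: '^\[global\]'` and add `validate: 'testparm -s %s'` to the task so a misplaced block fails the play instead of silently doing nothing. The `pam_winbind.conf.j2` in the loop is rendered to the `/usr/share/doc/...examples` path as in the member role, where PAM does not read it. The first task is named `"Download template smb.conf.j2 to /etc/samba/smb.conf"` but transfers a different file.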


@@ -0,0 +1,150 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: tasks/ubt-1804-amd64.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "Check OS if is allready DC"
shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
register: smb_dc_result
ignore_errors: yes
- name: "Preseed Kerberos version 5: krb5-config/default_realm"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
#- name: "Add additional repositories"
# apt_repository:
# repo: ppa:linux-schools/samba-latest
# when:
# - smb_repository == 'latest'
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "Disable Services"
systemd:
enabled: no
state: stopped
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- smbd.service
- nmbd.service
- winbind.service
- systemd-resolved
when:
- smb_dc_result.failed == true
#- name: "Disable Services"
# systemd:
# enabled: no
# state: stopped
# name: "{{ item }}"
# with_items:
# - systemd-resolved
# when:
# - smb_dc_result.failed == true
# - smb_repository == 'latest'
- name: "back-up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
copy:
src: /etc/samba/smb.conf
dest: /etc/samba/smb.conf.initial
remote_src: yes
force: no
when:
- smb_dc_result.failed == true
- name: "rm /etc/samba/smb.conf"
file:
path: /etc/samba/smb.conf
state: absent
when:
- smb_dc_result.failed == true
- name: "Start domain provisioning"
raw: "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
when:
- smb_dc_result.failed == true
- name: "Configure DNS forwarder in /etc/samba/smb.conf"
replace:
path: /etc/samba/smb.conf
regexp: '127.0.0.53'
replace: '{{ def_ad_dns_forwarder }}'
backup: yes
- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
copy:
src: /etc/krb5.conf
dest: /etc/krb5.conf.initial
remote_src: yes
force: no
- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
file:
src: /var/lib/samba/private/krb5.conf
dest: /etc/krb5.conf
state: link
force: yes
- name: "Enable Services"
systemd:
masked: no
enabled: yes
state: started
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Allow traffic for Application Samba4 AD-DC"
ufw:
rule: allow
name: Samba
- name: "Allow all DNS traffic on port 53/tcp"
ufw:
rule: allow
port: '53'
proto: "{{ item }}"
with_items:
- tcp
- udp
- name: "Ubuntu login"
import_tasks: ubuntu-1804-amd64-login.yml
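Review bot: The `Disable Services` task stops and disables `systemd-resolved`, but nothing in this file repoints `/etc/resolv.conf`; on 18.04 that is a symlink to the resolved stub file naming `127.0.0.53`, which stops answering once resolved is down, so the DC loses name resolution until something rewrites resolv.conf to the DC's own address — unless that is done elsewhere in the role, which I cannot see in this commit. Add a task before provisioning that replaces the symlink with a file containing `nameserver <DC address>` and `search {{ smb_realm|lower }}`. The `Configure DNS forwarder` replace uses `regexp: '127.0.0.53'` with unescaped dots; it is harmless after the first run because the pattern no longer matches, but `regexp: '127\.0\.0\.53'` is the intended expression. The provisioning `raw:` line carries `--adminpass={{ smb_password }}` and needs `no_log: true`, as noted on the additional-DC file.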


@@ -0,0 +1,150 @@
---
# title: role-samba4-primary-ad-dc
#
# Author: bitfinity-nl
# Version: 1.0
# File: tasks/ubt-1804-amd64.yml
#
# Description: Creating a primairy Active Directory Domain Controller.
- name: "Check OS if is allready DC"
shell: "samba-tool domain info {{ ansible_default_ipv4.address }}"
register: smb_dc_result
ignore_errors: yes
- name: "Preseed Kerberos version 5: krb5-config/default_realm"
raw: "echo krb5-config krb5-config/default_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed Kerberos version 5: krb5-config/add_servers_realm"
raw: "echo krb5-config krb5-config/add_servers_realm string {{ smb_realm }} | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
- name: "Preseed PAM Configuration"
raw: "echo libpam-runtime libpam-runtime/profiles multiselect unix, winbind, systemd, mkhomedir | sudo debconf-set-selections"
when:
- smb_dc_result.failed == true
#- name: "Add additional repositories"
# apt_repository:
# repo: ppa:linux-schools/samba-latest
# when:
# - smb_repository == 'latest'
- name: "Install dependencies"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- acl
- samba
- smbclient
- krb5-config
- krb5-user
- winbind
- libpam-winbind
- libnss-winbind
- name: "Disable Services"
systemd:
enabled: no
state: stopped
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- smbd.service
- nmbd.service
- winbind.service
- systemd-resolved
when:
- smb_dc_result.failed == true
#- name: "Disable Services"
# systemd:
# enabled: no
# state: stopped
# name: "{{ item }}"
# with_items:
# - systemd-resolved
# when:
# - smb_dc_result.failed == true
# - smb_repository == 'latest'
- name: "back-up the initial /etc/samba/smb.conf to /etc/samba/smb.conf.initial"
copy:
src: /etc/samba/smb.conf
dest: /etc/samba/smb.conf.initial
remote_src: yes
force: no
when:
- smb_dc_result.failed == true
- name: "rm /etc/samba/smb.conf"
file:
path: /etc/samba/smb.conf
state: absent
when:
- smb_dc_result.failed == true
- name: "Start domain provisioning"
raw: "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ smb_realm }} --domain={{ smb_workgroup }} --adminpass={{ smb_password }}"
when:
- smb_dc_result.failed == true
- name: "Configure DNS forwarder in /etc/samba/smb.conf"
replace:
path: /etc/samba/smb.conf
regexp: '127.0.0.53'
replace: '{{ def_ad_dns_forwarder }}'
backup: yes
- name: "back-Up the initial /etc/krb5.conf to /etc/krb5.conf.initial"
copy:
src: /etc/krb5.conf
dest: /etc/krb5.conf.initial
remote_src: yes
force: no
- name: "Symlink to /var/lib/samba/private/krb5.conf to /etc/krb5.conf"
file:
src: /var/lib/samba/private/krb5.conf
dest: /etc/krb5.conf
state: link
force: yes
- name: "Enable Services"
systemd:
masked: no
enabled: yes
state: started
name: "{{ item }}"
with_items:
- samba-ad-dc.service
- name: "Edit Fstab"
replace:
path: /etc/fstab
regexp: 'errors=remount-ro 0'
replace: 'user_xattr,acl,barrier=1,errors=remount-ro,relatime 0'
backup: yes
- name: "Allow traffic for Application Samba4 AD-DC"
ufw:
rule: allow
name: Samba
- name: "Allow all DNS traffic on port 53/tcp"
ufw:
rule: allow
port: '53'
proto: "{{ item }}"
with_items:
- tcp
- udp
- name: "Ubuntu login"
import_tasks: ubuntu-1804-amd64-login.yml
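Review bot: The "Start domain provisioning" task puts the administrator password on the command line as `--adminpass={{ smb_password }}` inside a `raw` task, so it is echoed into Ansible output and logs and is visible in the host's process list while samba-tool runs; at least add `no_log: true` to that task. Every later step is gated on `smb_dc_result.failed == true`, which means any failure of the `samba-tool domain info` check — not only "not yet a DC" — leads to deleting /etc/samba/smb.conf and re-provisioning, so consider narrowing the condition to the check's `rc` or output and writing it as `smb_dc_result is failed`. The three `echo … | sudo debconf-set-selections` `raw` tasks can be the `debconf` module, which is idempotent and does not need `sudo` when the play runs with `become`. The `yes`/`no` values on `enabled`, `remote_src`, `force`, `backup`, `masked` and `ignore_errors` are YAML 1.1 truthy spellings that yamllint flags; `true`/`false` is the portable form.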

@@ -0,0 +1,16 @@
# Global parameters
[global]
dns forwarder = {{ smb_dns_forwarder }}
netbios name = {{ ansible_hostname }}
realm = {{ smb_realm }}
server role = active directory domain controller
workgroup = {{ smb_workgroup }}
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/{{ smb_realm }}/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No

@@ -0,0 +1 @@
%domain\ admins ALL=(ALL:ALL) ALL
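Review bot: The group match `%domain\ admins` only resolves if winbind returns the group name without a domain prefix, i.e. `winbind use default domain = yes` is set in smb.conf; otherwise the entry silently grants nothing. Whatever task installs this fragment should pass it through `validate: 'visudo -cf %s'` and set mode 0440, so a malformed line cannot break sudo for every user; that task is not in this hunk.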

@@ -0,0 +1,20 @@
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
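Review bot: This ships a complete replacement for /etc/nsswitch.conf rather than editing the `passwd`, `group` and `shadow` lines, so any entry added by other packages or a later release is dropped on every run; `lineinfile` with `regexp: '^passwd:'` (and likewise for `group`) against the existing file preserves them. The `winbind` entry on the `shadow` line is most likely a no-op, as the winbind NSS module does not serve shadow entries — confirm against the Samba domain-member documentation and drop it if so. The installing task is outside this hunk.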

@@ -0,0 +1,41 @@
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
# For more details see man pam_winbind.conf(5)
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
cached_login = yes
# authenticate using kerberos
;krb5_auth = no
# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
warn_pwd_expire = 21
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no
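Review bot: `cached_login = yes` only takes effect with `winbind offline logon = yes` in smb.conf, as the comment directly above it says, and the smb.conf template earlier in this commit does not set that parameter, so cached logons will not work as configured; either add `winbind offline logon = yes` to the template or drop the override so the file does not suggest an offline capability that is absent. Leaving `krb5_auth` at its commented default means pam_winbind authenticates via the NTLM path rather than Kerberos; if Kerberos is intended for domain logons, set `krb5_auth = yes` and `krb5_ccache_type = FILE` explicitly.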

16
samba-dc.yml Normal file
@@ -0,0 +1,16 @@
- hosts: adc01
become: true
vars:
# -- Custom settings: role-samba4-primary-ad-dc --
smb_workgroup : 'LAB'
smb_realm : 'LAB.LOCAL'
smb_username : 'administrator'
smb_password : 'Password123'
smb_role : 'primary'
smb_dns_servers: '10.100.100.12'
smb_dns_forwarder: '8.8.8.8'
roles:
- role-samba4-primary-ad-dc
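Review bot: `smb_password : 'Password123'` commits the domain Administrator password in plaintext, and the primary-DC role's provisioning task uses that value as `--adminpass`; the same line appears in samba-member.yml. Keep it out of version control by reading it from an ansible-vault-encrypted variable or a `vars_prompt` entry, and treat the value already pushed as exposed, i.e. rotate it once the DC is provisioned. The space before the colon on the custom-settings lines (`smb_workgroup : 'LAB'`) is unconventional YAML that yamllint flags; `smb_workgroup: 'LAB'` is the usual form, and the file lacks a leading `---`.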

14
samba-member.yml Normal file
@@ -0,0 +1,14 @@
- hosts: server1
become: true
vars:
# -- Custom settings: role-samba4-primary-ad-dc --
smb_workgroup : 'LAB'
smb_realm : 'LAB.LOCAL'
smb_username : 'administrator'
smb_password : 'Password123'
smb_dns_servers: '10.100.100.12'
roles:
- role-samba4-ad-member
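Review bot: The comment `# -- Custom settings: role-samba4-primary-ad-dc --` names the wrong role for this playbook, which applies `role-samba4-ad-member`; change it to `# -- Custom settings: role-samba4-ad-member --`. The `key : value` spacing on the vars lines and the missing leading `---` are the same lint points as in samba-dc.yml.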