-
Notifications
You must be signed in to change notification settings - Fork 21
/
main.yml
197 lines (178 loc) · 5.71 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
- name: Remove default smb.conf
file:
path: /etc/samba/smb.conf
state: absent
- name: Prepare Samba facts
set_fact:
samba_domain: "{{ '.'.join(inventory_hostname.split('.')[1:]) }}"
samba_netbios: "{{ inventory_hostname.split('.')[0].upper() }}"
samba_workgroup: "{{ inventory_hostname.split('.')[1].upper() }}"
samba_suffix: "{{ inventory_hostname.split('.')[1:] | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
samba_password: "{{ hostvars[inventory_hostname].ansible_password | default(service.samba.password) }}"
- name: Debug Samba facts
debug:
msg: |
Samba domain: "{{ samba_domain }}"
Samba workgroup: "{{ samba_workgroup }}"
Samba suffix: "{{ samba_suffix }}"
Samba netbios: "{{ samba_netbios }}"
- name: Gather the package facts
ansible.builtin.package_facts:
- name: Get rid of systemd-resolved
block:
- name: List mounts
ansible.builtin.command: mount
register: mounts
- name: Disable systemd-resolved to clear DNS port
ansible.builtin.service:
name: systemd-resolved.service
enabled: no
state: stopped
# In VMs we want to use network manager resolv conf instead
# of systemd-resolved stub.
- name: Replace /etc/resolv.conf with network manager
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /etc/resolv.conf
state: link
force: yes
owner: root
group: root
mode: '0660'
when: '"resolv.conf" not in mounts.stdout'
- name: Create NetworkManager dns override
ansible.builtin.copy:
content: |
[main]
dns=none
dest: /etc/NetworkManager/conf.d/90-dns-none.conf
register: NetworkManager_configured
when: '"resolv.conf" not in mounts.stdout'
- name: Restart NetworkManager
ansible.builtin.service:
name: NetworkManager
state: restarted
when:
- '"resolv.conf" not in mounts.stdout'
- NetworkManager_configured.changed
# In containers the file is a mounted from outside so
# we change the content.
- name: Change resolv.conf
lineinfile:
path: /etc/resolv.conf
insertbefore: BOF
line: "nameserver {{ hostvars[groups.dns.0]['ansible_facts']['default_ipv4']['address'] }}"
when:
- '"resolv.conf" in mounts.stdout'
- '"dns" in groups and groups["dns"]'
- name: Remove systemd-resolved package
ansible.builtin.package:
name: systemd-resolved
state: absent
when: "'systemd-resolved' in ansible_facts.packages"
- name: Install Samba domain
shell: |
/usr/bin/samba-tool domain provision \
--realm={{ samba_domain | upper | quote }} \
--domain={{ samba_workgroup | quote }} \
--adminpass={{ samba_password | quote }} \
--krbtgtpass={{ samba_password | quote }} \
--dnspass={{ samba_password | quote }} \
--use-rfc2307
args:
creates: /etc/samba/smb.conf
- name: Setup Kerberos
copy:
src: /var/lib/samba/private/krb5.conf
dest: /etc/krb5.conf
mode: 0644
force: yes
remote_src: yes
# TODO: The hardcoded certs should be replaced
# by ones based on real based on hostnames
- name: Replace TLS certificates
ini_file:
path: /etc/samba/smb.conf
section: global
option: '{{ item.name }}'
value: '{{ item.value }}'
mode: 0600
with_items:
- { name: 'tls keyfile', value: '/data/certs/dc.samba.test.key' }
- { name: 'tls certfile', value: '/data/certs/dc.samba.test.crt' }
- { name: 'tls cafile', value: '/data/certs/ca.crt' }
- name: Select authselect winbind profile
shell: |
if [ ! -f /usr/bin/authselect ]; then
exit 0
fi
authselect select winbind --force
- name: Enable schema extensions
ini_file:
path: /etc/samba/smb.conf
section: global
option: "dsdb:schema update allowed"
value: true
mode: '0600'
backup: no
- name: Enable debug
ini_file:
path: /etc/samba/smb.conf
section: global
option: "log level"
value: "1 auth:7 rpc_srv:7 sam:7 winbind:7"
mode: '0600'
backup: no
- name: Set idmap range
ini_file:
path: /etc/samba/smb.conf
section: global
option: "idmap config * : range"
value: "1000000-1999999"
mode: '0600'
backup: no
- name: Copy sudo schema
template:
src: '{{ item }}.j2'
dest: '/etc/samba/{{ item }}'
owner: root
group: root
mode: 0644
with_items:
- sudo.attrs.ldif
- sudo.class.ldif
- name: Install sudo schema
shell: |
export LDB_MODULES_PATH=/usr/lib64/samba/ldb
ldbadd -H /var/lib/samba/private/sam.ldb /etc/samba/sudo.attrs.ldif
ldbadd -H /var/lib/samba/private/sam.ldb /etc/samba/sudo.class.ldif
retries: 5
delay: 5
- name: Start Samba DC
service:
name: samba.service
enabled: yes
state: started
- name: Set default GPO
shell: |
# Make sure default default GptTmpl.inf exist, otherwise GPO access check will fail
# on SSSD: https://bugzilla.redhat.com/show_bug.cgi?id=1839805#c18
gpo=/var/lib/samba/sysvol/samba.test/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
mkdir -p "$gpo/MACHINE/Microsoft/Windows NT/SecEdit"
chown -R "SAMBA\domain admins":"SAMBA\domain admins" "$gpo"
echo "[System Access]" > "$gpo/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf"
- name: Create samba-sysvolreset.service
template:
src: samba-sysvolreset.service
dest: /etc/systemd/system/samba-sysvolreset.service
owner: root
group: root
mode: 0644
# sysvol permission must be reset every time the container is started
- name: Start samba-sysvolreset.service
service:
name: samba-sysvolreset.service
enabled: yes
state: started
- name: Disable account expiration for Administrator
command: samba-tool user setexpiry Administrator --noexpiry