Add samba role

With sssd.
Timotej Lazar 2024-05-22 20:50:34 +02:00
parent 0907870142
commit 43b9010126
5 changed files with 184 additions and 0 deletions


@ -0,0 +1,7 @@
- name: reload smbd
command: systemctl reload smbd
when: "'handler' not in ansible_skip_tags"
- name: restart sssd
command: systemctl restart sssd
when: "'handler' not in ansible_skip_tags"
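Review bot: Both handlers shell out with `command: systemctl reload smbd` / `command: systemctl restart sssd` instead of using the `systemd` (or `service`) module, so Ansible cannot honour check mode or report a meaningful changed state for them. The module form is `systemd:` with `name: smbd` and `state: reloaded` for the first handler, and `name: sssd` with `state: restarted` for the second. The `when: "'handler' not in ansible_skip_tags"` guard is not self-explanatory; a comment such as `# lets --skip-tags handler suppress service bounces during config-only runs` would help the next reader.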


@ -0,0 +1,78 @@
- name: Install packages
package:
name:
- adcli
- python3-pexpect
- samba
- sssd
- sssd-tools
- winbind
- name: Configure sssd
template:
dest: /etc/sssd/sssd.conf
src: sssd.conf.j2
mode: 0600
notify: restart sssd
- name: Configure samba
template:
dest: /etc/samba/smb.conf
src: smb.conf.j2
mode: 0600
notify: reload smbd
- name: Enable pam_mkhomedir
lineinfile: # pam-auth-update doesn’t do shit for noninteractive sessions so do it manually
path: /etc/pam.d/common-session-noninteractive
line: session optional pam_mkhomedir.so
- name: Check domain membership
command: 'adcli testjoin -D {{ domain }}'
changed_when: false
failed_when: false
register: ad_join
- name: Join host to AD domain
when: ad_join.rc != 0
block:
- pause:
prompt: 'AD username'
register: ad_user
- pause:
prompt: 'AD password'
echo: no
register: ad_pass
# work around https://gitlab.freedesktop.org/realmd/adcli/-/merge_requests/52
- name: Get and store domain SID
expect:
command: net -U {{ ad_user.user_input }} rpc getsid -S {{ domain }} -D {{ domain }}
responses:
'Password for': '{{ ad_pass.user_input }}'
# work around https://bugzilla.redhat.com/show_bug.cgi?id=1665794
- name: Set missing keys in secrets.tdb
command: tdbtool /var/lib/samba/private/secrets.tdb store {{ item }}/{{ domain | upper | split('.') | first }} '\0'
loop:
- SECRETS/MACHINE_LAST_CHANGE_TIME
- SECRETS/MACHINE_PASSWORD
- SECRETS/MACHINE_PASSWORD.PREV
- name: Join AD with adcli
expect:
command: adcli join -v -U {{ ad_user.user_input | upper }} -D {{ domain | upper }} --add-samba-data
responses:
'Password for': '{{ ad_pass.user_input }}'
- name: Enable services
service:
name: '{{ item }}'
enabled: true
state: started
loop:
- smbd
- sssd
- winbind
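Review bot: The two `expect:` tasks ("Get and store domain SID" and "Join AD with adcli") pass the AD password in their `responses:` argument, and without `no_log: true` Ansible prints task arguments, including that value, in verbose output and to any callback or log plugin; the `pause` that registers `ad_pass` should get `no_log: true` as well, since registered results may be echoed in verbose runs. Add `no_log: true` to those three tasks. Separately, `mode: 0600` on both `template:` tasks is an unquoted leading-zero octal that YAML 1.1 parsers read as the integer 384; Ansible accepts that form, but `mode: '0600'` is the unambiguous spelling, and `echo: no` on the password prompt should be `echo: false` for the same reason.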


@ -0,0 +1,65 @@
[global]
# update or die
server min protocol = SMB3
smb ports = 445
use sendfile = yes
winbind max domain connections = 10
# disable attack vectors
load printers = no
disable spoolss = yes
disable netbios = yes
# auto-create home directories with pam_mkhomedir
obey pam restrictions = yes
template homedir = /home/%U@%D
template shell = /bin/bash
# domain settings
security = ads
kerberos method = secrets and keytab
realm = {{ domain | upper }}
workgroup = {{ domain | split('.') | first | upper }}
idmap config * : backend = sss
idmap config * : range = 200000-2147483647
[homes]
comment = home directory
valid users = %S "@domain admins@{{ domain }}"
admin users = "@domain admins@{{ domain }}"
browseable = no
read only = no
create mask = 0700
directory mask = 0700
vfs objects = acl_xattr
map acl inherit = yes
inherit acls = yes
inherit permissions = yes
# TODO parametrize this somehow
#[profiles]
#comment = Users profiles
#path = /home/profiles
#read only = no
#browsable = yes
#create mask = 0600
#directory mask = 0700
#vfs objects = acl_xattr
#map acl inherit = yes
##inherit acls = yes # default on for acl_xattr
## inherit permissions = yes
#
#[ucilnice_d]
#comment = Users profiles
#path = /home/ucilnice_d
#read only = no
#guest ok = yes
#browsable = yes
#create mask = 0600
#directory mask = 0700
#vfs objects = acl_xattr
#map acl inherit = yes
##inherit acls = yes # default on for acl_xattr
## inherit permissions = yes
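Review bot: `admin users = "@domain admins@{{ domain }}"` in `[homes]` makes Samba perform every file operation by a Domain Admins member as root on any user's home share, bypassing the per-user permission and ACL checks the rest of the section sets up; if the goal is only to let admins open home shares, `valid users` already grants that and the `admin users` line can be dropped, otherwise add a comment stating why root-equivalent access is intended, e.g. `# admin users: Domain Admins act as root on every home share`. In `[global]`, the "disable attack vectors" stanza hardens the listener but leaves signing and encryption at their defaults; on an SMB3-only server it is worth considering `server signing = mandatory` and `smb encrypt = required`, with a comment noting which clients were checked against them.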


@ -0,0 +1,29 @@
[sssd]
# without this services get socket-activated which seems to be broken for sssd-pac
services = nss, pac, pam
config_file_version = 2
domains = {{ domain }}
[domain/{{ domain }}]
id_provider = ad
access_provider = ad
ad_domain = {{ domain }}
ad_enable_gc = true
ad_gpo_access_control = permissive
ad_gpo_ignore_unreadable = true
ad_update_samba_machine_account_password = true
krb5_realm = {{ domain | upper }}
krb5_store_password_if_offline = true
cache_credentials = true
ldap_id_mapping = true
use_fully_qualified_names = true
default_shell = /bin/bash
fallback_homedir = /home/%u@%d
# for debugging ticket renewals
#ad_maximum_machine_account_password_age = 1
#ad_machine_account_password_renewal_opts = 86400:10
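Review bot: `ad_gpo_access_control = permissive` makes sssd evaluate the domain's logon-rights GPOs but only log denials rather than enforce them, so `access_provider = ad` effectively reduces to the account-disabled/expired checks; that is a sensible bring-up setting but deserves a comment stating it and the intended switch to `enforcing`, e.g. `# permissive: log GPO logon denials only; move to enforcing once the GPOs are verified`. `ad_gpo_ignore_unreadable = true` should get a similar note, since once enforcing it silently skips policies sssd cannot read. `cache_credentials = true` together with `krb5_store_password_if_offline = true` keeps user credential material on the host for offline logins, which is worth one line explaining the trade-off.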


@ -19,3 +19,8 @@
roles:
- alpine
- dokuwiki
- hosts: samba
roles:
- debian
- samba