Add samba role
With sssd.
This commit is contained in:
parent
0907870142
commit
43b9010126
5 changed files with 184 additions and 0 deletions
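--- /dev/null
+++ b/roles/samba/templates/smb.conf.j2
@@ -0,0 +1,65 @@
+[global]
+# update or die
+server min protocol = SMB3
+smb ports = 445
+use sendfile = yes
+winbind max domain connections = 10
+
+# disable attack vectors
+load printers = no
+disable spoolss = yes
+disable netbios = yes
+
+# auto-create home directories with pam_mkhomedir
+obey pam restrictions = yes
+
+template homedir = /home/%U@%D
+template shell = /bin/bash
+
+# domain settings
+security = ads
+kerberos method = secrets and keytab
+realm = {{ domain | upper }}
+workgroup = {{ domain | split('.') | first | upper }}
+
+idmap config * : backend = sss
+idmap config * : range = 200000-2147483647
+
+[homes]
+comment = home directory
+valid users = %S "@domain admins@{{ domain }}"
+admin users = "@domain admins@{{ domain }}"
+browseable = no
+read only = no
+create mask = 0700
+directory mask = 0700
+vfs objects = acl_xattr
+map acl inherit = yes
+inherit acls = yes
+inherit permissions = yes
+
+# TODO parametrize this somehow
+#[profiles]
+#comment = Users profiles
+#path = /home/profiles
+#read only = no
+#browsable = yes
+#create mask = 0600
+#directory mask = 0700
+#vfs objects = acl_xattr
+#map acl inherit = yes
+##inherit acls = yes # default on for acl_xattr
+## inherit permissions = yes
+#
+#[ucilnice_d]
+#comment = Users profiles
+#path = /home/ucilnice_d
+#read only = no
+#guest ok = yes
+#browsable = yes
+#create mask = 0600
+#directory mask = 0700
+#vfs objects = acl_xattr
+#map acl inherit = yes
+##inherit acls = yes # default on for acl_xattr
+## inherit permissions = yes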
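Review bot: `admin users = "@domain admins@{{ domain }}"` in `[homes]` makes Samba perform every file operation for that group as root, so the share's `valid users` list and the 0700 create/directory masks do not constrain those accounts; if that is the intended administration path it needs a comment such as `# domain admins act as root on every home share (admin users)`, otherwise the `valid users` entry already lets them reach the shares as themselves. `[global]` raises the protocol floor with `server min protocol = SMB3` but does not pin SMB signing, so `server signing = mandatory` would fit directly below it for a member server. `template homedir`, `template shell` and `winbind max domain connections` are winbind parameters; with `idmap config * : backend = sss` they may be inert on this host, which is worth confirming before relying on them for home-directory naming.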
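--- /dev/null
+++ b/roles/samba/templates/sssd.conf.j2
@@ -0,0 +1,29 @@
+[sssd]
+# without this services get socket-activated which seems to be broken for sssd-pac
+services = nss, pac, pam
+config_file_version = 2
+
+domains = {{ domain }}
+
+[domain/{{ domain }}]
+id_provider = ad
+access_provider = ad
+
+ad_domain = {{ domain }}
+ad_enable_gc = true
+ad_gpo_access_control = permissive
+ad_gpo_ignore_unreadable = true
+ad_update_samba_machine_account_password = true
+
+krb5_realm = {{ domain | upper }}
+krb5_store_password_if_offline = true
+cache_credentials = true
+ldap_id_mapping = true
+use_fully_qualified_names = true
+
+default_shell = /bin/bash
+fallback_homedir = /home/%u@%d
+
+# for debugging ticket renewals
+#ad_maximum_machine_account_password_age = 1
+#ad_machine_account_password_renewal_opts = 86400:10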
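Review bot: `ad_gpo_access_control = permissive` in `[domain/{{ domain }}]` means the GPO logon rules fetched from AD are evaluated and logged but never enforced, so with `access_provider = ad` and no `ad_access_filter` any account that AD itself does not reject (disabled or expired) can authenticate through pam on this host; if that is the intent it should be stated above the line, e.g. `# GPO logon restrictions are logged only, not enforced`, otherwise `enforcing` is the value that applies them, and `ad_gpo_ignore_unreadable = true` only has an effect once they are enforced. `cache_credentials = true` keeps a credential hash in the sssd cache on disk and `krb5_store_password_if_offline = true` holds the plaintext password in the kernel keyring while the provider is offline, which is the usual offline-login trade-off and deserves one line of justification next to the pair. The comment on `services` already explains that non-default choice; the same treatment for these lines would make the section self-explaining.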