Add samba role

With sssd.

roles/samba/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: reload smbd
+  command: systemctl reload smbd
+  when: "'handler' not in ansible_skip_tags"
+
+- name: restart sssd
+  command: systemctl restart sssd
+  when: "'handler' not in ansible_skip_tags"

roles/samba/tasks/main.yml

@@ -0,0 +1,78 @@
+- name: Install packages
+  package:
+    name:
+      - adcli
+      - python3-pexpect
+      - samba
+      - sssd
+      - sssd-tools
+      - winbind
+
+- name: Configure sssd
+  template:
+    dest: /etc/sssd/sssd.conf
+    src: sssd.conf.j2
+    mode: 0600
+  notify: restart sssd
+
+- name: Configure samba
+  template:
+    dest: /etc/samba/smb.conf
+    src: smb.conf.j2
+    mode: 0600
+  notify: reload smbd
+
+- name: Enable pam_mkhomedir
+  lineinfile: # pam-auth-update doesn’t do shit for noninteractive sessions so do it manually
+    path: /etc/pam.d/common-session-noninteractive
+    line: session optional pam_mkhomedir.so
+
+- name: Check domain membership
+  command: 'adcli testjoin -D {{ domain }}'
+  changed_when: false
+  failed_when: false
+  register: ad_join
+
+- name: Join host to AD domain
+  when: ad_join.rc != 0
+  block:
+    - pause:
+        prompt: 'AD username'
+      register: ad_user
+
+    - pause:
+        prompt: 'AD password'
+        echo: no
+      register: ad_pass
+
+    # work around https://gitlab.freedesktop.org/realmd/adcli/-/merge_requests/52
+    - name: Get and store domain SID
+      expect:
+        command: net -U {{ ad_user.user_input }} rpc getsid -S {{ domain }} -D {{ domain }}
+        responses:
+          'Password for': '{{ ad_pass.user_input }}'
+
+    # work around https://bugzilla.redhat.com/show_bug.cgi?id=1665794
+    - name: Set missing keys in secrets.tdb
+      command: tdbtool /var/lib/samba/private/secrets.tdb store {{ item }}/{{ domain | upper | split('.') | first }} '\0'
+      loop:
+        - SECRETS/MACHINE_LAST_CHANGE_TIME
+        - SECRETS/MACHINE_PASSWORD
+        - SECRETS/MACHINE_PASSWORD.PREV
+
+    - name: Join AD with adcli
+      expect:
+        command: adcli join -v -U {{ ad_user.user_input | upper }} -D {{ domain | upper }} --add-samba-data
+        responses:
+          'Password for': '{{ ad_pass.user_input }}'
+
+- name: Enable services
+  service:
+    name: '{{ item }}'
+    enabled: true
+    state: started
+  loop:
+    - smbd
+    - sssd
+    - winbind
+

roles/samba/templates/smb.conf.j2

@@ -0,0 +1,65 @@
+[global]
+# update or die
+server min protocol = SMB3
+smb ports = 445
+use sendfile = yes
+winbind max domain connections = 10
+
+# disable attack vectors
+load printers = no
+disable spoolss = yes
+disable netbios = yes
+
+# auto-create home directories with pam_mkhomedir
+obey pam restrictions = yes
+
+template homedir = /home/%U@%D
+template shell = /bin/bash
+
+# domain settings
+security = ads
+kerberos method = secrets and keytab
+realm = {{ domain | upper }}
+workgroup = {{ domain | split('.') | first | upper }}
+
+idmap config * : backend = sss
+idmap config * : range = 200000-2147483647
+
+[homes]
+comment = home directory
+valid users = %S "@domain admins@{{ domain }}"
+admin users = "@domain admins@{{ domain }}"
+browseable = no
+read only = no
+create mask = 0700
+directory mask = 0700
+vfs objects = acl_xattr
+map acl inherit = yes
+inherit acls = yes
+inherit permissions = yes
+
+# TODO parametrize this somehow
+#[profiles]
+#comment = Users profiles
+#path = /home/profiles
+#read only = no
+#browsable = yes
+#create mask = 0600
+#directory mask = 0700
+#vfs objects = acl_xattr
+#map acl inherit = yes
+##inherit acls = yes # default on for acl_xattr
+## inherit permissions = yes
+#
+#[ucilnice_d]
+#comment = Users profiles
+#path = /home/ucilnice_d
+#read only = no
+#guest ok = yes
+#browsable = yes
+#create mask = 0600
+#directory mask = 0700
+#vfs objects = acl_xattr
+#map acl inherit = yes
+##inherit acls = yes # default on for acl_xattr
+## inherit permissions = yes

roles/samba/templates/sssd.conf.j2

@@ -0,0 +1,29 @@
+[sssd]
+# without this services get socket-activated which seems to be broken for sssd-pac
+services = nss, pac, pam
+config_file_version = 2
+
+domains = {{ domain }}
+
+[domain/{{ domain }}]
+id_provider = ad
+access_provider = ad
+
+ad_domain = {{ domain }}
+ad_enable_gc = true
+ad_gpo_access_control = permissive
+ad_gpo_ignore_unreadable = true
+ad_update_samba_machine_account_password = true
+
+krb5_realm = {{ domain | upper }}
+krb5_store_password_if_offline = true
+cache_credentials = true
+ldap_id_mapping = true
+use_fully_qualified_names = true
+
+default_shell = /bin/bash
+fallback_homedir = /home/%u@%d
+
+# for debugging ticket renewals
+#ad_maximum_machine_account_password_age = 1
+#ad_machine_account_password_renewal_opts = 86400:10

setup.yml

@@ -19,3 +19,8 @@
   roles:
     - alpine
     - dokuwiki
+
+- hosts: samba
+  roles:
+    - debian
+    - samba