servers/roles/samba/tasks/main.yml
Timotej Lazar 19431a827b samba: check AD membership with net
Seems more reliable than adcli. Not sure how reliable any of this
actually is.
2024-05-28 12:51:44 +02:00


---
# Everything the rest of this role relies on: adcli performs the join, samba,
# sssd and winbind are configured and started below, and python3-pexpect is
# required by the expect tasks in the join block.
- name: Install packages
  package:
    name:
      - adcli
      - python3-pexpect
      - samba
      - sssd
      - sssd-tools
      - winbind
    state: present
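- name: Configure sssd
  template:
    dest: /etc/sssd/sssd.conf
    src: sssd.conf.j2
    # Quoted so Ansible receives the mode as a string and converts it itself;
    # an unquoted 0600 is a YAML 1.1 octal integer and is not handled reliably
    # in every context (loops, some tooling).
    mode: '0600'
  notify: restart sssd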
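- name: Configure samba
  template:
    dest: /etc/samba/smb.conf
    src: smb.conf.j2
    # Quoted for the same reason as any Ansible file mode: a bare 0600 is a
    # YAML octal integer rather than the string the module expects.
    mode: '0600'
    # Reject a broken rendering before it replaces the live config; the
    # membership check and the join below both read this file.
    validate: testparm -s %s
  notify: reload smbd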
# pam-auth-update does not manage the noninteractive session stack, so the
# module is added to it by hand. lineinfile matches the exact line, which
# keeps this idempotent.
- name: Enable pam_mkhomedir
  lineinfile:
    path: /etc/pam.d/common-session-noninteractive
    line: session optional pam_mkhomedir.so
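# Read-only probe; only its exit code matters, so it must never report a
# change or fail the play.
- name: Check domain membership
  command: net ads testjoin
  changed_when: false
  failed_when: false
  # Run even under --check: otherwise the command is skipped, ad_join.rc is
  # undefined and the `when` on the join block errors out.
  check_mode: false
  register: ad_join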
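# Only runs when `net ads testjoin` failed above. Credentials are prompted
# interactively and never stored in the repository.
- name: Join host to AD domain
  when: ad_join.rc != 0
  block:
    - pause:
        prompt: 'AD username'
      register: ad_user
    - pause:
        prompt: 'AD password'
        echo: false
      register: ad_pass
    # work around https://gitlab.freedesktop.org/realmd/adcli/-/merge_requests/52
    - name: Get and store domain SID
      expect:
        # `quote` escapes the interpolated values so an unusual username or
        # domain cannot be split into extra arguments by the command parser.
        command: net -U {{ ad_user.user_input | quote }} rpc getsid -S {{ domain | quote }} -D {{ domain | quote }}
        responses:
          'Password for': '{{ ad_pass.user_input }}'
      # The password is a module argument (responses), so without no_log it
      # appears in -v output and logs. Trade-off: failure output is hidden too.
      no_log: true
    # work around https://bugzilla.redhat.com/show_bug.cgi?id=1665794
    - name: Set missing keys in secrets.tdb
      command: tdbtool /var/lib/samba/private/secrets.tdb store {{ item }}/{{ domain | upper | split('.') | first }} '\0'
      loop:
        - SECRETS/MACHINE_LAST_CHANGE_TIME
        - SECRETS/MACHINE_PASSWORD
        - SECRETS/MACHINE_PASSWORD.PREV
    - name: Join AD with adcli
      expect:
        command: adcli join -v -U {{ ad_user.user_input | upper | quote }} -D {{ domain | upper | quote }} --add-samba-data
        responses:
          'Password for': '{{ ad_pass.user_input }}'
      # Same as above: keep the password out of task output. Drop no_log
      # temporarily if the -v output from adcli is needed to debug a failure.
      no_log: true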
# Bring up the daemons configured above and make them persistent across reboot.
- name: Enable services
  service:
    name: '{{ item }}'
    state: started
    enabled: true
  loop:
    - smbd
    - sssd
    - winbind