05c1849e
Commit
05c1849e
authored
Mar 07, 2018
by
Hinrikus Wolf
add role for ad-replication
parent
2b9e7f2d
Changes
6
ad-server-replication/handlers/main.yml
0 → 100644
---
# file: roles/ad-auth/handlers/main.yml
-
name
:
restart samba-ad-dc server
service
:
name=samba-ad-dc state=restarted
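Review bot: The header comment `# file: roles/ad-auth/handlers/main.yml` does not match where this file lives (`ad-server-replication/handlers/main.yml`), which suggests it was copied from another role and will mislead anyone grepping by path. The same stale header appears in `ad-server-replication/tasks/kerberos.yml` (`roles/ad-auth/tasks/kerberos.yml`) and `ad-server-replication/tasks/main.yml` (`roles/ad-server/tasks/main.yml`). Either update each to the real path, e.g. `# file: roles/ad-server-replication/handlers/main.yml`, or drop the comment, since the path is already given by the file itself.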
ad-server-replication/tasks/.main.yml.swo
0 → 100644
File added
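Review bot: `ad-server-replication/tasks/.main.yml.swo` is a Vim swap file and should not be committed; it is editor state rather than role content, and a swap file can carry unsaved buffer text from the file being edited, which in a role that references an admin credential lookup is worth keeping out of the repository history. Its contents cannot be inspected from this page, so whether anything sensitive is in it is not verifiable here. Remove it from the commit and add `*.swp` and `*.swo` to the repository's `.gitignore` so it cannot recur.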
ad-server-replication/tasks/kerberos.yml
0 → 100644
---
# file: roles/ad-auth/tasks/kerberos.yml
-
name
:
ensure kerberos is installed
apt
:
name=krb5-user state=installed
tags
:
-
kerberos
-
packages
-
name
:
ensure kerberos is configured
template
:
src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
tags
:
-
kerberos
-
config
ad-server-replication/tasks/main.yml
0 → 100644
---
# file: roles/ad-server/tasks/main.yml
-
import_tasks
:
kerberos.yml
-
name
:
ensure ad-server is installed
apt
:
name=samba state=latest
tags
:
-
packages
-
ad-server
#- name: ensure winbind is for some reasons installed
# apt: name=winbind state=latest
# tags:
# - packages
# - ad-server
-
name
:
figure out if domain is provisioned
stat
:
path=/var/lib/samba/sysvol/{{ domain }}
register
:
domain_provisioned
tags
:
-
ad-server
-
domain-provision
-
block
:
-
name
:
ensure smb.conf is absent for provision
file
:
path=/etc/samba/smb.conf state=absent
tags
:
-
ad-server
-
domain-provision
-
name
:
ensure pexpect is installed
apt
:
name=python-pexpect state=installed
tags
:
-
ad-server
-
domain-provision
when
:
debian_version == "stretch"
-
name
:
ensure domain is provisioned
expect
:
shell
:
samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option='idmap_ldb:use rfc2307=yes' 2> /root/provision.log
responses
:
"
Password
for.*"
:
"
{{
lookup('passwordstore',
'samba-admin')
}}"
no_log
:
True
tags
:
-
ad-server
-
domain-provision
-
name
:
ensure the idmap library is exported
shell
:
tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
delegate_to
:
"
{{
ad_primary
}}"
tags
:
-
ad-server
-
domain-provision
# when: domain_provisioned.stat.exists == False
-
name
:
ensure the idmap library is copied to secondary
synchronize
:
src
:
/var/lib/samba/private/idmap.ldb.bak
dest
:
/var/lib/samba/private/idmap.ldb
delegate_to
:
"
{{
ad_primary
}}"
tags
:
-
ad-server
-
domain-provision
when
:
domain_provisioned.stat.exists == False
#- name: ensure the id library is rted to secondary
# shell: samba-tool ntacl sysvolreset
# tags:
# - ad-server
# - domain-provision
# #when: domain_provisioned.stat.exists == False
-
name
:
ensure smb.conf is correct
template
:
src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
notify
:
restart samba-ad-dc server
tags
:
-
ad-server
-
config
-
name
:
ensure smbd is stopped and disabled
service
:
name=smbd state=stopped enabled=no
tags
:
-
ad-server
-
service
-
name
:
ensure nmbd is stopped and disabled
service
:
name=nmbd state=stopped enabled=no
tags
:
-
ad-server
-
service
-
name
:
ensure samba-ad-dc unit is running, enabled and not masked
systemd
:
name=samba-ad-dc masked=no
tags
:
-
ad-server
-
service
-
name
:
ensure samba-ad-dc is running and enabled
service
:
name=samba-ad-dc state=running enabled=yes
tags
:
-
ad-server
-
service
-
meta
:
flush_handlers
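Review bot: The registered fact `domain_provisioned` appears to gate only the `synchronize` task, while `ensure smb.conf is absent for provision` and the `samba-tool domain join` expect task inside the same `block` carry no condition; if that reading is right, every run deletes the live `/etc/samba/smb.conf` and re-attempts the domain join on an already-joined DC, which is exactly what the commented-out `# when: domain_provisioned.stat.exists == False` after the `tdbbackup` task seems to have been meant to prevent. The rendering has dropped indentation, so whether the final `when` belongs to the `synchronize` task or to the block itself cannot be confirmed from this view; if it is on the task, move it to the block as `when: not domain_provisioned.stat.exists` and drop the per-task copies. Separately, `apt: name=samba state=latest` upgrades the domain controller package on every play, which is rarely wanted for a DC; `state=present` is the safer default unless unattended upgrades are intended.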
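--- /dev/null
+++ b/ad-server-replication/templates/krb5.conf.j2
+[libdefaults]
+default_realm = {{ domain.upper() }}
+dns_lookup_realm = false
+dns_lookup_kdc = true
+forwardable = true
+[domain_realm]
+.{{ domain }} = {{ domain.upper() }}
+{{ domain }} = {{ domain.upper() }}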
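Review bot: `default_realm = {{ domain.upper() }}` derives the Kerberos realm from `domain`, while `smb.conf.j2` in the same commit sets `realm = {{ REALM }}` from a separate variable; if the two ever diverge, the KDC realm served by Samba and the realm this client config expects will not match and authentication against the DC fails. Use a single source for both, either `default_realm = {{ REALM }}` here or `realm = {{ domain.upper() }}` in `smb.conf.j2`. The role's defaults/vars are not part of this commit, so whether `REALM` is already defined as `domain.upper()` cannot be checked from here.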
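--- /dev/null
+++ b/ad-server-replication/templates/smb.conf.j2
+# Global parameters
+[global]
+workgroup = {{ smb_domain }}
+realm = {{ REALM }}
+netbios name = {{ ansible_hostname }}
+server role = active directory domain controller
+idmap_ldb:use rfc2307 = yes
+idmap config uid : range = 10000-20000
+idmap config gid : range = 10000-20000
+template shell = /bin/bash
+template homedir = /home/%U
+registry shares = no
+username map = /etc/samba/usermap.map
+kdc:service ticket lifetime = {{ service_ticket_lifetime }}
+kdc:user ticket lifetime = {{ user_ticket_lifetime }}
+kdc:renewal lifetime = {{ renewal_lifetime }}
+tls enabled = yes
+tls cafile = /etc/ssl/certs/rwth_chain.pem
+tls keyfile = {{smb_tls_key}}
+tls certfile = {{smb_tls_cert}}
+[netlogon]
+path = /var/lib/samba/sysvol/{{ domain }}/scripts
+read only = No
+[sysvol]
+path = /var/lib/samba/sysvol
+read only = No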
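Review bot: `tls cafile = /etc/ssl/certs/rwth_chain.pem` is hard-coded while the key and certificate come from `smb_tls_key`/`smb_tls_cert`, so the CA chain is the one TLS input that cannot be overridden per host and is easy to miss when the chain file is rotated; make it a variable beside the other two, e.g. `tls cafile = {{ smb_tls_ca }}` (variable name constructed to match the existing pair; define it in the role's defaults). The `idmap config uid : range` and `idmap config gid : range` lines look doubtful, since Samba's form is `idmap config DOMAIN : OPTION = VALUE` and `uid`/`gid` would be read as domain names rather than as separate id ranges; worth confirming with `testparm` before this template is deployed. Minor: `{{smb_tls_key}}` and `{{smb_tls_cert}}` omit the `{{ ... }}` spacing used everywhere else in the template.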