add role for ad-replication

05c1849e · Hinrikus Wolf · 2b9e7f2d · 05c1849e · 05c1849e · 05c1849e
Commit 05c1849e authored Mar 07, 2018 by Hinrikus Wolf
6 changed files
--- a/ad-server-replication/handlers/main.yml
+++ b/ad-server-replication/handlers/main.yml
+---
+# file: roles/ad-auth/handlers/main.yml
+
+- name: restart samba-ad-dc server
+  service: name=samba-ad-dc state=restarted
+
--- a/ad-server-replication/tasks/.main.yml.swo
+++ b/ad-server-replication/tasks/.main.yml.swo
--- a/ad-server-replication/tasks/kerberos.yml
+++ b/ad-server-replication/tasks/kerberos.yml
+---
+# file: roles/ad-auth/tasks/kerberos.yml
+
+- name: ensure kerberos is installed
+  apt: name=krb5-user state=installed
+  tags:
+    - kerberos
+    - packages
+
+- name: ensure kerberos is configured
+  template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
+  tags:
+    - kerberos
+    - config
+
--- a/ad-server-replication/tasks/main.yml
+++ b/ad-server-replication/tasks/main.yml
+---
+# file: roles/ad-server/tasks/main.yml
+
+- import_tasks: kerberos.yml
+
+- name: ensure ad-server is installed
+  apt: name=samba state=latest
+  tags: 
+    - packages
+    - ad-server
+
+    #- name: ensure winbind is for some reasons installed
+    #  apt: name=winbind state=latest
+    #  tags: 
+    #    - packages
+    #    - ad-server
+
+- name: figure out if domain is provisioned
+  stat: path=/var/lib/samba/sysvol/{{ domain }}
+  register: domain_provisioned
+  tags: 
+    - ad-server
+    - domain-provision
+
+
+- block:
+  - name: ensure smb.conf is absent for provision
+    file: path=/etc/samba/smb.conf state=absent
+    tags: 
+      - ad-server
+      - domain-provision
+  
+  - name: ensure pexpect is installed
+    apt: name=python-pexpect state=installed
+    tags: 
+      - ad-server
+      - domain-provision
+    when: debian_version == "stretch"
+  
+  - name: ensure domain is provisioned
+    expect:
+      shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option='idmap_ldb:use rfc2307=yes' 2> /root/provision.log
+      responses:
+        "Password for.*": "{{ lookup('passwordstore', 'samba-admin') }}"
+    no_log: True
+    tags: 
+      - ad-server
+      - domain-provision
+
+  - name: ensure the idmap library is exported
+    shell: tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
+    delegate_to: "{{ ad_primary }}"
+    tags: 
+      - ad-server
+      - domain-provision
+      #  when: domain_provisioned.stat.exists == False
+  
+  - name: ensure the idmap library is copied to secondary
+    synchronize: 
+      src: /var/lib/samba/private/idmap.ldb.bak
+      dest: /var/lib/samba/private/idmap.ldb
+    delegate_to: "{{ ad_primary }}"
+    tags: 
+      - ad-server
+      - domain-provision
+  
+  when: domain_provisioned.stat.exists == False
+
+
+#- name: ensure the id library is rted to secondary
+#  shell: samba-tool ntacl sysvolreset
+#  tags: 
+#    - ad-server
+#    - domain-provision
+#    #when: domain_provisioned.stat.exists == False
+
+- name: ensure smb.conf is correct
+  template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
+  notify: restart samba-ad-dc server
+  tags: 
+    - ad-server
+    - config
+
+- name: ensure smbd is stopped and disabled
+  service: name=smbd state=stopped enabled=no
+  tags: 
+    - ad-server
+    - service
+
+- name: ensure nmbd is stopped and disabled
+  service: name=nmbd state=stopped enabled=no
+  tags: 
+    - ad-server
+    - service
+
+- name: ensure samba-ad-dc unit is running, enabled and not masked
+  systemd: name=samba-ad-dc masked=no 
+  tags: 
+    - ad-server
+    - service
+
+- name: ensure samba-ad-dc is running and enabled
+  service: name=samba-ad-dc state=running enabled=yes
+  tags: 
+    - ad-server
+    - service
+
+
+- meta: flush_handlers
--- a/ad-server-replication/templates/krb5.conf.j2
+++ b/ad-server-replication/templates/krb5.conf.j2
+[libdefaults]
+default_realm = {{ domain.upper() }}
+dns_lookup_realm = false
+dns_lookup_kdc = true
+forwardable = true
+
+[domain_realm]
+.{{ domain }} = {{ domain.upper() }}
+{{ domain }} = {{ domain.upper() }}
+
--- a/ad-server-replication/templates/smb.conf.j2
+++ b/ad-server-replication/templates/smb.conf.j2
+
+# Global parameters
+[global]
+        workgroup = {{ smb_domain }}
+        realm = {{ REALM }}
+        netbios name = {{ ansible_hostname }}
+        server role = active directory domain controller
+        idmap_ldb:use rfc2307 = yes
+        idmap config uid : range = 10000-20000
+        idmap config gid : range = 10000-20000
+        template shell = /bin/bash
+        template homedir = /home/%U
+        registry shares = no
+
+        username map = /etc/samba/usermap.map
+
+        kdc:service ticket lifetime = {{ service_ticket_lifetime }}
+        kdc:user ticket lifetime = {{ user_ticket_lifetime }}
+        kdc:renewal lifetime = {{ renewal_lifetime }}
+
+        tls enabled = yes
+        tls cafile = /etc/ssl/certs/rwth_chain.pem
+        tls keyfile = {{smb_tls_key}}
+        tls certfile = {{smb_tls_cert}}
+
+
+[netlogon]
+        path = /var/lib/samba/sysvol/{{ domain }}/scripts
+        read only = No
+
+[sysvol]
+        path = /var/lib/samba/sysvol
+        read only = No
+
+