From 05c1849e2a8e7bc89483f7ba95903796b4007b2b Mon Sep 17 00:00:00 2001
From: Hinrikus Wolf <hinrikus@fsmpi.rwth-aachen.de>
Date: Wed, 7 Mar 2018 11:40:15 +0100
Subject: [PATCH] add role for ad-replication

---
 ad-server-replication/handlers/main.yml      |   6 +
 ad-server-replication/tasks/.main.yml.swo    | Bin 0 -> 12288 bytes
 ad-server-replication/tasks/kerberos.yml     |  15 +++
 ad-server-replication/tasks/main.yml         | 109 +++++++++++++++++++
 ad-server-replication/templates/krb5.conf.j2 |  10 ++
 ad-server-replication/templates/smb.conf.j2  |  35 ++++++
 6 files changed, 175 insertions(+)
 create mode 100644 ad-server-replication/handlers/main.yml
 create mode 100644 ad-server-replication/tasks/.main.yml.swo
 create mode 100644 ad-server-replication/tasks/kerberos.yml
 create mode 100644 ad-server-replication/tasks/main.yml
 create mode 100644 ad-server-replication/templates/krb5.conf.j2
 create mode 100644 ad-server-replication/templates/smb.conf.j2

diff --git a/ad-server-replication/handlers/main.yml b/ad-server-replication/handlers/main.yml
new file mode 100644
index 0000000..ac970bd
--- /dev/null
+++ b/ad-server-replication/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# file: roles/ad-auth/handlers/main.yml
+
+- name: restart samba-ad-dc server
+  service: name=samba-ad-dc state=restarted
+
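Review bot: The header comment `# file: roles/ad-auth/handlers/main.yml` names a different role than the file's actual path `ad-server-replication/handlers/main.yml`; the same stale path appears in tasks/kerberos.yml (`roles/ad-auth/tasks/kerberos.yml`) and tasks/main.yml (`roles/ad-server/tasks/main.yml`). Either correct the comments to the real paths or drop them, since as written they are misleading cross-references for anyone grepping the repository. The `key=value` argument form on `service:` is the legacy syntax; the block form `service:` / `name: samba-ad-dc` / `state: restarted` is the current Ansible convention and avoids YAML type surprises once values are quoted individually.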
diff --git a/ad-server-replication/tasks/.main.yml.swo b/ad-server-replication/tasks/.main.yml.swo
new file mode 100644
index 0000000000000000000000000000000000000000..443d7741c9d859f713df08c380b740a0daf9d041
GIT binary patch
literal 12288
zcmYc?2=nw+u+TGLU|?VnU|>*RJTIzFiI3q@DFZ`BW?oTdc4;w43Lh@WFHbEhE=erO
z%+JH8t`26PeraB&ep<19VoGjio_=Cpab{9Zs(x`sVo_>}Zc%<tYO#KCVs28ReqxGl
zacWUnYLRYHYC%qBGS~|JlEmWdV*T92%sjoy+#Gy1j>?UOz-R~{LV%aS*vJr^)s>YL
z6@-OC5mKY9(GVC7fzc2c4S~@R7!85Z5Eu=C(GVC7fngs4B?XKO^$ZLQOi-UP;-I0z
zqts{!jE2By2#kinXb6mkz-S1JhQMeDjE2By2#kinXb6mkzz__9#1saG`}_<H|M?;F
z|FHf)m_G#lGwS5g5Eu=C(GVC7fzc2c4S~@R7!85Z5Eu=C(GVC7fzc2c4FSv$007p`
BHo5=+

literal 0
HcmV?d00001
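Review bot: `ad-server-replication/tasks/.main.yml.swo` is a Vim swap file and should not be part of this commit; it is an editor artifact that can hold unsaved buffer contents rather than a source file, and it will only confuse future diffs. Remove it from the patch and add `*.swo` and `*.swp` to the repository's .gitignore so it cannot be re-added by accident.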

diff --git a/ad-server-replication/tasks/kerberos.yml b/ad-server-replication/tasks/kerberos.yml
new file mode 100644
index 0000000..1508279
--- /dev/null
+++ b/ad-server-replication/tasks/kerberos.yml
@@ -0,0 +1,15 @@
+---
+# file: roles/ad-auth/tasks/kerberos.yml
+
+- name: ensure kerberos is installed
+  apt: name=krb5-user state=installed
+  tags:
+    - kerberos
+    - packages
+
+- name: ensure kerberos is configured
+  template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
+  tags:
+    - kerberos
+    - config
+
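Review bot: `state=installed` on the `apt` task is a legacy alias of `present` that Ansible has deprecated, and newer releases are expected to reject it; use `apt: name=krb5-user state=present` (the same alias appears in the pexpect task in tasks/main.yml). If the template task is converted to block form, keep the mode quoted as `mode: "0644"` so the parser does not read it as an octal integer.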
diff --git a/ad-server-replication/tasks/main.yml b/ad-server-replication/tasks/main.yml
new file mode 100644
index 0000000..cdb352c
--- /dev/null
+++ b/ad-server-replication/tasks/main.yml
@@ -0,0 +1,109 @@
+---
+# file: roles/ad-server/tasks/main.yml
+
+- import_tasks: kerberos.yml
+
+- name: ensure ad-server is installed
+  apt: name=samba state=latest
+  tags: 
+    - packages
+    - ad-server
+
+    #- name: ensure winbind is for some reasons installed
+    #  apt: name=winbind state=latest
+    #  tags: 
+    #    - packages
+    #    - ad-server
+
+- name: figure out if domain is provisioned
+  stat: path=/var/lib/samba/sysvol/{{ domain }}
+  register: domain_provisioned
+  tags: 
+    - ad-server
+    - domain-provision
+
+
+- block:
+  - name: ensure smb.conf is absent for provision
+    file: path=/etc/samba/smb.conf state=absent
+    tags: 
+      - ad-server
+      - domain-provision
+  
+  - name: ensure pexpect is installed
+    apt: name=python-pexpect state=installed
+    tags: 
+      - ad-server
+      - domain-provision
+    when: debian_version == "stretch"
+  
+  - name: ensure domain is provisioned
+    expect:
+      shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option='idmap_ldb:use rfc2307=yes' 2> /root/provision.log
+      responses:
+        "Password for.*": "{{ lookup('passwordstore', 'samba-admin') }}"
+    no_log: True
+    tags: 
+      - ad-server
+      - domain-provision
+
+  - name: ensure the idmap library is exported
+    shell: tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
+    delegate_to: "{{ ad_primary }}"
+    tags: 
+      - ad-server
+      - domain-provision
+      #  when: domain_provisioned.stat.exists == False
+  
+  - name: ensure the idmap library is copied to secondary
+    synchronize: 
+      src: /var/lib/samba/private/idmap.ldb.bak
+      dest: /var/lib/samba/private/idmap.ldb
+    delegate_to: "{{ ad_primary }}"
+    tags: 
+      - ad-server
+      - domain-provision
+  
+  when: domain_provisioned.stat.exists == False
+
+
+#- name: ensure the id library is rted to secondary
+#  shell: samba-tool ntacl sysvolreset
+#  tags: 
+#    - ad-server
+#    - domain-provision
+#    #when: domain_provisioned.stat.exists == False
+
+- name: ensure smb.conf is correct
+  template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
+  notify: restart samba-ad-dc server
+  tags: 
+    - ad-server
+    - config
+
+- name: ensure smbd is stopped and disabled
+  service: name=smbd state=stopped enabled=no
+  tags: 
+    - ad-server
+    - service
+
+- name: ensure nmbd is stopped and disabled
+  service: name=nmbd state=stopped enabled=no
+  tags: 
+    - ad-server
+    - service
+
+- name: ensure samba-ad-dc unit is running, enabled and not masked
+  systemd: name=samba-ad-dc masked=no 
+  tags: 
+    - ad-server
+    - service
+
+- name: ensure samba-ad-dc is running and enabled
+  service: name=samba-ad-dc state=running enabled=yes
+  tags: 
+    - ad-server
+    - service
+
+
+- meta: flush_handlers
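Review bot: `state=running` in the "ensure samba-ad-dc is running and enabled" task is not among the `service` module's documented `state` choices (`started`, `stopped`, `restarted`, `reloaded`) and may be rejected as an invalid value; use `service: name=samba-ad-dc state=started enabled=yes`. The samba install task uses `state=latest`, which upgrades the domain controller's packages in place on every run; `state=present` keeps the role from performing unplanned upgrades. `python-pexpect` is only installed when `debian_version == "stretch"`, yet the `expect` task that follows needs pexpect on every host, so the join would presumably fail on other releases unless another role provides the library. The commented-out winbind and sysvolreset tasks and the stale `#  when:` line under the tdbbackup task are dead code and should be dropped rather than carried in the role.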
diff --git a/ad-server-replication/templates/krb5.conf.j2 b/ad-server-replication/templates/krb5.conf.j2
new file mode 100644
index 0000000..8644b56
--- /dev/null
+++ b/ad-server-replication/templates/krb5.conf.j2
@@ -0,0 +1,10 @@
+[libdefaults]
+default_realm = {{ domain.upper() }}
+dns_lookup_realm = false
+dns_lookup_kdc = true
+forwardable = true
+
+[domain_realm]
+.{{ domain }} = {{ domain.upper() }}
+{{ domain }} = {{ domain.upper() }}
+
diff --git a/ad-server-replication/templates/smb.conf.j2 b/ad-server-replication/templates/smb.conf.j2
new file mode 100644
index 0000000..3bd4725
--- /dev/null
+++ b/ad-server-replication/templates/smb.conf.j2
@@ -0,0 +1,35 @@
+
+# Global parameters
+[global]
+        workgroup = {{ smb_domain }}
+        realm = {{ REALM }}
+        netbios name = {{ ansible_hostname }}
+        server role = active directory domain controller
+        idmap_ldb:use rfc2307 = yes
+        idmap config uid : range = 10000-20000
+        idmap config gid : range = 10000-20000
+        template shell = /bin/bash
+        template homedir = /home/%U
+        registry shares = no
+
+        username map = /etc/samba/usermap.map
+
+        kdc:service ticket lifetime = {{ service_ticket_lifetime }}
+        kdc:user ticket lifetime = {{ user_ticket_lifetime }}
+        kdc:renewal lifetime = {{ renewal_lifetime }}
+
+        tls enabled = yes
+        tls cafile = /etc/ssl/certs/rwth_chain.pem
+        tls keyfile = {{smb_tls_key}}
+        tls certfile = {{smb_tls_cert}}
+
+
+[netlogon]
+        path = /var/lib/samba/sysvol/{{ domain }}/scripts
+        read only = No
+
+[sysvol]
+        path = /var/lib/samba/sysvol
+        read only = No
+
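Review bot: `realm = {{ REALM }}` takes the realm from a separate `REALM` variable while templates/krb5.conf.j2 derives it as `{{ domain.upper() }}`, so Samba and Kerberos can disagree if `REALM` is ever set differently; derive it once, e.g. `realm = {{ domain.upper() }}`, or use `REALM` in both templates. `tls cafile = /etc/ssl/certs/rwth_chain.pem` is hard-coded while the key and certificate come from variables; a variable such as `smb_tls_cafile` (name to be chosen) would keep the TLS settings together and portable. `username map = /etc/samba/usermap.map` references a file that nothing in this patch creates or templates, so presumably another role provides it; a comment stating where it comes from would help. `{{smb_tls_key}}` and `{{smb_tls_cert}}` should get the usual `{{ smb_tls_key }}` spacing to match the rest of the template.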
+
-- 
GitLab