add ad-server to ansible

2f6ece5e · Hinrikus Wolf · 4afd54d5 · 2f6ece5e · 2f6ece5e · 2f6ece5e
Commit 2f6ece5e authored 8 years ago by Hinrikus Wolf
--- a/ad-server/handlers/main.yml
+++ b/ad-server/handlers/main.yml
+---
+# file: roles/ad-auth/handlers/main.yml
+
+- name: restart samba-ad-dc server
+  service: name=samba-ad-dc state=restarted
+
--- a/ad-server/tasks/main.yml
+++ b/ad-server/tasks/main.yml
+---
+# file: roles/ad-server/tasks/main.yml
+
+- name: ensure ad-server is installed
+  apt: name=samba state=latest
+  tags: 
+    - packages
+    - ad-server
+
+- name: ensure winbind is for some reasons installed
+  apt: name=samba state=latest
+  tags: 
+    - packages
+    - ad-server
+
+- name: figure out if domain is provisioned
+  stat: path=/var/lib/samba/sysvol/{{ domain }}
+  register: domain_provisioned
+  tags: 
+    - ad-server
+    - domain-provision
+
+
+- name: ensure smb.conf is absent for provision
+  file: path=/etc/samba/smb.conf state=absent
+  when: domain_provisioned.stat.exists == False
+  tags: 
+    - ad-server
+    - domain-provision
+
+- name: get admin password for SAMBA
+  local_action: pass name="samba-admin" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
+  register: adminpass
+  when: domain_provisioned.stat.exists == False
+  tags:
+    - ad-server
+    - domain-provision
+    - password
+
+
+# provision smb-domain. passwords will be selected at random and safed to /root/smb-provision.log)
+# TODO: Evaluate if internal DNS-backend is powerful enough for usecase otherwise bind9 is needed
+
+- name: ensure domain is provisioned
+  shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=SAMBA_INTERNAL --adminpass={{ adminpass.password }}  2> /root/smb-provision.log
+  when: domain_provisioned.stat.exists == False
+  tags: 
+    - ad-server
+    - domain-provision
+
+- name: ensure smb.conf is correct
+  template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
+  notify: restart samba-ad-dc server
+  tags: 
+    - ad-server
+    - config
+
+- name: ensure smbd is stopped and disabled
+  service: name=smbd state=stopped enabled=no
+  tags: 
+    - ad-server
+    - service
+
+- name: ensure nmbd is stopped and disabled
+  service: name=nmbd state=stopped enabled=no
+  tags: 
+    - ad-server
+    - service
+
+#- name: ensure samba-ad-dc unit is running, enabled and not masked
+# systemd: name=samba-ad-dc masked=no state=running enabled=yes
+- debug:
+    msg: "Ensure samba-ad-dc unit is not masked.  This functionality will come in ansible 2.2, you should refactor this role"  
+
+- name: ensure samba-ad-dc is running and enabled
+  service: name=samba-ad-dc state=running enabled=yes
+  tags: 
+    - ad-server
+    - service
+
+
+- meta: flush_handlers
--- a/ad-server/templates/smb.conf.j2
+++ b/ad-server/templates/smb.conf.j2
+
+# Global parameters
+[global]
+        workgroup = {{ smb_domain }}
+        realm = {{ REALM }}
+        netbios name = {{ ansible_hostname }}
+        server role = active directory domain controller
+        idmap_ldb:use rfc2307 = yes
+        idmap config uid : range = 10000-20000
+        idmap config gid : range = 10000-20000
+        template shell = /bin/bash
+        template homedir = /home/%U
+        registry shares = no
+	dns forwarder = {{ dns_forward }} 
+
+        username map = /etc/samba/usermap.map
+
+[netlogon]
+        path = /var/lib/samba/sysvol/{{ domain }}/scripts
+        read only = No
+
+[sysvol]
+        path = /var/lib/samba/sysvol
+        read only = No
+
+