Commit 2f6ece5e authored by Hinrikus Wolf's avatar Hinrikus Wolf

add ad-server to ansible

parent 4afd54d5
---
# file: roles/ad-auth/handlers/main.yml
- name: restart samba-ad-dc server
service: name=samba-ad-dc state=restarted
---
# file: roles/ad-server/tasks/main.yml
- name: ensure ad-server is installed
apt: name=samba state=latest
tags:
- packages
- ad-server
- name: ensure winbind is for some reasons installed
apt: name=samba state=latest
tags:
- packages
- ad-server
- name: figure out if domain is provisioned
stat: path=/var/lib/samba/sysvol/{{ domain }}
register: domain_provisioned
tags:
- ad-server
- domain-provision
- name: ensure smb.conf is absent for provision
file: path=/etc/samba/smb.conf state=absent
when: domain_provisioned.stat.exists == False
tags:
- ad-server
- domain-provision
- name: get admin password for SAMBA
local_action: pass name="samba-admin" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
register: adminpass
when: domain_provisioned.stat.exists == False
tags:
- ad-server
- domain-provision
- password
# provision smb-domain. passwords will be selected at random and safed to /root/smb-provision.log)
# TODO: Evaluate if internal DNS-backend is powerful enough for usecase otherwise bind9 is needed
- name: ensure domain is provisioned
shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=SAMBA_INTERNAL --adminpass={{ adminpass.password }} 2> /root/smb-provision.log
when: domain_provisioned.stat.exists == False
tags:
- ad-server
- domain-provision
- name: ensure smb.conf is correct
template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
notify: restart samba-ad-dc server
tags:
- ad-server
- config
- name: ensure smbd is stopped and disabled
service: name=smbd state=stopped enabled=no
tags:
- ad-server
- service
- name: ensure nmbd is stopped and disabled
service: name=nmbd state=stopped enabled=no
tags:
- ad-server
- service
#- name: ensure samba-ad-dc unit is running, enabled and not masked
# systemd: name=samba-ad-dc masked=no state=running enabled=yes
- debug:
msg: "Ensure samba-ad-dc unit is not masked. This functionality will come in ansible 2.2, you should refactor this role"
- name: ensure samba-ad-dc is running and enabled
service: name=samba-ad-dc state=running enabled=yes
tags:
- ad-server
- service
- meta: flush_handlers
# Global parameters
[global]
workgroup = {{ smb_domain }}
realm = {{ REALM }}
netbios name = {{ ansible_hostname }}
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
idmap config uid : range = 10000-20000
idmap config gid : range = 10000-20000
template shell = /bin/bash
template homedir = /home/%U
registry shares = no
dns forwarder = {{ dns_forward }}
username map = /etc/samba/usermap.map
[netlogon]
path = /var/lib/samba/sysvol/{{ domain }}/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment