Commit
8e070350
authored
Dec 13, 2018
by
Lars Beckers
lint yaml files
parent
74b4658d
Changes
19
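--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,17 @@
+---
+extends: default
+rules:
+  comments-indentation:
+    level: warning
+  document-start:
+    level: error
+  empty-lines:
+    max: 1
+  empty-values:
+    forbid-in-flow-mappings: true
+    forbid-in-block-mappings: true
+  line-length:
+    level: warning
+  octal-values:
+    forbid-implicit-octal: true
+    level: warning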
ad-auth/tasks/kerberos.yml
...
@@ -2,14 +2,18 @@
...
@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/kerberos.yml
# file: roles/ad-auth/tasks/kerberos.yml
-
name
:
ensure kerberos is installed
-
name
:
ensure kerberos is installed
apt
:
name=krb5-user state=present
apt
:
name
:
krb5-user
state
:
present
tags
:
tags
:
-
kerberos
-
kerberos
-
packages
-
name
:
ensure kerberos is configured
-
name
:
ensure kerberos is configured
template
:
src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
template
:
src
:
krb5.conf.j2
dest
:
/etc/krb5.conf
owner
:
root
group
:
root
mode
:
'
0644'
tags
:
tags
:
-
kerberos
-
kerberos
-
config
ad-auth/tasks/ldap.yml
...
@@ -2,14 +2,18 @@
...
@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/ldap.yml
# file: roles/ad-auth/tasks/ldap.yml
-
name
:
ensure ldap-utils is installed
-
name
:
ensure ldap-utils is installed
apt
:
name=ldap-utils state=present
apt
:
name
:
ldap-utils
state
:
present
tags
:
tags
:
-
ldap
-
ldap
-
packages
-
name
:
ensure proper global ldap configuration
-
name
:
ensure proper global ldap configuration
template
:
src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644
template
:
src
:
ldap.conf.j2
dest
:
/etc/ldap/ldap.conf
owner
:
root
group
:
root
mode
:
'
0644'
tags
:
tags
:
-
ldap
-
ldap
-
config
ad-auth/tasks/main.yml
...
@@ -18,8 +18,10 @@
...
@@ -18,8 +18,10 @@
-
meta
:
flush_handlers
-
meta
:
flush_handlers
-
name
:
ensure there is no local users group
-
name
:
ensure there is no local users group
lineinfile
:
path=/etc/group state=absent regexp="^users:"
lineinfile
:
path
:
/etc/group
state
:
absent
regexp
:
"
^users:"
tags
:
tags
:
-
groups
-
groups
-
config
-
ad-auth
-
ad-auth
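Review bot: The converted `ensure there is no local users group` task still removes the group by editing `/etc/group` directly (`path: /etc/group` with `regexp: "^users:"`), without `backup: true`; that bypasses the group-database locking the system tools use and, presumably, leaves any matching `/etc/gshadow` entry behind. The `group` module does the same job through the distribution tooling: `group:` / `name: users` / `state: absent`. If the raw edit is deliberate (for example because the group must disappear even while referenced), a one-line comment above the task saying so would stop the next reader from "fixing" it.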
ad-auth/tasks/pam.yml
...
@@ -2,9 +2,13 @@
...
@@ -2,9 +2,13 @@
# file: roles/ad-auth/tasks/pam.yml
# file: roles/ad-auth/tasks/pam.yml
-
name
:
ensure pam applies a general umask
-
name
:
ensure pam applies a general umask
copy
:
src=pam/umask dest=/usr/share/pam-configs/umask owner=root group=root mode=0644
copy
:
src
:
pam/umask
dest
:
/usr/share/pam-configs/umask
owner
:
root
group
:
root
mode
:
'
0644'
notify
:
notify
:
-
regenerate pam config
-
regenerate pam config
tags
:
tags
:
-
pam
-
pam
-
config
ad-auth/tasks/sssd.yml
...
@@ -9,41 +9,60 @@
...
@@ -9,41 +9,60 @@
-
libnss-sss
-
libnss-sss
-
sssd-tools
-
sssd-tools
-
realmd
-
realmd
-
policykit-1
# this is required for realm to discover realms...
# yamllint disable rule:line-length
-
adcli
# this is required for realm to join realms...
-
policykit-1
# this is required for realm to discover realms...
-
packagekit
# this is required for realm to i don't know and don't even care anymore...
-
adcli
# this is required for realm to join realms...
-
packagekit
# this is required for realm to i don't know and don't even care anymore...
# yamllint enable rule:line-length
-
cracklib-runtime
-
cracklib-runtime
state
:
present
state
:
present
install_recommends
:
no
install_recommends
:
false
notify
:
notify
:
-
clear sssd cache
-
clear sssd cache
tags
:
tags
:
-
sssd
-
sssd
-
packages
-
name
:
check if our realm is configured
-
name
:
check if our realm is configured
shell
:
realm list | grep "{{ domain }}"
shell
:
realm list | grep "{{ domain }}"
register
:
current_realms
register
:
current_realms
changed_when
:
"
current_realms.rc
!=
0"
changed_when
:
"
current_realms.rc
!=
0"
failed_when
:
"
current_realms.rc
!=
0
and
current_realms.rc
!=
1"
failed_when
:
"
current_realms.rc
!=
0
and
current_realms.rc
!=
1"
tags
:
-
sssd
-
block
:
-
block
:
-
name
:
discover our realm
-
name
:
discover our realm
command
:
realm discover -v "{{ domain }}"
command
:
realm discover -v "{{ domain }}"
tags
:
-
sssd
-
name
:
get a kerberos ticket
-
name
:
get a kerberos ticket
# yamllint disable-line rule:line-length
shell
:
echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
shell
:
echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
when
:
debian_version == "jessie"
when
:
debian_version == "jessie"
no_log
:
True
no_log
:
true
tags
:
-
sssd
-
name
:
ensure pexpect is installed
-
name
:
ensure pexpect is installed
apt
:
name=python-pexpect state=present
apt
:
name
:
python-pexpect
state
:
present
when
:
debian_version == "stretch"
when
:
debian_version == "stretch"
tags
:
-
sssd
-
name
:
get a kerberos ticket
-
name
:
get a kerberos ticket
expect
:
expect
:
command
:
kinit Administrator
command
:
kinit Administrator
responses
:
responses
:
# yamllint disable-line rule:line-length
"
Passwor(d|t)
for
Administrator.*"
:
"
{{
lookup('passwordstore',
ad_admin_password)
}}"
"
Passwor(d|t)
for
Administrator.*"
:
"
{{
lookup('passwordstore',
ad_admin_password)
}}"
when
:
debian_version == "stretch"
when
:
debian_version == "stretch"
no_log
:
True
no_log
:
true
tags
:
-
sssd
-
name
:
leave any other realm
-
name
:
leave any other realm
command
:
realm leave
command
:
realm leave
register
:
result
register
:
result
...
@@ -51,38 +70,50 @@
...
@@ -51,38 +70,50 @@
retries
:
9001
retries
:
9001
delay
:
0
delay
:
0
failed_when
:
"
result.rc
!=
0
and
result.rc
!=
1"
failed_when
:
"
result.rc
!=
0
and
result.rc
!=
1"
tags
:
-
sssd
-
name
:
join our realm
-
name
:
join our realm
command
:
realm join -v "{{ domain }}"
command
:
realm join -v "{{ domain }}"
notify
:
notify
:
-
clear sssd cache
-
clear sssd cache
-
restart sssd
-
restart sssd
tags
:
-
sssd
-
name
:
destroy kerberos ticket
-
name
:
destroy kerberos ticket
command
:
kdestroy
command
:
kdestroy
tags
:
-
sssd
when
:
"
current_realms.rc
!=
0"
when
:
"
current_realms.rc
!=
0"
-
name
:
ensure sssd is configured
-
name
:
ensure sssd is configured
template
:
src=sssd.conf.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
template
:
src
:
sssd.conf.j2
dest
:
/etc/sssd/sssd.conf
owner
:
root
group
:
root
mode
:
'
0600'
notify
:
notify
:
-
restart sssd
-
restart sssd
-
clear sssd cache
-
clear sssd cache
tags
:
tags
:
-
sssd
-
sssd
-
config
-
name
:
ensure sssd is enabled and running
-
name
:
ensure sssd is enabled and running
service
:
name=sssd state=started enabled=yes
service
:
name
:
sssd
state
:
started
enabled
:
true
tags
:
tags
:
-
sssd
-
sssd
-
service
-
name
:
ensure we have a cronjob which renews krb credenitials once a day
-
name
:
ensure we have a cronjob which renews krb credenitials once a day
template
:
template
:
src
:
templates/renew_krb5.j2
src
:
templates/renew_krb5.j2
dest
:
/etc/cron.daily/renew_krb5
dest
:
/etc/cron.daily/renew_krb5
mode
:
0755
mode
:
'
0755
'
owner
:
root
owner
:
root
group
:
root
group
:
root
tags
:
tags
:
-
sssd
-
sssd
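Review bot: In the jessie variant of `get a kerberos ticket`, `shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator` renders the Administrator password into the argument list of the `sh -c` process on the managed host, where it is readable through the process list by any local user for as long as the pipeline runs; the `no_log: true` the commit normalises only keeps it out of Ansible's own output. The stretch variant a few lines further down already uses the `expect` module and hands the password over through `responses`, which avoids that exposure. Using the `expect` form for jessie as well (the preceding `ensure pexpect is installed` task would need its `when` widened), or dropping the jessie branch if it is no longer deployed, would close the gap. The surrounding `block` starts before this hunk.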
ad-auth/tasks/sudo.yml
...
@@ -2,10 +2,13 @@
...
@@ -2,10 +2,13 @@
# file: roles/ad-auth/tasks/sudo.yml
# file: roles/ad-auth/tasks/sudo.yml
-
name
:
ensure users of group admin are in the sudoers
-
name
:
ensure users of group admin are in the sudoers
template
:
src=sudo.j2 dest=/etc/sudoers.d/admin owner=root group=root mode=0440
template
:
src
:
sudo.j2
dest
:
/etc/sudoers.d/admin
owner
:
root
group
:
root
mode
:
'
0440'
notify
:
notify
:
-
check sudo config
-
check sudo config
tags
:
tags
:
-
sudo
-
sudo
-
config
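Review bot: The `template` task that writes `/etc/sudoers.d/admin` still has no `validate` argument, so a rendering mistake in `sudo.j2` is installed first and only caught by the `check sudo config` handler at the end of the play, by which point a malformed fragment typically makes sudo refuse every invocation on the host. Adding `validate: 'visudo -cf %s'` under `template:` makes Ansible reject the rendered file before it replaces the live one; the handler can stay as a second check. The quoted `mode: '0440'` is the right fix for the implicit-octal warning.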
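--- /dev/null
+++ b/ad-server-replication/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+ad_admin_password: samba-admin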
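Review bot: `ad_admin_password` is the name of a passwordstore entry, not the Administrator password itself — ad-auth/tasks/sssd.yml and ad-server-replication/tasks/main.yml pass it to `lookup('passwordstore', ad_admin_password)` — but the variable name says otherwise and the new defaults file carries no comment. Someone overriding it in inventory may well paste the real secret into a committed vars file. A one-line comment above the key, `# pass(1) entry name resolved via lookup('passwordstore', ...); never the password itself`, would make the contract explicit; the same applies to the identical ad-server/defaults/main.yml added in this commit.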
ad-server-replication/handlers/main.yml
...
@@ -3,4 +3,3 @@
...
@@ -3,4 +3,3 @@
-
name
:
restart samba-ad-dc server
-
name
:
restart samba-ad-dc server
service
:
name=samba-ad-dc state=restarted
service
:
name=samba-ad-dc state=restarted
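Review bot: The `restart samba-ad-dc server` handler keeps its module arguments in `key=value` form, `service: name=samba-ad-dc state=restarted`, while the rest of the commit migrates tasks to block-style arguments; the same line is left unchanged in ad-server/handlers/main.yml. For consistency with the task files it would read `service:` / `name: samba-ad-dc` / `state: restarted`.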
ad-server-replication/tasks/kerberos.yml
...
@@ -2,14 +2,18 @@
...
@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/kerberos.yml
# file: roles/ad-auth/tasks/kerberos.yml
-
name
:
ensure kerberos is installed
-
name
:
ensure kerberos is installed
apt
:
name=krb5-user state=present
apt
:
name
:
krb5-user
state
:
present
tags
:
tags
:
-
kerberos
-
kerberos
-
packages
-
name
:
ensure kerberos is configured
-
name
:
ensure kerberos is configured
template
:
src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
template
:
src
:
krb5.conf.j2
dest
:
/etc/krb5.conf
owner
:
root
group
:
root
mode
:
'
0644'
tags
:
tags
:
-
kerberos
-
kerberos
-
config
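Review bot: The header comment on the first line of this hunk, `# file: roles/ad-auth/tasks/kerberos.yml`, names a different role than the file it sits in (ad-server-replication/tasks/kerberos.yml); it looks copied from the ad-auth role. Since the commit rewrites the file anyway, `# file: roles/ad-server-replication/tasks/kerberos.yml` would stop the two near-identical task files from being confused in grep output.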
ad-server-replication/tasks/main.yml
...
@@ -4,109 +4,114 @@
...
@@ -4,109 +4,114 @@
-
import_tasks
:
kerberos.yml
-
import_tasks
:
kerberos.yml
-
name
:
ensure ad-server is installed
-
name
:
ensure ad-server is installed
apt
:
name=samba state=latest
apt
:
tags
:
name
:
samba
-
packages
state
:
present
tags
:
-
ad-server
-
ad-server
#- name: ensure winbind is for some reasons installed
# apt: name=winbind state=latest
# tags:
# - packages
# - ad-server
-
name
:
figure out if domain is provisioned
-
name
:
figure out if domain is provisioned
stat
:
path=/var/lib/samba/sysvol/{{ domain }}
stat
:
path
:
"
/var/lib/samba/sysvol/{{
domain
}}"
register
:
domain_provisioned
register
:
domain_provisioned
tags
:
tags
:
-
ad-server
-
ad-server
-
domain-provision
-
domain-provision
-
block
:
-
block
:
-
name
:
ensure smb.conf is absent for provision
-
name
:
ensure smb.conf is absent for provision
file
:
path=/etc/samba/smb.conf state=absent
file
:
tags
:
path
:
/etc/samba/smb.conf
-
ad-server
state
:
absent
-
domain-provision
tags
:
-
ad-server
-
name
:
ensure pexpect is installed
-
domain-provision
apt
:
name=python-pexpect state=present
tags
:
-
name
:
ensure pexpect is installed
-
ad-server
apt
:
-
domain-provision
name
:
python-pexpect
when
:
debian_version == "stretch"
state
:
present
tags
:
-
name
:
ensure domain is provisioned
-
ad-server
expect
:
-
domain-provision
shell
:
samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option='idmap_ldb:use rfc2307=yes' 2> /root/provision.log
when
:
debian_version == "stretch"
responses
:
"
Password
for.*"
:
"
{{
lookup('passwordstore',
'samba-admin')
}}"
-
name
:
ensure domain is provisioned
no_log
:
True
expect
:
tags
:
# yamllint disable-line rule:line-length
-
ad-server
shell
:
samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option="idmap_ldb:use rfc2307=yes" 2> /root/provision.log
-
domain-provision
responses
:
"
Password
for.*"
:
"
{{
lookup('passwordstore',
ad_admin_password)
}}"
-
name
:
ensure the idmap library is exported
no_log
:
true
shell
:
tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
tags
:
delegate_to
:
"
{{
ad_primary
}}"
-
ad-server
tags
:
-
domain-provision
-
ad-server
-
domain-provision
-
name
:
ensure the idmap library is exported
# when: domain_provisioned.stat.exists == False
shell
:
tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
delegate_to
:
"
{{
ad_primary
}}"
-
name
:
ensure the idmap library is copied to secondary
tags
:
synchronize
:
-
ad-server
src
:
/var/lib/samba/private/idmap.ldb.bak
-
domain-provision
dest
:
/var/lib/samba/private/idmap.ldb
delegate_to
:
"
{{
ad_primary
}}"
-
name
:
ensure the idmap library is copied to secondary
tags
:
synchronize
:
-
ad-server
src
:
/var/lib/samba/private/idmap.ldb.bak
-
domain-provision
dest
:
/var/lib/samba/private/idmap.ldb
delegate_to
:
"
{{
ad_primary
}}"
tags
:
-
ad-server
-
domain-provision
when
:
domain_provisioned.stat.exists == False
when
:
domain_provisioned.stat.exists == False
#- name: ensure the id library is rted to secondary
# shell: samba-tool ntacl sysvolreset
# tags:
# - ad-server
# - domain-provision
# #when: domain_provisioned.stat.exists == False
-
name
:
ensure smb.conf is correct
-
name
:
ensure smb.conf is correct
template
:
src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
template
:
src
:
smb.conf.j2
dest
:
/etc/samba/smb.conf
owner
:
root
group
:
root
mode
:
'
0644'
notify
:
restart samba-ad-dc server
notify
:
restart samba-ad-dc server
tags
:
tags
:
-
ad-server
-
ad-server
-
config
-
name
:
ensure smbd is stopped and disabled
-
name
:
ensure smbd is stopped and disabled
service
:
name=smbd state=stopped enabled=no
service
:
tags
:
name
:
smbd
state
:
stopped
enabled
:
false
tags
:
-
ad-server
-
ad-server
-
service
-
name
:
ensure nmbd is stopped and disabled
-
name
:
ensure nmbd is stopped and disabled
service
:
name=nmbd state=stopped enabled=no
service
:
tags
:
name
:
nmbd
state
:
stopped
enabled
:
false
tags
:
-
ad-server
-
ad-server
-
service
-
name
:
ensure samba-ad-dc unit is running, enabled and not masked
-
name
:
ensure samba-ad-dc unit is running, enabled and not masked
systemd
:
name=samba-ad-dc masked=no
systemd
:
tags
:
name
:
samba-ad-dc
masked
:
false
state
:
started
enabled
:
true
tags
:
-
ad-server
-
ad-server
-
service
-
name
:
ensure samba-ad-dc is running and enabled
-
name
:
ensure samba-ad-dc is running and enabled
service
:
name=samba-ad-dc state=started enabled=yes
service
:
tags
:
name
:
samba-ad-dc
state
:
started
enabled
:
true
tags
:
-
ad-server
-
ad-server
-
service
-
name
:
ensure we have a replication cronjob for sysvol
-
name
:
ensure we have a replication cronjob for sysvol
template
:
src=templates/replication-cron dest=/etc/cron.d/samba-replication-cron
template
:
src
:
replication-cron
dest
:
/etc/cron.d/samba-replication-cron
delegate_to
:
"
{{
ad_primary
}}"
delegate_to
:
"
{{
ad_primary
}}"
tags
:
tags
:
-
ad-server
-
ad-server
...
...
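Review bot: The `ensure ad-server is installed` task changes `state=latest` to `state: present` and drops the `- packages` tag while being converted to block style, which is a behaviour change in a commit titled "lint yaml files": samba is no longer upgraded on each run, and `--tags packages` no longer selects the task; the samba and winbind tasks in ad-server/tasks/main.yml are changed the same way. If that is intended it deserves its own commit or at least a mention in the message; otherwise keep `state: latest` and the `- packages` entry. Separately, the block condition `when: domain_provisioned.stat.exists == False` compares against a Python literal; `when: not domain_provisioned.stat.exists` is the idiomatic form.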
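--- /dev/null
+++ b/ad-server/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+ad_admin_password: samba-admin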
ad-server/handlers/main.yml
...
@@ -3,4 +3,3 @@
...
@@ -3,4 +3,3 @@
-
name
:
restart samba-ad-dc server
-
name
:
restart samba-ad-dc server
service
:
name=samba-ad-dc state=restarted
service
:
name=samba-ad-dc state=restarted
ad-server/tasks/main.yml
...
@@ -2,81 +2,88 @@
...
@@ -2,81 +2,88 @@
# file: roles/ad-server/tasks/main.yml
# file: roles/ad-server/tasks/main.yml
-
name
:
ensure ad-server is installed
-
name
:
ensure ad-server is installed
apt
:
name=samba state=latest
apt
:
tags
:
name
:
samba
-
packages
state
:
present
tags
:
-
ad-server
-
ad-server
-
name
:
ensure winbind is for some reasons installed
-
name
:
ensure winbind is for some reasons installed
apt
:
name=winbind state=latest
apt
:
tags
:
name
:
winbind
-
packages
state
:
present
tags
:
-
ad-server
-
ad-server
-
name
:
figure out if domain is provisioned
-
name
:
figure out if domain is provisioned
stat
:
path=/var/lib/samba/sysvol/{{ domain }}
stat
:
path
:
"
/var/lib/samba/sysvol/{{
domain
}}"
register
:
domain_provisioned
register
:
domain_provisioned
tags
:
tags
:
-
ad-server
-
ad-server
-
domain-provision
-
domain-provision