From 5181ddaa00e39fb10d821f844756505eff24732d Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 11 Mar 2018 18:14:51 -0500
Subject: [PATCH] domain-controller: Configure local AD authentication

Samba AD DCs are now configured to use Active Directory for local authentication as well, using the Winbind implementation in the Samba daemon.
---
 domain-controller.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/domain-controller.yml b/domain-controller.yml
index 5e05f55..7e23bec 100644
--- a/domain-controller.yml
+++ b/domain-controller.yml
@@ -4,3 +4,17 @@
 include_vars: '{{ item }}'
 with_fileglob: vault/samba-dc/{{ krb5_realm }}
 - import_playbook: samba-dc.yml
+- hosts: samba-dc
+ roles:
+ - nsswitch
+ - system-auth
+ - sudo
+ tasks:
+ - name: ensure domain admins can use sudo
+ copy:
+ content: |
+ %domain\ admins ALL=(ALL) ALL
+ %{{ workgroup }}\\domain\ admins ALL=(ALL) ALL
+ dest: /etc/sudoers.d/10_domain-admins
+ mode: '0440'
+ validate: visudo -cf %s
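Review bot: The first rule written to `/etc/sudoers.d/10_domain-admins`, `%domain\ admins ALL=(ALL) ALL`, matches the group by bare name, so full root goes to whichever NSS source answers for a group called "domain admins", not only to the `{{ workgroup }}` domain's group. If the unqualified form is only there for hosts where winbind drops the domain prefix, say so in a comment above the task; otherwise keep just the qualified line `%{{ workgroup }}\\domain\ admins ALL=(ALL) ALL`. The `copy` task also relies on defaults for ownership, and adding `owner: root` and `group: root` beside `mode: '0440'` would make the file's trust properties explicit. The `nsswitch` and `system-auth` roles are not visible in this hunk, so it is worth confirming that they restrict which domain accounts may open a session on the domain controllers, because this play itself only controls who may use sudo.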