From 5a91cb731a19bc0914447bba404cc5ae3601a6c2 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 11 Mar 2018 18:02:51 -0500
Subject: [PATCH] samba-dc: Configure samba4 winbind

The *samba-dc* role now configures `winbindd` on domain controllers to support identity mapping on the local machine. This will allow domain users to log into the domain controller itself, e.g. via SSH.

The Fedora packaging of *samba4* still has some warts. Specifically, it does not have a proper SELinux policy, so some work-arounds need to be put into place in order for confined processes to communicate with winbind.
---
 group_vars/samba-dc.yml | 12 ++++++++
 roles/samba-dc/defaults/main.yml | 2 ++
 roles/samba-dc/files/relabel-winbindd.conf | 12 ++++++++
 roles/samba-dc/handlers/main.yml | 6 ++++
 roles/samba-dc/tasks/main.yml | 34 ++++++++++++++++++++++
 roles/samba-dc/templates/smb.conf.j2 | 20 +++++++++++++
 samba-dc.yml | 5 ++++
 7 files changed, 91 insertions(+)
 create mode 100644 group_vars/samba-dc.yml
 create mode 100644 roles/samba-dc/files/relabel-winbindd.conf
 create mode 100644 roles/samba-dc/templates/smb.conf.j2

diff --git a/group_vars/samba-dc.yml b/group_vars/samba-dc.yml
new file mode 100644
index 0000000..608ffcf
--- /dev/null
+++ b/group_vars/samba-dc.yml
@@ -0,0 +1,12 @@
+samba_use_winbind: false
+samba_server_role: active directory domain controller
+samba_options:
+- idmap_ldb:use rfc2307: 'yes'
+
+samba_shares:
+- name: sysvol
+ path: /var/lib/samba/sysvol
+ read_only: no
+- name: netlogon
+ path: /var/lib/samba/sysvol/{{ krb5_realm|lower }}/scripts
+ read_only: no
diff --git a/roles/samba-dc/defaults/main.yml b/roles/samba-dc/defaults/main.yml
index 45f3335..e9e8295 100644
--- a/roles/samba-dc/defaults/main.yml
+++ b/roles/samba-dc/defaults/main.yml
@@ -1,2 +1,4 @@
 samba_dc_use_rfc2307: true
 samba_is_first_dc: false
+workgroup: '{{ krb5_realm.split(".")[0] if krb5_realm is defined else "WORKGROUP" }}'
+winbind_template_homedir: /home/%U
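Review bot: `read_only: no` on both entries under `samba_shares` relies on the YAML 1.1 spelling where `no` is loaded as a boolean, while the same file already quotes `'yes'` for the `idmap_ldb` option to keep it a string; the intent should be written as `read_only: false` so it does not depend on which loader reads the file. The `sysvol` and `netlogon` shares these vars describe are also hard-coded as `[sysvol]` and `[netlogon]` in `roles/samba-dc/templates/smb.conf.j2` in this same commit, so on a domain controller there appear to be two definitions of the same two shares. If `samba_shares` and `samba_options` feed a different role than `samba-dc`, a one-line comment naming that consumer at the top of the file would save the next reader the search.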
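Review bot: The `workgroup` default guards against `krb5_realm` being undefined, but the new `smb.conf.j2` expands `{{ krb5_realm }}` unconditionally, so the `"WORKGROUP"` fallback can only be reached on a run that then fails when the template renders; either drop the guard or make the template tolerate an undefined realm, whichever matches the intent. `workgroup` is also a very generic name for a role default, and role defaults have the lowest precedence in Ansible, so any `workgroup` set in inventory or group_vars silently replaces the derivation from the realm. Recording that above the line, `# lowest precedence: a 'workgroup' set in inventory overrides this derivation`, makes the behaviour discoverable.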
diff --git a/roles/samba-dc/files/relabel-winbindd.conf b/roles/samba-dc/files/relabel-winbindd.conf
new file mode 100644
index 0000000..bd7bba7
--- /dev/null
+++ b/roles/samba-dc/files/relabel-winbindd.conf
@@ -0,0 +1,12 @@
+# Fedora does not yet have a SELinux policy for the Samba AD DC process,
+# so it runs as unconfined_service_t. This causes all of its child
+# processes to run there as well, which prevents they create from being
+# labelled correctly. This is particularly problematic for winbindd, as
+# several outside processes need to communicate with it for identity
+# mapping, etc., so its socket absolutely must have the right label.
+#
+# To work around this problem, restorecon is run after samba starts up
+# to set the correct label on the winbindd socket directory.
+
+[Service]
+ExecStartPost=/usr/sbin/restorecon -RFv /run/samba/winbindd
diff --git a/roles/samba-dc/handlers/main.yml b/roles/samba-dc/handlers/main.yml
index 392c4a3..9454649 100644
--- a/roles/samba-dc/handlers/main.yml
+++ b/roles/samba-dc/handlers/main.yml
@@ -1,3 +1,5 @@
+- name: reload systemd
+ command: systemctl daemon-reload
 - name: restore samba file contexts
 command: restorecon -RF /var/lib/samba/bind-dns
 - name: display generated admin password
@@ -5,3 +7,7 @@
 var=samba_dc_provision.admin_password
 - name: save firewalld configuration
 command: firewall-cmd --runtime-to-permanent
+- name: restart samba
+ service:
+ name=samba
+ state=restarted
diff --git a/roles/samba-dc/tasks/main.yml b/roles/samba-dc/tasks/main.yml
index d97e2c5..495ee09 100644
--- a/roles/samba-dc/tasks/main.yml
+++ b/roles/samba-dc/tasks/main.yml
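Review bot: `ExecStartPost` runs once systemd considers the unit started, and whether `/run/samba/winbindd` already exists at that moment depends on the `Type=` of `samba.service` and on when the forked `winbindd` creates its socket directory, neither of which is visible here; if the directory appears later, `restorecon -RFv` runs against a path that does not exist yet and the label is never corrected. A comment recording which unit type this was verified against, or a post-start step that waits for the directory before relabelling, would make the assumption checkable. The header comment also drops a word: `which prevents they create from being labelled` should read `which prevents the files they create from being labelled`.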
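Review bot: The ordering the new handlers rely on is implicit: Ansible runs notified handlers in the order they are defined in the handlers file, not in notification order, so `reload systemd` being the first entry is what makes it run before `restart samba` (added in the second hunk of this file) when both are notified by the drop-in copy task in `tasks/main.yml`. That deserves a comment above the first handler, `# keep first: handlers run in definition order and daemon-reload must precede "restart samba"`, so a later reordering does not silently break it. For the reload itself, the `systemd` module with `daemon_reload` expresses the same thing without shelling out and does not report `changed` on every run the way `command` does.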
@@ -36,6 +36,27 @@
 - restore samba file contexts
 - display generated admin password
 
+- name: ensure smb.conf is configured
+ template:
+ src=smb.conf.j2
+ dest=/etc/samba/smb.conf
+ mode=0644
+ notify: restart samba
+
+- name: ensure samba systemd unit extension directory exists
+ file:
+ path=/etc/systemd/system/samba.service.d
+ mode=0755
+ state=directory
+- name: ensure samba4/winbind selinux work-around is in place
+ copy:
+ src=relabel-winbindd.conf
+ dest=/etc/systemd/system/samba.service.d/relabel-winbindd.conf
+ mode=0644
+ notify:
+ - reload systemd
+ - restart samba
+
 - name: ensure samba starts at boot
 service:
 name=samba
@@ -57,3 +78,16 @@
 when: host_users_firewalld|d(true)|bool
 tags:
 - firewalld
+
+# Samba maintains a host keytab at /var/lib/samba/private/secrets.keytab,
+# however it uses HOST/ instead of host/ SPNs. mit-krb5 seems to
+# treat SPNs case-sensitively, breaking SSH GSSAPI authentication.
+#
+# It is likely that this keytab will become state, as domain controller account
+# keys may rotate. Hopefully, I will find a better way to manage this at some
+# point.
+- name: ensure host keytab exists
+ command: >-
+ samba-tool domain exportkeytab /etc/krb5.keytab
+ --principal=host/{{ ansible_fqdn }}}
+ creates=/etc/krb5.keytab
diff --git a/roles/samba-dc/templates/smb.conf.j2 b/roles/samba-dc/templates/smb.conf.j2
new file mode 100644
index 0000000..b66941e
--- /dev/null
+++ b/roles/samba-dc/templates/smb.conf.j2
@@ -0,0 +1,20 @@
+# Global parameters
+[global]
+ netbios name = {{ ansible_hostname|upper }}
+ realm = {{ krb5_realm }}
+ server role = active directory domain controller
+ workgroup = {{ workgroup }}
+{% if samba_is_first_dc and samba_dc_use_rfc2307 %}
+ idmap_ldb:use rfc2307 = yes
+{% endif %}
+
+ template homedir = {{ winbind_template_homedir }}
+ template shell = /bin/bash
+
+[netlogon]
+ path = /var/lib/samba/sysvol/{{ krb5_realm|lower }}/scripts
+ read only = No
+
+[sysvol]
+ path = /var/lib/samba/sysvol
+ read only = No
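Review bot: The `ensure smb.conf is configured` task templates over `/etc/samba/smb.conf`, which on a domain controller is presumably the file the role's earlier provision step generated (the `display generated admin password` handler and `samba_dc_provision` fact point to one, outside this hunk); anything provision wrote that the template does not reproduce — a `dns forwarder` line is the usual example — is silently dropped on the first run, and nothing in the hunk shows that the rendered config is a superset of the provisioned one. A comment on the task naming which provision-generated settings were deliberately left out would let a reviewer check that. The `file` task for the drop-in directory has no `notify` while the `copy` task does; that is correct, since an empty drop-in directory changes nothing, but a short `# no notify: the directory alone has no effect until the drop-in is copied` would stop someone "fixing" it later.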
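Review bot: The principal in the new `ensure host keytab exists` task has an unbalanced brace: `--principal=host/{{ ansible_fqdn }}}` renders as `host/<fqdn>}` with a literal trailing `}`, so `samba-tool domain exportkeytab` is asked for a principal that does not exist and will either fail or, depending on how it handles a missing principal, write a keytab without the host key; it should be `--principal=host/{{ ansible_fqdn }}`. Because `creates=/etc/krb5.keytab` short-circuits the task once the file exists, a bad first export would also never be retried without manually removing the file. The task leaves the keytab's permissions to whatever `samba-tool` chooses; a following `file` task with `mode=0600` on `/etc/krb5.keytab` would make them explicit. The comment's `will become state` reads as a typo for `will become stale`.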
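Review bot: `template shell = /bin/bash` together with `template homedir = /home/%U` gives every domain user an interactive login shell on the domain controller, and nothing in this template or in the accompanying tasks limits which domain users may actually log in; since the commit message names SSH logins for domain users as the goal, the template should say where that restriction lives, e.g. `# login to the DC is restricted by sshd/pam configuration, not by samba` above `template shell`, once such a restriction exists. `netbios name = {{ ansible_hostname|upper }}` is also unguarded: NetBIOS names are limited to 15 characters, so a longer hostname produces a value samba will not accept as written. The rfc2307 option is only rendered when `samba_is_first_dc` is true, so additional DCs get a config that differs from the first one's; if that is intentional, a one-line comment saying why would prevent it being read as an oversight.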
diff --git a/samba-dc.yml b/samba-dc.yml
index 7446ec5..9edb768 100644
--- a/samba-dc.yml
+++ b/samba-dc.yml
@@ -2,3 +2,8 @@
 roles:
 - kerberos
 - samba-dc
+ tasks:
+ - name: set samba configuration facts
+ set_fact:
+ workgroup: '{{ workgroup }}'
+ tags: always
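Review bot: `set_fact: workgroup: '{{ workgroup }}'` reads as a no-op; the apparent purpose is to evaluate the role default from `roles/samba-dc/defaults/main.yml` once and store the result as a host fact so it survives beyond this play (`tags: always` points the same way), but that is inferred rather than stated anywhere in the hunk. A comment above the task, `# materialise the samba-dc role default as a host fact so later plays and roles see the same workgroup`, would record the intent. Note that `tasks:` run after `roles:` within a play, so the `samba-dc` role has already rendered `smb.conf` from the default by the time this fact is set; if another role in the same play needs the value earlier, this belongs in `pre_tasks:` instead.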