samba-dc: Configure samba4 winbind

The *samba-dc* role now configures `winbindd` on domain controllers to
support identity mapping on the local machine. This will allow domain
users to log into the domain controller itself, e.g. via SSH.

The Fedora packaging of *samba4* still has some warts. Specifically, it
does not have a proper SELinux policy, so some work-arounds need to be
put into place in order for confined processes to communicate with
winbind.

group_vars/samba-dc.yml

@@ -0,0 +1,12 @@
+samba_use_winbind: false
+samba_server_role: active directory domain controller
+samba_options:
+- idmap_ldb:use rfc2307: 'yes'
+
+samba_shares:
+- name: sysvol
+  path: /var/lib/samba/sysvol
+  read_only: no
+- name: netlogon
+  path: /var/lib/samba/sysvol/{{ krb5_realm|lower }}/scripts
+  read_only: no

roles/samba-dc/defaults/main.yml

@@ -1,2 +1,4 @@
 samba_dc_use_rfc2307: true
 samba_is_first_dc: false
+workgroup: '{{ krb5_realm.split(".")[0] if krb5_realm is defined else "WORKGROUP" }}'
+winbind_template_homedir: /home/%U

roles/samba-dc/files/relabel-winbindd.conf

@@ -0,0 +1,12 @@
+# Fedora does not yet have a SELinux policy for the Samba AD DC process,
+# so it runs as unconfined_service_t. This causes all of its child
+# processes to run there as well, which prevents they create from being
+# labelled correctly. This is particularly problematic for winbindd, as
+# several outside processes need to communicate with it for identity
+# mapping, etc., so its socket absolutely must have the right label.
+#
+# To work around this problem, restorecon is run after samba starts up
+# to set the correct label on the winbindd socket directory.
+
+[Service]
+ExecStartPost=/usr/sbin/restorecon -RFv /run/samba/winbindd

roles/samba-dc/handlers/main.yml

@@ -1,3 +1,5 @@
+- name: reload systemd
+  command: systemctl daemon-reload
 - name: restore samba file contexts
   command: restorecon -RF /var/lib/samba/bind-dns
 - name: display generated admin password
@@ -5,3 +7,7 @@
     var=samba_dc_provision.admin_password
 - name: save firewalld configuration
   command: firewall-cmd --runtime-to-permanent
+- name: restart samba
+  service:
+    name=samba
+    state=restarted

roles/samba-dc/tasks/main.yml

@@ -36,6 +36,27 @@
   - restore samba file contexts
   - display generated admin password
 
+- name: ensure smb.conf is configured
+  template:
+    src=smb.conf.j2
+    dest=/etc/samba/smb.conf
+    mode=0644
+  notify: restart samba
+
+- name: ensure samba systemd unit extension directory exists
+  file:
+    path=/etc/systemd/system/samba.service.d
+    mode=0755
+    state=directory
+- name: ensure samba4/winbind selinux work-around is in place
+  copy:
+    src=relabel-winbindd.conf
+    dest=/etc/systemd/system/samba.service.d/relabel-winbindd.conf
+    mode=0644
+  notify:
+  - reload systemd
+  - restart samba
+
 - name: ensure samba starts at boot
   service:
     name=samba
@@ -57,3 +78,16 @@
   when: host_users_firewalld|d(true)|bool
   tags:
   - firewalld
+
+# Samba maintains a host keytab at /var/lib/samba/private/secrets.keytab,
+# however it uses HOST/<fqdn> instead of host/<fqdn> SPNs. mit-krb5 seems to
+# treat SPNs case-sensitively, breaking SSH GSSAPI authentication.
+#
+# It is likely that this keytab will become state, as domain controller account
+# keys may rotate. Hopefully, I will find a better way to manage this at some
+# point.
+- name: ensure host keytab exists
+  command: >-
+    samba-tool domain exportkeytab /etc/krb5.keytab
+    --principal=host/{{ ansible_fqdn }}}
+    creates=/etc/krb5.keytab

roles/samba-dc/templates/smb.conf.j2

@@ -0,0 +1,20 @@
+# Global parameters
+[global]
+	netbios name = {{ ansible_hostname|upper }}
+	realm = {{ krb5_realm }}
+	server role = active directory domain controller
+	workgroup = {{ workgroup }}
+{% if samba_is_first_dc and samba_dc_use_rfc2307 %}
+	idmap_ldb:use rfc2307 = yes
+{% endif %}
+
+	template homedir = {{ winbind_template_homedir }}
+	template shell = /bin/bash
+
+[netlogon]
+	path = /var/lib/samba/sysvol/{{ krb5_realm|lower }}/scripts
+	read only = No
+
+[sysvol]
+	path = /var/lib/samba/sysvol
+	read only = No

samba-dc.yml

@@ -2,3 +2,8 @@
   roles:
   - kerberos
   - samba-dc
+  tasks:
+  - name: set samba configuration facts
+    set_fact:
+      workgroup: '{{ workgroup }}'
+    tags: always