From cb7c36d65a7c3ffcb8ba89c87c316a5a5d1637ea Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 29 Jan 2018 13:35:26 -0600
Subject: [PATCH] roles/samba-dc: Support joining existing domain
The *samba-dc* role now supports joining an existing Active Directory domain as an additional domain controller. The `samba_is_first_dc` variable controls whether the machine will be provisioned with a new domain (when true) or added to an existing domain (when false). Joining an existing domain naturally requires credentials of a user with permission to add a new DC, the `samba_dc_join_username` and `samba_dc_join_password` variables can be used to specify them. Alternatively, if these variables are not defined, then the process will attempt to use Kerberos credentials. This would require playbooks to make a ticket-granting-ticket available somehow, such as by executing `kinit` prior to applying the *samba-dc* role.
---
 roles/samba-dc/defaults/main.yml | 1 +
 roles/samba-dc/library/samba_domain | 45 +++++++++++++++++++++++++----
 roles/samba-dc/tasks/main.yml | 3 ++
 3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/roles/samba-dc/defaults/main.yml b/roles/samba-dc/defaults/main.yml
index d788643..45f3335 100644
--- a/roles/samba-dc/defaults/main.yml
+++ b/roles/samba-dc/defaults/main.yml
@@ -1 +1,2 @@
 samba_dc_use_rfc2307: true
+samba_is_first_dc: false
diff --git a/roles/samba-dc/library/samba_domain b/roles/samba-dc/library/samba_domain
index 78fe228..759e10a 100644
--- a/roles/samba-dc/library/samba_domain
+++ b/roles/samba-dc/library/samba_domain
@@ -55,6 +55,20 @@ def main():
 'SAMBA_INTERNAL',
 ],
 ),
+ username=dict(
+ required=False,
+ ),
+ password=dict(
+ required=False,
+ no_log=True,
+ ),
+ state=dict(
+ required=True,
+ choices=[
+ 'provisioned',
+ 'joined',
+ ],
+ ),
 ),
 supports_check_mode=True,
 )
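Review bot: The new `username` and `password` options are declared as two independent optionals, so an argument spec that receives only one of them is accepted, and the join branch added later in this patch then silently falls back to Kerberos instead of reporting the half-configured credentials. Declaring them as a pair makes the module fail early with a clear message: add `required_together=[['username', 'password']],` next to `supports_check_mode=True,`. `state` is `required=True` with no default, so any other caller of this module that does not pass it now fails at argument parsing; if the old behaviour is meant to stay the default, `default='provisioned'` in place of `required=True` keeps such callers working. The `argument_spec` dict and `main()` start before this hunk.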
@@ -63,6 +77,9 @@ def main(): domain = module.params['domain'] or realm.split('.')[0] use_rfc2307 = module.params['use_rfc2307'] dns_backend = module.params['dns_backend'] + state = module.params['state'] + username = module.params['username'] + password = module.params['password'] samba_tool = module.get_bin_path('samba-tool', required=True) samba = module.get_bin_path('samba', required=True) @@ -93,12 +110,30 @@ def main(): cmd = [ samba_tool, 'domain', - 'provision', - '--realm={}'.format(realm), - '--domain={}'.format(domain), ] - if use_rfc2307: - cmd.append('--use-rfc2307') + if state == 'provisioned': + cmd += [ + 'provision', + '--realm={}'.format(realm), + '--domain={}'.format(domain), + ] + if use_rfc2307: + cmd.append('--use-rfc2307') + else: + cmd += [ + 'join', + realm, + 'DC', + ] + if username and password: + cmd += [ + '--username', username, + '--password', password, + ] + else: + cmd += [ + '--kerberos', 'true', + ] if dns_backend: cmd += ('--dns-backend', dns_backend) rc, out, err = module.run_command(cmd, check_rc=True) diff --git a/roles/samba-dc/tasks/main.yml b/roles/samba-dc/tasks/main.yml index 2635240..ed3ec3a 100644 --- a/roles/samba-dc/tasks/main.yml +++ b/roles/samba-dc/tasks/main.yml @@ -32,6 +32,9 @@ domain={{ netbios_domain|d(omit) }} use_rfc2307={{ samba_dc_use_rfc2307 }} dns_backend={{ samba_dc_dns_backend|d(omit) }} + username={{ samba_dc_join_username|d(omit) }} + password={{ samba_dc_join_password|d(omit) }} + state={{ 'provisioned' if samba_is_first_dc else 'joined' }} register: samba_dc_provision notify: - restore samba file contexts
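Review bot: In the `join` branch the password is handed to `samba-tool` as a `--password` argument, so for the whole duration of the join it is readable by every local user through the process list (`/proc/<pid>/cmdline`). Samba's client tools also accept the password from the `PASSWD` environment variable via the credentials guessing code; if `samba-tool domain join` honours it here, dropping the `'--password', password` pair and running `module.run_command(cmd, check_rc=True, environ_update={'PASSWD': password})` keeps the secret out of the argument list (this is worth verifying against the Samba version in use). `no_log=True` on the option should already scrub the value from the module result and from the failure output produced by `check_rc=True`, so the remaining exposure is on the host itself. The Kerberos fallback is taken whenever either credential is missing, which deserves a comment on that `else:` such as `# no username/password supplied: rely on an existing TGT (e.g. from kinit) for the join`. The body of `main()` continues before and after this hunk.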
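Review bot: `password={{ samba_dc_join_password|d(omit) }}` is rendered into the module's free-form `key=value` argument string, so a password containing whitespace or quote characters is tokenised before the module ever sees it and either breaks the task or is passed truncated. Passing the module arguments as a YAML mapping instead (`password: "{{ samba_dc_join_password | d(omit) }}"`, and likewise for `username` and `state`) avoids that parsing entirely and is the form Ansible recommends for non-trivial values. The task definition, including the `samba_domain:` line these arguments belong to, starts before this hunk.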