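---
# Provision a Samba AD domain controller and let Domain Admins use sudo on it.
# Three plays run in order: load per-realm secrets, run the samba-dc playbook,
# then apply the nsswitch / system-auth / sudo roles and the sudoers drop-in.

- hosts: samba-dc
  tasks:
    - name: load domain secrets
      # The glob is built from krb5_realm, so secrets are selected per realm
      # from vault/samba-dc/.
      # NOTE(review): with_fileglob yields no items when no file matches, so
      # the task is skipped rather than failed; confirm a later step fails
      # loudly when the secrets were not loaded.
      # NOTE(review): presumably these files are ansible-vault encrypted;
      # verify none of them is committed in plaintext.
      include_vars: '{{ item }}'
      with_fileglob:
        - 'vault/samba-dc/{{ krb5_realm }}'
      # The task result carries the loaded variables, which verbose runs and
      # callback plugins can print; keep them out of output and logs.
      no_log: true

- import_playbook: samba-dc.yml

- hosts: samba-dc
  roles:
    - nsswitch
    - system-auth
    - sudo
  tasks:
    - name: ensure domain admins can use sudo
      # Grants unrestricted sudo (ALL=(ALL) ALL) to the "domain admins"
      # group, matched both unqualified and as <workgroup>\domain admins.
      # Group membership is decided by the directory, so every account added
      # to that group becomes root-equivalent on these hosts.
      # workgroup is interpolated as-is into the rule and `visudo -cf` only
      # checks syntax, so keep that variable under the same change control
      # as this playbook.
      copy:
        content: |
          %domain\ admins ALL=(ALL) ALL
          %{{ workgroup }}\\domain\ admins ALL=(ALL) ALL
        dest: /etc/sudoers.d/10_domain-admins
        # Pin ownership so the drop-in converges to root-owned even if the
        # file already exists with another owner.
        owner: root
        mode: '0440'
        # Reject the new file before it replaces the old one if it does not
        # parse.
        validate: visudo -cf %s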