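---
# Samba AD domain controller tasks: load per-distribution variables, provision
# or join the domain, install TLS material, wire up systemd units, replicate
# sysvol over ssh between controllers, back up idmap, open the firewall and
# export the host keytab.  Module arguments use block YAML throughout and file
# modes use the symbolic form (u=..,go=..) rather than bare octal literals.

- name: load distribution-specific values
  include_vars: '{{ item }}'
  with_first_found:
    - '{{ ansible_distribution }}.yml'
    - defaults.yml
  tags:
    - always

- name: ensure packages are installed
  package:
    name: "{{ samba_dc_packages | join(',') }}"
    state: present
  tags:
    - install

- name: ensure bind9 dlz plugin is configured
  include_tasks: bind9-dlz.yml
  when: samba_dc_dns_backend | d('') == 'BIND9_DLZ'

- name: ensure kerberos is configured
  template:
    src: krb5.conf.j2
    dest: /etc/krb5.conf.d/samba.conf

- name: ensure domain is provisioned
  # NOTE(review): the join password travels as a plain module argument; unless
  # the samba_domain module marks it no_log it can surface in verbose output.
  # no_log on the task itself is not an option because the registered result
  # feeds the "display generated admin password" handler.
  samba_domain:
    realm: '{{ krb5_realm }}'
    domain: '{{ netbios_domain | d(omit) }}'
    use_rfc2307: '{{ samba_dc_use_rfc2307 }}'
    dns_backend: '{{ samba_dc_dns_backend | d(omit) }}'
    username: '{{ samba_dc_join_username | d(omit) }}'
    password: '{{ samba_dc_join_password | d(omit) }}'
    state: "{{ 'provisioned' if samba_is_first_dc else 'joined' }}"
  register: samba_dc_provision
  notify:
    - restore samba file contexts
    - display generated admin password
    - sync sysvol
  tags:
    - provision-domain

- name: ensure samba certificate is installed
  copy:
    src: '{{ item }}'
    dest: '{{ samba_tls_certfile }}'
    mode: u=rw,go=r
  with_fileglob:
    - certs/samba/{{ inventory_hostname }}/samba.cer
  notify: restart samba

- name: ensure samba certificate private key is installed
  copy:
    src: '{{ item }}'
    dest: '{{ samba_tls_keyfile }}'
    # private key: owner-only
    mode: u=rw,go=
  with_fileglob:
    - certs/samba/{{ inventory_hostname }}/samba.key
  notify: restart samba

- name: ensure samba ca certificate is installed
  copy:
    src: '{{ item }}'
    dest: '{{ samba_tls_cafile }}'
    mode: u=rw,go=r
  with_fileglob:
    - certs/samba/{{ inventory_hostname }}/samba-ca.crt
  when: samba_tls_cafile is defined
  notify: restart samba

- name: ensure smb.conf is configured
  template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
    mode: u=rw,go=r
  notify: restart samba

- name: ensure samba systemd unit extension directory exists
  file:
    path: /etc/systemd/system/samba.service.d
    mode: u=rwx,go=rx
    state: directory
  tags:
    - systemd

- name: ensure samba service auto restart is configured
  copy:
    src: auto-restart.conf
    dest: /etc/systemd/system/samba.service.d/auto-restart.conf
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload systemd
    - restart samba
  tags:
    - systemd

- name: ensure samba starts at boot
  service:
    name: samba
    enabled: true

- name: ensure sysvolsync ssh key exists
  openssh_keypair:
    type: ed25519
    comment: '{{ inventory_hostname }}'
    path: /var/lib/samba/private/sysvolsync.key
    owner: root
    group: root
    mode: u=r,go=
    state: present
  register: sysvolsync_key
  tags:
    - sysvolsync

- name: ensure sysvolsync key is trusted on other domain controllers
  delegate_to: '{{ item }}'
  authorized_key:
    user: root
    path: /root/.ssh/authorized_keys_sysvolsync
    key: >-
      {{ sysvolsync_key.public_key }}
    # 'restrict' disables pty allocation, port/agent/X11 forwarding and rc-file
    # execution for this key, so a holder of it can only run the forced
    # command below.
    key_options: restrict,command="/usr/local/libexec/sysvolsync-server"
    state: present
  # openssh_keypair module doesn't return public_key in check mode
  when: not ansible_check_mode
  loop: '{{ groups["samba-dc"] }}'
  tags:
    - sysvolsync

- name: ensure sysvolsync cache directory exists
  file:
    path: /var/cache/sysvolsync
    mode: u=rwx,go=rx
    state: directory
  tags:
    - sysvolsync

- name: ensure sysvolsync ssh host key database is populated
  template:
    src: sysvolsync.ssh_known_hosts.j2
    dest: /var/cache/sysvolsync/ssh_known_hosts
    mode: u=rw,go=r
  tags:
    - sysvolsync
    - ssh_known_hosts

- name: ensure sysvolsync script is installed
  copy:
    src: sysvolsync.sh
    dest: /usr/local/sbin/sysvolsync
    mode: u=rwx,go=rx
  notify:
    - restart sysvolsync.timer
  tags:
    - sysvolsync

- name: ensure sysvolsync systemd units are installed
  copy:
    src: '{{ item }}'
    dest: /etc/systemd/system
    mode: u=rw,go=r
  loop:
    - sysvolsync.service
    - sysvolsync.timer
  notify:
    - reload systemd
    - restart sysvolsync.timer
  tags:
    - sysvolsync
    - systemd

- name: ensure sysvolsync timer unit is enabled
  systemd:
    name: sysvolsync.timer
    enabled: true
  tags:
    - sysvolsync
    - service

- name: ensure sysvolsync timer unit is running
  systemd:
    name: sysvolsync.timer
    state: started
  tags:
    - sysvolsync
    - service

- name: ensure sysvolsync-server script is installed
  copy:
    src: sysvolsync-server.sh
    dest: /usr/local/libexec/sysvolsync-server
    mode: u=rwx,go=rx
  tags:
    - sysvolsync

- name: ensure sshd is configured for sysvolsync
  copy:
    src: sysvolsync.sshd.conf
    dest: /etc/ssh/sshd_config.d/80-sysvolsync.conf
    mode: u=rw,go=r
  notify:
    - reload sshd
  tags:
    - sysvolsync

- name: ensure idmap-backup systemd units are installed
  copy:
    src: '{{ item }}'
    dest: /etc/systemd/system/
    mode: u=rw,go=r
  loop:
    - idmap-backup.service
    - idmap-backup.timer
  notify:
    - reload systemd
    - restart idmap-backup.timer
  tags:
    - idmap-backup
    - systemd

- name: ensure idmap-backup timer unit is enabled
  systemd:
    name: idmap-backup.timer
    enabled: true
  tags:
    - idmap-backup
    - service

- name: ensure idmap-backup timer unit is running
  systemd:
    name: idmap-backup.timer
    state: started
  tags:
    - idmap-backup
    - service

# run pending handlers (config/unit changes) before the service is started
- name: flush_handlers
  meta: flush_handlers

- name: ensure samba is running
  service:
    name: samba
    state: started

- name: ensure firewall is configured for samba
  # entries of samba_firewall containing '/' are port/protocol pairs, the rest
  # are firewalld service names
  firewalld:
    service: "{{ item if '/' not in item else omit }}"
    port: "{{ item if '/' in item else omit }}"
    state: enabled
    permanent: false
    immediate: true
  with_items: '{{ samba_firewall }}'
  notify: save firewalld configuration
  when: host_users_firewalld | d(true) | bool
  tags:
    - firewalld

# Samba maintains a host keytab at /var/lib/samba/private/secrets.keytab,
# however it uses HOST/ instead of host/ SPNs. mit-krb5 seems to
# treat SPNs case-sensitively, breaking SSH GSSAPI authentication.
#
# It is likely that this keytab will become stale, as domain controller account
# keys may rotate. Hopefully, I will find a better way to manage this at some
# point.
- name: ensure host keytab exists
  command: >-
    samba-tool domain exportkeytab /etc/krb5.keytab
    --principal=host/{{ ansible_fqdn }}
  args:
    creates: /etc/krb5.keytab

- name: ensure logrotate is configured for samba kdc
  copy:
    src: krb5kdc.logrotate.conf
    dest: /etc/logrotate.d/krb5kdc
    mode: u=rw,go=r
  tags:
    - logrotate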