Ansible configuration policy for the private network/home lab of Dustin C. Hatch
http://dustin.hatch.name/
Dustin
5661910a21
Samba AD DC does not implement [DFS-R for replication of the SYSVOL][0] contents. This does not make much of a difference to me, since the SYSVOL is really only used for Group Policy. Windows machines may log an error if they cannot access the (basically empty) GPO files, but that's pretty much the only effect if the SYSVOL is in sync between domain controllers. Unfortunately, there is one side-effect of the missing DFS-R functionality that does matter. On domain controllers, all user, computer, and group accounts need to have Unix UID/GID numbers mapped. This is different than regular member machines, which only need UID/GID numbers for users that will/are allowed to log into them. LDAP entries only have ID numbers mapped for the latter class of users, which does not include machine accounts. As a result, Samba falls back to generating local ID numbers for the rest of the accounts. Those ID numbers are stored in a local database file, `/var/lib/samba/private/idmap.ldb`. It would seem that it wouldn't actually matter if accounts have different ID numbers on different domain controllers, but there are evidently [situations][1] where DCs refuse to allocate ID numbers at all, which can cause authentication to fail. As such, the `idmap.ldb` file needs to be kept in sync. If we're going to go through the effort of synchronizing `idmap.ldb`, we might as well keep the SYSVOL in sync as well. To that end, I've written a script to synchronize both the SYSVOL contents and the `idmap.ldb` file. It performs a simple one-way synchronization using `rsync` from the DC with the PDC emulator role, as discovered using DNS SRV records. To ensure the `idmap.ldb` file is in a consistent state, it only copies the most recent backup file. If the copied file differs from the local one, the script stops Samba and restores the local database from the backup. It then flushes Samba's caches and restarts the service. Finally, it fixes the NT ACLs on the contents of the SYSVOL. Since the contents of the SYSVOL are owned by root, naturally the synchronization process has to run as root as well. To attempt to limit the scope of control this would give the process, we use as much of the systemd sandbox capabilities as possible. Further, the SSH key pairs the DCs use to authenticate to one another are restricted to only running rsync. As such, the `sysvolsync` script itself cannot run `tdbbackup` to back up `idmap.ldb`. To handle that, I've created a systemd service and corresponding timer unit to run `tdbbackup` periodically. I considered for a long time how to best implement this process, and although I chose this naïve implementation, I am not exactly happy with it. Since I do not fully understand *why* keeping the `idmap.ldb` file in sync is necessary, there are undoubtedly cases where blindly copying it from the PDC emulator is not correct. There are definitely cases where the contents of the SYSVOL can be updated on a DC besides the PDC emulator, but again, we should not run into them because we don't really use the SYSVOL at all. In the end, I think this solution is good enough for our needs, without being so complicated [0]: https://wiki.samba.org/index.php?title=SysVol_replication_(DFS-R)&oldid=18120 [1]: https://lists.samba.org/archive/samba/2021-November/238370.html |
||
|---|---|---|
| .certs@13f97e4fa1 | ||
| certs | ||
| ci | ||
| group_vars | ||
| host_vars | ||
| passwords/kojiweb_secret | ||
| roles | ||
| vars | ||
| vault | ||
| .gitignore | ||
| .gitmodules | ||
| .vault-secret.sh | ||
| alertmanager.yml | ||
| ansible.cfg | ||
| ansible.yml | ||
| aria2.yml | ||
| base.yml | ||
| bitwarden_rs.yml | ||
| blackbox-exporter.yml | ||
| burp-client.yml | ||
| burp-server.yml | ||
| certbot.yml | ||
| collectd.yml | ||
| dch-gw.yml | ||
| dch-proxy.yml | ||
| dch-root-ca.crt | ||
| dch-vpn.yml | ||
| dhcpcd.yml | ||
| dhcpd.yml | ||
| docker.yml | ||
| domain-controller.yml | ||
| dyngroups.yml | ||
| fileserver.yml | ||
| firewalld.yml | ||
| frigate.yml | ||
| gitea.yml | ||
| grafana.yml | ||
| graylog.yml | ||
| hassdb.yml | ||
| homeassistant.yml | ||
| hostname.yml | ||
| hosts | ||
| hosts.offline | ||
| jenkins-slave.yml | ||
| koji-builder.yml | ||
| koji-hub.yml | ||
| koji-web.yml | ||
| koji.yml | ||
| metricspi.yml | ||
| motioneye.yml | ||
| named-server.yml | ||
| net-ifaces.yml | ||
| network.yml | ||
| nextcloud.yml | ||
| ntp.yml | ||
| nut.yml | ||
| postgresql.yml | ||
| protonvpn.yml | ||
| pxe.yml | ||
| pyrocufflink.yml | ||
| radius.yml | ||
| radvd.yml | ||
| remount.yml | ||
| rngd.yml | ||
| samba-dc.yml | ||
| smtp-relay.yml | ||
| squid.yml | ||
| synapse.yml | ||
| systemd-networkd.yml | ||
| systemd-resolved.yml | ||
| taiga.yml | ||
| victoria-metrics.yml | ||
| vmhost.yml | ||
| websites.yml | ||
| wheelhost.yml | ||
| zabbix-agent.yml | ||
| zabbix-server.yml | ||
| zabbix.yml | ||
| zezere.yml | ||
| zigbee2mqtt.yml | ||
| zwavejs2mqtt.yml | ||