From 2c1b5706bdeb7795adba3dfb41abdc78850cc81e Mon Sep 17 00:00:00 2001
From: Daniel Berteaud <dbd@ehtrace.com>
Date: Wed, 19 Oct 2022 17:00:09 +0200
Subject: [PATCH] Update to 2022-10-19 17:00

---
 .../{unmaintained => }/nas/defaults/main.yml  |  0
 roles/{unmaintained => }/nas/files/mkhomedir  |  0
 .../{unmaintained => }/nas/handlers/main.yml  |  0
 roles/{unmaintained => }/nas/meta/main.yml    |  0
 roles/{unmaintained => }/nas/tasks/main.yml   | 12 +++++------
 .../nas/templates/exports.j2                  |  0
 .../nas/templates/httpd.conf.j2               |  0
 .../nas/templates/mod_authnz_external.conf.j2 |  0
 .../nas/templates/mod_dav.conf.j2             |  0
 .../nas/templates/rsync.secrets.j2            |  0
 .../nas/templates/rsyncd.conf.j2              |  0
 .../nas/templates/setfacl.sh.j2               |  0
 .../nas/templates/smb.conf.j2                 |  0
 roles/samba/meta/main.yml                     |  1 +
 roles/samba/tasks/conf.yml                    | 21 ++++++++++++-------
 roles/samba/tasks/install.yml                 | 16 ++++++--------
 roles/samba/templates/smb.conf.j2             |  3 ++-
 roles/samba/vars/RedHat-8.yml                 |  3 +++
 roles/ssh/tasks/conf.yml                      |  1 +
 roles/zabbix_agent/tasks/psk.yml              |  2 +-
 20 files changed, 33 insertions(+), 26 deletions(-)
 rename roles/{unmaintained => }/nas/defaults/main.yml (100%)
 rename roles/{unmaintained => }/nas/files/mkhomedir (100%)
 rename roles/{unmaintained => }/nas/handlers/main.yml (100%)
 rename roles/{unmaintained => }/nas/meta/main.yml (100%)
 rename roles/{unmaintained => }/nas/tasks/main.yml (95%)
 rename roles/{unmaintained => }/nas/templates/exports.j2 (100%)
 rename roles/{unmaintained => }/nas/templates/httpd.conf.j2 (100%)
 rename roles/{unmaintained => }/nas/templates/mod_authnz_external.conf.j2 (100%)
 rename roles/{unmaintained => }/nas/templates/mod_dav.conf.j2 (100%)
 rename roles/{unmaintained => }/nas/templates/rsync.secrets.j2 (100%)
 rename roles/{unmaintained => }/nas/templates/rsyncd.conf.j2 (100%)
 rename roles/{unmaintained => }/nas/templates/setfacl.sh.j2 (100%)
 rename roles/{unmaintained => }/nas/templates/smb.conf.j2 (100%)

diff --git a/roles/unmaintained/nas/defaults/main.yml b/roles/nas/defaults/main.yml
similarity index 100%
rename from roles/unmaintained/nas/defaults/main.yml
rename to roles/nas/defaults/main.yml
diff --git a/roles/unmaintained/nas/files/mkhomedir b/roles/nas/files/mkhomedir
similarity index 100%
rename from roles/unmaintained/nas/files/mkhomedir
rename to roles/nas/files/mkhomedir
diff --git a/roles/unmaintained/nas/handlers/main.yml b/roles/nas/handlers/main.yml
similarity index 100%
rename from roles/unmaintained/nas/handlers/main.yml
rename to roles/nas/handlers/main.yml
diff --git a/roles/unmaintained/nas/meta/main.yml b/roles/nas/meta/main.yml
similarity index 100%
rename from roles/unmaintained/nas/meta/main.yml
rename to roles/nas/meta/main.yml
diff --git a/roles/unmaintained/nas/tasks/main.yml b/roles/nas/tasks/main.yml
similarity index 95%
rename from roles/unmaintained/nas/tasks/main.yml
rename to roles/nas/tasks/main.yml
index 4fe1fa0..b782165 100644
--- a/roles/unmaintained/nas/tasks/main.yml
+++ b/roles/nas/tasks/main.yml
@@ -8,14 +8,14 @@
   tags: nas
 
 - name: Install needed packages
-  yum:
+  package:
     name:
-      - rssh
-  tags: nas
-
-- name: Allow every user to use rssh
-  file: path=/bin/rssh mode=755
+      - mod_authnz_external
   tags: nas
+#
+#- name: Allow every user to use rssh
+#  file: path=/bin/rssh mode=755
+#  tags: nas
 
 - name: Create directories
   file: path={{ nas_root_dir }}/{{ item[1] }}/{{ item[0].name }} state=directory
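Review bot: The rssh task is kept as commented-out YAML (`#- name: Allow every user to use rssh` through `#  tags: nas`) instead of being deleted, and git history already preserves it; disabled task text tends to drift from the live role. If rssh is intentionally dropped along with its package, remove the four comment lines; if it is meant to come back, a one-line comment such as `# rssh was removed from the package list on 2022-10-19; re-add the package before restoring this task` documents the state better than a dead task. The templates renamed in this patch (rsyncd.conf.j2, smb.conf.j2, setfacl.sh.j2) are not shown, so whether any of them still references rssh cannot be checked from here.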
diff --git a/roles/unmaintained/nas/templates/exports.j2 b/roles/nas/templates/exports.j2
similarity index 100%
rename from roles/unmaintained/nas/templates/exports.j2
rename to roles/nas/templates/exports.j2
diff --git a/roles/unmaintained/nas/templates/httpd.conf.j2 b/roles/nas/templates/httpd.conf.j2
similarity index 100%
rename from roles/unmaintained/nas/templates/httpd.conf.j2
rename to roles/nas/templates/httpd.conf.j2
diff --git a/roles/unmaintained/nas/templates/mod_authnz_external.conf.j2 b/roles/nas/templates/mod_authnz_external.conf.j2
similarity index 100%
rename from roles/unmaintained/nas/templates/mod_authnz_external.conf.j2
rename to roles/nas/templates/mod_authnz_external.conf.j2
diff --git a/roles/unmaintained/nas/templates/mod_dav.conf.j2 b/roles/nas/templates/mod_dav.conf.j2
similarity index 100%
rename from roles/unmaintained/nas/templates/mod_dav.conf.j2
rename to roles/nas/templates/mod_dav.conf.j2
diff --git a/roles/unmaintained/nas/templates/rsync.secrets.j2 b/roles/nas/templates/rsync.secrets.j2
similarity index 100%
rename from roles/unmaintained/nas/templates/rsync.secrets.j2
rename to roles/nas/templates/rsync.secrets.j2
diff --git a/roles/unmaintained/nas/templates/rsyncd.conf.j2 b/roles/nas/templates/rsyncd.conf.j2
similarity index 100%
rename from roles/unmaintained/nas/templates/rsyncd.conf.j2
rename to roles/nas/templates/rsyncd.conf.j2
diff --git a/roles/unmaintained/nas/templates/setfacl.sh.j2 b/roles/nas/templates/setfacl.sh.j2
similarity index 100%
rename from roles/unmaintained/nas/templates/setfacl.sh.j2
rename to roles/nas/templates/setfacl.sh.j2
diff --git a/roles/unmaintained/nas/templates/smb.conf.j2 b/roles/nas/templates/smb.conf.j2
similarity index 100%
rename from roles/unmaintained/nas/templates/smb.conf.j2
rename to roles/nas/templates/smb.conf.j2
diff --git a/roles/samba/meta/main.yml b/roles/samba/meta/main.yml
index c02a913..cf30aec 100644
--- a/roles/samba/meta/main.yml
+++ b/roles/samba/meta/main.yml
@@ -1,6 +1,7 @@
 ---
 dependencies:
   - role: repo_samba4
+    when: samba_role in ['dc', 'rodc']
   - role: repo_base
   - role: mkdir
   - role: rsync_server
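Review bot: The new `when: samba_role in ['dc', 'rodc']` on the repo_samba4 dependency is evaluated during dependency resolution, before any task of the samba role runs, so a host that does not set `samba_role` now fails there rather than at the first task that uses it. If the role has no default for `samba_role` (its defaults file is not in this patch), guard it with `when: samba_role is defined and samba_role in ['dc', 'rodc']` or add a default. Member hosts lose the repo_samba4 repository with this change; presumably the member packages are meant to come from the distribution repositories, which is worth stating in the commit message.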
diff --git a/roles/samba/tasks/conf.yml b/roles/samba/tasks/conf.yml
index b7c0d4e..95b8944 100644
--- a/roles/samba/tasks/conf.yml
+++ b/roles/samba/tasks/conf.yml
@@ -6,7 +6,7 @@
 
 - name: Link our DC keytab to the system keytab
   file: src=/var/lib/samba/private/secrets.keytab dest=/etc/krb5.keytab state=link force=True
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
   # This is for DC where their principal is added as uppercase HOST/FQDN
@@ -14,7 +14,7 @@
 - name: Check if the keytab contains lowercase host principal
   shell: klist -k /etc/krb5.keytab | grep 'host/{{ ansible_hostname }}.{{ samba_realm }}'
   ignore_errors: True
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   changed_when: False
   register: samba_lc_principal
   tags: samba
@@ -22,13 +22,13 @@
 - name: Add lower case host principal to the keytab file
   command: samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/{{ ansible_hostname }}.{{ samba_realm }}
   when:
-    - samba_role == 'dc' or samba_role == 'rodc'
+    - samba_role in ['dc', 'rodc']
     - samba_lc_principal.stdout_lines | length < 1
   tags: samba
 
 - name: Add a tmpfiles.d snippet for permissions on ntp_signd socket dir
   copy: content="d /var/lib/samba/ntp_signd 750 root chrony" dest=/etc/tmpfiles.d/samba_ntp.conf
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   register: samba_tmpfiles
   tags: samba
 
@@ -59,12 +59,12 @@
     user: root
     job: rsync -XAavz --delete-after {{ (samba_sysvol_rsync_pass is defined) | ternary('--password-file=/etc/samba/rsync-sysvol.secret','') }} rsync://{{ (samba_sysvol_rsync_pass is defined) | ternary('sysvol-replication@','') }}{{ samba_primary_dc }}/sysvol/ /var/lib/samba/sysvol/
     state: "{{ samba_i_am_primary_dc | ternary('absent','present') }}"
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
 - name: Deploy dehydrated hook
   copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/samba.sh mode=755
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
 - name: Remove dehydrated hook
@@ -105,7 +105,7 @@
 
 - name: Start and enable the samba daemon
   service: name=samba state=started enabled=True
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
 - name: Reconfigure sssd
@@ -128,7 +128,12 @@
 
 - name: Start and enable the smb daemon
   service: name=smb state=started enabled=True
-  when: samba_role != 'dc' and samba_role != 'rodc'
+  when: samba_role not in ['dc', 'rodc']
+  tags: samba
+
+- name: Start and enable winbind service
+  service: name=winbind state=started enabled=True
+  when: samba_role == 'member'
   tags: samba
 
   # Here we just read the actual policy. This way, on the next task, we can update only the items we need
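Review bot: The new winbind task is gated on `samba_role == 'member'` while the smb task directly above it uses `samba_role not in ['dc', 'rodc']`; if `samba_role` can hold any value besides dc, rodc and member, such hosts get smbd started without winbind. Either align the two predicates (`when: samba_role not in ['dc', 'rodc']` on the winbind task as well) or document the accepted values of `samba_role` where it is defined. The winbind service also depends on samba-winbind being present, which in this patch is only guaranteed by the member install task in install.yml; a host whose role changed to member after the install phase ran with another role will fail here.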
diff --git a/roles/samba/tasks/install.yml b/roles/samba/tasks/install.yml
index 56b5d5b..cac9c52 100644
--- a/roles/samba/tasks/install.yml
+++ b/roles/samba/tasks/install.yml
@@ -6,20 +6,16 @@
 
 - name: Install DC components
   yum: name={{ samba_dc_packages }}
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
+- name: Install members components
+  package: name={{ samba_member_packages }}
+  when: samba_role == 'member'
+
 - name: Update ldb
   yum: name=ldb-tools state=latest
-  when: samba_role == 'dc' or samba_role == 'rodc'
-  tags: samba
-
-  # sssd-libwbclient breaks DC so only install on members
-- name: Install members components
-  yum: name=sssd-libwbclient
-  when:
-    - samba_role != 'dc'
-    - samba_role != 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
 - name: Remove config files
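Review bot: The new `Install members components` task has no `tags: samba`, unlike every other task in this hunk, so a run restricted with `--tags samba` installs the DC packages but silently skips the member packages; add `tags: samba` after its `when:` line. `samba_member_packages` is defined only in vars/RedHat-8.yml in this patch, so on any other platform the role supports the task fails with an undefined variable unless the other vars files also define it (they are not shown). The removed sssd-libwbclient task is not replaced by a removal, so already-configured members keep that package next to the newly installed samba-winbind; if, as is common on EL8, the two provide alternative builds of the same client library, the install may conflict on those hosts, which should be verified before rollout.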
diff --git a/roles/samba/templates/smb.conf.j2 b/roles/samba/templates/smb.conf.j2
index 028094f..1909273 100644
--- a/roles/samba/templates/smb.conf.j2
+++ b/roles/samba/templates/smb.conf.j2
@@ -5,7 +5,8 @@
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
-  idmap config {{ samba_realm | upper }} : backend = sss
+  idmap config {{ samba_domain | upper }} : backend = sss
+  idmap config {{ samba_domain | upper }} : range 200000-2147483647
 {% for domain in samba_trusted_domains %}
   idmap config {{ domain.name | upper }} : backend = sss
 {% endfor %}
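Review bot: The added line `idmap config {{ samba_domain | upper }} : range 200000-2147483647` is missing the `=` that every other idmap setting in this block has (`idmap config * : range = 10000-19999` two lines up), so the rendered smb.conf carries no valid range for the domain; it should read `idmap config {{ samba_domain | upper }} : range = 200000-2147483647`. The trusted-domain loop below still sets only a backend per domain, so if a range is needed for those domains as well, the same line belongs inside the loop. Switching from `samba_realm` to `samba_domain` assumes both variables are defined for the role; its defaults are not part of this patch.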
diff --git a/roles/samba/vars/RedHat-8.yml b/roles/samba/vars/RedHat-8.yml
index 756181b..7c4a5fd 100644
--- a/roles/samba/vars/RedHat-8.yml
+++ b/roles/samba/vars/RedHat-8.yml
@@ -14,3 +14,6 @@ samba_dc_packages:
   - krb5-workstation
   - python3-markdown
   - patch
+
+samba_member_packages:
+  - samba-winbind
diff --git a/roles/ssh/tasks/conf.yml b/roles/ssh/tasks/conf.yml
index 73379ff..86d70ee 100644
--- a/roles/ssh/tasks/conf.yml
+++ b/roles/ssh/tasks/conf.yml
@@ -68,6 +68,7 @@
 - name: Ensure permissions and ownership on authorized_keys files
   file:
     path: /etc/ssh/authorized_keys/{{ item.name }}/authorized_keys
+    state: file
     mode: 0600
     owner: "{{ item.name }}"
   when: item.ssh_keys is defined
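Review bot: `state: file` is the file module's default, so this hunk and the equivalent `state=file` added in roles/zabbix_agent/tasks/psk.yml do not change behaviour: the task still fails when authorized_keys does not exist yet and never creates it. If the intent is to make the ownership/permission fix work on hosts missing the file, an earlier task has to create it; if the intent is only to make the mode explicit, a comment such as `# state: file — only fix mode/owner of an existing file, never create it` says so. In the same task, `mode: 0600` is an unquoted octal literal that YAML 1.1 loaders turn into the integer 384 before Ansible sees it; the conventional, lint-clean form is `mode: "0600"`.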
diff --git a/roles/zabbix_agent/tasks/psk.yml b/roles/zabbix_agent/tasks/psk.yml
index d2ab42d..fe437c5 100644
--- a/roles/zabbix_agent/tasks/psk.yml
+++ b/roles/zabbix_agent/tasks/psk.yml
@@ -7,6 +7,6 @@
   tags: zabbix
 
 - name: Restrict permission on PSK file
-  file: path=/etc/zabbix/zabbix_agentd.psk owner=root group=zabbix mode=0640
+  file: path=/etc/zabbix/zabbix_agentd.psk state=file owner=root group=zabbix mode=0640
   tags: zabbix