Update to 2022-10-19 17:00

Daniel Berteaud
2022-10-19 17:00:09 +02:00
parent 347d0c8590
commit 2c1b5706bd
20 changed files with 33 additions and 26 deletions


@@ -1,6 +1,7 @@
---
dependencies:
- role: repo_samba4
when: samba_role in ['dc', 'rodc']
- role: repo_base
- role: mkdir
- role: rsync_server
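Review bot: `rsync_server` remains an unconditional dependency in this list, while `repo_samba4` is now limited to `samba_role in ['dc', 'rodc']`. The only rsync use visible in this commit is the sysvol replication cron job, which is itself restricted to DCs, so member servers may end up with an rsync daemon they do not need. If nothing else on members depends on it, the same condition could be attached: `- role: rsync_server` followed by `when: samba_role in ['dc', 'rodc']`. What the role deploys is not visible here, so this should be confirmed against the role itself.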


@@ -6,7 +6,7 @@
- name: Link our DC keytab to the system keytab
file: src=/var/lib/samba/private/secrets.keytab dest=/etc/krb5.keytab state=link force=True
when: samba_role == 'dc' or samba_role == 'rodc'
when: samba_role in ['dc', 'rodc']
tags: samba
# This is for DC where their principal is added as uppercase HOST/FQDN
@@ -14,7 +14,7 @@
- name: Check if the keytab contains lowercase host principal
shell: klist -k /etc/krb5.keytab | grep 'host/{{ ansible_hostname }}.{{ samba_realm }}'
ignore_errors: True
when: samba_role == 'dc' or samba_role == 'rodc'
when: samba_role in ['dc', 'rodc']
changed_when: False
register: samba_lc_principal
tags: samba
@@ -22,13 +22,13 @@
- name: Add lower case host principal to the keytab file
command: samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/{{ ansible_hostname }}.{{ samba_realm }}
when:
- samba_role == 'dc' or samba_role == 'rodc'
- samba_role in ['dc', 'rodc']
- samba_lc_principal.stdout_lines | length < 1
tags: samba
- name: Add a tmpfiles.d snippet for permissions on ntp_signd socket dir
copy: content="d /var/lib/samba/ntp_signd 750 root chrony" dest=/etc/tmpfiles.d/samba_ntp.conf
when: samba_role == 'dc' or samba_role == 'rodc'
when: samba_role in ['dc', 'rodc']
register: samba_tmpfiles
tags: samba
@@ -59,12 +59,12 @@
user: root
job: rsync -XAavz --delete-after {{ (samba_sysvol_rsync_pass is defined) | ternary('--password-file=/etc/samba/rsync-sysvol.secret','') }} rsync://{{ (samba_sysvol_rsync_pass is defined) | ternary('sysvol-replication@','') }}{{ samba_primary_dc }}/sysvol/ /var/lib/samba/sysvol/
state: "{{ samba_i_am_primary_dc | ternary('absent','present') }}"
when: samba_role == 'dc' or samba_role == 'rodc'
when: samba_role in ['dc', 'rodc']
tags: samba
- name: Deploy dehydrated hook
copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/samba.sh mode=755
when: samba_role == 'dc' or samba_role == 'rodc'
when: samba_role in ['dc', 'rodc']
tags: samba
- name: Remove dehydrated hook
@@ -105,7 +105,7 @@
- name: Start and enable the samba daemon
service: name=samba state=started enabled=True
when: samba_role == 'dc' or samba_role == 'rodc'
when: samba_role in ['dc', 'rodc']
tags: samba
- name: Reconfigure sssd
@@ -128,7 +128,12 @@
- name: Start and enable the smb daemon
service: name=smb state=started enabled=True
when: samba_role != 'dc' and samba_role != 'rodc'
when: samba_role not in ['dc', 'rodc']
tags: samba
- name: Start and enable winbind service
service: name=winbind state=started enabled=True
when: samba_role == 'member'
tags: samba
# Here we just read the actual policy. This way, on the next task, we can update only the items we need
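Review bot: In the `@@ -59,12` hunk the sysvol cron job authenticates to `rsync://{{ samba_primary_dc }}/sysvol/` only when `samba_sysvol_rsync_pass` is defined, and otherwise pulls as root with `--delete-after` and no credentials. The rsync daemon protocol does not encrypt the transfer, and sysvol carries group policy and logon scripts, so the integrity of this pull should not depend on an optional secret. A comment above the task such as `# sysvol replication: keep samba_sysvol_rsync_pass set and restrict the rsync module to DC addresses` would record the assumption. The task begins outside the hunk, so any transport protection configured elsewhere is not visible here.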


@@ -6,20 +6,16 @@
- name: Install DC components
yum: name={{ samba_dc_packages }}
when: samba_role == 'dc' or samba_role == 'rodc'
when: samba_role in ['dc', 'rodc']
tags: samba
- name: Install members components
package: name={{ samba_member_packages }}
when: samba_role == 'member'
- name: Update ldb
yum: name=ldb-tools state=latest
when: samba_role == 'dc' or samba_role == 'rodc'
tags: samba
# sssd-libwbclient breaks DC so only install on members
- name: Install members components
yum: name=sssd-libwbclient
when:
- samba_role != 'dc'
- samba_role != 'rodc'
when: samba_role in ['dc', 'rodc']
tags: samba
- name: Remove config files
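Review bot: The added `Install members components` task appears to carry no `tags: samba` line, unlike the other tasks in this section. The +/- markers are lost in this rendering, so this reading is inferred from the line order. The `Start and enable winbind service` task added in the other tasks file is tagged `samba`, so a run limited to that tag on a member would try to start winbind without having installed `samba_member_packages`. Adding `tags: samba` under `when: samba_role == 'member'` keeps the two in step.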


@@ -5,7 +5,8 @@
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 10000-19999
idmap config {{ samba_realm | upper }} : backend = sss
idmap config {{ samba_domain | upper }} : backend = sss
idmap config {{ samba_domain | upper }} : range 200000-2147483647
{% for domain in samba_trusted_domains %}
idmap config {{ domain.name | upper }} : backend = sss
{% endfor %}
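Review bot: The `range` line for `{{ samba_domain | upper }}` has no `=` between the option name and the value, unlike `idmap config * : range = 10000-19999` above it. smb.conf expects `name = value`, so Samba will most likely discard the line as malformed and leave the domain without the intended ID range. That range decides the UIDs and GIDs that file ownership and access checks rely on. The line should read `idmap config {{ samba_domain | upper }} : range = 200000-2147483647`; running `testparm` on the rendered file would confirm it. The trusted-domain loop below sets `backend = sss` with no range at all, which may deserve the same attention.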


@@ -14,3 +14,6 @@ samba_dc_packages:
- krb5-workstation
- python3-markdown
- patch
samba_member_packages:
- samba-winbind