Update to 2022-10-19 17:00

roles/nas/tasks/main.yml

@@ -8,14 +8,14 @@
   tags: nas
 
 - name: Install needed packages
-  yum:
+  package:
     name:
-      - rssh
+      - mod_authnz_external
-  tags: nas
-
-- name: Allow every user to use rssh
-  file: path=/bin/rssh mode=755
   tags: nas
+#
+#- name: Allow every user to use rssh
+#  file: path=/bin/rssh mode=755
+#  tags: nas
 
 - name: Create directories
   file: path={{ nas_root_dir }}/{{ item[1] }}/{{ item[0].name }} state=directory

roles/samba/meta/main.yml

@@ -1,6 +1,7 @@
 ---
 dependencies:
   - role: repo_samba4
+    when: samba_role in ['dc', 'rodc']
   - role: repo_base
   - role: mkdir
   - role: rsync_server

roles/samba/tasks/conf.yml

@@ -6,7 +6,7 @@
 
 - name: Link our DC keytab to the system keytab
   file: src=/var/lib/samba/private/secrets.keytab dest=/etc/krb5.keytab state=link force=True
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
   # This is for DC where their principal is added as uppercase HOST/FQDN
@@ -14,7 +14,7 @@
 - name: Check if the keytab contains lowercase host principal
   shell: klist -k /etc/krb5.keytab | grep 'host/{{ ansible_hostname }}.{{ samba_realm }}'
   ignore_errors: True
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   changed_when: False
   register: samba_lc_principal
   tags: samba
@@ -22,13 +22,13 @@
 - name: Add lower case host principal to the keytab file
   command: samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/{{ ansible_hostname }}.{{ samba_realm }}
   when:
-    - samba_role == 'dc' or samba_role == 'rodc'
+    - samba_role in ['dc', 'rodc']
     - samba_lc_principal.stdout_lines | length < 1
   tags: samba
 
 - name: Add a tmpfiles.d snippet for permissions on ntp_signd socket dir
   copy: content="d /var/lib/samba/ntp_signd 750 root chrony" dest=/etc/tmpfiles.d/samba_ntp.conf
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   register: samba_tmpfiles
   tags: samba
 
@@ -59,12 +59,12 @@
     user: root
     job: rsync -XAavz --delete-after {{ (samba_sysvol_rsync_pass is defined) | ternary('--password-file=/etc/samba/rsync-sysvol.secret','') }} rsync://{{ (samba_sysvol_rsync_pass is defined) | ternary('sysvol-replication@','') }}{{ samba_primary_dc }}/sysvol/ /var/lib/samba/sysvol/
     state: "{{ samba_i_am_primary_dc | ternary('absent','present') }}"
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
 - name: Deploy dehydrated hook
   copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/samba.sh mode=755
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
 - name: Remove dehydrated hook
@@ -105,7 +105,7 @@
 
 - name: Start and enable the samba daemon
   service: name=samba state=started enabled=True
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
 - name: Reconfigure sssd
@@ -128,7 +128,12 @@
 
 - name: Start and enable the smb daemon
   service: name=smb state=started enabled=True
-  when: samba_role != 'dc' and samba_role != 'rodc'
+  when: samba_role not in ['dc', 'rodc']
+  tags: samba
+
+- name: Start and enable winbind service
+  service: name=winbind state=started enabled=True
+  when: samba_role == 'member'
   tags: samba
 
   # Here we just read the actual policy. This way, on the next task, we can update only the items we need

roles/samba/tasks/install.yml

@@ -6,20 +6,16 @@
 
 - name: Install DC components
   yum: name={{ samba_dc_packages }}
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
   tags: samba
 
+- name: Install members components
+  package: name={{ samba_member_packages }}
+  when: samba_role == 'member'
+
 - name: Update ldb
   yum: name=ldb-tools state=latest
-  when: samba_role == 'dc' or samba_role == 'rodc'
+  when: samba_role in ['dc', 'rodc']
-  tags: samba
-
-  # sssd-libwbclient breaks DC so only install on members
-- name: Install members components
-  yum: name=sssd-libwbclient
-  when:
-    - samba_role != 'dc'
-    - samba_role != 'rodc'
   tags: samba
 
 - name: Remove config files

roles/samba/templates/smb.conf.j2

@@ -5,7 +5,8 @@
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
-  idmap config {{ samba_realm | upper }} : backend = sss
+  idmap config {{ samba_domain | upper }} : backend = sss
+  idmap config {{ samba_domain | upper }} : range 200000-2147483647
 {% for domain in samba_trusted_domains %}
   idmap config {{ domain.name | upper }} : backend = sss
 {% endfor %}

roles/samba/vars/RedHat-8.yml

@@ -14,3 +14,6 @@ samba_dc_packages:
   - krb5-workstation
   - python3-markdown
   - patch
+
+samba_member_packages:
+  - samba-winbind

roles/ssh/tasks/conf.yml

@@ -68,6 +68,7 @@
 - name: Ensure permissions and ownership on authorized_keys files
   file:
     path: /etc/ssh/authorized_keys/{{ item.name }}/authorized_keys
+    state: file
     mode: 0600
     owner: "{{ item.name }}"
   when: item.ssh_keys is defined

roles/zabbix_agent/tasks/psk.yml

@@ -7,6 +7,6 @@
   tags: zabbix
 
 - name: Restrict permission on PSK file
-  file: path=/etc/zabbix/zabbix_agentd.psk owner=root group=zabbix mode=0640
+  file: path=/etc/zabbix/zabbix_agentd.psk state=file owner=root group=zabbix mode=0640
   tags: zabbix