Update to 2021-12-01 19:13

roles/samba/defaults/main.yml

@@ -0,0 +1,100 @@
+---
+
+# Can be dc, standalone, or member
+samba_role: member
+
+# Netbios name. Default is the hostname part of the dns name
+# samba_netbios_name: 
+
+# The following settings are only needed when role is dc or member
+#
+# Default samba domain will be your domain name without the TLD
+# samba_domain: FWS
+# samba_realm: ad.fws.fr
+# Must be defined manually
+# samba_dc_admin_pass:
+
+# log level directive in smb.conf
+samba_log_level: >
+  1
+  auth_audit:3@/var/log/samba/auth.log
+  auth_json_audit:4@/var/log/samba/json/auth.log
+  dsdb_json_audit:5@/var/log/samba/json/dsdb.log
+  dsdb_password_json_audit:5@/var/log/samba/json/dsdb_password.log
+  dsdb_transaction_json_audit:5@/var/log/samba/json/dsdb_transaction.log
+  dns:3@/var/log/samba/dns.log
+  kerberos:2@/var/log/samba/kerberos.log
+  ldb:2@/var/log/samba/ldb.log
+
+samba_serve_homes: False
+
+# The following are only used when role is dc
+
+# There's no real "primary" DC, but you should set this to the
+# first DC. It'll be provisionned, get the FSMO roles and setup
+# rsync share for the sysvol. Others DC will replicate its sysvol
+# samba_primary_dc: dc1.domain.net
+
+# Password used for rsyncd. Used to fetch sysvol from the primary DC
+samba_sysvol_rsync_pass: "{{ samba_dc_admin_pass | password_hash('sha512', 65534 | random(seed=samba_realm) | string) }}"
+
+# The following are for the password policy to apply to the domain
+samba_base_pwd_policy:
+  complexity: 'off'
+  min-pwd-length: 6
+  max-pwd-age: 0
+  min-pwd-age: 0
+  history-length: 1
+  account-lockout-duration: 30
+  account-lockout-threshold: 0
+  reset-account-lockout-after: 30
+samba_pwd_policy: {}
+
+# Used to parse the output of samba-tool domain passwordsettings show. You shouldn't modify this
+samba_pwd_policy_descriptions:
+  complexity: Password complexity
+  min-pwd-length: Minimum password length
+  max-pwd-age: Maximum password age \(days\)
+  min-pwd-age: Minimum password age \(days\)
+  history-length: Password history length
+  account-lockout-duration: Account lockout duration \(mins\)
+  account-lockout-threshold: Account lockout threshold \(attempts\)
+  reset-account-lockout-after: Reset account lockout after \(mins\)
+
+# List of DNS servers to which requests for non local domains should be forwarded
+# samba_dns_forwarder:
+
+# Ports used by the internal DNS server, and the IP allowed to access this
+# This port will be opened for both TCP and UDP
+samba_dns_ports: [53]
+# Empty list means nobody can access the service
+samba_dns_src_ip: []
+
+# Ports needed when acting as a DC
+samba_dc_tcp_ports: [389,636,88,135,137,138,139,445,464,3268,3269,'49152:65535']
+samba_dc_udp_ports: [389,88,464,123,137,138]
+
+samba_dc_src_ip: []
+
+# Ports needed when acting as a file server
+samba_file_tcp_ports: [137,138,139,445]
+samba_file_udp_ports: [137,138]
+samba_file_src_ip: []
+
+samba_trusted_domains: {}
+# samba_trusted_domains:
+#   - name: ad.fws.fr
+#     admin_user: administrator
+#     admin_pass: s3cret
+
+# samba_tls_cert: 
+# samba_tls_key: 
+# samba_tls_ca: 
+#
+# Or
+#
+# samba_tls_letsencrypt_cert: 
+
+
+# samba_min_protocol: NT1
+# samba_max_protocol: SMB3

roles/samba/files/dehydrated_deploy_hook

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/sbin/service samba restart

roles/samba/files/ldb_modules_samba.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+export LDB_MODULES_PATH=/usr/lib64/samba/ldb

roles/samba/files/samba-dc.te

@@ -0,0 +1,11 @@
+module samba-dc 1.0;
+
+require {
+        type ntpd_var_run_t;
+        type chronyd_t;
+        class sock_file write;
+}
+
+#============= chronyd_t ==============
+allow chronyd_t ntpd_var_run_t:sock_file write;
+

roles/samba/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+
+- include: ../common/handlers/main.yml
+
+- name: reload samba
+  service:
+    name: "{{ (samba_role == 'dc' or samba_role == 'rodc') | ternary('samba','smb') }}"
+    state: reloaded
+

roles/samba/meta/main.yml

@@ -0,0 +1,9 @@
+---
+dependencies:
+  - role: repo_samba4
+  - role: repo_base
+  - role: mkdir
+  - role: rsync_server
+    when:
+      - samba_role == 'dc'
+      - inventory_hostname == samba_primary_dc

roles/samba/tasks/conf.yml

@@ -0,0 +1,157 @@
+---
+
+- name: Setup env var for ldb tools
+  copy: src=ldb_modules_samba.sh dest=/etc/profile.d/ldb_modules_samba.sh mode=755
+  tags: samba
+
+- name: Link our DC keytab to the system keytab
+  file: src=/var/lib/samba/private/secrets.keytab dest=/etc/krb5.keytab state=link remote_src=True force=True
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  tags: samba
+
+  # This is for DC where their principal is added as uppercase HOST/FQDN
+  # it mostly work, except for ssh kerberos auth which requires lower case host/fqdn principal
+- name: Check if the keytab contains lowercase host principal
+  shell: klist -k /etc/krb5.keytab | grep 'host/{{ ansible_hostname }}.{{ samba_realm }}'
+  ignore_errors: True
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  changed_when: False
+  register: samba_lc_principal
+  tags: samba
+
+- name: Add lower case host principal to the keytab file
+  command: samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/{{ ansible_hostname }}.{{ samba_realm }}
+  when:
+    - samba_role == 'dc' or samba_role == 'rodc'
+    - samba_lc_principal.stdout_lines | length < 1
+  tags: samba
+
+- name: Add a tmpfiles.d snippet for permissions on ntp_signd socket dir
+  copy: content="d /var/lib/samba/ntp_signd 750 root chrony" dest=/etc/tmpfiles.d/samba_ntp.conf
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  register: samba_tmpfiles
+  tags: samba
+
+- name: Create tmpfiles
+  command: systemd-tmpfiles --create
+  when: samba_tmpfiles.changed
+  tags: samba
+
+- name: Deploy rsyncd snippet
+  template: src=rsyncd.conf.j2 dest=/etc/rsyncd.conf.d/samba_dc.conf
+  when: samba_i_am_primary_dc == True
+  tags: samba
+
+- name: Remove rsyncd snippet
+  file: path=/etc/rsyncd.conf.d/samba_dc.conf state=absent
+  when: not samba_i_am_primary_dc == True
+  tags: samba
+
+- name: Deploy sysvol rsync password file
+  copy: content={{ (samba_sysvol_rsync_pass is defined) | ternary(samba_i_am_primary_dc | ternary('sysvol-replication:','') + samba_sysvol_rsync_pass,'# No password defined') }} dest=/etc/samba/rsync-sysvol.secret mode=600
+  tags: samba
+
+- name: Setup cron to sync sysvol from primary DC
+  cron:
+    name: samba_sync_sysvol
+    cron_file: samba_sync_sysvol
+    minute: '*/16'
+    user: root
+    job: rsync -XAavz --delete-after {{ (samba_sysvol_rsync_pass is defined) | ternary('--password-file=/etc/samba/rsync-sysvol.secret','') }} rsync://{{ (samba_sysvol_rsync_pass is defined) | ternary('sysvol-replication@','') }}{{ samba_primary_dc }}/sysvol/ /var/lib/samba/sysvol/
+    state: "{{ samba_i_am_primary_dc | ternary('absent','present') }}"
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  tags: samba
+
+- name: Deploy dehydrated hook
+  copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/samba.sh mode=755
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  tags: samba
+
+- name: Remove dehydrated hook
+  file: path=/etc/dehydrated/hooks_deploy_cert.d/samba.sh state=absent
+  when: samba_role != 'dc' and samba_role != 'rodc'
+  tags: samba
+
+- name: Create DH param
+  command: openssl dhparam -out /var/lib/samba/private/tls/dhparam.pem 2048
+  args:
+    creates: /var/lib/samba/private/tls/dhparam.pem
+  tags: samba
+
+- name: Deploy smb.conf
+  template: src=smb.conf.j2 dest=/etc/samba/smb.conf
+  notify: reload samba
+  tags: samba
+
+- name: Check if there's a shares.conf snippet
+  stat: path=/etc/samba/smb.conf.d/shares.conf
+  register: samba_shares_snippet
+  tags: samba
+
+- name: Deploy an empty shares conf snippet
+  copy: content="# No shares defined yet" dest=/etc/samba/smb.conf.d/shares.conf
+  when: not samba_shares_snippet.stat.exists
+  tags: samba
+
+- name: Check if /etc/krb5.conf exists
+  stat: path=/etc/krb5.conf
+  register: samba_krb5_conf
+  tags: samba
+
+- name: Start and enable the samba daemon
+  service: name=samba state=started enabled=True
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  tags: samba
+
+- name: Reconfigure sssd
+  include_role: name=sssd_ad_auth
+  when:
+    - not samba_krb5_conf.stat.exists
+    - ad_auth is defined
+    - ad_auth
+  tags: samba
+
+- name: Check if winbind_cache exists
+  stat: path=/var/lib/samba/winbindd_cache.tdb
+  register: samba_winbind_cache
+  tags: samba
+
+- include_tasks: member_join.yml
+  when:
+    - samba_role == 'member'
+    - not samba_winbind_cache.stat.exists
+
+- name: Start and enable the smb daemon
+  service: name=smb state=started enabled=True
+  when: samba_role != 'dc' and samba_role != 'rodc'
+  tags: samba
+
+  # Here we just read the actual policy. This way, on the next task, we can update only the items we need
+- name: Check current password policy
+  shell: "samba-tool domain passwordsettings show | perl -ne 'm/^{{ samba_pwd_policy_descriptions[item] }}: (.*)/ && print $1'"
+  register: samba_dc_current_pwd_policy
+  changed_when: False
+  with_items: "{{ samba_pwd_policy.keys() | list }}"
+  when: samba_i_am_primary_dc == True
+  tags: samba
+
+- name: Set password policy
+  command: samba-tool domain passwordsettings set --{{ item.item }}={{ samba_pwd_policy[item.item] }}
+  with_items: "{{ samba_dc_current_pwd_policy.results }}"
+  when:
+    - samba_i_am_primary_dc == True
+    - item.stdout | string != samba_pwd_policy[item.item] | string
+  tags: samba
+
+- name: Deploy pre and post backup script
+  template: src={{ item.src }} dest={{ item.dest }} mode=755
+  with_items:
+    - src: samba_pre_backup.sh.j2
+      dest: /etc/backup/pre.d/samba.sh
+    - src: samba_post_backup.sh.j2
+      dest: /etc/backup/post.d/samba.sh
+  tags: samba
+
+- name: Deploy logrotate configuration
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/samba
+  tags: samba

roles/samba/tasks/directory.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Create samba tls dir
+  file: path=/var/lib/samba/private/tls state=directory mode=700
+  tags: samba
+
+- name: Create rsyncd conf snippet dir
+  file: path=/etc/rsyncd.conf.d/ state=directory
+  tags: samba
+
+- name: Create samba scripts dir
+  file: path=/var/lib/samba/scripts state=directory
+  tags: samba
+
+- name: Create conf.d directory
+  file: path=/etc/samba/smb.conf.d/ state=directory
+  tags: samba
+
+- name: Create JSON log dir
+  file: path=/var/log/samba/json state=directory
+  tags: samba
+

roles/samba/tasks/facts.yml

@@ -0,0 +1,49 @@
+---
+
+- set_fact: samba_tls_cert={{ '/var/lib/dehydrated/certificates/certs/' + samba_letsencrypt_cert + '/fullchain.pem' }}
+  when: samba_letsencrypt_cert is defined
+  tags: [cert,samba]
+
+- set_fact: samba_tls_key={{ '/var/lib/dehydrated/certificates/certs/' + samba_letsencrypt_cert + '/privkey.pem' }}
+  when: samba_letsencrypt_cert is defined
+  tags: [cert,samba]
+
+- set_fact: samba_i_am_primary_dc={{ (inventory_hostname == samba_primary_dc and samba_role == 'dc') | ternary(True,False) }}
+  tags: samba
+
+- name: Merge custom password complexity rules with default ones
+  set_fact: samba_pwd_policy={{ samba_base_pwd_policy | combine(samba_pwd_policy) }}
+  tags: samba
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: samba
+
+- name: Set a default samba domain
+  set_fact: samba_domain={{ ansible_domain | regex_replace('\.[a-z]+$','') }}
+  when: samba_domain is not defined
+  tags: samba
+
+- name: Check if domain is provisionned
+  stat: path=/var/lib/samba/sysvol/{{ samba_realm }}
+  register: samba_dc_sysvol
+  tags: samba
+
+- name: Add rsyncd port to the list of ports
+  set_fact: samba_dc_tcp_ports={{ samba_dc_tcp_ports + ['873'] }}
+  when: samba_i_am_primary_dc == True
+  tags: samba
+
+# sssd-ad can now be installed on EL8 with samba4 build from Tranquil IT
+# so don't turn ad_auth off anymore
+#- name: Disable ad_auth for samba DC
+#  set_fact: ad_auth=False
+#  when:
+#    - samba_role in [ 'dc', 'rodc' ]
+#    - ansible_os_family == 'RedHat'
+#    - ansible_distribution_major_version is version('8','>=')
+#  tags: samba

roles/samba/tasks/filebeat.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Deploy filebeat configuration
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_inputs.d/samba.yml
+  tags: samba,log

roles/samba/tasks/install.yml

@@ -0,0 +1,107 @@
+---
+
+- name: Install common packages
+  yum: name={{ samba_common_packages }}
+  tags: samba
+
+- name: Install DC components
+  yum: name={{ samba_dc_packages }}
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  tags: samba
+
+- name: Update ldb
+  yum: name=ldb-tools state=latest
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  tags: samba
+
+  # sssd-libwbclient breaks DC so only install on members
+- name: Install members components
+  yum: name=sssd-libwbclient
+  when:
+    - samba_role != 'dc'
+    - samba_role != 'rodc'
+  tags: samba
+
+- name: Remove config files
+  file: path={{ item }} state=absent
+  with_items:
+    - /etc/samba/smb.conf
+    - /etc/krb5.conf
+  when:
+    - samba_role == 'dc' or samba_role == 'rodc'
+    - not samba_dc_sysvol.stat.exists
+  tags: samba
+
+- name: Stop samba services
+  service: name={{ item }} state=stopped
+  with_items:
+    - samba
+    - smb
+    - nmb
+  when:
+    - samba_role == 'dc' or samba_role == 'rodc'
+    - not samba_dc_sysvol.stat.exists
+  tags: samba
+
+  # We need to have our correct hostname before joining the domain !!
+- name: Set system hostname
+  hostname: name={{ system_hostname | default(inventory_hostname | regex_replace('^([^\.]+)\..*','\\1')) }}
+  tags: samba
+
+- name: Try to join the domain (as DC)
+  command: >-
+    samba-tool domain join {{ samba_realm }} DC
+      --dns-backend SAMBA_INTERNAL
+      --realm {{ samba_realm }}
+      -U Administrator
+      --password={{ samba_dc_admin_pass | quote }}
+  when:
+    - samba_role == 'dc'
+    - not samba_dc_sysvol.stat.exists
+  register: samba_dc_join
+  environment:
+    LDB_MODULES_PATH: /usr/lib64/samba/ldb
+  ignore_errors: True
+  tags: samba
+
+  # If we're not the primary domain, and we can't join the domain
+  # and we haven't done it yet, we must fail
+- name: Fail if not the primary DC and joining the domain failed
+  fail: msg="Failed to join the domaine"
+  when:
+    - samba_dc_join is defined
+    - samba_dc_join.rc is defined
+    - samba_dc_join.rc != 0
+    - not samba_i_am_primary_dc == True
+    - not samba_dc_sysvol.stat.exists
+  tags: samba
+
+- name: Provision the domain
+  command: >-
+    samba-tool domain provision --server-role=dc
+      --dns-backend SAMBA_INTERNAL --realm {{ samba_realm }}
+      --domain {{ samba_domain }} --use-rfc2307
+      --adminpass={{ samba_dc_admin_pass | quote }}
+  when:
+    - not samba_dc_sysvol.stat.exists
+    - samba_i_am_primary_dc == True
+    - samba_dc_join.rc != 0
+  environment:
+    LDB_MODULES_PATH: /usr/lib64/samba/ldb
+  tags: samba
+
+- name: Join the domain (as RODC)
+  command: >-
+    samba-tool domain join {{ samba_realm }} RODC
+      --dns-backend SAMBA_INTERNAL
+      --realm {{ samba_realm }}
+      -U Administrator
+      --password={{ samba_dc_admin_pass | quote }}
+  no_log: True
+  when:
+    - samba_role == 'rodc'
+    - not samba_dc_sysvol.stat.exists
+  environment:
+    LDB_MODULES_PATH: /usr/lib64/samba/ldb
+  tags: samba
+

roles/samba/tasks/iptables.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Handle DNS ports
+  iptables_raw:
+    name: samba_dns_ports
+    state: "{{ (samba_dns_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ samba_dns_ports | join(',') }} -s {{ samba_dns_src_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -m state --state NEW -p udp -m multiport --dports {{ samba_dns_ports | join(',') }} -s {{ samba_dns_src_ip | join(',') }} -j ACCEPT"
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  tags: samba,firewall
+
+- name: Handle DC services ports
+  iptables_raw:
+    name: samba_dc_ports
+    state: "{{ (samba_dc_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ samba_dc_tcp_ports | join(',') }} -s {{ samba_dc_src_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -m state --state NEW -p udp -m multiport --dports {{ samba_dc_udp_ports | join(',') }} -s {{ samba_dc_src_ip | join(',') }} -j ACCEPT"
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  tags: samba,firewall
+
+- name: Handle other ports
+  iptables_raw:
+    name: samba_file_ports
+    state: "{{ (samba_file_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ samba_file_tcp_ports | join(',') }} -s {{ samba_file_src_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -m state --state NEW -p udp -m multiport --dports {{ samba_file_udp_ports | join(',') }} -s {{ samba_file_src_ip | join(',') }} -j ACCEPT"
+  tags: samba,firewall

roles/samba/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+- include: facts.yml
+- include: directory.yml
+- include: install.yml
+- include: conf.yml
+- include: selinux.yml
+  when: ansible_selinux.status == 'enabled'
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: filebeat.yml

roles/samba/tasks/member_join.yml

@@ -0,0 +1,10 @@
+---
+
+  # We should already be in the domain with adcli, but this is an
+  # easy way to add cifs/hostname principal to our keytab, and is needed to
+  # populate the secrets in secrets.tdb, which adcli doesn't do
+- name: Join the domain with net ads
+  command: net ads join {{ samba_realm | upper }} -U 'Administrator%{{ samba_dc_admin_pass }}'
+  no_log: True
+  tags: samba
+

roles/samba/tasks/selinux.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Set correct SELinux context on the ntp_signd socket dir
+  sefcontext:
+    target: "/var/lib/samba/ntp_signd(/.*)?"
+    setype: ntpd_var_run_t
+    state: present
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  register: samba_ntp_selinux
+  tags: samba
+
+- name: Restore SELinux context
+  command: restorecon -R /var/lib/samba/
+  when: samba_ntp_selinux is defined and samba_ntp_selinux.changed
+  tags: samba
+
+- name: Set SEbool
+  seboolean: name={{ item }} state=True persistent=True
+  when: samba_role == 'dc' or samba_role == 'rodc'
+  with_items:
+    - samba_domain_controller
+  tags: samba
+
+- name: Copy custom policy
+  copy: src=samba-dc.te dest=/etc/selinux/targeted/local/
+  register: samba_dc_selinux
+  tags: samba
+
+- name: Compile and load SELinux policy
+  shell: |
+    cd /etc/selinux/targeted/local/
+    checkmodule -M -m -o samba-dc.mod samba-dc.te
+    semodule_package -o samba-dc.pp -m samba-dc.mod
+    semodule -i /etc/selinux/targeted/local/samba-dc.pp
+  when: samba_dc_selinux is defined and samba_dc_selinux.changed
+  tags: samba

roles/samba/templates/filebeat.yml.j2

@@ -0,0 +1,7 @@
+- type: log
+  enabled: True
+  paths:
+    - /var/log/samba/json/*.log
+  exclude_files:
+    - '\.[gx]z$'
+    - '\.\d+$'

roles/samba/templates/logrotate.conf.j2

@@ -0,0 +1,11 @@
+/var/log/samba/*.log
+/var/log/samba/json/*.log
+/var/log/samba/log.*[!.][!xg][!z]
+{
+  daily
+  rotate 180
+  notifempty
+  compress
+  missingok
+  copytruncate
+}

roles/samba/templates/rsyncd.conf.j2

@@ -0,0 +1,10 @@
+[sysvol]
+path = /var/lib/samba/sysvol/
+comment = DC sysvol
+uid = root
+gid = root
+read only = yes
+{% if samba_sysvol_rsync_pass is defined %}
+auth users = sysvol-replication
+secrets file = /etc/samba/rsync-sysvol.secret
+{% endif %}

roles/samba/templates/samba_post_backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+rm -rf /home/lbkp/samba

roles/samba/templates/samba_pre_backup.sh.j2

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -eo pipefail
+
+LDB_MODULES_PATH=/usr/lib64/samba/ldb
+export LDB_MODULES_PATH
+
+mkdir -p /home/lbkp/samba/{private,ldif/sam.ldb.d,offline}
+tar cf /home/lbkp/samba/sysvol.tar.zst --use-compress-program=zstd -C /var/lib/samba/sysvol .
+find /var/lib/samba/private/ -type f -name \*.ldb | xargs tdbbackup
+pushd /var/lib/samba/private/ > /dev/null
+find . -type f -name \*.bak | xargs cp --parents -t /home/lbkp/samba/private/
+popd > /dev/null
+find /var/lib/samba/private -type f -name \*.bak | xargs rm -f
+find /home/lbkp/samba/private/ -type f -name \*.bak | while read F; do mv "$F" "${F%.bak}"; done
+tar cf /home/lbkp/samba/private.tar.zst --use-compress-program=zstd -C /home/lbkp/samba/private .
+rm -rf /home/lbkp/samba/private/
+for LDIF in $(find /var/lib/samba/private/ -type f -name \*.ldb); do
+  ldbsearch --url=$LDIF | zstd -c > /home/lbkp/samba/ldif/$(echo $LDIF | sed -e 's/\/var\/lib\/samba\/private//').ldif.zst
+done
+# Also take a more standard offline backup
+samba-tool domain backup offline --targetdir=/home/lbkp/samba/offline/

roles/samba/templates/smb.conf.j2

@@ -0,0 +1,55 @@
+[global]
+  netbios name = {{ samba_netbios_name | default(inventory_hostname | regex_replace('^([^\.]+)\..*','\\1') | upper ) }}
+  realm = {{ samba_realm | upper }}
+  workgroup = {{ samba_domain | upper }}
+  kerberos method = secrets and keytab
+  idmap config * : backend = tdb
+  idmap config * : range = 10000-19999
+  idmap config {{ samba_realm | upper }} : backend = sss
+{% for domain in samba_trusted_domains %}
+  idmap config {{ domain.name | upper }} : backend = sss
+{% endfor %}
+{% if samba_role == 'dc' %}
+  server role = active directory domain controller
+{% if samba_dns_forwarder is defined %}
+  dns forwarder = {{ samba_dns_forwarder }}
+{% endif %}
+{% elif samba_role == 'member' %}
+  server role = member server
+{% elif samba_role == 'standalone' %}
+  server role = standalone
+{% endif %}
+  logging = systemd@1 file
+  log level = {{ samba_log_level }}
+{% if samba_min_protocol is defined %}
+  server min protocol = {{ samba_min_protocol }}
+{% endif %}
+{% if samba_max_protocol is defined %}
+  server max protocol = {{ samba_max_protocol }}
+{% endif %}
+
+  # Log rotation is handled by logrotate
+  max log size = 0
+
+{% if samba_role == 'dc' or samba_role == 'rodc' %}
+  tls dh params file = tls/dhparam.pem
+{% if samba_tls_cert is defined and samba_tls_key is defined %}
+{% if samba_tls_ca is defined %}
+  tls cafile = {{ samba_tls_ca }}
+{% else %}
+  tls cafile = /etc/pki/tls/cert.pem
+{% endif %}
+  tls certfile = {{ samba_tls_cert }}
+  tls keyfile = {{ samba_tls_key }}
+{% endif %}
+
+[netlogon]
+  path = /var/lib/samba/sysvol/{{ samba_realm }}/scripts
+  read only = no
+
+[sysvol]
+  path = /var/lib/samba/sysvol
+  read only = no
+{% endif %}
+
+include = /etc/samba/smb.conf.d/shares.conf

roles/samba/vars/RedHat-7.yml

@@ -0,0 +1,16 @@
+---
+
+samba_common_packages:
+  - samba
+  - samba-client
+  - sssd-winbind-idmap
+  - openldap-clients
+  - policycoreutils-python
+  - tdb-tools
+
+samba_dc_packages:
+  - samba-dc
+  - ldb-tools
+  - krb5-workstation
+  - python36-markdown
+  - patch

roles/samba/vars/RedHat-8.yml

@@ -0,0 +1,16 @@
+---
+
+samba_common_packages:
+  - samba
+  - samba-client
+  - sssd-winbind-idmap
+  - openldap-clients
+  - policycoreutils-python-utils
+  - tdb-tools
+
+samba_dc_packages:
+  - samba-dc
+  - ldb-tools
+  - krb5-workstation
+  - python3-markdown
+  - patch