Update to 2021-12-01 19:13

roles/samba/templates/filebeat.yml.j2

@@ -0,0 +1,7 @@
+- type: log
+  enabled: True
+  paths:
+    - /var/log/samba/json/*.log
+  exclude_files:
+    - '\.[gx]z$'
+    - '\.\d+$'

roles/samba/templates/logrotate.conf.j2

@@ -0,0 +1,11 @@
+/var/log/samba/*.log
+/var/log/samba/json/*.log
+/var/log/samba/log.*[!.][!xg][!z]
+{
+  daily
+  rotate 180
+  notifempty
+  compress
+  missingok
+  copytruncate
+}

roles/samba/templates/rsyncd.conf.j2

@@ -0,0 +1,10 @@
+[sysvol]
+path = /var/lib/samba/sysvol/
+comment = DC sysvol
+uid = root
+gid = root
+read only = yes
+{% if samba_sysvol_rsync_pass is defined %}
+auth users = sysvol-replication
+secrets file = /etc/samba/rsync-sysvol.secret
+{% endif %}

roles/samba/templates/samba_post_backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+rm -rf /home/lbkp/samba

roles/samba/templates/samba_pre_backup.sh.j2

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -eo pipefail
+
+LDB_MODULES_PATH=/usr/lib64/samba/ldb
+export LDB_MODULES_PATH
+
+mkdir -p /home/lbkp/samba/{private,ldif/sam.ldb.d,offline}
+tar cf /home/lbkp/samba/sysvol.tar.zst --use-compress-program=zstd -C /var/lib/samba/sysvol .
+find /var/lib/samba/private/ -type f -name \*.ldb | xargs tdbbackup
+pushd /var/lib/samba/private/ > /dev/null
+find . -type f -name \*.bak | xargs cp --parents -t /home/lbkp/samba/private/
+popd > /dev/null
+find /var/lib/samba/private -type f -name \*.bak | xargs rm -f
+find /home/lbkp/samba/private/ -type f -name \*.bak | while read F; do mv "$F" "${F%.bak}"; done
+tar cf /home/lbkp/samba/private.tar.zst --use-compress-program=zstd -C /home/lbkp/samba/private .
+rm -rf /home/lbkp/samba/private/
+for LDIF in $(find /var/lib/samba/private/ -type f -name \*.ldb); do
+  ldbsearch --url=$LDIF | zstd -c > /home/lbkp/samba/ldif/$(echo $LDIF | sed -e 's/\/var\/lib\/samba\/private//').ldif.zst
+done
+# Also take a more standard offline backup
+samba-tool domain backup offline --targetdir=/home/lbkp/samba/offline/

roles/samba/templates/smb.conf.j2

@@ -0,0 +1,55 @@
+[global]
+  netbios name = {{ samba_netbios_name | default(inventory_hostname | regex_replace('^([^\.]+)\..*','\\1') | upper ) }}
+  realm = {{ samba_realm | upper }}
+  workgroup = {{ samba_domain | upper }}
+  kerberos method = secrets and keytab
+  idmap config * : backend = tdb
+  idmap config * : range = 10000-19999
+  idmap config {{ samba_realm | upper }} : backend = sss
+{% for domain in samba_trusted_domains %}
+  idmap config {{ domain.name | upper }} : backend = sss
+{% endfor %}
+{% if samba_role == 'dc' %}
+  server role = active directory domain controller
+{% if samba_dns_forwarder is defined %}
+  dns forwarder = {{ samba_dns_forwarder }}
+{% endif %}
+{% elif samba_role == 'member' %}
+  server role = member server
+{% elif samba_role == 'standalone' %}
+  server role = standalone
+{% endif %}
+  logging = systemd@1 file
+  log level = {{ samba_log_level }}
+{% if samba_min_protocol is defined %}
+  server min protocol = {{ samba_min_protocol }}
+{% endif %}
+{% if samba_max_protocol is defined %}
+  server max protocol = {{ samba_max_protocol }}
+{% endif %}
+
+  # Log rotation is handled by logrotate
+  max log size = 0
+
+{% if samba_role == 'dc' or samba_role == 'rodc' %}
+  tls dh params file = tls/dhparam.pem
+{% if samba_tls_cert is defined and samba_tls_key is defined %}
+{% if samba_tls_ca is defined %}
+  tls cafile = {{ samba_tls_ca }}
+{% else %}
+  tls cafile = /etc/pki/tls/cert.pem
+{% endif %}
+  tls certfile = {{ samba_tls_cert }}
+  tls keyfile = {{ samba_tls_key }}
+{% endif %}
+
+[netlogon]
+  path = /var/lib/samba/sysvol/{{ samba_realm }}/scripts
+  read only = no
+
+[sysvol]
+  path = /var/lib/samba/sysvol
+  read only = no
+{% endif %}
+
+include = /etc/samba/smb.conf.d/shares.conf