# Provisioning of Samba. Samba is able to serve as an Active Directory (AD) domain controller (DC).
# The entire process of setting up a Samba domain controller consists of 5 steps, which are relatively straightforward. These steps are as follows:
# 1. Installation of Samba and associated packages
# 2. Deletion of pre-configured Samba and Kerberos placeholder configuration files
# 3. Provisioning of Samba using the automatic provisioning tool
# 4. Editing smb.conf as needed (enabling Group Policy and/or other features); see Group Policy for more information
# 5. Any environmental configuration based on Unix/Linux Distribution
#
# https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance
# https://learn.microsoft.com/en-us/windows/win32/api/lmjoin/nf-lmjoin-netvalidatename
#
# Check local login with
# smbclient -L //localhost -U Administrator
# apt install ldb-tools
#
# samba-tool domain provision --use-rfc2307 --interactive
#
# If we want to move to Samba 4.21
# - name: Add Debian backports repository
# apt_repository:
# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main"
# state: present
#
# - name: Update apt cache
# apt:
# update_cache: yes
# Step 1: install Samba and its companion packages; the list is the dcsamba_base_packages variable.
# NOTE(review): state=latest upgrades whatever is installed on every run, so the task is not
# idempotent and an unplanned Samba upgrade can land on a domain controller — a pinned
# state=present plus a deliberate upgrade step is the usual alternative.
- name: Install adSamba packages
  ansible.builtin.package:
    name: "{{ dcsamba_base_packages }}"
    # default_release: bookworm-backports  # enable to move to Samba 4.21
    state: latest
# Map this host's FQDN and the realm name to its address in /etc/hosts, inside an
# Ansible-managed marker block so re-runs replace rather than append the entry.
# NOTE(review): the address falls back to ansible_default_ipv4.address here while the DNS
# A record task uses ip_serverad with no fallback, and the FQDN is built from
# ansible_facts['hostname'] + domain + host_domain here but inventory_hostname_short + realm
# there — confirm that both pairs resolve to the same values for every DC.
- name: Add adsamba host to hosts file
  ansible.builtin.blockinfile:
    path: /etc/hosts
    marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY"
    block: |
      {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ host_domain }} {{ realm }}
# Probe Samba's private sam.ldb.d/metadata.tdb; its presence is used by the block below as the
# marker that this host has already been provisioned or joined, so the destructive steps are
# skipped on re-runs.
- name: Check if metadata.tdb exists
  ansible.builtin.stat:
    path: /var/lib/samba/private/sam.ldb.d/metadata.tdb
  register: metadata_tdb
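# Steps 2-3 run only on a host that is not yet a DC, i.e. the metadata.tdb checked above is absent.
- when: not metadata_tdb.stat.exists
  block:
    # Step 2: drop the distribution's placeholder smb.conf so samba-tool can write its own.
    - name: Force remove smb.conf file
      ansible.builtin.file:
        path: /etc/samba/smb.conf
        state: absent
        force: true

    # main_ad is cast with | bool: a value supplied as a string (e.g. -e main_ad=true) matched
    # neither "is true" nor "is false", which silently skipped both the provision and the join
    # branch and left the host half-configured.
    - when: main_ad | bool
      block:
        # Step 3 (first DC): create the domain with the Samba-internal DNS backend.
        - name: Provision domain
          ansible.builtin.command:
            cmd: >-
              samba-tool domain provision
              --realm="{{ realm }}"
              --domain="{{ domain }}"
              --dns-backend=SAMBA_INTERNAL
              --server-role=dc
              --use-rfc2307
          register: domain_join

        # The generated Administrator password is among the last lines of stderr, so this task
        # writes it into the Ansible output and into any log or callback store that keeps it.
        # Prefer passing --adminpass from the same passbolt entry the join task below reads
        # (ad_admin_password) with no_log: true: nothing is printed, and the join branch then
        # authenticates with the password that was actually set.
        - name: Show the domain join output with Administrator password
          ansible.builtin.debug:
            msg: "{{ domain_join.stderr_lines[-6:] }}"

    - when: not (main_ad | bool)
      block:
        # Step 3 (additional DC): join the existing domain as a DC. samba-tool reads the
        # password from the PASSWD environment variable, so it never appears on the command
        # line. command + argv replaces shell: the templated realm/domain values are passed as
        # whole arguments and are never shell-interpreted; the YAML "\\" yields the single
        # backslash of DOMAIN\administrator.
        - name: Join domain
          ansible.builtin.command:
            argv:
              - samba-tool
              - domain
              - join
              - "{{ realm }}"
              - DC
              - "-U{{ domain | upper }}\\administrator"
          environment:
            PASSWD: "{{ lookup(passbolt, 'ad_admin_password', folder_parent_id=passbolt_folder).password }}"
          # Keeps the password-bearing environment and the task result out of verbose output;
          # set to false temporarily when a failed join has to be debugged.
          no_log: true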
# Install the krb5.conf from Samba's private directory (presumably written by samba-tool
# during provision/join) as the system-wide Kerberos configuration. remote_src is set
# because the source already lives on the managed host, not on the controller.
- name: Copy Kerberos configuration
  ansible.builtin.copy:
    src: /var/lib/samba/private/krb5.conf
    dest: /etc/krb5.conf
    remote_src: true
    owner: root
    group: root
    mode: "0644"
# Bring up the AD DC unit now and enable it for boot; idempotent, so it is safe outside
# the provision/join guard.
- name: Enable and start Samba AD DC service
  ansible.builtin.systemd:
    name: samba-ad-dc
    state: started
    enabled: true
# Stop, disable and mask every unit listed in samba_client_services (presumably the
# standalone Samba server/client units, which must not run alongside samba-ad-dc).
# Masking prevents a package upgrade or socket activation from starting them again.
- name: Disable Samba client services and mask them
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: stopped
    enabled: false
    masked: true
  loop: "{{ samba_client_services }}"
# Register this DC's A record in the parent zone (host_domain) on the main DNS server via a
# TSIG-signed dynamic update; the TSIG secret is fetched from passbolt at run time.
# NOTE(review): if 'rndc-key' is BIND's rndc control key, every DC host now holds a secret that
# can administer the DNS server — a dedicated TSIG key restricted by update-policy to this zone
# limits what a compromised DC can do.
# NOTE(review): value uses ip_serverad with no fallback while the /etc/hosts task defaults to
# ansible_default_ipv4.address; failing loudly on an undefined ip_serverad is the safer outcome,
# but the two tasks should take the address from the same source.
- name: Add A record to DNS
  community.general.nsupdate:
    key_name: rndc-key
    key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}"
    key_algorithm: "{{ key_algorithm }}"
    server: "{{ main_dns_server }}"
    zone: "{{ host_domain }}"
    ttl: "{{ ttl }}"
    type: A
    record: "{{ inventory_hostname_short }}.{{ realm }}."
    value: "{{ ip_serverad }}"
    state: present
# Delegate the realm from the parent zone (host_domain) to this DC: an NS record for
# "<realm>." whose target is the A record registered by the previous task. Since the task
# runs on every DC, each one presumably ends up listed in the delegation.
# NOTE(review): the update is signed with 'rndc-key'; if that is BIND's control key, a
# zone-scoped TSIG key would be the least-privilege choice.
- name: Add NS record to DNS
  community.general.nsupdate:
    key_name: rndc-key
    key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}"
    key_algorithm: "{{ key_algorithm }}"
    server: "{{ main_dns_server }}"
    zone: "{{ host_domain }}"
    ttl: "{{ ttl }}"
    type: NS
    record: "{{ realm }}."
    value: "{{ inventory_hostname_short }}.{{ realm }}."
    state: present