diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml
index 77fbac6..31d27a4 100644
--- a/roles/services/defaults/main.yaml
+++ b/roles/services/defaults/main.yaml
@@ -1,4 +1,4 @@
-realm: "{{domain}}.{{resolv_domain}}"
+realm: "{{domain}}.{{host_domain}}"
 samba_client_services:
 - smbd
 - nmbd
diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml
index 7852165..0fae7b3 100644
--- a/roles/services/tasks/adsamba.yml
+++ b/roles/services/tasks/adsamba.yml
@@ -14,71 +14,62 @@ # apt install ldb-tools # # samba-tool domain provision --use-rfc2307 --interactive +# +# If we want to go 4.21 +# - name: Add Debian backports repository +# apt_repository: +# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" +# state: present +# +# - name: Update apt cache +# apt: +# update_cache: yes -- name: Gather installed packages - package_facts: +- name: Install adSamba packages + package: + name: "{{ dcsamba_base_packages }}" + # default_release: bookworm-backports # If we want to go 4.21 + state: latest -- name: Check if metadata.tdb exists and is not empty +- name: Add adsamba host to hosts file + blockinfile: + path: /etc/hosts + marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" + block: | + {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ host_domain }} {{ realm }} + +- name: Check if metadata.tdb exists stat: path: /var/lib/samba/private/sam.ldb.d/metadata.tdb register: metadata_tdb -- name: Register domain existence - set_fact: - domain_exists: >- - {{ - ('samba-ad-provision' in ansible_facts.packages or - 'samba-ad-dc' in ansible_facts.packages) and - (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0) - }} - -# If we want to go 4.21 -#- name: Add Debian backports repository -# apt_repository: -# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" -# state: present - -#- name: Update apt cache -# apt: -# update_cache: yes - -- when: "not domain_exists" +- when: metadata_tdb.stat.exists is false block: - - name: Install adSamba packages - package: - name: "{{ dcsamba_base_packages }}" - # default_release: bookworm-backports # If we want to go 4.21 - state: latest - - - name: Add adsamba host to hosts file - blockinfile: - path: /etc/hosts - marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" - block: | - {{ ip_serverad1 }} {{ name_ip_serverad1}}.{{ domain }}.{{ resolv_domain 
}} {{ realm }} - + - name: Force remove smb.conf file file: path: /etc/samba/smb.conf state: absent force: yes - - - name: Disable Samba client services and mask them - systemd: - name: "{{ item }}" - state: stopped - enabled: no - masked: yes - loop: "{{ samba_client_services }}" - - - name: Join domain - command: - cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 - register: domain_join - - name: Show the domain join output with Administrator password - debug: - msg: "{{ domain_join.stderr_lines[-6:] }}" + - when: main_ad is true + block: + - name: Provision domain + command: + cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 + register: domain_join + + - name: Show the domain join output with Administrator password + debug: + msg: "{{ domain_join.stderr_lines[-6:] }}" + + - when: main_ad is false + block: + + - name: Join domain + shell: samba-tool domain join "{{ realm }}" DC -U"{{ domain | upper }}\administrator" + environment: + PASSWD: "{{ lookup(passbolt, 'ad_admin_password', folder_parent_id=passbolt_folder).password }}" - name: Copy Kerberos configuration copy: 
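Review bot: The provision branch prints the generated Administrator password to the play output through `debug: msg: "{{ domain_join.stderr_lines[-6:] }}"`, while the join branch reads that same credential from Passbolt as `ad_admin_password`, so the secret lands in controller and CI logs and then has to be copied into Passbolt by hand. Supplying the stored value at provision time, `cmd: samba-tool domain provision ... --adminpass="{{ lookup(passbolt, 'ad_admin_password', folder_parent_id=passbolt_folder).password }}"`, with `no_log: true` on that task and on the `Join domain` task, keeps both branches on one credential and out of the logs, and the debug task can then be dropped. Separately, `Install adSamba packages` now runs unguarded on every play with `state: latest`, which will upgrade samba on an already-provisioned DC; `state: present` is the safer default. The new `when: metadata_tdb.stat.exists is false` guard also drops the old `stat.size > 0` check, so a zero-byte metadata.tdb left by an aborted provision skips the whole block — `when: not metadata_tdb.stat.exists or metadata_tdb.stat.size == 0` restores it. The `Copy Kerberos configuration` task continues outside this hunk.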
@@ -88,18 +79,43 @@ owner: root group: root mode: '0644' - when: domain_join.changed - name: Enable and start Samba AD DC service systemd: name: samba-ad-dc state: started enabled: yes - when: domain_join.changed - - # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS - # Luego hay que crear la delegaciĆ³n # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. - # Bloque de inizializaciĆ³n del dominio ## Hecho - # Revisar la condicion de domain_join ## Hecho. - # Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. - \ No newline at end of file + +- name: Disable Samba client services and mask them + systemd: + name: "{{ item }}" + state: stopped + enabled: no + masked: yes + loop: "{{ samba_client_services }}" + +- name: Add A record to DNS + nsupdate: + key_name: 'rndc-key' + key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}" + key_algorithm: '{{ key_algorithm }}' + server: "{{ main_dns_server }}" + zone: '{{ host_domain }}' + ttl: '{{ ttl }}' + type: 'A' + record: '{{ inventory_hostname_short }}.{{ realm }}.' + value: '{{ ip_serverad }}' + state: present + +- name: Add NS record to DNS + nsupdate: + key_name: 'rndc-key' + key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}" + key_algorithm: '{{ key_algorithm }}' + server: '{{ main_dns_server }}' + zone: '{{ host_domain }}' + ttl: '{{ ttl }}' + type: 'NS' + record: '{{ realm }}.' + value: '{{ inventory_hostname_short }}.{{ realm }}.' + state: present
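Review bot: `Add A record to DNS` uses `value: '{{ ip_serverad }}'` while the /etc/hosts entry written earlier in this commit falls back to `ip_serverad | default(ansible_default_ipv4.address)`, so a host without `ip_serverad` gets a hosts entry and then fails at the DNS step with an undefined-variable error; use the same expression in both places, or drop the default so both fail the same way. The Passbolt `rndc-key` lookup is repeated verbatim in both nsupdate tasks; resolving it once, for example in a `set_fact` with `no_log: true` or a task-level `vars:` entry, gives a single retrieval and one place to suppress logging. The two tasks also mix quoting for the same value (`server: "{{ main_dns_server }}"` versus `server: '{{ main_dns_server }}'`); pick one style. `key_algorithm`, `ttl` and `main_dns_server` have no visible default in the hunk — if they are not set in `roles/services/defaults/main.yaml`, an entry there or an `assert` at the top of the file would turn a late undefined-variable failure into a clear message.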