From 37d035491b0c2fe9f7b7af4b40343ce260da99cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 14 Jan 2025 09:49:12 +0100 Subject: [PATCH 01/16] Refs #8142: Samba Server Deploy - Refactor variables to set hosts file --- roles/services/tasks/adsamba.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 7852165..1addaf2 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -55,7 +55,7 @@ path: /etc/hosts marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" block: | - {{ ip_serverad1 }} {{ name_ip_serverad1}}.{{ domain }}.{{ resolv_domain }} {{ realm }} + {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }} - name: Force remove smb.conf file file: From 010b01c5b7a98fbff8e522de2f60c5b5640034f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 15 Jan 2025 15:54:54 +0100 Subject: [PATCH 02/16] refs #8142: Add dynamic DNS NS and A records for Samba server deployment --- roles/services/tasks/adsamba.yml | 49 ++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 3 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 1addaf2..4a3bd80 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml 
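Review bot: The new hosts entry falls back to `ansible_default_ipv4.address` when `ip_serverad` is unset, which silently picks the default-route interface on a multi-homed DC and can diverge from whatever address the rest of the role publishes for this host. Resolve the address once, e.g. `set_fact: ad_ip: "{{ ip_serverad | default(ansible_default_ipv4.address) }}"`, and consume `{{ ad_ip }}` here and wherever the DC's IP is written, so /etc/hosts, DNS records and provisioning cannot disagree. The `blockinfile` task this line belongs to starts outside the hunk.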
@@ -97,9 +97,52 @@ enabled: yes when: domain_join.changed - # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS - # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. - # Bloque de inizialización del dominio ## Hecho + # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS. Hecho. + # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. Hecho. + # Bloque de inizialización del dominio ## Hecho. # Revisar la condicion de domain_join ## Hecho. # Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. + +- name: Perform a DNS query to get the IP of google.es + command: "dig @{{ main_dns_server }} google.es +short" + register: dns_exists + +- name: Show the result of the DNS query + debug: + var: dns_exists.stdout + +- when: dns_exists + block: + + - name: Extracting variables + no_log: true + set_fact: + passwords: "{{ lookup(passbolt, 'rndc.key', folder_parent_id=passbolt_folder).password }}" + + - name: Add A record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: "{{ main_dns_server }}" + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'A' + record: '{{ name_ad }}.{{ realm }}.' + value: '{{ ip_serverad }}' + state: present + + + - name: Add NS record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: '{{ main_dns_server }}' + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'NS' + record: '{{ realm }}.' + value: '{{ name_ad }}.{{ realm }}.' + state: present \ No newline at end of file From e9c6253812b5893a2e1e2fd4d2b31d2a64849df6 Mon Sep 17 00:00:00 2001 
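Review bot: `when: dns_exists` never gates the block, because a registered result is always a non-empty dict, so the nsupdate tasks run whether or not dig returned anything; test the actual result, e.g. `when: dns_exists.rc == 0 and dns_exists.stdout | length > 0`, or drop the probe entirely since the `command` task already fails the play on a non-zero exit. The update secret being fetched is `rndc.key`, i.e. the nameserver's control-channel key reused as a TSIG update key; a dedicated TSIG key restricted with an `update-policy` to the `{{ realm }}` delegation would limit what a leaked automation secret can do, if the server side allows it. `value: '{{ ip_serverad }}'` has no default, whereas the hosts entry earlier in the file falls back to `ansible_default_ipv4.address`, so the glue A record and /etc/hosts can end up pointing at different addresses.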
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 15 Jan 2025 15:56:22 +0100 Subject: [PATCH 03/16] refs #8142: Reorder yml --- roles/services/tasks/adsamba.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 4a3bd80..4d1769c 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -97,12 +97,6 @@ enabled: yes when: domain_join.changed - # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS. Hecho. - # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. Hecho. - # Bloque de inizialización del dominio ## Hecho. - # Revisar la condicion de domain_join ## Hecho. - # Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. - - name: Perform a DNS query to get the IP of google.es command: "dig @{{ main_dns_server }} google.es +short" register: dns_exists @@ -132,7 +126,6 @@ value: '{{ ip_serverad }}' state: present - - name: Add NS record to DNS nsupdate: key_name: '{{ key_name }}' @@ -145,4 +138,9 @@ record: '{{ realm }}.' value: '{{ name_ad }}.{{ realm }}.' state: present - \ No newline at end of file + + # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS. Hecho. + # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. Hecho. + # Bloque de inizialización del dominio ## Hecho. + # Revisar la condicion de domain_join ## Hecho. + # Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. \ No newline at end of file From 40c1e21e93685ca1abbe11bafdb68264433103d3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 11:50:41 +0100 Subject: [PATCH 04/16] =?UTF-8?q?refs=20#8142:=20Package=20installation=20?= =?UTF-8?q?moved=20to=20the=20beginning.=C3=A7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/services/tasks/adsamba.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 4d1769c..b702422 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -18,6 +18,12 @@ - name: Gather installed packages package_facts: +- name: Install adSamba packages + package: + name: "{{ dcsamba_base_packages }}" + # default_release: bookworm-backports # If we want to go 4.21 + state: latest + - name: Check if metadata.tdb exists and is not empty stat: path: /var/lib/samba/private/sam.ldb.d/metadata.tdb @@ -44,12 +50,7 @@ - when: "not domain_exists" block: - - name: Install adSamba packages - package: - name: "{{ dcsamba_base_packages }}" - # default_release: bookworm-backports # If we want to go 4.21 - state: latest - + - name: Add adsamba host to hosts file blockinfile: path: /etc/hosts @@ -109,9 +110,13 @@ block: - name: Extracting variables - no_log: true + #no_log: true set_fact: - passwords: "{{ lookup(passbolt, 'rndc.key', folder_parent_id=passbolt_folder).password }}" + passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" + + - name: + debug: + msg: "Las variables son {{ key_name }} -- {{ passwords }} -- {{ key_algorithm }} -- {{ main_dns_server }} -- {{ resolv_domain }} -- {{ name_ad }}.{{ realm }}. -- {{ ip_serverad }}" - name: Add A record to DNS nsupdate: 
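Review bot: `state: latest` on the samba packages upgrades the domain controller on every run of the role rather than only when it is first applied, and a samba upgrade pulled in by an unrelated play can restart or break the DC at an unplanned time. Use `state: present` here and make upgrades a deliberate change (pinning a version, or the backports release already sketched in the comment), so package installation stays idempotent and predictable.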
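Review bot: Commenting out `no_log: true` and adding a `debug` that prints `{{ passwords }}` writes the TSIG key secret fetched from Passbolt into the playbook output and any callback or log sink behind it, where it persists long after this debugging session. Keep `no_log: true` on the `set_fact` and, if the other values need checking, print them without the secret, e.g. `msg: "{{ key_name }} -- {{ key_algorithm }} -- {{ main_dns_server }} -- {{ name_ad }}.{{ realm }}. -- {{ ip_serverad }}"`. The new task also has an empty `- name:`; give it a name so it can be found in output and skipped with tags.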
@@ -139,8 +144,3 @@ value: '{{ name_ad }}.{{ realm }}.' state: present - # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS. Hecho. - # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. Hecho. - # Bloque de inizialización del dominio ## Hecho. - # Revisar la condicion de domain_join ## Hecho. - # Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. \ No newline at end of file From 375cb1c1ccfece8e1cd5fb4cacba20552d9d1676 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 11:53:07 +0100 Subject: [PATCH 05/16] refs #8142: Refactor hosts file moved to the beginning. --- roles/services/tasks/adsamba.yml | 34 ++++++++++++++++---------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index b702422..9b659bb 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -14,6 +14,16 @@ # apt install ldb-tools # # samba-tool domain provision --use-rfc2307 --interactive +# +# If we want to go 4.21 +# - name: Add Debian backports repository +# apt_repository: +# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" +# state: present + +# - name: Update apt cache +# apt: +# update_cache: yes - name: Gather installed packages package_facts: @@ -24,6 +34,13 @@ # default_release: bookworm-backports # If we want to go 4.21 state: latest +- name: Add adsamba host to hosts file + blockinfile: + path: /etc/hosts + marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" + block: | + {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }} + - name: Check if metadata.tdb exists and is not empty stat: path: /var/lib/samba/private/sam.ldb.d/metadata.tdb 
@@ -38,26 +55,9 @@ (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0) }} -# If we want to go 4.21 -#- name: Add Debian backports repository -# apt_repository: -# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" -# state: present - -#- name: Update apt cache -# apt: -# update_cache: yes - - when: "not domain_exists" block: - - name: Add adsamba host to hosts file - blockinfile: - path: /etc/hosts - marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" - block: | - {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }} - - name: Force remove smb.conf file file: path: /etc/samba/smb.conf From 40ea739925bfb61983105efb8f3e6d2b3506c08d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 11:54:37 +0100 Subject: [PATCH 06/16] refs #8142: Disable Samba client services and mask them goes out block slice --- roles/services/tasks/adsamba.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 9b659bb..3325e0b 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -63,15 +63,7 @@ path: /etc/samba/smb.conf state: absent force: yes - - - name: Disable Samba client services and mask them - systemd: - name: "{{ item }}" - state: stopped - enabled: no - masked: yes - loop: "{{ samba_client_services }}" - + - name: Join domain command: cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 
@@ -97,6 +89,14 @@ state: started enabled: yes when: domain_join.changed + +- name: Disable Samba client services and mask them + systemd: + name: "{{ item }}" + state: stopped + enabled: no + masked: yes + loop: "{{ samba_client_services }}" - name: Perform a DNS query to get the IP of google.es command: "dig @{{ main_dns_server }} google.es +short" From 541a71c83ae5e7c905c66f014d7fa3381585624c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 11:57:48 +0100 Subject: [PATCH 07/16] refs #8142: - Remove DNS query used to check if main_dns_server failed --- roles/services/tasks/adsamba.yml | 71 +++++++++++++------------------- 1 file changed, 28 insertions(+), 43 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 3325e0b..f2025df 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml 
@@ -98,49 +98,34 @@ masked: yes loop: "{{ samba_client_services }}" -- name: Perform a DNS query to get the IP of google.es - command: "dig @{{ main_dns_server }} google.es +short" - register: dns_exists +- name: Extracting variables + #no_log: true + set_fact: + passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" -- name: Show the result of the DNS query - debug: - var: dns_exists.stdout +- name: Add A record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: "{{ main_dns_server }}" + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'A' + record: '{{ name_ad }}.{{ realm }}.' + value: '{{ ip_serverad }}' + state: present -- when: dns_exists - block: - - - name: Extracting variables - #no_log: true - set_fact: - passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - - - name: - debug: - msg: "Las variables son {{ key_name }} -- {{ passwords }} -- {{ key_algorithm }} -- {{ main_dns_server }} -- {{ resolv_domain }} -- {{ name_ad }}.{{ realm }}. -- {{ ip_serverad }}" - - - name: Add A record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: "{{ main_dns_server }}" - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'A' - record: '{{ name_ad }}.{{ realm }}.' - value: '{{ ip_serverad }}' - state: present - - - name: Add NS record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: '{{ main_dns_server }}' - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'NS' - record: '{{ realm }}.' - value: '{{ name_ad }}.{{ realm }}.' 
- state: present +- name: Add NS record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: '{{ main_dns_server }}' + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'NS' + record: '{{ realm }}.' + value: '{{ name_ad }}.{{ realm }}.' + state: present From 56ed72d0a11db2ef1d9985cd11f9ad1294ae7f3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 11:59:17 +0100 Subject: [PATCH 08/16] refs #8142: - Extracting variables - no_log: yes --- roles/services/tasks/adsamba.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index f2025df..0449343 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -99,7 +99,7 @@ loop: "{{ samba_client_services }}" - name: Extracting variables - #no_log: true + no_log: true set_fact: passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" From 0283612eb40d5391676fd678c40a28b4623b191f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 14:49:22 +0100 Subject: [PATCH 09/16] refs #8142: Remove recollecting package facts and add DNS records within the block. --- roles/services/tasks/adsamba.yml | 66 +++++++++++++++----------------- 1 file changed, 31 insertions(+), 35 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 0449343..a48dbe2 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -25,9 +25,6 @@ # apt: # update_cache: yes -- name: Gather installed packages - package_facts: - - name: Install adSamba packages package: name: "{{ dcsamba_base_packages }}" 
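Review bot: Dropping the `package_facts` task leaves `ansible_facts.packages` undefined, and the `Register domain existence` set_fact further down the file (outside this hunk) still reads it to compute `domain_exists`, so the play will now stop with an undefined-variable error before reaching the provisioning block. Either keep the `package_facts` call or rewrite `domain_exists` to depend only on the stat result, e.g. `domain_exists: "{{ metadata_tdb.stat.exists and metadata_tdb.stat.size > 0 }}"`.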
@@ -90,6 +87,37 @@ enabled: yes when: domain_join.changed + - name: Extracting variables + no_log: true + set_fact: + passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" + + - name: Add A record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: "{{ main_dns_server }}" + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'A' + record: '{{ name_ad }}.{{ realm }}.' + value: '{{ ip_serverad }}' + state: present + + - name: Add NS record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: '{{ main_dns_server }}' + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'NS' + record: '{{ realm }}.' + value: '{{ name_ad }}.{{ realm }}.' + state: present + - name: Disable Samba client services and mask them systemd: name: "{{ item }}" @@ -97,35 +125,3 @@ enabled: no masked: yes loop: "{{ samba_client_services }}" - -- name: Extracting variables - no_log: true - set_fact: - passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - -- name: Add A record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: "{{ main_dns_server }}" - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'A' - record: '{{ name_ad }}.{{ realm }}.' - value: '{{ ip_serverad }}' - state: present - -- name: Add NS record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: '{{ main_dns_server }}' - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'NS' - record: '{{ realm }}.' - value: '{{ name_ad }}.{{ realm }}.' - state: present - From e460ddba6b40f5dc64b34ed872c513ef6a4d06b8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 16:11:25 +0100 Subject: [PATCH 10/16] refs #8142: Split tasks using the new main_ad variable --- roles/services/tasks/adsamba.yml | 101 +++++++++++++++---------------- 1 file changed, 50 insertions(+), 51 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index a48dbe2..34b6b92 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -38,21 +38,12 @@ block: | {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }} -- name: Check if metadata.tdb exists and is not empty +- name: Check if metadata.tdb exists stat: path: /var/lib/samba/private/sam.ldb.d/metadata.tdb register: metadata_tdb -- name: Register domain existence - set_fact: - domain_exists: >- - {{ - ('samba-ad-provision' in ansible_facts.packages or - 'samba-ad-dc' in ansible_facts.packages) and - (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0) - }} - -- when: "not domain_exists" +- when: metadata_tdb.stat.exists is false block: - name: Force remove smb.conf file 
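Review bot: `when: metadata_tdb.stat.exists is false` drops the `stat.size > 0` half of the old check, so an empty `metadata.tdb` left behind by an interrupted provision now counts as an existing domain, the whole provisioning block is skipped and the play ends green on a host that is neither provisioned nor joined. Keep the size test: `when: not (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0)`. The `block` this condition guards continues past the end of the hunk.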
@@ -61,14 +52,55 @@ state: absent force: yes - - name: Join domain - command: - cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 - register: domain_join + - when: main_ad is true + block: + - name: Provision domain + command: + cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 + register: domain_join + + - name: Show the domain join output with Administrator password + debug: + msg: "{{ domain_join.stderr_lines[-6:] }}" + + - name: Extracting variables + no_log: true + set_fact: + passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - - name: Show the domain join output with Administrator password - debug: - msg: "{{ domain_join.stderr_lines[-6:] }}" + - name: Add A record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: "{{ main_dns_server }}" + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'A' + record: '{{ name_ad }}.{{ realm }}.' + value: '{{ ip_serverad }}' + state: present + + - name: Add NS record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: '{{ main_dns_server }}' + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'NS' + record: '{{ realm }}.' + value: '{{ name_ad }}.{{ realm }}.' + state: present + + - when: main_ad is false + block: + - name: Join domain + debug: + msg: + - "metadata_tdb: {{ metadata_tdb }}" + - "main_ad: {{ main_ad }}" - name: Copy Kerberos configuration copy: 
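Review bot: The `Show the domain join output with Administrator password` task writes the freshly generated Administrator password (the last lines of the provision's stderr) into the playbook output and any log aggregation behind it, and the registered `domain_join` result keeps it for the rest of the play. Since the role already fetches secrets from Passbolt, consider supplying `--adminpass` from a Passbolt entry and marking the provision task `no_log: true`, so the credential never transits the logs; if it must be shown once, gate the debug behind an explicit extra-var rather than printing it on every run. Separately, `when: main_ad is true` is an identity test against the boolean `True`, so an inventory value written as the string `"true"` matches neither this branch nor `main_ad is false` and both blocks are silently skipped; `when: main_ad | bool` and `when: not (main_ad | bool)` are the robust forms.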
@@ -78,45 +110,12 @@ owner: root group: root mode: '0644' - when: domain_join.changed - name: Enable and start Samba AD DC service systemd: name: samba-ad-dc state: started enabled: yes - when: domain_join.changed - - - name: Extracting variables - no_log: true - set_fact: - passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - - - name: Add A record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: "{{ main_dns_server }}" - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'A' - record: '{{ name_ad }}.{{ realm }}.' - value: '{{ ip_serverad }}' - state: present - - - name: Add NS record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: '{{ main_dns_server }}' - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'NS' - record: '{{ realm }}.' - value: '{{ name_ad }}.{{ realm }}.' - state: present - name: Disable Samba client services and mask them systemd: From bf86ac2f1664a675d976b6229daccd9ecc77c9a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 17 Jan 2025 10:35:43 +0100 Subject: [PATCH 11/16] refs #8142: - Comments to get second ad server with samba-tool --- roles/services/tasks/adsamba.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 34b6b92..9652416 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -101,6 +101,7 @@ msg: - "metadata_tdb: {{ metadata_tdb }}" - "main_ad: {{ main_ad }}" + # Hay que recoger la password de passbolt, meterla en un fichero y leerla con --password-file para por último borrarla - name: Copy Kerberos configuration copy: From 67231faaf5b2e7ef5c08955f5a2eba5c24fc6160 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 20 Jan 2025 08:45:47 +0100 Subject: [PATCH 12/16] refs #8142: - Second domain --- roles/services/tasks/adsamba.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 9652416..30aff38 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -67,6 +67,10 @@ no_log: true set_fact: passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" + + - name: + debug: + msg: "{{ key_name }} {{ passwords }} {{ key_algorithm }} {{ main_dns_server }} {{ resolv_domain }} {{ ttl }} {{ name_ad }}.{{ realm }}. {{ ip_serverad }}" - name: Add A record to DNS nsupdate: @@ -97,11 +101,9 @@ - when: main_ad is false block: - name: Join domain - debug: - msg: - - "metadata_tdb: {{ metadata_tdb }}" - - "main_ad: {{ main_ad }}" - # Hay que recoger la password de passbolt, meterla en un fichero y leerla con --password-file para por último borrarla + shell: samba-tool domain join "activedirectory.lab.verdnatura.es" DC -U"ACTIVEDIRECTORY\administrator" + environment: + PASSWD: aWZ::bpl))6&r)iHd,7-8NH&-M - name: Copy Kerberos configuration copy: From 4e7cc34e15e620da14b4d6046b079b66307e8c54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 20 Jan 2025 14:04:46 +0100 Subject: [PATCH 13/16] refs #8142: - Second domain final tasks --- roles/services/tasks/adsamba.yml | 86 ++++++++++++++++---------------- 1 file changed, 44 insertions(+), 42 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 30aff38..187e6dc 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml 
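Review bot: The new unnamed `debug` task prints `{{ passwords }}`, the TSIG key secret fetched under `no_log: true` a few lines above, so the secret lands in the playbook output and any log sink regardless of the `no_log`. Delete the task, or print only the non-secret values; development-time debug output that is not behind a verbosity or extra-var gate should not reach the shared branch.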
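Review bot: The `Join domain` task embeds the domain Administrator password in clear text (`PASSWD: aWZ::…`) and commits it to the repository, so it is now part of git history and recoverable from every clone whatever later commits do; that credential should be treated as compromised and rotated, and the history scrubbed if the repository is shared. Fetch it at run time from Passbolt the same way the role already fetches the TSIG key, e.g. `PASSWD: "{{ lookup(passbolt, 'ad_admin_password', folder_parent_id=passbolt_folder).password }}"`, and put `no_log: true` on the task so the environment does not surface in failure output. The realm `activedirectory.lab.verdnatura.es` and `ACTIVEDIRECTORY\administrator` are also hard-coded although `realm` and `domain` variables exist; `samba-tool domain join "{{ realm }}" DC -U"{{ domain | upper }}\administrator"` keeps the task usable outside the lab.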
@@ -17,13 +17,13 @@ # # If we want to go 4.21 # - name: Add Debian backports repository -# apt_repository: -# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" -# state: present - +# apt_repository: +# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" +# state: present +# # - name: Update apt cache -# apt: -# update_cache: yes +# apt: +# update_cache: yes - name: Install adSamba packages package: @@ -36,7 +36,7 @@ path: /etc/hosts marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" block: | - {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }} + {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ host_domain }} {{ realm }} - name: Check if metadata.tdb exists stat: 
@@ -63,47 +63,18 @@ debug: msg: "{{ domain_join.stderr_lines[-6:] }}" + - when: main_ad is false + block: + - name: Extracting variables no_log: true set_fact: - passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - - - name: - debug: - msg: "{{ key_name }} {{ passwords }} {{ key_algorithm }} {{ main_dns_server }} {{ resolv_domain }} {{ ttl }} {{ name_ad }}.{{ realm }}. {{ ip_serverad }}" + passwad_admin_password: "{{ lookup(passbolt, ad_admin_password_name, folder_parent_id=passbolt_folder).password }}" - - name: Add A record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: "{{ main_dns_server }}" - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'A' - record: '{{ name_ad }}.{{ realm }}.' - value: '{{ ip_serverad }}' - state: present - - - name: Add NS record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: '{{ main_dns_server }}' - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'NS' - record: '{{ realm }}.' - value: '{{ name_ad }}.{{ realm }}.' - state: present - - - when: main_ad is false - block: - name: Join domain - shell: samba-tool domain join "activedirectory.lab.verdnatura.es" DC -U"ACTIVEDIRECTORY\administrator" + shell: samba-tool domain join "{{ realm }}" DC -U"{{ domain | upper }}\administrator" environment: - PASSWD: aWZ::bpl))6&r)iHd,7-8NH&-M + PASSWD: "{{ passwad_admin_password }}" - name: Copy Kerberos configuration copy: 
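Review bot: The `Join domain` task runs with the Administrator password in `PASSWD` but carries no `no_log: true`, so on failure the task result (and at higher verbosity the wrapped command) can surface the credential in the output; add `no_log: true` to it. Nothing in the command needs a shell, so `command:` is preferable to `shell:` for a line that mixes `\`, `"` and Jinja output. Also, the hosts entry earlier in the file maps `{{ realm }}` to this host's own address, so on a DC that is not yet joined the realm may resolve to itself rather than to an existing DC; if the join fails that way, point it at the primary explicitly (`--server`, if the installed samba-tool offers it, or an address the primary DC actually answers on). The `main_ad is false` block continues past the hunk.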
@@ -127,3 +98,34 @@ enabled: no masked: yes loop: "{{ samba_client_services }}" + +- name: Extracting variables + no_log: true + set_fact: + passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" + +- name: Add A record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: "{{ main_dns_server }}" + zone: '{{ host_domain }}' + ttl: '{{ ttl }}' + type: 'A' + record: '{{ inventory_hostname_short }}.{{ realm }}.' + value: '{{ ip_serverad }}' + state: present + +- name: Add NS record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: '{{ main_dns_server }}' + zone: '{{ host_domain }}' + ttl: '{{ ttl }}' + type: 'NS' + record: '{{ realm }}.' + value: '{{ inventory_hostname_short }}.{{ realm }}.' + state: present From 25c7f62cc34b2fefdabd432c8e4f7db63e01487e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 20 Jan 2025 14:39:38 +0100 Subject: [PATCH 14/16] refs #8142: - Second domain - change variable resolv_domain to host_domain --- roles/services/defaults/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml index efbbcdd..05c6778 100644 --- a/roles/services/defaults/main.yaml +++ b/roles/services/defaults/main.yaml @@ -1,4 +1,4 @@ -realm: "{{domain}}.{{resolv_domain}}" +realm: "{{domain}}.{{host_domain}}" samba_client_services: - smbd - nmbd From 654b263523dc398562ef742778bcebd8b5935cb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 24 Jan 2025 15:47:01 +0100 Subject: [PATCH 15/16] refs #8142 Simplify the way to extract passwords and variables and secrets --- roles/services/tasks/adsamba.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
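Review bot: The NS task writes a single `value` of the current host for `record: '{{ realm }}.'`, and because these tasks now sit at top level they run on every DC, so each run from a different DC rewrites the delegation to that one host instead of accumulating both; as far as I recall the `nsupdate` module replaces the rrset when the existing values differ, in which case the delegation will flip between DCs on every run. Pass the complete set of DC names as a list in `value:` (built from the inventory group that holds the DCs), so the record is stable regardless of which host applied it last. `value: '{{ ip_serverad }}'` in the A task still has no default while the hosts entry falls back to `ansible_default_ipv4.address`, and the `Extracting variables` set_fact plus both nsupdate tasks now run unconditionally, even on hosts where `metadata_tdb` already existed and nothing changed.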
diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 187e6dc..75e95d3 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -66,15 +66,10 @@ - when: main_ad is false block: - - name: Extracting variables - no_log: true - set_fact: - passwad_admin_password: "{{ lookup(passbolt, ad_admin_password_name, folder_parent_id=passbolt_folder).password }}" - - name: Join domain shell: samba-tool domain join "{{ realm }}" DC -U"{{ domain | upper }}\administrator" environment: - PASSWD: "{{ passwad_admin_password }}" + PASSWD: "{{ lookup(passbolt, 'ad_admin_password', folder_parent_id=passbolt_folder).password }}" - name: Copy Kerberos configuration copy: From 892f3c61e2178e420a0945f85450e47e7332740d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 29 Jan 2025 14:13:57 +0100 Subject: [PATCH 16/16] refs #8142 - Refactor the method for retrieving the RNDC key --- roles/services/tasks/adsamba.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 75e95d3..0fae7b3 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -94,15 +94,10 @@ masked: yes loop: "{{ samba_client_services }}" -- name: Extracting variables - no_log: true - set_fact: - passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - - name: Add A record to DNS nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' + key_name: 'rndc-key' + key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}" key_algorithm: '{{ key_algorithm }}' server: "{{ main_dns_server }}" zone: '{{ host_domain }}' 
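Review bot: Moving the Passbolt lookup inline into `environment: PASSWD` removes the only `no_log: true` that covered the Administrator password, and the `Join domain` task itself still has none, so a failed join (or a verbose run) can print the environment with the credential; add `no_log: true` to the task. The lookup now hard-codes the entry name `'ad_admin_password'` where the previous version read it from `ad_admin_password_name`; keeping the name in a variable lets inventories point at different entries (lab vs. production) without editing the role.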
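Review bot: `key_name: 'rndc-key'` is now hard-coded in the nsupdate tasks while `key_algorithm` and `main_dns_server` remain variables, so renaming the key on the nameserver means editing the role in two places; keep `key_name` as a variable and reuse it for the Passbolt entry as before (`key_secret: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}"`). The inline lookup also drops the `no_log: true` that wrapped the secret; `nsupdate` marks `key_secret` as a no-log parameter as far as I recall, but adding `no_log: true` to both tasks costs nothing and does not depend on that. Each task now performs its own Passbolt API call; a single `no_log` `set_fact` or a play-level var avoids the duplicate fetch.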
@@ -114,8 +109,8 @@ - name: Add NS record to DNS nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' + key_name: 'rndc-key' + key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}" key_algorithm: '{{ key_algorithm }}' server: '{{ main_dns_server }}' zone: '{{ host_domain }}'