Merge pull request 'Refs #8142: Samba Server Deploy - Refactor variables to set hosts file' (!51) from 8142-samba_server_final into main

Reviewed-on: #51
Reviewed-by: Juan Ferrer <juan@verdnatura.es>
This commit is contained in:
Xavi Lleó 2025-01-30 07:11:04 +00:00
commit 0cfd0bfea5
2 changed files with 78 additions and 62 deletions


@ -1,4 +1,4 @@
realm: "{{domain}}.{{resolv_domain}}" realm: "{{domain}}.{{host_domain}}"
samba_client_services: samba_client_services:
- smbd - smbd
- nmbd - nmbd


@ -14,71 +14,62 @@
# apt install ldb-tools # apt install ldb-tools
# #
# samba-tool domain provision --use-rfc2307 --interactive # samba-tool domain provision --use-rfc2307 --interactive
#
# If we want to go 4.21
# - name: Add Debian backports repository
# apt_repository:
# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main"
# state: present
#
# - name: Update apt cache
# apt:
# update_cache: yes
- name: Gather installed packages - name: Install adSamba packages
package_facts: package:
name: "{{ dcsamba_base_packages }}"
# default_release: bookworm-backports # If we want to go 4.21
state: latest
- name: Check if metadata.tdb exists and is not empty - name: Add adsamba host to hosts file
blockinfile:
path: /etc/hosts
marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY"
block: |
{{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ host_domain }} {{ realm }}
- name: Check if metadata.tdb exists
stat: stat:
path: /var/lib/samba/private/sam.ldb.d/metadata.tdb path: /var/lib/samba/private/sam.ldb.d/metadata.tdb
register: metadata_tdb register: metadata_tdb
- name: Register domain existence - when: metadata_tdb.stat.exists is false
set_fact:
domain_exists: >-
{{
('samba-ad-provision' in ansible_facts.packages or
'samba-ad-dc' in ansible_facts.packages) and
(metadata_tdb.stat.exists and metadata_tdb.stat.size > 0)
}}
# If we want to go 4.21
#- name: Add Debian backports repository
# apt_repository:
# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main"
# state: present
#- name: Update apt cache
# apt:
# update_cache: yes
- when: "not domain_exists"
block: block:
- name: Install adSamba packages
package:
name: "{{ dcsamba_base_packages }}"
# default_release: bookworm-backports # If we want to go 4.21
state: latest
- name: Add adsamba host to hosts file
blockinfile:
path: /etc/hosts
marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY"
block: |
{{ ip_serverad1 }} {{ name_ip_serverad1}}.{{ domain }}.{{ resolv_domain }} {{ realm }}
- name: Force remove smb.conf file - name: Force remove smb.conf file
file: file:
path: /etc/samba/smb.conf path: /etc/samba/smb.conf
state: absent state: absent
force: yes force: yes
- name: Disable Samba client services and mask them
systemd:
name: "{{ item }}"
state: stopped
enabled: no
masked: yes
loop: "{{ samba_client_services }}"
- name: Join domain
command:
cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307
register: domain_join
- name: Show the domain join output with Administrator password - when: main_ad is true
debug: block:
msg: "{{ domain_join.stderr_lines[-6:] }}" - name: Provision domain
command:
cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307
register: domain_join
- name: Show the domain join output with Administrator password
debug:
msg: "{{ domain_join.stderr_lines[-6:] }}"
- when: main_ad is false
block:
- name: Join domain
shell: samba-tool domain join "{{ realm }}" DC -U"{{ domain | upper }}\administrator"
environment:
PASSWD: "{{ lookup(passbolt, 'ad_admin_password', folder_parent_id=passbolt_folder).password }}"
- name: Copy Kerberos configuration - name: Copy Kerberos configuration
copy: copy:
@ -88,18 +79,43 @@
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
when: domain_join.changed
- name: Enable and start Samba AD DC service - name: Enable and start Samba AD DC service
systemd: systemd:
name: samba-ad-dc name: samba-ad-dc
state: started state: started
enabled: yes enabled: yes
when: domain_join.changed
- name: Disable Samba client services and mask them
# Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS systemd:
# Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. name: "{{ item }}"
# Bloque de inizialización del dominio ## Hecho state: stopped
# Revisar la condicion de domain_join ## Hecho. enabled: no
# Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. masked: yes
loop: "{{ samba_client_services }}"
- name: Add A record to DNS
nsupdate:
key_name: 'rndc-key'
key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}"
key_algorithm: '{{ key_algorithm }}'
server: "{{ main_dns_server }}"
zone: '{{ host_domain }}'
ttl: '{{ ttl }}'
type: 'A'
record: '{{ inventory_hostname_short }}.{{ realm }}.'
value: '{{ ip_serverad }}'
state: present
- name: Add NS record to DNS
nsupdate:
key_name: 'rndc-key'
key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}"
key_algorithm: '{{ key_algorithm }}'
server: '{{ main_dns_server }}'
zone: '{{ host_domain }}'
ttl: '{{ ttl }}'
type: 'NS'
record: '{{ realm }}.'
value: '{{ inventory_hostname_short }}.{{ realm }}.'
state: present
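Review bot: The tasks that carry secrets have no `no_log: true`, so the join password handed over via `environment: PASSWD:` and the TSIG `key_secret` of both nsupdate tasks will be echoed in verbose runs and in failed-task output; add `no_log: true` to the `Join domain` task and to `Add A record to DNS` / `Add NS record to DNS`. The hosts-file entry falls back with `ip_serverad | default(ansible_default_ipv4.address)` while the A record uses the bare `{{ ip_serverad }}`, so with the variable unset the hosts line succeeds and the DNS task fails, and the two can otherwise disagree; use the same expression in both, e.g. `value: '{{ ip_serverad | default(ansible_default_ipv4.address) }}'`. `Join domain` uses `shell` with no `creates:`/`changed_when`, so it re-runs on every play unless it sits inside the `metadata_tdb.stat.exists is false` block, which the flattened rendering does not make clear; `command` with the same argv would also keep `{{ realm }}` out of shell parsing. The new `when: metadata_tdb.stat.exists is false` also drops the old `stat.size > 0` test, so an empty metadata.tdb left by an interrupted provision now skips provisioning.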