From 3591e9be837a44e8f8ba93b7dc5e49b534d74668 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Fri, 10 Jan 2025 15:01:58 +0100
Subject: [PATCH 1/3] refs #8142 Samba Packages

---
 roles/services/defaults/main.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml
index f102d75..262279c 100644
--- a/roles/services/defaults/main.yaml
+++ b/roles/services/defaults/main.yaml
@@ -7,6 +7,13 @@ dcsamba_base_packages:
 - krb5-user
 - winbind
 - acl
+ - libnss-winbind
+ - libpam-winbind
+ - samba-ad-provision
+ - smbclient
+ - ldb-tools
+ - samba-dsdb-modules
+ - samba-vfs-modules
 mariadb_base_packages:
 - mariadb-server
 - mariadb-backup

From 46ba4a2b113239ec315829ec343b5590dfa687c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Fri, 10 Jan 2025 15:05:26 +0100
Subject: [PATCH 2/3] Refs #8142: Samba Server Deploy - Role WIP - Playbook in Services

---
 roles/services/tasks/adsamba.yml | 92 ++++++++++++++++++++++++++------
 1 file changed, 77 insertions(+), 15 deletions(-)

diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml
index fe8b880..fcb2419 100644
--- a/roles/services/tasks/adsamba.yml
+++ b/roles/services/tasks/adsamba.yml
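Review bot: The new entries pull in libpam-winbind, which on Debian-family hosts I believe registers itself with pam-auth-update and so alters the host's PAM stack (/etc/pam.d/common-auth and friends) as a side effect of the package install, and nothing in the list records that. A comment above the entry such as `# libpam-winbind: registers with pam-auth-update, review /etc/pam.d/common-* after install` would make the side effect visible to whoever maintains dcsamba_base_packages. The list is consumed by the package task in the second patch with state: latest, so every package added here is also upgraded on each run.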
@@ -1,15 +1,78 @@ +# Provisioning of Samba. Samba is able to serve as an Active Directory (AD) domain controller (DC). +# The entire process of setting up a Samba domain controller consists of 5 steps which are relatively straight forward. These steps are as follows: +# 1. Installation of Samba and associated packages +# 2. Deletion of pre-configured Samba and Kerberos placeholder configuration files +# 3. Provisioning of Samba using the automatic provisioning tool +# 4. Editing of the smb.conf as needed (enabling of Group Policy and/or other features as needed) see Group Policy for more information +# 5. Any environmental configuration based on Unix/Linux Distribution +# +# https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance +# https://learn.microsoft.com/en-us/windows/win32/api/lmjoin/nf-lmjoin-netvalidatename +# +# Check local login with +# smbclient -L //localhost -U Administrator +# apt install ldb-tools +# +# samba-tool domain provision --use-rfc2307 --interactive + +- name: Gather installed packages + package_facts: + +- name: Check if metadata.tdb exists and is not empty + stat: + path: /var/lib/samba/private/sam.ldb.d/metadata.tdb + register: metadata_tdb + +- name: Register domain existence + set_fact: + domain_exists: >- + {{ + ('samba-ad-provision' in ansible_facts.packages or + 'samba-ad-dc' in ansible_facts.packages) and + (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0) + }} + +- name: Fail if domain already exists and show message + fail: + msg: >- + The domain already exists on this machine. + Detected packages: + - samba-ad-provision: {{ 'samba-ad-provision' in ansible_facts.packages }}. + - samba-ad-dc: {{ 'samba-ad-dc' in ansible_facts.packages }}. + Metadata file exists: {{ metadata_tdb.stat.exists }}. + Metadata file size: {{ metadata_tdb.stat.size }}. + We can not continue. 
+ when: domain_exists + +# If we want to go 4.21 +#- name: Add Debian backports repository +# apt_repository: +# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" +# state: present + +#- name: Update apt cache +# apt: +# update_cache: yes + - name: Install adSamba packages package: name: "{{ dcsamba_base_packages }}" - state: present - install_recommends: no + # default_release: bookworm-backports # If we want to go 4.21 + state: latest - name: Add adsamba host to hosts file blockinfile: path: /etc/hosts marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" block: | - {{ dc1 }} dc1-test.samba-test.{{ resolv_domain }} + {{ dc1 }} dc1-ad.{{ domain + }}.{{ resolv_domain }} {{ realm }} + +- name: Force remove smb.conf file + file: + path: /etc/samba/smb.conf + state: absent + force: yes - name: Disable Samba client services and mask them systemd: 
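Review bot: `state: latest` on the `Install adSamba packages` task upgrades Samba in place on a domain controller every time the play runs, and the `install_recommends: no` it replaces is dropped without a note on why recommends are now wanted; `    state: present` keeps the run idempotent and leaves upgrades to a deliberate step. The `domain_exists` fact requires both a samba-ad package and a non-empty metadata.tdb, so a host that still holds /var/lib/samba/private data but has lost the package is treated as fresh and goes on to remove smb.conf and provision again; deciding on the metadata.tdb check alone (or OR-ing the two) is the safer condition. Depending on the ansible-core version, a folded `>-` expression in set_fact may also be stored as the string "False" rather than a boolean, which is truthy under `when: domain_exists`; appending `| bool` inside the expression removes that doubt. The hunk ends inside the `Disable Samba client services` task, whose body continues in the next hunk.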
@@ -19,31 +82,30 @@ masked: yes loop: "{{ samba_client_services }}" -- name: Check if server is already joined to domain +- name: Join domain command: - cmd: samba-tool domain info localhost - register: domain_info - failed_when: domain_info.rc != 0 and 'Cannot contact' not in domain_info.stderr - changed_when: false - -- name: Join domain as DC if not already joined - command: - cmd: samba-tool domain join samba."{{ resolv_domain }}" DC -U"SAMBA\\administrator" --option='idmap_ldb:use rfc2307 = yes' - when: "'Cannot contact' in domain_info.stderr" + cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 register: domain_join - changed_when: "'Joined domain' in domain_join.stdout" - name: Copy Kerberos configuration copy: - src: krb5.conf + src: /var/lib/samba/private/krb5.conf dest: /etc/krb5.conf remote_src: true owner: root group: root mode: '0644' + when: domain_join.changed - name: Enable and start Samba AD DC service systemd: name: samba-ad-dc state: started enabled: yes + when: domain_join.changed + +# Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS +# Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. +# Bloque de inizialización del dominio +# Revisar la condicion de domain_join +# Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. From bf4c17dbb6820d78536c6589a30911aea07c0161 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 13 Jan 2025 14:43:59 +0100 Subject: [PATCH 3/3] Refs #8142: Samba Server Deploy - Add default values, domain_join block, and display AD values --- roles/services/defaults/main.yaml | 1 + roles/services/tasks/adsamba.yml | 122 ++++++++++++++---------------- 2 files changed, 59 insertions(+), 64 deletions(-) 
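Review bot: `command` always reports changed, so `when: domain_join.changed` on the `Copy Kerberos configuration` and `Enable and start Samba AD DC service` tasks is always true and `samba-tool domain provision` is re-run on every play; adding `creates: /var/lib/samba/private/sam.ldb.d/metadata.tdb` (the file the earlier stat task already treats as the provisioned marker) under `command:` makes the task skip once provisioned and gives the changed guards meaning. The same shape is carried into the `when: "not domain_exists"` block in the third patch, so the fix applies there too. Dropping the old `failed_when` means a provision failure now fails the play, which is the right default here. The trailing Spanish comments (`Revisar la condicion de domain_join`, `Cuidado con la copia de KRB5`) already flag both of these points; once resolved they would read better removed than annotated.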
diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml
index 262279c..efbbcdd 100644
--- a/roles/services/defaults/main.yaml
+++ b/roles/services/defaults/main.yaml
@@ -1,3 +1,4 @@
+realm: "{{domain}}.{{resolv_domain}}"
 samba_client_services:
 - smbd
 - nmbd
diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml
index fcb2419..7852165 100644
--- a/roles/services/tasks/adsamba.yml
+++ b/roles/services/tasks/adsamba.yml
@@ -32,18 +32,6 @@
 (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0)
 }}
 
-- name: Fail if domain already exists and show message
- fail:
- msg: >-
- The domain already exists on this machine.
- Detected packages:
- - samba-ad-provision: {{ 'samba-ad-provision' in ansible_facts.packages }}.
- - samba-ad-dc: {{ 'samba-ad-dc' in ansible_facts.packages }}.
- Metadata file exists: {{ metadata_tdb.stat.exists }}.
- Metadata file size: {{ metadata_tdb.stat.size }}.
- We can not continue.
- when: domain_exists
-
 # If we want to go 4.21
 #- name: Add Debian backports repository
 # apt_repository:
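Review bot: `realm: "{{domain}}.{{resolv_domain}}"` is the only expression in the role written without spaces inside the braces, and it carries no comment saying it is the Kerberos realm handed to `samba-tool domain provision --realm`; `realm: "{{ domain }}.{{ resolv_domain }}"  # Kerberos realm for the AD DC, derived from domain + resolv_domain` matches the surrounding style and records the intent. It also depends on `domain` and `resolv_domain`, which this defaults file does not define as far as the hunk shows, so a host without them fails at template time; a comment naming where they are expected to come from would help the next reader.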
@@ -54,58 +42,64 @@ # apt: # update_cache: yes -- name: Install adSamba packages - package: - name: "{{ dcsamba_base_packages }}" - # default_release: bookworm-backports # If we want to go 4.21 - state: latest +- when: "not domain_exists" + block: + - name: Install adSamba packages + package: + name: "{{ dcsamba_base_packages }}" + # default_release: bookworm-backports # If we want to go 4.21 + state: latest + + - name: Add adsamba host to hosts file + blockinfile: + path: /etc/hosts + marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" + block: | + {{ ip_serverad1 }} {{ name_ip_serverad1}}.{{ domain }}.{{ resolv_domain }} {{ realm }} + + - name: Force remove smb.conf file + file: + path: /etc/samba/smb.conf + state: absent + force: yes + + - name: Disable Samba client services and mask them + systemd: + name: "{{ item }}" + state: stopped + enabled: no + masked: yes + loop: "{{ samba_client_services }}" + + - name: Join domain + command: + cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 + register: domain_join -- name: Add adsamba host to hosts file - blockinfile: - path: /etc/hosts - marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" - block: | - {{ dc1 }} dc1-ad.{{ domain - }}.{{ resolv_domain }} {{ realm }} + - name: Show the domain join output with Administrator password + debug: + msg: "{{ domain_join.stderr_lines[-6:] }}" -- name: Force remove smb.conf file - file: - path: /etc/samba/smb.conf - state: absent - force: yes + - name: Copy Kerberos configuration + copy: + src: /var/lib/samba/private/krb5.conf + dest: /etc/krb5.conf + remote_src: true + owner: root + group: root + mode: '0644' + when: domain_join.changed -- name: Disable Samba client services and mask them - systemd: - name: "{{ item }}" - state: stopped - enabled: no - masked: yes - loop: "{{ samba_client_services }}" - -- name: Join domain - command: - cmd: samba-tool domain provision --realm="{{ realm }}" 
--domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 - register: domain_join - -- name: Copy Kerberos configuration - copy: - src: /var/lib/samba/private/krb5.conf - dest: /etc/krb5.conf - remote_src: true - owner: root - group: root - mode: '0644' - when: domain_join.changed - -- name: Enable and start Samba AD DC service - systemd: - name: samba-ad-dc - state: started - enabled: yes - when: domain_join.changed - -# Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS -# Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. -# Bloque de inizialización del dominio -# Revisar la condicion de domain_join -# Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. + - name: Enable and start Samba AD DC service + systemd: + name: samba-ad-dc + state: started + enabled: yes + when: domain_join.changed + + # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS + # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. + # Bloque de inizialización del dominio ## Hecho + # Revisar la condicion de domain_join ## Hecho. + # Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. + \ No newline at end of file
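Review bot: The `Show the domain join output with Administrator password` debug task writes the Administrator password that `samba-tool domain provision` generates when no `--adminpass` is given into the play output, and `domain_join` is registered without `no_log`, so the credential lands in console output, CI logs and any callback plugin; `stderr_lines[-6:]` is also a fragile way to locate it. Supplying the password from a vaulted variable instead, e.g. `cmd: samba-tool domain provision ... --adminpass="{{ samba_admin_password }}"` (variable name is an example) together with `no_log: true` on the task, and dropping the debug task, keeps it out of logs entirely. `when: domain_join.changed` on the krb5.conf copy and service tasks is always true because `command` always reports changed; a `creates:` on the provision task, as raised on the previous patch, is the usual fix. The `## Hecho` markers on the trailing comments and the missing final newline can go.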