8142-samba_server_final #49
@ -1,3 +1,4 @@
|
|||
realm: "{{domain}}.{{resolv_domain}}"
|
||||
samba_client_services:
|
||||
- smbd
|
||||
- nmbd
|
||||
|
@ -7,6 +8,13 @@ dcsamba_base_packages:
|
|||
- krb5-user
|
||||
- winbind
|
||||
- acl
|
||||
- libnss-winbind
|
||||
- libpam-winbind
|
||||
- samba-ad-provision
|
||||
- smbclient
|
||||
- ldb-tools
|
||||
- samba-dsdb-modules
|
||||
- samba-vfs-modules
|
||||
mariadb_base_packages:
|
||||
- mariadb-server
|
||||
- mariadb-backup
|
||||
|
|
|
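Review bot: The new `samba_client_services` list (`- smbd`, `- nmbd`) leaves out `winbind`, even though the second hunk adds the `winbind` package to `dcsamba_base_packages` and the tasks file later masks every unit in this list before provisioning the DC; Samba's own DC setup guidance has the standalone smbd, nmbd and winbind units all disabled because the samba-ad-dc service starts its own winbindd. If the intent is that list of conflicting client units, add `- winbind` here so the mask loop covers it. This is an inference from the package list and the consuming loop, so confirm against the target distribution's unit names.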
@ -1,17 +1,69 @@
|
|||
- name: Install adSamba packages
|
||||
# Provisioning of Samba. Samba is able to serve as an Active Directory (AD) domain controller (DC).
|
||||
# The entire process of setting up a Samba domain controller consists of 5 steps which are relatively straight forward. These steps are as follows:
|
||||
# 1. Installation of Samba and associated packages
|
||||
# 2. Deletion of pre-configured Samba and Kerberos placeholder configuration files
|
||||
# 3. Provisioning of Samba using the automatic provisioning tool
|
||||
# 4. Editing of the smb.conf as needed (enabling of Group Policy and/or other features as needed) see Group Policy for more information
|
||||
# 5. Any environmental configuration based on Unix/Linux Distribution
|
||||
#
|
||||
# https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance
|
||||
# https://learn.microsoft.com/en-us/windows/win32/api/lmjoin/nf-lmjoin-netvalidatename
|
||||
#
|
||||
# Check local login with
|
||||
# smbclient -L //localhost -U Administrator
|
||||
# apt install ldb-tools
|
||||
#
|
||||
# samba-tool domain provision --use-rfc2307 --interactive
|
||||
|
||||
- name: Gather installed packages
|
||||
package_facts:
|
||||
|
||||
- name: Check if metadata.tdb exists and is not empty
|
||||
stat:
|
||||
path: /var/lib/samba/private/sam.ldb.d/metadata.tdb
|
||||
register: metadata_tdb
|
||||
|
||||
- name: Register domain existence
|
||||
set_fact:
|
||||
domain_exists: >-
|
||||
{{
|
||||
('samba-ad-provision' in ansible_facts.packages or
|
||||
'samba-ad-dc' in ansible_facts.packages) and
|
||||
(metadata_tdb.stat.exists and metadata_tdb.stat.size > 0)
|
||||
}}
|
||||
|
||||
# If we want to go 4.21
|
||||
#- name: Add Debian backports repository
|
||||
# apt_repository:
|
||||
# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main"
|
||||
# state: present
|
||||
|
||||
#- name: Update apt cache
|
||||
# apt:
|
||||
# update_cache: yes
|
||||
|
||||
- when: "not domain_exists"
|
||||
block:
|
||||
- name: Install adSamba packages
|
||||
package:
|
||||
name: "{{ dcsamba_base_packages }}"
|
||||
state: present
|
||||
install_recommends: no
|
||||
# default_release: bookworm-backports # If we want to go 4.21
|
||||
state: latest
|
||||
|
||||
- name: Add adsamba host to hosts file
|
||||
- name: Add adsamba host to hosts file
|
||||
blockinfile:
|
||||
path: /etc/hosts
|
||||
marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY"
|
||||
block: |
|
||||
{{ dc1 }} dc1-test.samba-test.{{ resolv_domain }}
|
||||
{{ ip_serverad1 }} {{ name_ip_serverad1}}.{{ domain }}.{{ resolv_domain }} {{ realm }}
|
||||
|
||||
- name: Disable Samba client services and mask them
|
||||
- name: Force remove smb.conf file
|
||||
file:
|
||||
path: /etc/samba/smb.conf
|
||||
state: absent
|
||||
force: yes
|
||||
|
||||
- name: Disable Samba client services and mask them
|
||||
systemd:
|
||||
name: "{{ item }}"
|
||||
state: stopped
|
||||
|
@ -19,31 +71,35 @@
|
|||
masked: yes
|
||||
loop: "{{ samba_client_services }}"
|
||||
|
||||
- name: Check if server is already joined to domain
|
||||
- name: Join domain
|
||||
command:
|
||||
cmd: samba-tool domain info localhost
|
||||
register: domain_info
|
||||
failed_when: domain_info.rc != 0 and 'Cannot contact' not in domain_info.stderr
|
||||
changed_when: false
|
||||
|
||||
- name: Join domain as DC if not already joined
|
||||
command:
|
||||
cmd: samba-tool domain join samba."{{ resolv_domain }}" DC -U"SAMBA\\administrator" --option='idmap_ldb:use rfc2307 = yes'
|
||||
when: "'Cannot contact' in domain_info.stderr"
|
||||
cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307
|
||||
register: domain_join
|
||||
changed_when: "'Joined domain' in domain_join.stdout"
|
||||
|
||||
- name: Copy Kerberos configuration
|
||||
- name: Show the domain join output with Administrator password
|
||||
debug:
|
||||
msg: "{{ domain_join.stderr_lines[-6:] }}"
|
||||
|
||||
- name: Copy Kerberos configuration
|
||||
copy:
|
||||
src: krb5.conf
|
||||
src: /var/lib/samba/private/krb5.conf
|
||||
dest: /etc/krb5.conf
|
||||
remote_src: true
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
when: domain_join.changed
|
||||
|
||||
- name: Enable and start Samba AD DC service
|
||||
- name: Enable and start Samba AD DC service
|
||||
systemd:
|
||||
name: samba-ad-dc
|
||||
state: started
|
||||
enabled: yes
|
||||
when: domain_join.changed
|
||||
|
||||
# Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS
|
||||
# Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es.
|
||||
# Bloque de inizialización del dominio ## Hecho
|
||||
# Revisar la condicion de domain_join ## Hecho.
|
||||
# Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho.
|
||||
|
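Review bot: The new debug task `Show the domain join output with Administrator password` prints `domain_join.stderr_lines[-6:]`, the tail of the `samba-tool domain provision` output that carries the generated Administrator password, into the play output and any log collector or CI console attached to it, where it stays in plaintext. Prefer supplying the password from a vaulted variable on the provision task, e.g. `--adminpass "{{ samba_admin_password }}"` (variable name illustrative), marking that task `no_log: true`, and dropping the debug task. Separately, if `changed_when: "'Joined domain' in domain_join.stdout"` stays on the provision task on the new side, `domain_join.changed` can never be true because provision does not emit that string, so `Copy Kerberos configuration` and `Enable and start Samba AD DC service`, both gated on `when: domain_join.changed`, would be skipped; `changed_when: domain_join.rc == 0` matches what the task actually does. The block opened by `- when: "not domain_exists"` spans both hunks and its end is outside the visible lines.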