# Provisioning of Samba. Samba is able to serve as an Active Directory (AD) domain controller (DC).
# The entire process of setting up a Samba domain controller consists of 5 relatively straightforward steps:
# 1. Installation of Samba and associated packages
# 2. Deletion of pre-configured Samba and Kerberos placeholder configuration files
# 3. Provisioning of Samba using the automatic provisioning tool
# 4. Editing of the smb.conf as needed (enabling of Group Policy and/or other features as needed) see Group Policy for more information
# 5. Any environmental configuration based on Unix/Linux Distribution
# 
# https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance
# https://learn.microsoft.com/en-us/windows/win32/api/lmjoin/nf-lmjoin-netvalidatename
# 
# Check local login with
# smbclient -L //localhost -U Administrator
# apt install ldb-tools
#
# samba-tool domain provision --use-rfc2307 --interactive 
#
# If we want to go 4.21
# - name: Add Debian backports repository
#   apt_repository:
#     repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main"
#     state: present
#
# - name: Update apt cache
#   apt:
#     update_cache: yes

# Package list comes from the role variable dcsamba_base_packages; the
# commented default_release is the opt-in for the backports build (see header).
- name: Install adSamba packages
  ansible.builtin.package:
    name: '{{ dcsamba_base_packages }}'
    # default_release: bookworm-backports # If we want to go 4.21
    state: latest

# Make the DC's own FQDN and the realm resolve locally before DNS is available.
# The marker lines let blockinfile replace this entry idempotently on re-runs.
- name: Add adsamba host to hosts file
  ansible.builtin.blockinfile:
    path: /etc/hosts
    marker: '# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY'
    # NOTE(review): the DNS tasks later in this file build the FQDN as
    # inventory_hostname_short.realm; confirm hostname.domain.host_domain
    # names the same host.
    block: |
      {{ ip_serverad | default(ansible_default_ipv4.address) }}  {{ ansible_facts['hostname'] }}.{{ domain }}.{{ host_domain }} {{ realm }}

# metadata.tdb is only present once a domain has been provisioned or joined on
# this host; the result is used below as the "already a DC" marker.
- name: Check if metadata.tdb exists
  ansible.builtin.stat:
    path: /var/lib/samba/private/sam.ldb.d/metadata.tdb
  register: metadata_tdb

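# One-time provisioning: everything in this block runs only while the host has
# never been set up as a DC (metadata.tdb missing, see the stat task above).
- when: not metadata_tdb.stat.exists
  block:

  # The distribution's placeholder smb.conf would otherwise be picked up by
  # provision/join (step 2 in the header).
  - name: Force remove smb.conf file
    ansible.builtin.file:
      path: /etc/samba/smb.conf
      state: absent
      force: true

  # `| bool` accepts the usual truthy spellings ("yes", "True", 1); with the
  # former `is true` / `is false` tests a non-strict boolean silently skipped
  # both branches.
  - when: main_ad | bool
    block:
    # The Administrator password is taken from the same Passbolt entry the
    # join task uses, so additional DCs can authenticate against this one
    # without the password ever being printed.
    - name: Provision domain
      ansible.builtin.command:
        cmd: >-
          samba-tool domain provision
          --realm="{{ realm }}"
          --domain="{{ domain }}"
          --dns-backend=SAMBA_INTERNAL
          --server-role=dc
          --use-rfc2307
          --adminpass="{{ lookup(passbolt, 'ad_admin_password', folder_parent_id=passbolt_folder).password }}"
      register: domain_join
      # The command line carries the Administrator password: keep it out of
      # task output, callbacks and log files. On a failure, temporarily set
      # this to false to see samba-tool's stderr.
      no_log: true

  - when: not (main_ad | bool)
    block:
    - name: Join domain
      # Single quotes around the user name on purpose: inside a double-quoted
      # YAML scalar "\a" is the BEL escape and would corrupt
      # "DOMAIN\administrator". command (not shell) avoids a shell re-parsing
      # the templated realm and user name.
      ansible.builtin.command:
        cmd: samba-tool domain join '{{ realm }}' DC -U '{{ domain | upper }}\administrator'
      environment:
        # samba-tool reads the password from PASSWD, keeping it off the
        # command line and out of the process list.
        PASSWD: "{{ lookup(passbolt, 'ad_admin_password', folder_parent_id=passbolt_folder).password }}"
      no_log: true

  # krb5.conf under /var/lib/samba/private is written by provision/join and
  # has to replace the distribution's placeholder for Kerberos to work.
  - name: Copy Kerberos configuration
    ansible.builtin.copy:
      src: /var/lib/samba/private/krb5.conf
      dest: /etc/krb5.conf
      remote_src: true
      owner: root
      group: root
      mode: '0644'

  - name: Enable and start Samba AD DC service
    ansible.builtin.systemd:
      name: samba-ad-dc
      state: started
      enabled: true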

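# A DC runs samba-ad-dc only; the units listed in samba_client_services are
# stopped and masked so they cannot be started alongside it (presumably the
# standalone Samba daemons that would otherwise compete for the same ports).
# Runs unconditionally so an already-provisioned host is also brought into line.
- name: Disable Samba client services and mask them
  ansible.builtin.systemd:
    name: '{{ item }}'
    state: stopped
    enabled: false
    masked: true
  loop: '{{ samba_client_services }}'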

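# Register this DC's own A record in the parent zone. The address falls back
# to the default IPv4 the same way the /etc/hosts entry does, instead of
# failing with an undefined-variable error when ip_serverad is not set.
- name: Add A record to DNS
  community.general.nsupdate:
    key_name: 'rndc-key'
    # TSIG secret for dynamic updates, pulled from Passbolt rather than stored
    # in the repo. NOTE(review): nsupdate is expected to declare key_secret as
    # no_log so it is redacted from task output — verify in the installed version.
    key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}"
    key_algorithm: '{{ key_algorithm }}'
    server: '{{ main_dns_server }}'
    zone: '{{ host_domain }}'
    ttl: '{{ ttl }}'
    type: 'A'
    record: '{{ inventory_hostname_short }}.{{ realm }}.'
    value: '{{ ip_serverad | default(ansible_default_ipv4.address) }}'
    state: present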

# Delegate the realm to this DC: an NS record for the realm in the parent
# zone pointing at the host's FQDN (the A record added above).
- name: Add NS record to DNS
  community.general.nsupdate:
    key_name: rndc-key
    # TSIG secret for dynamic updates, sourced from Passbolt.
    key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}"
    key_algorithm: "{{ key_algorithm }}"
    server: "{{ main_dns_server }}"
    zone: "{{ host_domain }}"
    ttl: "{{ ttl }}"
    type: NS
    record: "{{ realm }}."
    value: "{{ inventory_hostname_short }}.{{ realm }}."
    state: present