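---
# Provisioning of Samba. Samba is able to serve as an Active Directory (AD) domain controller (DC).
# The entire process of setting up a Samba domain controller consists of 5 steps which are relatively
# straightforward. These steps are as follows:
#   1. Installation of Samba and associated packages
#   2. Deletion of pre-configured Samba and Kerberos placeholder configuration files
#   3. Provisioning of Samba using the automatic provisioning tool
#   4. Editing of the smb.conf as needed (enabling of Group Policy and/or other features as needed);
#      see Group Policy for more information
#   5. Any environmental configuration based on Unix/Linux Distribution
#
# https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance
# https://learn.microsoft.com/en-us/windows/win32/api/lmjoin/nf-lmjoin-netvalidatename
#
# Check local login with
#   smbclient -L //localhost -U Administrator
#   apt install ldb-tools
#
# Manual (interactive) equivalent of the provisioning task below:
#   samba-tool domain provision --use-rfc2307 --interactive
#
# Variables read by this file and defined elsewhere (role defaults / inventory):
#   dcsamba_base_packages, samba_client_services, ip_serverad1, name_ip_serverad1,
#   domain, resolv_domain, realm
# Optional variable introduced here: dcsamba_admin_password. When it is defined
# (ideally from Ansible Vault) it is passed to `samba-tool domain provision
# --adminpass` with no_log enabled, so the Administrator password never appears in
# the play output or the Ansible log. When it is undefined, samba-tool generates a
# random password and the debug task below prints it, exactly as before -- be aware
# that the printed password then lands in whatever captures the play output.

- name: Gather installed packages
  package_facts: {}

# A non-empty metadata.tdb is used as the marker that this host has already been
# provisioned as a DC; combined with the package check it makes the play idempotent.
- name: Check if metadata.tdb exists and is not empty
  stat:
    path: /var/lib/samba/private/sam.ldb.d/metadata.tdb
  register: metadata_tdb

- name: Register domain existence
  set_fact:
    domain_exists: >-
      {{ ('samba-ad-provision' in ansible_facts.packages or 'samba-ad-dc' in ansible_facts.packages) and (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0) }}

# If we want to go 4.21 (Debian backports): uncomment these two tasks and the
# `default_release` line in the package task below.
# - name: Add Debian backports repository
#   apt_repository:
#     repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main"
#     state: present
# - name: Update apt cache
#   apt:
#     update_cache: true

# Everything below runs only on a host that has not been provisioned yet.
- when: not domain_exists
  block:
    - name: Install adSamba packages
      package:
        name: "{{ dcsamba_base_packages }}"
        # default_release: bookworm-backports  # If we want to go 4.21
        # `latest` upgrades on every run; acceptable here because this block stops
        # running once the domain has been provisioned.
        state: latest

    - name: Add adsamba host to hosts file
      blockinfile:
        path: /etc/hosts
        marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY"
        block: |
          {{ ip_serverad1 }} {{ name_ip_serverad1 }}.{{ domain }}.{{ resolv_domain }} {{ realm }}

    # Step 2 of the header: the distribution's placeholder smb.conf is removed
    # before provisioning.
    - name: Force remove smb.conf file
      file:
        path: /etc/samba/smb.conf
        state: absent
        force: true

    # Stopped, disabled and masked, so nothing can start these units again by
    # hand or through another unit while samba-ad-dc is the active service.
    - name: Disable Samba client services and mask them
      systemd:
        name: "{{ item }}"
        state: stopped
        enabled: false
        masked: true
      loop: "{{ samba_client_services }}"

    # Despite the task name this provisions a new domain (samba-tool domain
    # provision); it does not join an existing one. --adminpass is appended only
    # when dcsamba_admin_password is defined; the `quote` filter makes the value
    # survive the command module's shlex splitting whatever characters it holds,
    # and no_log hides the command line (and the password in it) from the output.
    # When the password is undefined, output is shown so provisioning errors stay
    # visible.
    - name: Join domain
      command:
        cmd: >-
          samba-tool domain provision
          --realm="{{ realm }}" --domain="{{ domain }}"
          --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307
          {% if dcsamba_admin_password is defined %}--adminpass={{ dcsamba_admin_password | quote }}{% endif %}
      register: domain_join
      no_log: "{{ dcsamba_admin_password is defined }}"

    # The generated Administrator password is in the last lines of stderr; this is
    # the only place it is reported, so it is skipped when the password was supplied
    # through dcsamba_admin_password and therefore already known to the operator.
    - name: Show the domain join output with Administrator password
      debug:
        msg: "{{ domain_join.stderr_lines[-6:] }}"
      when: dcsamba_admin_password is not defined

    # `command` has no changed_when here, so domain_join.changed is true whenever
    # provisioning ran; the two conditions below simply tie the follow-up steps to it.
    - name: Copy Kerberos configuration
      copy:
        src: /var/lib/samba/private/krb5.conf
        dest: /etc/krb5.conf
        remote_src: true
        owner: root
        group: root
        mode: '0644'
      when: domain_join.changed

    - name: Enable and start Samba AD DC service
      systemd:
        name: samba-ad-dc
        state: started
        enabled: true
      when: domain_join.changed

# Manual follow-up in the parent DNS zone:
# An A record for the FQDN (the glue record) has to be created in your DNS.
# Then the delegation has to be created (nsupdate syntax):
#   update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es.
# Domain initialisation block ## Done
# Review the domain_join condition ## Done.
# Careful with the KRB5 copy; check whether samba-tool already does it. ## Done.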