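# Provisioning of Samba. Samba is able to serve as an Active Directory (AD)
# domain controller (DC).
#
# The entire process of setting up a Samba domain controller consists of
# 5 steps which are relatively straightforward. These steps are as follows:
#   1. Installation of Samba and associated packages
#   2. Deletion of pre-configured Samba and Kerberos placeholder configuration files
#   3. Provisioning of Samba using the automatic provisioning tool
#   4. Editing of the smb.conf as needed (enabling of Group Policy and/or other
#      features as needed) - see Group Policy for more information
#   5. Any environmental configuration based on Unix/Linux distribution
#
# https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance
# https://learn.microsoft.com/en-us/windows/win32/api/lmjoin/nf-lmjoin-netvalidatename
#
# Check local login with
#   smbclient -L //localhost -U Administrator
#   apt install ldb-tools
#
# Manual (interactive) equivalent of the provisioning task below:
#   samba-tool domain provision --use-rfc2307 --interactive
#
# If we want to go 4.21
# - name: Add Debian backports repository
#   apt_repository:
#     repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main"
#     state: present
# - name: Update apt cache
#   apt:
#     update_cache: true

# Step 1: packages. `latest` upgrades Samba on every run, which on a live DC
# can restart the service mid-play; switch to `present` once the wanted
# version is installed if that is not desired.
- name: Install adSamba packages
  package:
    name: "{{ dcsamba_base_packages }}"
    # default_release: bookworm-backports  # If we want to go 4.21
    state: latest

# Self-entry in /etc/hosts: IP, FQDN of this host, realm. Falls back to the
# default IPv4 address when ip_serverad is not set.
- name: Add adsamba host to hosts file
  blockinfile:
    path: /etc/hosts
    marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY"
    block: |
      {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }}

# The absence of metadata.tdb is used as the "domain not yet set up" signal
# that gates the provision/join block below, so reruns do not re-provision.
- name: Check if metadata.tdb exists
  stat:
    path: /var/lib/samba/private/sam.ldb.d/metadata.tdb
  register: metadata_tdb

- when: metadata_tdb.stat.exists is false
  block:
    # Step 2: the packaged placeholder smb.conf must go before provisioning.
    - name: Force remove smb.conf file
      file:
        path: /etc/samba/smb.conf
        state: absent
        force: true

    # Step 3, first DC: create the domain.
    - when: main_ad is true
      block:
        - name: Provision domain
          command:
            cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307
          register: domain_join

        # The generated Administrator password is part of this output, so it
        # lands in the controller's stdout and in any log or CI capture of the
        # run. To keep it out of logs, supply the password to samba-tool
        # (--adminpass) from the same secret store used below and set
        # no_log: true on the provisioning task instead of printing it.
        - name: Show the domain join output with Administrator password
          debug:
            msg: "{{ domain_join.stderr_lines[-6:] }}"

        # TSIG secret for the dynamic DNS updates; kept out of task output.
        - name: Extracting variables
          no_log: true
          set_fact:
            passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}"
          # NOTE(review): `passbolt` is an unquoted variable, not a plugin-name
          # string - confirm it resolves to the intended lookup plugin.

        # Register this DC in the parent zone (A + NS). Add no_log: true to
        # these two tasks if the key_secret must never appear in failure
        # output either.
        - name: Add A record to DNS
          nsupdate:
            key_name: '{{ key_name }}'
            key_secret: '{{ passwords }}'
            key_algorithm: '{{ key_algorithm }}'
            server: "{{ main_dns_server }}"
            zone: '{{ resolv_domain }}'
            ttl: '{{ ttl }}'
            type: 'A'
            record: '{{ name_ad }}.{{ realm }}.'
            value: '{{ ip_serverad }}'
            state: present

        - name: Add NS record to DNS
          nsupdate:
            key_name: '{{ key_name }}'
            key_secret: '{{ passwords }}'
            key_algorithm: '{{ key_algorithm }}'
            server: '{{ main_dns_server }}'
            zone: '{{ resolv_domain }}'
            ttl: '{{ ttl }}'
            type: 'NS'
            record: '{{ realm }}.'
            value: '{{ name_ad }}.{{ realm }}.'
            state: present

    # Step 3, additional DC: join the existing domain.
    # NOTE(review): the join itself is not implemented yet; on a secondary DC
    # the krb5.conf copy and service start below will likely run against a
    # host that has not been joined.
    - when: main_ad is false
      block:
        - name: Join domain
          debug:
            msg:
              - "metadata_tdb: {{ metadata_tdb }}"
              - "main_ad: {{ main_ad }}"
          # TODO: fetch the password from passbolt, write it to a file, pass it
          # with --password-file and delete the file afterwards.

# Step 5: use the krb5.conf that provisioning generated for this realm.
- name: Copy Kerberos configuration
  copy:
    src: /var/lib/samba/private/krb5.conf
    dest: /etc/krb5.conf
    remote_src: true
    owner: root
    group: root
    mode: '0644'

- name: Enable and start Samba AD DC service
  systemd:
    name: samba-ad-dc
    state: started
    enabled: true

# The AD DC service replaces the classic smbd/nmbd/winbind units; they must
# not start alongside it, so they are stopped, disabled and masked.
- name: Disable Samba client services and mask them
  systemd:
    name: "{{ item }}"
    state: stopped
    enabled: false
    masked: true
  loop: "{{ samba_client_services }}"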