refactor ♻️: Update ntp.conf to use AD DCs, configure winbind, and enable SMB service with appropriate ID mapping.

Refactored the ntp configuration to include AD domain controllers, updated winbind settings for local BUILTIN accounts, and enabled SMB service with proper ID mapping.
2025-10-09 17:25:12 +02:00
parent c0e2f38fdc
commit 2a5e29ce42
2 changed files with 42 additions and 2 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -93,6 +93,13 @@
  ignore_errors: yes

 # Configure ntp.conf to use AD DCs
+- name: Ensure 'tinker panic 0' is present
+  lineinfile:
+    path: /etc/ntp.conf
+    line: "tinker panic 0"
+    insertafter: BOF
+    state: present
+
 - name: Configure ntp.conf with AD domain controllers
  blockinfile:
    path: /etc/ntp.conf
@@ -134,6 +141,26 @@
  register: join_result
  changed_when: "'Joined domain' in join_result.stdout"

+# Ensure winbind is appended to passwd and group in /etc/nsswitch.conf
+- name: Ensure winbind is appended to passwd and group NSS databases
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: '^{{ item }}:'
+    line: "{{ item }}: files winbind"
+    backrefs: yes
+  loop:
+    - passwd
+    - group
+
+# Append [success=continue] winbind to existing initgroups line
+- name: Ensure [success=continue] winbind is present in initgroups line if it exists
+  replace:
+    path: /etc/nsswitch.conf
+    regexp: '^(initgroups:.*?)(\s*winbind)?$'
+    replace: '\1 [success=continue] winbind'
+  when: "'initgroups:' in lookup('file', '/etc/nsswitch.conf')"
+  
+
 - name: Enable and start required services
  service:
    name: "{{ item }}"
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
@@ -2,13 +2,26 @@
   workgroup = {{ ad_realm.split('.')[0] }}
   security = ads
   realm = {{ ad_realm }}
+
+   # users will be in the form username instead of DOMAIN\username.
   winbind use default domain = true
+   
   winbind offline logon = false
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
+   
+   # Default ID mapping configuration for local BUILTIN accounts
+   # and groups on a domain member. The default (*) domain:
+   # - must not overlap with any domain ID mapping configuration!
+   # - must use a read-write-enabled back end, such as tdb.
   idmap config * : backend = tdb
-   idmap config * : range = 10000-20000
+   idmap config * : range = 3000-7999
+
+   # - You must set a DOMAIN backend configuration
+   # idmap config for the {{ ad_realm.split('.')[0] }} domain
   idmap config {{ ad_realm.split('.')[0] }} : backend = rid
-   idmap config {{ ad_realm.split('.')[0] }} : range = 20001-999999
+   idmap config {{ ad_realm.split('.')[0] }} : range = 10000-999999
+
+   # Template settings for login shell and home directory
   template shell = /bin/bash
   template homedir = /home/%U