From 2a5e29ce424ef37332aaaa4668dd77d6361c1f2c Mon Sep 17 00:00:00 2001
From: Jose
Date: Thu, 9 Oct 2025 17:25:12 +0200
Subject: [PATCH] =?UTF-8?q?refactor=20=E2=99=BB=EF=B8=8F:=20Update=20ntp.c?=
 =?UTF-8?q?onf=20to=20use=20AD=20DCs,=20configure=20winbind,=20and=20enabl?=
 =?UTF-8?q?e=20SMB=20service=20with=20appropriate=20ID=20mapping.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Refactored the ntp configuration to include AD domain controllers, updated winbind settings for local BUILTIN accounts, and enabled SMB service with proper ID mapping.
---
 tasks/main.yml | 27 +++++++++++++++++++++++++++
 templates/smb.conf.j2 | 17 +++++++++++++++--
 2 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index db2f214..2d6b6ab 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -93,6 +93,13 @@
 ignore_errors: yes
 
 # Configure ntp.conf to use AD DCs
+- name: Ensure 'tinker panic 0' is present
+ lineinfile:
+ path: /etc/ntp.conf
+ line: "tinker panic 0"
+ insertafter: BOF
+ state: present
+
 - name: Configure ntp.conf with AD domain controllers
 blockinfile:
 path: /etc/ntp.conf
@@ -134,6 +141,26 @@
 register: join_result
 changed_when: "'Joined domain' in join_result.stdout"
 
+# Ensure winbind is appended to passwd and group in /etc/nsswitch.conf
+- name: Ensure winbind is appended to passwd and group NSS databases
+ lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: '^{{ item }}:'
+ line: "{{ item }}: files winbind"
+ backrefs: yes
+ loop:
+ - passwd
+ - group
+
+# Append [success=continue] winbind to existing initgroups line
+- name: Ensure [success=continue] winbind is present in initgroups line if it exists
+ replace:
+ path: /etc/nsswitch.conf
+ regexp: '^(initgroups:.*?)(\s*winbind)?$'
+ replace: '\1 [success=continue] winbind'
+ when: "'initgroups:' in lookup('file', '/etc/nsswitch.conf')"
+
+
 - name: Enable and start required services
 service:
 name: "{{ item }}"
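Review bot: The new `lineinfile` task matches only the literal line `tinker panic 0`, so a host that already carries a different `tinker panic` value keeps it and gets a second directive prepended; add `regexp: '^tinker panic\b'` to the task so it replaces the existing directive instead of duplicating it. The reason for disabling the panic threshold deserves a comment, since it lets ntpd step the clock by any amount rather than exit when the offset exceeds its default 1000 s limit — suggested: `# Disable ntpd's panic threshold so a badly skewed clock is stepped rather than left unsynced; the AD join below needs the clock within Kerberos' ~5 min skew tolerance`. If the `blockinfile` task that follows notifies an ntpd restart handler, this task should notify the same handler; no handler is visible in the hunk.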
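Review bot: The first new task overwrites rather than appends: with `backrefs: yes` and no backreference in `line`, a host whose `passwd:` line reads `files sss systemd` ends up as `files winbind`, silently dropping every other NSS source (and with it any users resolved through them), and when no `passwd:`/`group:` line matches nothing is written at all. The second task is not idempotent — on a line already reading `initgroups: files [success=continue] winbind` the lazy `(.*?)` still captures up to the final `winbind`, so each run prepends another `[success=continue]` — and its `when:` uses `lookup('file', ...)`, which reads `/etc/nsswitch.conf` on the controller, not on the managed host. Both tasks become correct and idempotent with `replace` and a negative lookahead that only touches lines not yet listing winbind, which also makes the `when:` unnecessary because `replace` is a no-op when nothing matches. `backrefs: yes` should be `true` per yamllint's truthy rule, though the file already uses `yes` elsewhere (`ignore_errors: yes` in the first hunk's context).
```yaml
- name: Ensure winbind is appended to passwd and group NSS databases
  replace:
    path: /etc/nsswitch.conf
    # Only touch lines that do not already list winbind, so the task is idempotent
    # and keeps whatever other sources (sss, systemd, ...) the host already has.
    regexp: '^({{ item }}:(?!.*\bwinbind\b).*)$'
    replace: '\1 winbind'
  loop:
    - passwd
    - group

- name: Ensure [success=continue] winbind is present in initgroups line if it exists
  replace:
    path: /etc/nsswitch.conf
    # No-op when initgroups is absent or already lists winbind; runs on the target,
    # so no controller-side lookup() is needed.
    regexp: '^(initgroups:(?!.*\bwinbind\b).*)$'
    replace: '\1 [success=continue] winbind'
```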
diff --git a/templates/smb.conf.j2 b/templates/smb.conf.j2
index a42a8c0..7bdd857 100644
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
@@ -2,13 +2,26 @@
 workgroup = {{ ad_realm.split('.')[0] }}
 security = ads
 realm = {{ ad_realm }}
+
+ # users will be in the form username instead of DOMAIN\username.
 winbind use default domain = true
+ winbind offline logon = false
 dedicated keytab file = /etc/krb5.keytab
 kerberos method = secrets and keytab
+
+ # Default ID mapping configuration for local BUILTIN accounts
+ # and groups on a domain member. The default (*) domain:
+ # - must not overlap with any domain ID mapping configuration!
+ # - must use a read-write-enabled back end, such as tdb.
 idmap config * : backend = tdb
- idmap config * : range = 10000-20000
+ idmap config * : range = 3000-7999
+
+ # - You must set a DOMAIN backend configuration
+ # idmap config for the {{ ad_realm.split('.')[0] }} domain
 idmap config {{ ad_realm.split('.')[0] }} : backend = rid
- idmap config {{ ad_realm.split('.')[0] }} : range = 20001-999999
+ idmap config {{ ad_realm.split('.')[0] }} : range = 10000-999999
+
+ # Template settings for login shell and home directory
 template shell = /bin/bash
 template homedir = /home/%U
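Review bot: Changing `idmap config * : range` from `10000-20000` to `3000-7999` and the domain range from `20001-999999` to `10000-999999` on a member that was joined with the old values remaps every SID-to-UID/GID assignment: the `rid` backend derives IDs from the range start, so domain users' UIDs shift, and `tdb` allocations made in the old `*` range now fall outside the configured range, leaving files owned by IDs that no longer resolve. The new comment block should say so and note that neither range may collide with UIDs/GIDs already allocated locally in `/etc/passwd` and `/etc/group`, e.g. `# Changing either range after the host is joined changes every mapped UID/GID; both ranges must also avoid locally allocated IDs`. The line `# - You must set a DOMAIN backend configuration` reads as a dangling list fragment; reword it as `# Each domain needs its own idmap backend; rid maps the joined domain below`. The commit is titled a refactor, but for already-joined hosts this is a behaviour change and is worth stating in the commit message.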