refactor ♻️: Update ntp.conf to use AD DCs, configure winbind, and enable SMB service with appropriate ID mapping.

Refactored the ntp configuration to include AD domain controllers, updated winbind settings for local BUILTIN accounts, and enabled SMB service with proper ID mapping.
refactor ♻️: Refactoring the main.yml files to include NTP server configuration and backup of original ntp.conf.
2025-10-09 17:25:12 +02:00 · 2025-10-08 22:03:21 +02:00 · 2025-10-08 21:55:06 +02:00
7 changed files with 183 additions and 3 deletions
--- a/README.md
+++ b/README.md
@@ -1,3 +1,12 @@
 # ansible_samba_domain_member

-Install and configure Samba + Kerberos to join AD
+Install and configure Samba + Kerberos to join AD
+
+
+🧪 Optional Tests
+
+After running the role:
+
+# DNS should resolve domain controllers:
+dig _ldap._tcp.{{ dns_search }} SRV
+host dc1.{{ dns_search }}
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,3 +3,10 @@ ad_realm: EXAMPLE.COM
 ad_dc: dc1.example.com
 ad_admin_user: administrator
 ad_admin_password: YourPassword
+dns_servers:
+  - 192.168.1.10
+  - 192.168.1.11
+dns_search: example.com
+nm_connection_name: "Wired connection 1"  # Change this based on your setup
+ntp_servers:
+  - "{{ ad_dc }}"  # Your AD DC as time source
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,16 @@
+# handlers/main.yml
+- name: Restart networking if required
+  service:
+    name: networking
+    state: restarted
+  when: ansible_service_mgr == "systemd"
+
+- name: Restart systemd-resolved
+  service:
+    name: systemd-resolved
+    state: restarted
+
+- name: Restart ntp
+  service:
+    name: ntp
+    state: restarted
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,4 +1,67 @@
 ---
+- name: Gather service facts
+  service_facts:
+  
+- name: Determine DNS manager
+  set_fact:
+    dns_manager: >-
+      {% if 'systemd-resolved.service' in ansible_facts.services and ansible_facts.services['systemd-resolved.service'].state == 'running' %}
+        systemd-resolved
+      {% elif 'NetworkManager.service' in ansible_facts.services and ansible_facts.services['NetworkManager.service'].state == 'running' %}
+        NetworkManager
+      {% else %}
+        manual
+      {% endif %}
+
+- name: Configure DNS for systemd-resolved
+  when: dns_manager == 'systemd-resolved'
+  template:
+    src: resolved.conf.j2
+    dest: /etc/systemd/resolved.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart systemd-resolved
+
+- name: Ensure /etc/resolv.conf points to systemd stub
+  when: dns_manager == 'systemd-resolved'
+  file:
+    src: /run/systemd/resolve/stub-resolv.conf
+    dest: /etc/resolv.conf
+    state: link
+    force: true
+
+- name: Configure DNS via NetworkManager (nmcli)
+  when: dns_manager == 'NetworkManager'
+  block:
+    - name: Set DNS servers with nmcli
+      shell: >
+        nmcli con mod "{{ nm_connection_name }}"
+        ipv4.dns "{{ dns_servers | join(' ') }}"
+        ipv4.ignore-auto-dns yes
+      args:
+        warn: false
+
+    - name: Set search domain with nmcli
+      shell: >
+        nmcli con mod "{{ nm_connection_name }}"
+        ipv4.dns-search "{{ dns_search }}"
+      args:
+        warn: false
+
+    - name: Bring connection down and up to apply changes
+      shell: >
+        nmcli con down "{{ nm_connection_name }}" && nmcli con up "{{ nm_connection_name }}"
+      ignore_errors: true
+
+  when: dns_manager == 'manual'
+  template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+    owner: root
+    group: root
+    mode: '0644'
+
 - name: Install required packages
  apt:
    name:
@@ -7,9 +70,53 @@
      - winbind
      - libpam-winbind
      - libnss-winbind
+      - ntp
    state: present
  become: yes

+- name: Configure /etc/resolv.conf for AD DNS resolution
+  template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart networking if required
+
+# Backup original ntp.conf (optional safety)
+- name: Backup original ntp.conf
+  copy:
+    src: /etc/ntp.conf
+    dest: /etc/ntp.conf.bak
+    remote_src: yes
+    force: no
+  ignore_errors: yes
+
+# Configure ntp.conf to use AD DCs
+- name: Ensure 'tinker panic 0' is present
+  lineinfile:
+    path: /etc/ntp.conf
+    line: "tinker panic 0"
+    insertafter: BOF
+    state: present
+
+- name: Configure ntp.conf with AD domain controllers
+  blockinfile:
+    path: /etc/ntp.conf
+    marker: "# {mark} ANSIBLE_MANAGED_AD_NTP"
+    block: |
+      {% for server in ntp_servers %}
+      server {{ server }} iburst
+      {% endfor %}
+  notify: Restart ntp
+
+# Enable and start ntp service
+- name: Ensure ntp is running and enabled
+  service:
+    name: ntp
+    state: started
+    enabled: yes
+
 - name: Configure Kerberos
  template:
    src: krb5.conf.j2
@@ -34,6 +141,26 @@
  register: join_result
  changed_when: "'Joined domain' in join_result.stdout"

+# Ensure winbind is appended to passwd and group in /etc/nsswitch.conf
+- name: Ensure winbind is appended to passwd and group NSS databases
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: '^{{ item }}:'
+    line: "{{ item }}: files winbind"
+    backrefs: yes
+  loop:
+    - passwd
+    - group
+
+# Append [success=continue] winbind to existing initgroups line
+- name: Ensure [success=continue] winbind is present in initgroups line if it exists
+  replace:
+    path: /etc/nsswitch.conf
+    regexp: '^(initgroups:.*?)(\s*winbind)?$'
+    replace: '\1 [success=continue] winbind'
+  when: "'initgroups:' in lookup('file', '/etc/nsswitch.conf')"
+  
+
 - name: Enable and start required services
  service:
    name: "{{ item }}"
--- a/templates/resolv.conf.j2
+++ b/templates/resolv.conf.j2
@@ -0,0 +1,4 @@
+search {{ dns_search }}
+{% for server in dns_servers %}
+nameserver {{ server }}
+{% endfor %}
--- a/templates/resolved.conf.j2
+++ b/templates/resolved.conf.j2
@@ -0,0 +1,4 @@
+[Resolve]
+DNS={{ dns_servers | join(' ') }}
+Domains={{ dns_search }}
+FallbackDNS=
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
@@ -2,13 +2,26 @@
   workgroup = {{ ad_realm.split('.')[0] }}
   security = ads
   realm = {{ ad_realm }}
+
+   # users will be in the form username instead of DOMAIN\username.
   winbind use default domain = true
+   
   winbind offline logon = false
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
+   
+   # Default ID mapping configuration for local BUILTIN accounts
+   # and groups on a domain member. The default (*) domain:
+   # - must not overlap with any domain ID mapping configuration!
+   # - must use a read-write-enabled back end, such as tdb.
   idmap config * : backend = tdb
-   idmap config * : range = 10000-20000
+   idmap config * : range = 3000-7999
+
+   # - You must set a DOMAIN backend configuration
+   # idmap config for the {{ ad_realm.split('.')[0] }} domain
   idmap config {{ ad_realm.split('.')[0] }} : backend = rid
-   idmap config {{ ad_realm.split('.')[0] }} : range = 20001-999999
+   idmap config {{ ad_realm.split('.')[0] }} : range = 10000-999999
+
+   # Template settings for login shell and home directory
   template shell = /bin/bash
   template homedir = /home/%U