Jose/ansible_samba_domain_member
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Jose:180a1f8639f5bdecd1053c6fbbb362b77f07dc24
Branches Tags
Jose:main
...
compare: Jose:main
Branches Tags
Jose:main

3 Commits
180a1f8639 ... main

Author SHA1 Message Date
Jose
2a5e29ce42 refactor ♻️: Update ntp.conf to use AD DCs, configure winbind, and enable SMB service with appropriate ID mapping. 
Refactored the ntp configuration to include AD domain controllers, updated winbind settings for local BUILTIN accounts, and enabled SMB service with proper ID mapping.
 2025-10-09 17:25:12 +02:00
Jose
c0e2f38fdc refactor ♻️: Refactoring the main.yml files to include NTP server configuration and backup of original ntp.conf. 
Updated the `defaults/main.yml`, `handlers/main.yml`, and `tasks/main.yml` files to add NTP server configuration and a backup of the original `ntp.conf` file. This ensures that the system uses AD DCs as time sources and maintains a backup for future reference.
 2025-10-08 22:03:21 +02:00
Jose
fd4da57a3c refactor ♻️: Refactored the code to use a more structured approach for DNS configuration and added optional tests. 
Updated the role to include optional tests after running it, ensuring that DNS resolution is correctly configured. The code has been refactored to improve readability and maintainability.
 2025-10-08 21:55:06 +02:00
7 changed files with 183 additions and 3 deletions
Expand all files Collapse all files

11
README.md
View File

@@ -1,3 +1,12 @@
# ansible_samba_domain_member # ansible_samba_domain_member
Install and configure Samba + Kerberos to join AD Install and configure Samba + Kerberos to join AD
🧪 Optional Tests
After running the role:
# DNS should resolve domain controllers:
dig _ldap._tcp.{{ dns_search }} SRV
host dc1.{{ dns_search }}

7
defaults/main.yml
View File

@@ -3,3 +3,10 @@ ad_realm: EXAMPLE.COM
ad_dc: dc1.example.com ad_dc: dc1.example.com
ad_admin_user: administrator ad_admin_user: administrator
ad_admin_password: YourPassword ad_admin_password: YourPassword
dns_servers:
- 192.168.1.10
- 192.168.1.11
dns_search: example.com
nm_connection_name: "Wired connection 1" # Change this based on your setup
ntp_servers:
- "{{ ad_dc }}" # Your AD DC as time source

16
handlers/main.yml Normal file
View File

@@ -0,0 +1,16 @@
# handlers/main.yml
- name: Restart networking if required
service:
name: networking
state: restarted
when: ansible_service_mgr == "systemd"
- name: Restart systemd-resolved
service:
name: systemd-resolved
state: restarted
- name: Restart ntp
service:
name: ntp
state: restarted

127
tasks/main.yml
View File

@@ -1,4 +1,67 @@
--- ---
- name: Gather service facts
service_facts:
- name: Determine DNS manager
set_fact:
dns_manager: >-
{% if 'systemd-resolved.service' in ansible_facts.services and ansible_facts.services['systemd-resolved.service'].state == 'running' %}
systemd-resolved
{% elif 'NetworkManager.service' in ansible_facts.services and ansible_facts.services['NetworkManager.service'].state == 'running' %}
NetworkManager
{% else %}
manual
{% endif %}
- name: Configure DNS for systemd-resolved
when: dns_manager == 'systemd-resolved'
template:
src: resolved.conf.j2
dest: /etc/systemd/resolved.conf
owner: root
group: root
mode: '0644'
notify: Restart systemd-resolved
- name: Ensure /etc/resolv.conf points to systemd stub
when: dns_manager == 'systemd-resolved'
file:
src: /run/systemd/resolve/stub-resolv.conf
dest: /etc/resolv.conf
state: link
force: true
- name: Configure DNS via NetworkManager (nmcli)
when: dns_manager == 'NetworkManager'
block:
- name: Set DNS servers with nmcli
shell: >
nmcli con mod "{{ nm_connection_name }}"
ipv4.dns "{{ dns_servers | join(' ') }}"
ipv4.ignore-auto-dns yes
args:
warn: false
- name: Set search domain with nmcli
shell: >
nmcli con mod "{{ nm_connection_name }}"
ipv4.dns-search "{{ dns_search }}"
args:
warn: false
- name: Bring connection down and up to apply changes
shell: >
nmcli con down "{{ nm_connection_name }}" && nmcli con up "{{ nm_connection_name }}"
ignore_errors: true
when: dns_manager == 'manual'
template:
src: resolv.conf.j2
dest: /etc/resolv.conf
owner: root
group: root
mode: '0644'
- name: Install required packages - name: Install required packages
apt: apt:
name: name:
@@ -7,9 +70,53 @@
- winbind - winbind
- libpam-winbind - libpam-winbind
- libnss-winbind - libnss-winbind
- ntp
state: present state: present
become: yes become: yes
- name: Configure /etc/resolv.conf for AD DNS resolution
template:
src: resolv.conf.j2
dest: /etc/resolv.conf
owner: root
group: root
mode: '0644'
notify: Restart networking if required
# Backup original ntp.conf (optional safety)
- name: Backup original ntp.conf
copy:
src: /etc/ntp.conf
dest: /etc/ntp.conf.bak
remote_src: yes
force: no
ignore_errors: yes
# Configure ntp.conf to use AD DCs
- name: Ensure 'tinker panic 0' is present
lineinfile:
path: /etc/ntp.conf
line: "tinker panic 0"
insertafter: BOF
state: present
- name: Configure ntp.conf with AD domain controllers
blockinfile:
path: /etc/ntp.conf
marker: "# {mark} ANSIBLE_MANAGED_AD_NTP"
block: |
{% for server in ntp_servers %}
server {{ server }} iburst
{% endfor %}
notify: Restart ntp
# Enable and start ntp service
- name: Ensure ntp is running and enabled
service:
name: ntp
state: started
enabled: yes
- name: Configure Kerberos - name: Configure Kerberos
template: template:
src: krb5.conf.j2 src: krb5.conf.j2
@@ -34,6 +141,26 @@
register: join_result register: join_result
changed_when: "'Joined domain' in join_result.stdout" changed_when: "'Joined domain' in join_result.stdout"
# Ensure winbind is appended to passwd and group in /etc/nsswitch.conf
- name: Ensure winbind is appended to passwd and group NSS databases
lineinfile:
path: /etc/nsswitch.conf
regexp: '^{{ item }}:'
line: "{{ item }}: files winbind"
backrefs: yes
loop:
- passwd
- group
# Append [success=continue] winbind to existing initgroups line
- name: Ensure [success=continue] winbind is present in initgroups line if it exists
replace:
path: /etc/nsswitch.conf
regexp: '^(initgroups:.*?)(\s*winbind)?$'
replace: '\1 [success=continue] winbind'
when: "'initgroups:' in lookup('file', '/etc/nsswitch.conf')"
- name: Enable and start required services - name: Enable and start required services
service: service:
name: "{{ item }}" name: "{{ item }}"

4
templates/resolv.conf.j2 Normal file
View File

@@ -0,0 +1,4 @@
search {{ dns_search }}
{% for server in dns_servers %}
nameserver {{ server }}
{% endfor %}

4
templates/resolved.conf.j2 Normal file
View File

@@ -0,0 +1,4 @@
[Resolve]
DNS={{ dns_servers | join(' ') }}
Domains={{ dns_search }}
FallbackDNS=

17
templates/smb.conf.j2
View File

@@ -2,13 +2,26 @@
workgroup = {{ ad_realm.split('.')[0] }} workgroup = {{ ad_realm.split('.')[0] }}
security = ads security = ads
realm = {{ ad_realm }} realm = {{ ad_realm }}
# users will be in the form username instead of DOMAIN\username.
winbind use default domain = true winbind use default domain = true
winbind offline logon = false winbind offline logon = false
dedicated keytab file = /etc/krb5.keytab dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab kerberos method = secrets and keytab
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb idmap config * : backend = tdb
idmap config * : range = 10000-20000 idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the {{ ad_realm.split('.')[0] }} domain
idmap config {{ ad_realm.split('.')[0] }} : backend = rid idmap config {{ ad_realm.split('.')[0] }} : backend = rid
idmap config {{ ad_realm.split('.')[0] }} : range = 20001-999999 idmap config {{ ad_realm.split('.')[0] }} : range = 10000-999999
# Template settings for login shell and home directory
template shell = /bin/bash template shell = /bin/bash
template homedir = /home/%U template homedir = /home/%U