Jose/ansible_samba_domain_member
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Jose:c0e2f38fdc6d6c105b2fcadffc8310606bceb359
Branches Tags
Jose:main
...
compare: Jose:main
Branches Tags
Jose:main

1 Commits
c0e2f38fdc ... main

Author SHA1 Message Date
Jose
2a5e29ce42 refactor ♻️: Update ntp.conf to use AD DCs, configure winbind, and enable SMB service with appropriate ID mapping. 
Refactored the ntp configuration to include AD domain controllers, updated winbind settings for local BUILTIN accounts, and enabled SMB service with proper ID mapping.
 2025-10-09 17:25:12 +02:00
2 changed files with 42 additions and 2 deletions
Expand all files Collapse all files

27
tasks/main.yml
View File

@@ -93,6 +93,13 @@
ignore_errors: yes
# Configure ntp.conf to use AD DCs
- name: Ensure 'tinker panic 0' is present
lineinfile:
path: /etc/ntp.conf
line: "tinker panic 0"
insertafter: BOF
state: present
- name: Configure ntp.conf with AD domain controllers
blockinfile:
path: /etc/ntp.conf
@@ -134,6 +141,26 @@
register: join_result
changed_when: "'Joined domain' in join_result.stdout"
# Ensure winbind is appended to passwd and group in /etc/nsswitch.conf
- name: Ensure winbind is appended to passwd and group NSS databases
lineinfile:
path: /etc/nsswitch.conf
regexp: '^{{ item }}:'
line: "{{ item }}: files winbind"
backrefs: yes
loop:
- passwd
- group
# Append [success=continue] winbind to existing initgroups line
- name: Ensure [success=continue] winbind is present in initgroups line if it exists
replace:
path: /etc/nsswitch.conf
regexp: '^(initgroups:.*?)(\s*winbind)?$'
replace: '\1 [success=continue] winbind'
when: "'initgroups:' in lookup('file', '/etc/nsswitch.conf')"
- name: Enable and start required services
service:
name: "{{ item }}"

17
templates/smb.conf.j2
View File

@@ -2,13 +2,26 @@
workgroup = {{ ad_realm.split('.')[0] }}
security = ads
realm = {{ ad_realm }}
# users will be in the form username instead of DOMAIN\username.
winbind use default domain = true
winbind offline logon = false
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the {{ ad_realm.split('.')[0] }} domain
idmap config {{ ad_realm.split('.')[0] }} : backend = rid
idmap config {{ ad_realm.split('.')[0] }} : range = 20001-999999
idmap config {{ ad_realm.split('.')[0] }} : range = 10000-999999
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U