Refactored the ntp configuration to include AD domain controllers, updated winbind settings for local BUILTIN accounts, and enabled SMB service with proper ID mapping.
---
- name: Gather service facts
  # Populates ansible_facts.services (name -> state/status) so the next task
  # can see which resolver daemon is actually running on this host.
  ansible.builtin.service_facts:

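- name: Determine DNS manager
  # Pick the resolver that is running: systemd-resolved first, then
  # NetworkManager, otherwise 'manual'. A single {{ }} expression is used
  # instead of {% if %} blocks inside a folded scalar: YAML folds those lines
  # into one string with a space around every tag, and after Jinja renders the
  # chosen branch the value keeps that leading/trailing whitespace, so the
  # dns_manager == '...' tests in the later 'when:' clauses would not match.
  ansible.builtin.set_fact:
    dns_manager: >-
      {{ 'systemd-resolved'
      if ('systemd-resolved.service' in ansible_facts.services
      and ansible_facts.services['systemd-resolved.service'].state == 'running')
      else ('NetworkManager'
      if ('NetworkManager.service' in ansible_facts.services
      and ansible_facts.services['NetworkManager.service'].state == 'running')
      else 'manual') }}
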
- name: Configure DNS for systemd-resolved
  # Render the resolved configuration only on hosts where systemd-resolved
  # was detected as running; on change the 'Restart systemd-resolved' handler
  # is notified.
  ansible.builtin.template:
    src: resolved.conf.j2
    dest: /etc/systemd/resolved.conf
    owner: root
    group: root
    mode: '0644'
  notify: Restart systemd-resolved
  when: dns_manager == 'systemd-resolved'

- name: Ensure /etc/resolv.conf points to systemd stub
  # Make /etc/resolv.conf a symlink to the resolved stub file; force is
  # required so an existing regular file at that path is replaced.
  ansible.builtin.file:
    path: /etc/resolv.conf
    src: /run/systemd/resolve/stub-resolv.conf
    state: link
    force: true
  when: dns_manager == 'systemd-resolved'

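- name: Configure DNS via NetworkManager (nmcli)
  when: dns_manager == 'NetworkManager'
  block:
    # Refuse to continue with an empty server list: with ignore-auto-dns set
    # below, the host would otherwise be left without any resolver.
    - name: Check that the NetworkManager DNS inputs are defined
      ansible.builtin.assert:
        that:
          - nm_connection_name is defined
          - dns_servers is defined
          - dns_servers | length > 0
        fail_msg: "nm_connection_name and a non-empty dns_servers list are required"

    # nmcli is called through command/argv rather than a shell string so the
    # connection name, server list and search domain are passed as discrete
    # arguments and cannot inject shell syntax. The two profile edits of the
    # original are done in one call. The old 'args: warn: false' is dropped;
    # that parameter was removed from command/shell in ansible-core 2.14.
    - name: Set DNS servers and search domain with nmcli
      ansible.builtin.command:
        argv:
          - nmcli
          - connection
          - modify
          - "{{ nm_connection_name }}"
          - ipv4.dns
          - "{{ dns_servers | join(' ') }}"
          - ipv4.ignore-auto-dns
          - "yes"
          - ipv4.dns-search
          - "{{ dns_search }}"

    # Re-activate the connection so the modified profile is applied. A failing
    # 'down' (profile already inactive) is tolerated, but a failing 'up' fails
    # the task: the original ignore_errors hid exactly that case and could
    # leave the host without networking. The name is shell-quoted via | quote.
    - name: Bring connection down and up to apply changes
      ansible.builtin.shell: >
        nmcli connection down {{ nm_connection_name | quote }} || true;
        nmcli connection up {{ nm_connection_name | quote }}
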
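- name: Configure DNS manually via /etc/resolv.conf
  # Static resolv.conf for hosts where neither systemd-resolved nor
  # NetworkManager is running. As rendered, this entry had no '- name:' line
  # of its own (it started directly at 'when:'), so it was not a separate
  # task; it is restored here as a named task with the same module arguments.
  when: dns_manager == 'manual'
  ansible.builtin.template:
    src: resolv.conf.j2
    dest: /etc/resolv.conf
    owner: root
    group: root
    mode: '0644'
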
- name: Install required packages
  # Samba/winbind stack, Kerberos client tools and ntp, installed with
  # privilege escalation.
  become: true
  ansible.builtin.apt:
    state: present
    name:
      - samba
      - krb5-user
      - winbind
      - libpam-winbind
      - libnss-winbind
      - ntp

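- name: Configure /etc/resolv.conf for AD DNS resolution
  # Only write a static resolv.conf when no resolver daemon manages it.
  # Running this unconditionally (as before) replaced the systemd-resolved
  # stub symlink and the NetworkManager-managed file set up earlier in this
  # play, undoing that configuration. On 'manual' hosts this task duplicates
  # the earlier manual resolv.conf task and is a candidate for removal.
  when: dns_manager == 'manual'
  ansible.builtin.template:
    src: resolv.conf.j2
    dest: /etc/resolv.conf
    owner: root
    group: root
    mode: '0644'
  notify: Restart networking if required
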
# Backup original ntp.conf (optional safety)
- name: Backup original ntp.conf
  # One-shot copy on the remote host: force: false keeps an existing .bak
  # untouched, and a failure (e.g. no ntp.conf present yet) does not stop
  # the play.
  ansible.builtin.copy:
    remote_src: true
    src: /etc/ntp.conf
    dest: /etc/ntp.conf.bak
    force: false
  ignore_errors: true

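# Configure ntp.conf to use AD DCs
- name: Ensure 'tinker panic 0' is present
  # 'tinker panic 0' disables ntpd's panic threshold (1000 s by default), so
  # the daemon corrects the clock by any offset instead of exiting. That is
  # what lets a host with a badly wrong clock join AD (Kerberos rejects
  # tickets outside a small skew window, 5 minutes by default), but it also
  # means an unauthenticated or spoofed time source can move the clock by an
  # arbitrary amount. Consider removing it once the clock is in sync, or
  # authenticating the NTP peers.
  # The regexp replaces any existing 'tinker panic N' line instead of adding
  # a second one at the top of the file: a pre-existing setting further down
  # would most likely override a line inserted at BOF.
  ansible.builtin.lineinfile:
    path: /etc/ntp.conf
    regexp: '^\s*tinker\s+panic\b'
    line: "tinker panic 0"
    insertafter: BOF
    state: present
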
- name: Configure ntp.conf with AD domain controllers
  # Managed block listing every entry of ntp_servers as an iburst server.
  # Note that any 'pool'/'server' lines already present in the distribution
  # ntp.conf are left in place, so ntpd may still prefer a public source over
  # a DC; remove those lines if the DCs must be the only time source.
  ansible.builtin.blockinfile:
    path: /etc/ntp.conf
    marker: "# {mark} ANSIBLE_MANAGED_AD_NTP"
    block: |
      {% for server in ntp_servers %}
      server {{ server }} iburst
      {% endfor %}
  notify: Restart ntp

# Enable and start ntp service
- name: Ensure ntp is running and enabled
  ansible.builtin.service:
    name: ntp
    enabled: true
    state: started

- name: Configure Kerberos
  # Client-side Kerberos configuration (realm/KDC settings come from the
  # template); world-readable is fine, the file holds no secrets.
  ansible.builtin.template:
    dest: /etc/krb5.conf
    src: krb5.conf.j2
    mode: '0644'
    owner: root
    group: root

- name: Configure Samba
  # Renders smb.conf (security/idmap settings live in the template). No
  # handler is notified here, so smbd/winbind only pick up a changed file
  # when they are (re)started later in the play or by hand.
  ansible.builtin.template:
    dest: /etc/samba/smb.conf
    src: smb.conf.j2
    mode: '0644'
    owner: root
    group: root

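- name: Check whether the host is already joined to the domain
  # 'net ads testjoin' exits non-zero when the machine account is not valid;
  # the result only gates the join below, so it is neither a change nor a
  # failure by itself.
  ansible.builtin.command:
    argv:
      - net
      - ads
      - testjoin
  register: ad_testjoin
  changed_when: false
  failed_when: false

- name: Join the domain
  # The password is handed to 'net' through the PASSWD environment variable
  # (the mechanism documented for the Samba client tools) instead of on the
  # command line: argv is readable by every local user via /proc/<pid>/cmdline
  # and lands in shell history and process auditing, whereas the environment
  # of a root-owned process is only readable by root. The original also piped
  # the password through echo, which was redundant with the %password form.
  # command/argv means the user name is not interpolated into a shell string,
  # and no_log keeps the credential out of Ansible's output and callback logs.
  when: ad_testjoin.rc != 0
  ansible.builtin.command:
    argv:
      - net
      - ads
      - join
      - -U
      - "{{ ad_admin_user }}"
  environment:
    PASSWD: "{{ ad_admin_password }}"
  no_log: true
  register: join_result
  # On success 'net' prints a line of the form "Joined '<host>' to ..."; the
  # literal "Joined domain" tested before does not occur in that output
  # (confirm against the Samba version in use).
  changed_when: "'Joined' in join_result.stdout"
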
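# Ensure winbind is appended to passwd and group in /etc/nsswitch.conf
- name: Ensure winbind is appended to passwd and group NSS databases
  # Append 'winbind' to the existing entry rather than rewriting the whole
  # line: the previous version replaced e.g. "passwd: files systemd" with
  # "passwd: files winbind", silently dropping any other NSS module that was
  # already configured. The negative lookahead excludes lines that already
  # list winbind, so (with backrefs) the file is untouched on re-runs; a
  # missing 'passwd:'/'group:' line is still left alone, as before.
  ansible.builtin.lineinfile:
    path: /etc/nsswitch.conf
    regexp: '^({{ item }}:(?!.*\bwinbind\b).*?)[ \t]*$'
    line: '\1 winbind'
    backrefs: true
  loop:
    - passwd
    - group
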
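# Append [success=continue] winbind to existing initgroups line
- name: Ensure [success=continue] winbind is present in initgroups line if it exists
  # Only an 'initgroups:' line that does not already mention winbind is
  # changed, so a second run is a no-op. The previous regexp still matched a
  # line ending in "winbind" (the optional trailing group was simply dropped
  # from the capture) and re-inserted "[success=continue]" on every run. Its
  # 'when' guard used lookup('file', ...), which reads /etc/nsswitch.conf on
  # the controller, not on the managed host; the guard is unnecessary because
  # 'replace' changes nothing when no line matches. The trailing-whitespace
  # class is [ \t] rather than \s so the regexp cannot swallow the newline in
  # the module's multiline mode.
  ansible.builtin.replace:
    path: /etc/nsswitch.conf
    regexp: '^(initgroups:(?!.*\bwinbind\b).*?)[ \t]*$'
    replace: '\1 [success=continue] winbind'
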
- name: Enable and start required services
  # smbd/nmbd for SMB, winbind for AD user and group resolution.
  ansible.builtin.service:
    name: "{{ item }}"
    enabled: true
    state: started
  loop:
    - smbd
    - nmbd
    - winbind