Draft implementation of sambox-client.

roles/ldap/tasks/setup.yml

@@ -67,12 +67,6 @@
 - name: configure LDAP TLS
   command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif
 
-- name: "make 'ldap' an alias hostname resolvable from the LAN"
-  replace:
-    path: /etc/hosts
-    regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
-    replace: '\1	ldap'
-
 - name: add URI to ldap.conf
   lineinfile:
     dest: /etc/ldap/ldap.conf

roles/prepare4clients/tasks/main.yml

@@ -135,8 +135,41 @@
   notify: "rebuild di-netboot-assistant menu"
   when: krb5kdc.stat.exists
 
+########  sambox-client #######
+
+- name: check if we operate on sambox
+  stat: path=/etc/samba/smb.conf
+  register: samba
+
+- name: add sambox-client auto pxe boot entry to di-netboot-assistant
+  blockinfile:
+    dest: /etc/di-netboot-assistant/pxelinux.HEAD
+    insertbefore: EOF
+    block: |
+      LABEL autoinstall
+         MENU LABEL Debian {{ di_version }} (amd64) + preseed + sambox-client.yml
+         kernel ::/d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux
+         append initrd=::/d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz auto=true priority=critical domain={{ ansible_domain }} url=tftp://{{ ansible_hostname }} playbook=sambox-client.yml ---
+    marker: "# {mark} ANSIBLE MANAGED BLOCK sambox-client"
+  notify: "rebuild di-netboot-assistant menu"
+  when: samba.stat.exists
+
+- name: add sambox-client auto efi boot entry to di-netboot-assistant
+  blockinfile:
+    dest: /etc/di-netboot-assistant/grub.cfg.HEAD
+    insertbefore: EOF
+    block: |
+      menuentry 'Debian {{ di_version }} (amd64) + preseed + sambox-client.yml' {
+         linux   /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux auto=true priority=critical domain={{ ansible_domain }} url=tftp://{{ ansible_hostname }} playbook=sambox-client.yml ---
+         initrd  /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
+      }
+    marker: "# {mark} ANSIBLE MANAGED BLOCK sambox-client"
+  notify: "rebuild di-netboot-assistant menu"
+  when: samba.stat.exists
+
 ######################
 
+
 - name: provide git repo if not available already
   git:
     repo: 'https://salsa.debian.org/andi/debian-lan-ansible.git'

roles/samba-ldap/defaults/main.yml

@@ -1,4 +1,4 @@
 basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
-ldap_server: ldap
+ldap_server: sambox
 min_id_sssd: 5000
 max_id_sssd: 20000

roles/samba-ldap/templates/sssd.conf.j2

@@ -18,3 +18,6 @@ cache_credentials = true
 
 min_id = {{ min_id_sssd }}
 max_id = {{ max_id_sssd }}
+
+## remove this after providing propper certificates: 
+ldap_tls_reqcert = allow

roles/smb-sshfs-client/defaults/main.yml

@@ -0,0 +1,5 @@
+basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
+ldap_server: sambox
+home_server: sambox
+min_id_sssd: 5000
+max_id_sssd: 20000

roles/smb-sshfs-client/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: restart sssd
+  service: name=sssd state=restarted enabled=yes
+  listen: "restart sssd"
+
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+  listen: "reload systemd"
+

roles/smb-sshfs-client/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+- fail: msg="The machine's domain must not be empty."
+  when: ansible_domain | length == 0
+
+- name: install needed packages
+  apt:
+    name:
+      - sssd-ldap
+      - libpam-mount  
+      - cifs-utils
+      - sshfs  
+    state: latest
+
+- name: add URI to ldap.conf
+  lineinfile:
+    dest: /etc/ldap/ldap.conf
+    line: "URI ldap://ldap/"
+    insertafter: "#URI.*"
+
+- name: add BASE to ldap.conf
+  lineinfile:
+    dest: /etc/ldap/ldap.conf
+    line: "BASE {{ basedn }}"
+    insertafter: "#BASE.*"
+
+- name: enable pam_umask
+  lineinfile:
+    dest: /etc/pam.d/common-session
+    line: "session optional	pam_umask.so usergroups"
+
+- name: provide identities from directory
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+
+- name: configure pam_mount
+  blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    block: |
+      <!-- volume
+        fstype="cifs"
+        server="{{ home_server }}"
+        path="%(USER)"
+        mountpoint="/home/lan/%(USER)"
+        options="dir_mode=0750,file_mode=0640"
+      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user></or></not></volume -->
+      <volume
+        fstype="fuse"
+        path="sshfs#%(USER)@{{ home_server }}:"
+        mountpoint="/home/lan/%(USER)"
+        options="allow_other,default_permissions,reconnect,password_stdin"
+        ssh="0" noroot="0"
+      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user></or></not></volume>
+    insertafter: "<!-- Volume definitions -->"
+
+

roles/smb-sshfs-client/templates/sssd.conf.j2

@@ -0,0 +1,22 @@
+[sssd]
+domains = LDAP
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://{{ ldap_server }}/
+ldap_search_base = {{ basedn }}
+
+auth_provider = ldap
+cache_credentials = true
+
+min_id = {{ min_id_sssd }}
+max_id = {{ max_id_sssd }}
+
+ldap_tls_reqcert = allow

sambox-client.yml

@@ -0,0 +1,20 @@
+---
+# This playbook deploys a client for the kerberox LAN.
+
+- name: apply configuration to the machines
+  hosts: all
+  remote_user: ansible
+  become: yes
+  vars:
+    extra_pkgs:
+      - webext-privacy-badger
+      - webext-ublock-origin
+    extra_pkgs_bpo: []  # [ libreoffice ]
+    ansible_python_interpreter: "/usr/bin/python3"
+
+  roles:
+    - up2date-debian
+    - smb-sshfs-client
+    ## Choose either gnome or KDE:
+    #- gnome
+    #- kde

sambox.yml

@@ -53,3 +53,4 @@
     - tftp-netboot-installer
     - apt-cacher
     - samba-ldap
+    - prepare4clients