## Install and configure samba-ldap.
---
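# The samba schema file doubles as the "first run" marker: the schema load and
# the smbd password setup below run only while it is absent, so the result is
# captured here, before the copy task creates it.
- name: check if samba is already there
  stat:
    path: /etc/ldap/schema/samba.ldif
  register: samba_ldap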

# samba brings the schema file used below (/usr/share/doc/samba/examples/LDAP);
# sssd-ldap provides the NSS/PAM side configured by the next task.
# NOTE(review): "latest" upgrades both packages on every run, not only on first
# install - "present" would make the run deterministic; confirm which is intended.
- name: install samba and provide samba schema
  apt:
    name:
      - samba
      - sssd-ldap
    state: latest


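- name: provide identities from LDAP
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    # sssd validates ownership and permissions of its config at startup
    # (it presumably contains the LDAP bind credentials), so both are pinned
    # rather than inherited from the connecting user and umask.
    owner: root
    group: root
    # Quoted on purpose: an unquoted 0600 is an octal int only under YAML 1.1
    # rules and a decimal 600 under YAML 1.2.
    mode: "0600"
  notify: restart sssd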

# Restart sssd now rather than at the end of the play, so the tasks below see
# the LDAP-backed identities.
- meta: flush_handlers


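# The samba package ships the schema only as an example file. Using copy with
# remote_src instead of a shell cp lets Ansible compare checksums, so the task
# is idempotent and reports a real change state instead of relying on
# "creates" alone.
- name: prepare samba schema
  copy:
    src: /usr/share/doc/samba/examples/LDAP/samba.ldif
    dest: /etc/ldap/schema/samba.ldif
    remote_src: true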

# Loads the schema into cn=config. -Y EXTERNAL over ldapi:/// authenticates
# with the Unix uid of the caller, so this presumably runs as root.
# The guard is the stat result taken before the file was copied: on the first
# run it fires once, but if ldapadd fails on that run the next run skips it
# (the file now exists) and the schema has to be loaded by hand.
# NOTE(review): checking cn=schema,cn=config for the samba entry would be a
# more robust guard - confirm.
- name: activate samba.ldif schema
  command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
  when: not samba_ldap.stat.exists

# Equality indexes on the Samba attributes. state: present adds these values to
# olcDbIndex and leaves the existing (non-Samba) indexes untouched.
# NOTE(review): ldap_attr is deprecated in community.general in favour of
# ldap_attrs; confirm against the target Ansible/collection version.
- name: add indexes to LDAP
  ldap_attr:
    dn: "olcDatabase={1}mdb,cn=config"
    name: olcDbIndex
    values:
      - sambaSID eq
      - sambaPrimaryGroupSID eq
      - sambaGroupType eq
      - sambaSIDList eq
      - sambaDomainName eq
    state: present

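# state: exact replaces the whole olcAccess list, so every rule the directory
# needs has to be listed here, in evaluation order: slapd applies the first
# "to" clause that matches, and the last clause grants read to everyone
# (anonymous included) on anything not matched above it.
# NOTE(review): slapd stores olcAccess with {n} ordering prefixes; if this task
# reports "changed" on every run, the value comparison is the likely cause.
- name: modify ACLs to account for Samba
  ldap_attr:
    dn: "olcDatabase={1}mdb,cn=config"
    name: olcAccess
    values:
      # Unix password hash: owner may change it, anyone may bind against it,
      # nobody may read it.
      - >-
        to attrs=userPassword
        by self write
        by anonymous auth
        by * none
      - >-
        to attrs=shadowLastChange
        by self write
        by * read
      # Samba keeps its own hashes in separate attributes. Only the NT hash was
      # shielded before; sambaLMPassword (if LM hashes are kept) and
      # sambaPwdHistory fell through to the world-readable catch-all below.
      # The admin DN is what smbd binds as ("ldap admin dn" in smb.conf).
      - >-
        to attrs=sambaNTPassword,sambaLMPassword,sambaPwdHistory
        by dn.exact=cn=admin,{{ basedn }} write
        by self write
        by * none
      # Catch-all: everything else is readable by any bind, including anonymous.
      - >-
        to * by * read
    state: exact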

# Switches the password backend to LDAP. The block lands after "server role";
# if that pattern is absent, blockinfile appends it at the end of the file.
# "ldap ssl = no" is acceptable only because the backend URL is ldapi:///, a
# local Unix socket - nothing leaves the host. The "ldap admin dn" bind uses
# the password stored in secrets.tdb by the smbpasswd -w task below.
- name: customize smb.conf
  blockinfile:
    dest: /etc/samba/smb.conf
    insertafter: '^\s*server role ='
    block: |
      ####### LDAP Settings #######
      passdb backend = ldapsam:ldapi:///
      ldap suffix = {{ basedn }}
      ldap user suffix = ou=people
      ldap group suffix = ou=groups
      ldap machine suffix = ou=computers
      ldap idmap suffix = ou=idmap
      ldap admin dn = cn=admin,{{ basedn }}
      ldap ssl = no
      ldap passwd sync = yes
  notify: restart smbd


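# Reads the admin bind password file from the target host; the content comes
# back base64-encoded and is decoded by the next task.
- name: slurp admin password for samba setup
  slurp:
    src: "{{ ldap_admin_pwd_file }}"
  register: ldap_admin_pwd
  # keeps the (trivially decodable) file content out of the play output
  no_log: true
  when: not samba_ldap.stat.exists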

# Stores the LDAP admin bind password in Samba's secrets.tdb so smbd can bind
# as "ldap admin dn". The trailing newline of the password file is stripped
# before hand-over. Because of the guard this runs on the first run only: a
# later change of the admin password is not propagated to secrets.tdb.
# NOTE(review): the password is passed as a command-line argument, which is
# visible to other local processes for the duration of the command; no_log
# only keeps it out of Ansible's own output. smbpasswd -w appears to take the
# password only as an argument - confirm this fits the threat model.
- name: make samba admin password available to smbd
  command: smbpasswd -w "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
  no_log: true
  notify: restart smbd
  when: not samba_ldap.stat.exists

# Restart smbd now so it runs with the LDAP backend before any password is set.
- meta: flush_handlers

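# Gives the existing LDAP user "foo" a Samba password (and thereby its samba*
# attributes). Runs on every play when foo_pwd is set, so it reports "changed"
# each time.
- name: add samba attributes to dummy user foo
  command:
    cmd: smbpasswd -s -a foo
    # -s reads the new password twice from stdin (entry and confirmation)
    stdin: "{{ foo_pwd }}\n{{ foo_pwd }}"
  # stdin is a module argument: without no_log the clear-text password would
  # show up in verbose output and in callback/result data
  no_log: true
  when: foo_pwd is defined and foo_pwd | length > 0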

########################

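# Opens the samba service in the "internal" zone only; whether that keeps it
# off the public interface depends on the host's interface-to-zone assignment.
# permanent + immediate: survives a reload and takes effect without one.
- name: allow services in firewalld
  firewalld:
    zone: internal
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  with_items:
    - samba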