124 lines
3 KiB
YAML
124 lines
3 KiB
YAML
## Install and configure samba-ldap.
|
|
---
|
|
- name: check if samba is already there
|
|
stat: path=/etc/ldap/schema/samba.ldif
|
|
register: samba_ldap
|
|
|
|
- name: install samba and provide samba schema
|
|
apt:
|
|
name:
|
|
- samba
|
|
- sssd-ldap
|
|
state: latest # noqa package-latest
|
|
|
|
- name: provide identities from LDAP
|
|
template:
|
|
src: sssd.conf.j2
|
|
dest: /etc/sssd/sssd.conf
|
|
mode: 0600
|
|
notify: restart sssd
|
|
|
|
- name: prepare samba schema
|
|
command: cp /usr/share/doc/samba/examples/LDAP/samba.ldif /etc/ldap/schema/
|
|
args:
|
|
creates: /etc/ldap/schema/samba.ldif
|
|
|
|
- name: activate samba.ldif schema
|
|
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
|
|
when: not samba_ldap.stat.exists
|
|
|
|
- name: add indexes to LDAP
|
|
ldap_attrs:
|
|
dn: "olcDatabase={1}mdb,cn=config"
|
|
attributes:
|
|
olcDbIndex:
|
|
- sambaSID eq
|
|
- sambaPrimaryGroupSID eq
|
|
- sambaGroupType eq
|
|
- sambaSIDList eq
|
|
- sambaDomainName eq
|
|
state: present
|
|
|
|
- name: modify ACLs to account for Samba
|
|
ldap_attrs:
|
|
dn: "olcDatabase={1}mdb,cn=config"
|
|
attributes:
|
|
olcAccess:
|
|
- >-
|
|
to attrs=userPassword
|
|
by self write
|
|
by anonymous auth
|
|
by * none
|
|
- >-
|
|
to attrs=shadowLastChange
|
|
by self write
|
|
by * read
|
|
- >-
|
|
to attrs=sambaNTPassword
|
|
by dn.exact=cn=admin,{{ basedn }} write
|
|
by self write
|
|
by * none
|
|
- >-
|
|
to * by * read
|
|
ordered: true
|
|
state: exact
|
|
|
|
- name: configure smb ldap backend
|
|
blockinfile:
|
|
dest: /etc/samba/smb.conf
|
|
insertafter: '^\s*server role ='
|
|
block: |
|
|
####### LDAP Settings #######
|
|
passdb backend = ldapsam:ldapi:///
|
|
ldap suffix = {{ basedn }}
|
|
ldap user suffix = ou=people
|
|
ldap group suffix = ou=groups
|
|
ldap machine suffix = ou=computers
|
|
ldap idmap suffix = ou=idmap
|
|
ldap admin dn = cn=admin,{{ basedn }}
|
|
ldap ssl = no
|
|
ldap passwd sync = yes
|
|
notify: restart smbd
|
|
|
|
- name: make smb homes writable
|
|
replace:
|
|
path: /etc/samba/smb.conf
|
|
regexp: '^(\s*read only =) yes$'
|
|
replace: '\1 no'
|
|
after: '\[homes\]'
|
|
before: '\[.+\]'
|
|
notify: restart smbd
|
|
|
|
- name: slurp admin password for samba setup
|
|
slurp:
|
|
src: "{{ ldap_admin_pwd_file }}"
|
|
register: ldap_admin_pwd
|
|
no_log: true
|
|
when: not samba_ldap.stat.exists
|
|
|
|
- name: make samba admin password available to smbd
|
|
command: smbpasswd -w "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
|
|
no_log: true
|
|
notify: restart smbd
|
|
when: not samba_ldap.stat.exists
|
|
|
|
- name: flush all handlers
|
|
meta: flush_handlers
|
|
|
|
- name: add samba attributes to dummy user foo
|
|
command:
|
|
cmd: smbpasswd -s -a foo
|
|
stdin: "{{ foo_pwd }}\n{{ foo_pwd }}"
|
|
when: foo_pwd is defined and foo_pwd | length > 0
|
|
|
|
########################
|
|
|
|
- name: allow services in firewalld
|
|
firewalld:
|
|
zone: internal
|
|
service: "{{ item }}"
|
|
permanent: true
|
|
immediate: true
|
|
state: enabled
|
|
with_items:
|
|
- samba
|