domain-controller: Configure local AD authentication

Samba AD DCs are now configured to use Active Directory for local
authentication as well, using the Winbind implementation in the Samba
daemon.

domain-controller.yml

@@ -4,3 +4,17 @@
     include_vars: '{{ item }}'
     with_fileglob: vault/samba-dc/{{ krb5_realm }}
 - import_playbook: samba-dc.yml
+- hosts: samba-dc
+  roles:
+  - nsswitch
+  - system-auth
+  - sudo
+  tasks:
+  - name: ensure domain admins can use sudo
+    copy:
+      content: |
+        %domain\ admins ALL=(ALL) ALL
+        %{{ workgroup }}\\domain\ admins ALL=(ALL) ALL
+      dest: /etc/sudoers.d/10_domain-admins
+      mode: '0440'
+      validate: visudo -cf %s