roles/winbind: Configure Samba AD membership

The *winbind* role builds upon the *samba* role to configure the machine as an Active Directory domain member.
2018-03-11 18:13:07 -05:00
parent 4546cffeba
commit 5570a94be3
9 changed files with 137 additions and 0 deletions
--- a/roles/winbind/templates/default-realm.krb5.conf.j2
+++ b/roles/winbind/templates/default-realm.krb5.conf.j2
@@ -0,0 +1,2 @@
+[libdefaults]
+default_realm = {{ krb5_realm }}
--- a/roles/winbind/templates/pam_winbind.conf.j2
+++ b/roles/winbind/templates/pam_winbind.conf.j2
@@ -0,0 +1,43 @@
+{#- vim: set ft=jinja : -#}
+#
+# pam_winbind configuration file
+#
+# /etc/security/pam_winbind.conf
+#
+
+[global]
+
+# turn on debugging
+;debug = no
+
+# turn on extended PAM state debugging
+;debug_state = no
+
+# request a cached login if possible
+# (needs "winbind offline logon = yes" in smb.conf)
+cached_login = yes
+
+# authenticate using kerberos
+krb5_auth = {{ 'yes' if winbind_krb5_auth else 'no' }}
+
+# when using kerberos, request a "FILE" krb5 credential cache type
+# (leave empty to just do krb5 authentication but not have a ticket
+# afterwards)
+{% if winbind_krb5_auth %}
+krb5_ccache_type = FILE
+{% else %}
+;krb5_ccache_type = FILE
+{% endif %}
+
+# make successful authentication dependend on membership of one SID
+# (can also take a name)
+;require_membership_of =
+
+# password expiry warning period in days
+;warn_pwd_expire = 14
+
+# omit pam conversations
+silent = yes
+
+# create homedirectory on the fly
+;mkhomedir = no
--- a/roles/winbind/templates/winbind.conf.j2
+++ b/roles/winbind/templates/winbind.conf.j2
@@ -0,0 +1,26 @@
+template homedir = /home/%U
+template shell = /bin/bash
+
+{% if winbind_idmap_backend is defined %}
+idmap backend = {{ winbind_idmap_backend }}
+idmap config * : backend = {{ winbind_idmap_backend }}
+{% endif %}
+idmap config * : range = {{ winbind_idmap_range }}
+
+kerberos method = {{ winbind_kerberos_method }}
+
+winbind nss info = {{ winbind_nss_info }}
+winbind use default domain = {{ 'yes' if winbind_use_default_domain else 'no' }}
+winbind offline logon = {{ 'yes' if winbind_offline_login else 'no' }}
+winbind refresh tickets = {{ 'yes' if winbind_refresh_tickets else 'no' }}
+{% if winbind_ignore_domains|d %}
+winbind:ignore domains = {{ winbind_ignore_domains|join(' ') }}
+{% endif %}
+
+client ldap sasl wrapping = seal
+
+dns proxy = no
+domain master = no
+local master = no
+preferred master = no
+os level = 0