samba-dc: Configure samba4 winbind

The *samba-dc* role now configures `winbindd` on domain controllers to
support identity mapping on the local machine. This will allow domain
users to log into the domain controller itself, e.g. via SSH.

The Fedora packaging of *samba4* still has some warts. Specifically, it
does not have a proper SELinux policy, so some work-arounds need to be
put into place in order for confined processes to communicate with
winbind.

roles/samba-dc/tasks/main.yml

@@ -36,6 +36,27 @@
   - restore samba file contexts
   - display generated admin password
 
+- name: ensure smb.conf is configured
+  template:
+    src=smb.conf.j2
+    dest=/etc/samba/smb.conf
+    mode=0644
+  notify: restart samba
+
+- name: ensure samba systemd unit extension directory exists
+  file:
+    path=/etc/systemd/system/samba.service.d
+    mode=0755
+    state=directory
+- name: ensure samba4/winbind selinux work-around is in place
+  copy:
+    src=relabel-winbindd.conf
+    dest=/etc/systemd/system/samba.service.d/relabel-winbindd.conf
+    mode=0644
+  notify:
+  - reload systemd
+  - restart samba
+
 - name: ensure samba starts at boot
   service:
     name=samba
@@ -57,3 +78,16 @@
   when: host_users_firewalld|d(true)|bool
   tags:
   - firewalld
+
+# Samba maintains a host keytab at /var/lib/samba/private/secrets.keytab,
+# however it uses HOST/<fqdn> instead of host/<fqdn> SPNs. mit-krb5 seems to
+# treat SPNs case-sensitively, breaking SSH GSSAPI authentication.
+#
+# It is likely that this keytab will become state, as domain controller account
+# keys may rotate. Hopefully, I will find a better way to manage this at some
+# point.
+- name: ensure host keytab exists
+  command: >-
+    samba-tool domain exportkeytab /etc/krb5.keytab
+    --principal=host/{{ ansible_fqdn }}}
+    creates=/etc/krb5.keytab