From 93598145b64a2e89079ef7f6f493f5c356bc50dd Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 28 May 2018 15:18:56 -0500 Subject: [PATCH] roles/samba-dc: Support configuring TLS In order to enable LDAPS/STARTTLS support in Samba, the `tls enabled` option must be set to `yes` and the `tls keyfile` and `tls certfile` options must be set to the path of the private key and certificate files, respectively, that Samba will use. The `samba_tls_enabled`, `samba_tls_keyfile`, and `samb_tls_certfile` Ansible variables can be used to control these values. --- roles/samba-dc/templates/smb.conf.j2 | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/samba-dc/templates/smb.conf.j2 b/roles/samba-dc/templates/smb.conf.j2 index b66941e..6feb5d8 100644 --- a/roles/samba-dc/templates/smb.conf.j2 +++ b/roles/samba-dc/templates/smb.conf.j2 @@ -11,6 +11,15 @@ template homedir = {{ winbind_template_homedir }} template shell = /bin/bash +{% if samba_tls_enabled|bool %} + tls enabled = yes + tls keyfile = {{ samba_tls_keyfile }} + tls certfile = {{ samba_tls_certfile }} +{% if samba_tls_cafile is defined %} + tls cafile = {{ samba_tls_cafile }} +{% endif %} +{% endif %} + [netlogon] path = /var/lib/samba/sysvol/{{ krb5_realm|lower }}/scripts read only = No
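Review bot: The outer guard `{% if samba_tls_enabled|bool %}` has no fallback, unlike the inner `samba_tls_cafile is defined` test, so a play that never sets `samba_tls_enabled` will most likely fail to render unless the role defines a default in a file outside this one-file patch; `{% if samba_tls_enabled|default(false)|bool %}` keeps existing deployments rendering. When the flag is true but `samba_tls_keyfile` or `samba_tls_certfile` is unset, failing the render is the right outcome, and a template comment would make that explicit, e.g. `{# samba_tls_keyfile and samba_tls_certfile are required when samba_tls_enabled is true #}`. The template only writes paths, so whatever installs the key must keep it root-owned with mode 0600, because current Samba versions refuse to load a TLS private key with looser permissions. Omitting the block does not turn TLS off: `tls enabled` defaults to yes in Samba, which then uses a self-generated certificate, so the role docs should say that `samba_tls_enabled: false` does not mean plaintext only. The commit message spells the last variable `samb_tls_certfile`, while the template reads `samba_tls_certfile`.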