samba-dc: Omit tls cafile setting

The `tls cafile` setting in `smb.conf` is not necessary.  It is used for
verifying peer certificates for mutual TLS authentication, not to
specify the intermediate certificate authority chain like I thought.

The setting cannot simply be left out, though.  If it is not specified,
Samba will attempt to load a file from a built-in default path, which
will fail, causing the server to crash.  This is avoided by setting the
value to the empty string.
step-ssh
Dustin 2023-05-10 08:25:45 -05:00
parent 5ebe10fb0b
commit ad9fb6798e
2 changed files with 1 additions and 4 deletions


@ -16,7 +16,6 @@ samba_shares:
samba_tls_enabled: true
samba_tls_keyfile: /etc/pki/tls/private/samba.key
samba_tls_certfile: /etc/pki/tls/certs/samba.cer
samba_tls_cafile: /etc/pki/tls/certs/samba-ca.crt
collectd_processes:
- name: samba
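
Review bot: Dropping `samba_tls_cafile` from the line after `samba_tls_certfile` leaves no record in these vars that the variable is still honoured by the template (it now falls back to `d('')`). A one-line comment here, or an entry in the role defaults, stating that `samba_tls_cafile` is optional and is only for verifying peer certificates would stop someone from re-adding it to carry an intermediate chain. It is also worth checking that no other host or group vars still set it to the old path, since any remaining definition will still be rendered.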


@ -20,9 +20,7 @@
tls enabled = yes
tls keyfile = {{ samba_tls_keyfile }}
tls certfile = {{ samba_tls_certfile }}
{% if samba_tls_cafile is defined %}
tls cafile = {{ samba_tls_cafile }}
{% endif %}
tls cafile = {{ samba_tls_cafile|d('') }}
{% endif %}
[netlogon]
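
Review bot: The new `tls cafile = {{ samba_tls_cafile|d('') }}` line renders as an empty `tls cafile =` by default, and nothing in the template explains why it is there. The reason is only in the commit message (an unset value makes Samba try a built-in default path and crash), so a later cleanup could easily wrap the line in `is defined` again or delete it as a no-op. Add a Jinja comment (`{# ... #}`) directly above the line saying that the empty value is deliberate and what it prevents.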