roles/samba-dc: Support joining existing domain

The *samba-dc* role now supports joining an existing Active Directory
domain as an additional domain controller. The `samba_is_first_dc` variable
controls whether the machine will be provisioned with a new domain (when
true) or added to an existing domain (when false).

Joining an existing domain naturally requires credentials of a user with
permission to add a new DC, the `samba_dc_join_username` and
`samba_dc_join_password` variables can be used to specify them.
Alternatively, if these variables are not defined, then the process will
attempt to use Kerberos credentials. This would require playbooks to
make a ticket-granting-ticket available somehow, such as by executing
`kinit` prior to applying the *samba-dc* role.

roles/samba-dc/defaults/main.yml

@@ -1 +1,2 @@
 samba_dc_use_rfc2307: true
+samba_is_first_dc: false

roles/samba-dc/library/samba_domain

@@ -55,6 +55,20 @@ def main():
                     'SAMBA_INTERNAL',
                 ],
             ),
+            username=dict(
+                required=False,
+            ),
+            password=dict(
+                required=False,
+                no_log=True,
+            ),
+            state=dict(
+                required=True,
+                choices=[
+                    'provisioned',
+                    'joined',
+                ],
+            ),
         ),
         supports_check_mode=True,
     )
@@ -63,6 +77,9 @@ def main():
     domain = module.params['domain'] or realm.split('.')[0]
     use_rfc2307 = module.params['use_rfc2307']
     dns_backend = module.params['dns_backend']
+    state = module.params['state']
+    username = module.params['username']
+    password = module.params['password']
 
     samba_tool = module.get_bin_path('samba-tool', required=True)
     samba = module.get_bin_path('samba', required=True)
@@ -93,12 +110,30 @@ def main():
         cmd = [
             samba_tool,
             'domain',
-            'provision',
-            '--realm={}'.format(realm),
-            '--domain={}'.format(domain),
         ]
-        if use_rfc2307:
+        if state == 'provisioned':
-            cmd.append('--use-rfc2307')
+            cmd += [
+                'provision',
+                '--realm={}'.format(realm),
+                '--domain={}'.format(domain),
+            ]
+            if use_rfc2307:
+                cmd.append('--use-rfc2307')
+        else:
+            cmd += [
+                'join',
+                realm,
+                'DC',
+            ]
+            if username and password:
+                cmd += [
+                    '--username', username,
+                    '--password', password,
+                ]
+            else:
+                cmd += [
+                    '--kerberos', 'true',
+                ]
         if dns_backend:
             cmd += ('--dns-backend', dns_backend)
         rc, out, err = module.run_command(cmd, check_rc=True)

roles/samba-dc/tasks/main.yml

@@ -32,6 +32,9 @@
     domain={{ netbios_domain|d(omit) }}
     use_rfc2307={{ samba_dc_use_rfc2307 }}
     dns_backend={{ samba_dc_dns_backend|d(omit) }}
+    username={{ samba_dc_join_username|d(omit) }}
+    password={{ samba_dc_join_password|d(omit) }}
+    state={{ 'provisioned' if samba_is_first_dc else 'joined' }}
   register: samba_dc_provision
   notify:
   - restore samba file contexts