Dustin C. Hatch
cb7c36d65a
The *samba-dc* role now supports joining an existing Active Directory domain as an additional domain controller. The `samba_is_first_dc` variable controls whether the machine will be provisioned with a new domain (when true) or added to an existing domain (when false). Joining an existing domain naturally requires credentials of a user with permission to add a new DC, the `samba_dc_join_username` and `samba_dc_join_password` variables can be used to specify them. Alternatively, if these variables are not defined, then the process will attempt to use Kerberos credentials. This would require playbooks to make a ticket-granting-ticket available somehow, such as by executing `kinit` prior to applying the *samba-dc* role.
64 lines
1.6 KiB
YAML
64 lines
1.6 KiB
YAML
- name: load distribution-specific values
|
|
include_vars: '{{ item }}'
|
|
with_first_found:
|
|
- '{{ ansible_distribution }}.yml'
|
|
- defaults.yml
|
|
tags:
|
|
- always
|
|
|
|
- name: ensure packages are installed
|
|
package:
|
|
name={{ samba_dc_packages|join(',') }}
|
|
state=present
|
|
tags:
|
|
- install
|
|
|
|
- name: ensure selinux file contexts are correct
|
|
sefcontext:
|
|
target={{ item.path }}
|
|
setype={{ item.setype }}
|
|
state=present
|
|
with_items: '{{ samba_selinux_contexts }}'
|
|
notify: restore samba file contexts
|
|
|
|
- name: ensure kerberos is configured
|
|
template:
|
|
src=krb5.conf.j2
|
|
dest=/etc/krb5.conf.d/samba.conf
|
|
|
|
- name: ensure domain is provisioned
|
|
samba_domain:
|
|
realm={{ krb5_realm }}
|
|
domain={{ netbios_domain|d(omit) }}
|
|
use_rfc2307={{ samba_dc_use_rfc2307 }}
|
|
dns_backend={{ samba_dc_dns_backend|d(omit) }}
|
|
username={{ samba_dc_join_username|d(omit) }}
|
|
password={{ samba_dc_join_password|d(omit) }}
|
|
state={{ 'provisioned' if samba_is_first_dc else 'joined' }}
|
|
register: samba_dc_provision
|
|
notify:
|
|
- restore samba file contexts
|
|
- display generated admin password
|
|
|
|
- name: ensure samba starts at boot
|
|
service:
|
|
name=samba
|
|
enabled=yes
|
|
- name: ensure samba is running
|
|
service:
|
|
name=samba
|
|
state=started
|
|
|
|
- name: ensure firewall is configured for samba
|
|
firewalld:
|
|
service={{ item if '/' not in item else omit }}
|
|
port={{ item if '/' in item else omit }}
|
|
state=enabled
|
|
permanent=no
|
|
immediate=yes
|
|
with_items: '{{ samba_firewall }}'
|
|
notify: save firewalld configuration
|
|
when: host_users_firewalld|d(true)|bool
|
|
tags:
|
|
- firewalld
|