configpolicy/roles/samba-dc/tasks/main.yml
Dustin C. Hatch ed22f6311c r/samba-dc: Auto restart samba
Although it's rare, sometimes Samba crashes or fails to start.  When
this happens, restarting it is almost always enough to get it working
again.  Since all sorts of authentication problems can occur if one of
the domain controllers is down, it's probably best to just have systemd
automatically restart _samba.service_ if it ever stops for any reason.
2024-07-03 10:30:20 -05:00


- name: load distribution-specific values
  # Load the per-distribution vars file when one exists, otherwise fall back
  # to defaults.yml. Tagged "always" so the variables are present even when
  # the play is run with a tag filter.
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution }}.yml"
    - defaults.yml
  tags:
    - always
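- name: ensure packages are installed
  # Native module arguments instead of a key=value string, matching the
  # newer tasks in this file. samba_dc_packages is a list from the vars
  # file loaded above; it is joined into the comma-separated form the
  # package module accepts.
  package:
    name: "{{ samba_dc_packages | join(',') }}"
    state: present
  tags:
    - install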
- name: ensure bind9 dlz plugin is configured
  # Only needed for the BIND9_DLZ backend. The bare `d` filter supplies an
  # empty default so the comparison does not fail when the variable is unset.
  include_tasks: bind9-dlz.yml
  when: samba_dc_dns_backend | d == 'BIND9_DLZ'
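- name: ensure kerberos is configured
  # Native module arguments instead of a key=value string, matching the
  # newer tasks in this file.
  # NOTE(review): no mode is pinned here, so the file's permissions follow the
  # remote umask; consider pinning it as the other file tasks in this role do.
  template:
    src: krb5.conf.j2
    dest: /etc/krb5.conf.d/samba.conf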
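- name: ensure domain is provisioned
  # The first DC provisions a new domain; every other DC joins it with the
  # samba_dc_join_username/password credentials. Optional values that are
  # undefined are omitted so the module's own defaults apply.
  samba_domain:
    realm: "{{ krb5_realm }}"
    domain: "{{ netbios_domain | d(omit) }}"
    use_rfc2307: "{{ samba_dc_use_rfc2307 }}"
    dns_backend: "{{ samba_dc_dns_backend | d(omit) }}"
    username: "{{ samba_dc_join_username | d(omit) }}"
    password: "{{ samba_dc_join_password | d(omit) }}"
    state: "{{ 'provisioned' if samba_is_first_dc else 'joined' }}"
  # The join password is a plain module argument; without no_log it is
  # printed with the task arguments in verbose output and written to any
  # task log. The registered result is still available to the handlers
  # below; temporarily drop no_log to see the module's error message when
  # debugging a failed provision/join.
  no_log: true
  register: samba_dc_provision
  notify:
    - restore samba file contexts
    - display generated admin password
    - sync sysvol
  tags:
    - provision-domain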
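- name: ensure samba certificate is installed
  # with_fileglob yields nothing when no per-host certificate has been
  # placed in the files tree, so the task is a no-op on such hosts.
  # Native module arguments instead of a key=value string.
  copy:
    src: "{{ item }}"
    dest: "{{ samba_tls_certfile }}"
    mode: "0644"  # quoted: an unquoted 0644 would be read as the integer 420
  with_fileglob:
    - "certs/samba/{{ inventory_hostname }}/samba.cer"
  notify: restart samba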
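- name: ensure samba certificate private key is installed
  # The private key is readable by its owner only (0600). Like the
  # certificate task, this is a no-op when no per-host key file exists.
  # Native module arguments instead of a key=value string.
  copy:
    src: "{{ item }}"
    dest: "{{ samba_tls_keyfile }}"
    mode: "0600"  # quoted so the leading zero is not parsed as octal 384
  with_fileglob:
    - "certs/samba/{{ inventory_hostname }}/samba.key"
  notify: restart samba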
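- name: ensure samba ca certificate is installed
  # Only runs when a CA file path is configured; the glob is again empty on
  # hosts without a per-host CA certificate in the files tree.
  # Native module arguments instead of a key=value string.
  copy:
    src: "{{ item }}"
    dest: "{{ samba_tls_cafile }}"
    mode: "0644"  # quoted: an unquoted 0644 would be read as the integer 420
  with_fileglob:
    - "certs/samba/{{ inventory_hostname }}/samba-ca.crt"
  when: samba_tls_cafile is defined
  notify: restart samba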
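- name: ensure smb.conf is configured
  # Native module arguments instead of a key=value string, matching the
  # newer tasks in this file.
  template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
    mode: "0644"  # quoted: an unquoted 0644 would be read as the integer 420
  notify: restart samba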
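- name: ensure samba systemd unit extension directory exists
  # Drop-in directory for samba.service overrides (see the auto-restart
  # task below). Native module arguments instead of a key=value string.
  file:
    path: /etc/systemd/system/samba.service.d
    mode: "0755"  # quoted so the leading zero is not parsed as octal 493
    state: directory
  tags:
    - systemd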
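- name: ensure samba service auto restart is configured
  # Installs the drop-in that makes systemd restart samba.service whenever
  # it stops. The destination is spelled out as a full file path rather than
  # the directory, so the result does not depend on the directory already
  # existing (copy would otherwise create a *file* named samba.service.d).
  copy:
    src: auto-restart.conf
    dest: /etc/systemd/system/samba.service.d/auto-restart.conf
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload systemd
    - restart samba
  tags:
    - systemd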
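- name: ensure samba starts at boot
  # Native module arguments and a real boolean instead of the key=value
  # string with `enabled=yes`.
  service:
    name: samba
    enabled: true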
- name: ensure sysvolsync ssh key exists
  # Per-DC ed25519 key used by the sysvolsync client. Kept under Samba's
  # private directory and readable by root only; the result is registered so
  # the public half can be distributed to the other DCs in the next task.
  openssh_keypair:
    type: ed25519
    comment: "{{ inventory_hostname }}"
    path: /var/lib/samba/private/sysvolsync.key
    owner: root
    group: root
    mode: u=r,go=
    state: present
  register: sysvolsync_key
  tags:
    - sysvolsync
- name: ensure sysvolsync key is trusted on other domain controllers
  # Publishes this DC's sysvolsync public key into a dedicated
  # authorized_keys file on every DC in the group (including itself).
  # The key is pinned to a forced command so it cannot open a shell.
  # NOTE(review): a bare command= option still permits port/agent/X11
  # forwarding and pty allocation for this key; if sysvolsync-server does not
  # need them, consider prefixing the options with `restrict,`
  # (OpenSSH >= 7.2).
  delegate_to: "{{ item }}"
  authorized_key:
    user: root
    path: /root/.ssh/authorized_keys_sysvolsync
    key: >-
      {{ sysvolsync_key.public_key }}
    key_options: 'command="/usr/local/libexec/sysvolsync-server"'
    state: present
  # openssh_keypair does not return public_key in check mode
  when: not ansible_check_mode
  loop: "{{ groups['samba-dc'] }}"
  tags:
    - sysvolsync
- name: ensure sysvolsync cache directory exists
  # Working directory for the sysvolsync script (holds its known_hosts file).
  file:
    path: /var/cache/sysvolsync
    state: directory
    mode: u=rwx,go=rx
  tags:
    - sysvolsync
- name: ensure sysvolsync ssh host key database is populated
  # Renders the known_hosts file the sysvolsync client uses to verify the
  # other DCs, so it does not depend on root's own known_hosts.
  template:
    src: sysvolsync.ssh_known_hosts.j2
    dest: /var/cache/sysvolsync/ssh_known_hosts
    mode: u=rw,go=r
  tags:
    - sysvolsync
    - ssh_known_hosts
- name: ensure sysvolsync script is installed
  # Client-side sync script, run by sysvolsync.timer; the timer is restarted
  # when the script changes.
  copy:
    src: sysvolsync.sh
    dest: /usr/local/sbin/sysvolsync
    mode: u=rwx,go=rx
  notify:
    - restart sysvolsync.timer
  tags:
    - sysvolsync
- name: ensure sysvolsync systemd units are installed
  # Service + timer pair for the periodic sync. systemd must be reloaded
  # before the timer is restarted so it picks up the new unit files.
  copy:
    src: "{{ item }}"
    dest: /etc/systemd/system
    mode: u=rw,go=r
  loop:
    - sysvolsync.service
    - sysvolsync.timer
  notify:
    - reload systemd
    - restart sysvolsync.timer
  tags:
    - sysvolsync
    - systemd
- name: ensure sysvolsync timer unit is enabled
  # Enable at boot; starting it is a separate task so each can be tagged
  # and reported independently.
  systemd:
    name: sysvolsync.timer
    enabled: true
  tags:
    - sysvolsync
    - service
- name: ensure sysvolsync timer unit is running
  # Start the timer now (the previous task only enables it for future boots).
  systemd:
    name: sysvolsync.timer
    state: started
  tags:
    - sysvolsync
    - service
- name: ensure sysvolsync-server script is installed
  # Server side of the sync: this is the forced command bound to the
  # sysvolsync authorized key on every DC.
  copy:
    src: sysvolsync-server.sh
    dest: /usr/local/libexec/sysvolsync-server
    mode: u=rwx,go=rx
  tags:
    - sysvolsync
- name: ensure sshd is configured for sysvolsync
  # sshd drop-in that (presumably) points sshd at the dedicated
  # authorized_keys_sysvolsync file — see sysvolsync.sshd.conf for the
  # actual directives. sshd is reloaded, not restarted, to keep existing
  # sessions up.
  copy:
    src: sysvolsync.sshd.conf
    dest: /etc/ssh/sshd_config.d/80-sysvolsync.conf
    mode: u=rw,go=r
  notify:
    - reload sshd
  tags:
    - sysvolsync
- name: ensure idmap-backup systemd units are installed
  # Service + timer pair for the periodic idmap backup; reload systemd before
  # the timer is restarted so the new unit files are picked up.
  copy:
    src: "{{ item }}"
    dest: /etc/systemd/system/
    mode: u=rw,go=r
  loop:
    - idmap-backup.service
    - idmap-backup.timer
  notify:
    - reload systemd
    - restart idmap-backup.timer
  tags:
    - idmap-backup
    - systemd
- name: ensure idmap-backup timer unit is enabled
  # Enable at boot; the next task starts it.
  systemd:
    name: idmap-backup.timer
    enabled: true
  tags:
    - idmap-backup
    - service
- name: ensure idmap-backup timer unit is running
  # Start the timer in the current boot as well.
  systemd:
    name: idmap-backup.timer
    state: started
  tags:
    - idmap-backup
    - service
- name: flush_handlers
  # Run all pending handlers (systemd reload, samba restart, sysvol sync,
  # ...) now, before samba is started below, instead of at the end of the play.
  meta: flush_handlers
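- name: ensure samba is running
  # Native module arguments instead of a key=value string. Runs after the
  # handlers have been flushed so a restart handler does not race this start.
  service:
    name: samba
    state: started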
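- name: ensure firewall is configured for samba
  # Each samba_firewall entry is either a firewalld service name or a
  # "port/protocol" spec; the presence of "/" decides which parameter gets
  # the value and the other one is omitted. Rules are applied to the runtime
  # configuration only and persisted by the notified handler.
  # Native module arguments instead of a key=value string.
  firewalld:
    service: "{{ item if '/' not in item else omit }}"
    port: "{{ item if '/' in item else omit }}"
    state: enabled
    permanent: false
    immediate: true
  with_items: "{{ samba_firewall }}"
  notify: save firewalld configuration
  when: host_users_firewalld | d(true) | bool
  tags:
    - firewalld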
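# Samba maintains a host keytab at /var/lib/samba/private/secrets.keytab,
# however it uses HOST/<fqdn> instead of host/<fqdn> SPNs. mit-krb5 seems to
# treat SPNs case-sensitively, breaking SSH GSSAPI authentication.
#
# It is likely that this keytab will become stale, as domain controller account
# keys may rotate. Hopefully, I will find a better way to manage this at some
# point.
- name: ensure host keytab exists
  # `creates` is passed as a proper module argument rather than as a
  # key=value token inside the free-form command string, so the skip
  # condition is visible to Ansible without parsing the command line.
  # NOTE(review): the permissions of the exported /etc/krb5.keytab are
  # whatever samba-tool creates; confirm it is not group/world readable.
  command:
    cmd: >-
      samba-tool domain exportkeytab /etc/krb5.keytab
      --principal=host/{{ ansible_fqdn }}
    creates: /etc/krb5.keytab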
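- name: ensure logrotate is configured for samba kdc
  # Rotation policy for the KDC log; the task name is corrected from
  # "logroate".
  copy:
    src: krb5kdc.logrotate.conf
    dest: /etc/logrotate.d/krb5kdc
    mode: u=rw,go=r
  tags:
    - logrotate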