configpolicy/roles/samba-dc/tasks/main.yml
Dustin C. Hatch 24228953b0 r/samba-dc: Configure logrotate for KDC
The KDC service, as managed by Samba, continuously logs to two files
that need to be rotated.  The upstream configuration for logrotate only
manages one of these files, and does not correctly signal the service
after rotating, as it expects the service to be managed by systemd
instead of Samba.  As such, we need to adjust the configuration to
handle both files and send SIGHUP directly to the process.
2022-04-24 11:37:13 -05:00


- name: load distribution-specific values
  # Per-distribution package names and paths; defaults.yml is the fallback when
  # no vars file named after ansible_distribution exists.
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution }}.yml"
    - defaults.yml
  tags: [always]
- name: ensure packages are installed
  # samba_dc_packages comes from the distribution vars loaded above; it is
  # joined into one comma-separated string for the generic package module.
  package:
    name: "{{ samba_dc_packages | join(',') }}"
    state: present
  tags: [install]
- name: ensure bind9 dlz plugin is configured
  # Only the BIND9_DLZ backend needs extra setup; an unset backend (default '')
  # means the internal DNS server and skips this include.
  include_tasks: bind9-dlz.yml
  when: (samba_dc_dns_backend | default('')) == 'BIND9_DLZ'
- name: ensure kerberos is configured
  # Realm configuration is shipped as a krb5.conf.d fragment rather than by
  # rewriting /etc/krb5.conf. No mode is given, so the file gets the default
  # (umask-derived) permissions; the fragment is not expected to hold secrets.
  # NOTE(review): confirm the distribution's krb5.conf includes krb5.conf.d.
  template:
    src: krb5.conf.j2
    dest: /etc/krb5.conf.d/samba.conf
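- name: ensure domain is provisioned
  # samba_domain is a role-local module (not shown here). On the first DC it
  # provisions a new domain; on every other DC it joins the existing one with
  # the supplied join credentials.
  samba_domain:
    realm: "{{ krb5_realm }}"
    domain: "{{ netbios_domain | d(omit) }}"
    use_rfc2307: "{{ samba_dc_use_rfc2307 }}"
    dns_backend: "{{ samba_dc_dns_backend | d(omit) }}"
    username: "{{ samba_dc_join_username | d(omit) }}"
    password: "{{ samba_dc_join_password | d(omit) }}"
    state: "{{ 'provisioned' if samba_is_first_dc else 'joined' }}"
  # The join password is a module argument and, on the first DC, the module's
  # result carries the generated admin password: neither may end up in verbose
  # output or log files. no_log censors only what callbacks display -- the
  # registered variable is still complete, so the handler that shows the
  # generated password keeps working. Set to false temporarily when debugging
  # a failed provision/join.
  no_log: true
  register: samba_dc_provision
  notify:
    - restore samba file contexts
    - display generated admin password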
# TLS material is staged per host under certs/samba/<inventory_hostname>/
# (relative to the role's files/ directory, the usual with_fileglob search
# path). Each "glob" below names exactly one file, so the task is skipped
# silently for hosts that have nothing staged.
#
# NOTE(review): the private key is a plain file on the controller; keep it out
# of version control or vault-encrypt it (copy decrypts vaulted src files).
- name: ensure samba certificate is installed
  copy:
    src: "{{ item }}"
    dest: "{{ samba_tls_certfile }}"
    mode: "0644"
  with_fileglob:
    - certs/samba/{{ inventory_hostname }}/samba.cer
  notify: restart samba
- name: ensure samba certificate private key is installed
  # Owner-only permissions. No owner/group is set, so the key belongs to the
  # user the copy runs as -- presumably root via become; confirm.
  copy:
    src: "{{ item }}"
    dest: "{{ samba_tls_keyfile }}"
    mode: "0600"
  with_fileglob:
    - certs/samba/{{ inventory_hostname }}/samba.key
  notify: restart samba
- name: ensure samba ca certificate is installed
  # Optional: only hosts that define samba_tls_cafile get a CA bundle.
  copy:
    src: "{{ item }}"
    dest: "{{ samba_tls_cafile }}"
    mode: "0644"
  with_fileglob:
    - certs/samba/{{ inventory_hostname }}/samba-ca.crt
  when: samba_tls_cafile is defined
  notify: restart samba
- name: ensure smb.conf is configured
  # Rendered world-readable (0644). NOTE(review): smb.conf.j2 is not shown here;
  # it must not embed passwords or other secrets given that mode.
  template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
    mode: "0644"
  notify: restart samba
- name: ensure samba systemd unit extension directory exists
  file:
    path: /etc/systemd/system/samba.service.d
    state: directory
    mode: "0755"
- name: ensure samba4/winbind selinux work-around is in place
  # relabel-winbindd.conf is a systemd drop-in for samba.service shipped with
  # the role; its contents are not visible from this file. systemd must reload
  # its units before the drop-in takes effect, hence the "reload systemd"
  # handler alongside the restart.
  copy:
    src: relabel-winbindd.conf
    dest: /etc/systemd/system/samba.service.d/relabel-winbindd.conf
    mode: "0644"
  notify:
    - reload systemd
    - restart samba
# Handlers run at the end of the play, so on a first run samba is started here
# before "reload systemd" has picked up the drop-in above; the queued
# "restart samba" handler brings it up again with the drop-in applied.
- name: ensure samba starts at boot
  service:
    name: samba
    enabled: true
- name: ensure samba is running
  service:
    name: samba
    state: started
- name: ensure firewall is configured for samba
  # Entries in samba_firewall are either firewalld service names or
  # "port/protocol" strings; the presence of '/' decides which argument the
  # item is passed as, the other one is omitted.
  firewalld:
    service: "{{ omit if '/' in item else item }}"
    port: "{{ item if '/' in item else omit }}"
    state: enabled
    permanent: false
    immediate: true
  loop: "{{ samba_firewall | flatten(levels=1) }}"
  # Only the runtime configuration is touched here; persisting it is left to
  # the "save firewalld configuration" handler. If the play aborts before
  # handlers flush, the opened ports do not survive a firewalld reload.
  notify: save firewalld configuration
  when: host_users_firewalld | d(true) | bool
  tags: [firewalld]
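# Samba maintains a host keytab at /var/lib/samba/private/secrets.keytab,
# however it uses HOST/<fqdn> instead of host/<fqdn> SPNs. mit-krb5 seems to
# treat SPNs case-sensitively, breaking SSH GSSAPI authentication.
#
# It is likely that this keytab will become stale, as domain controller account
# keys may rotate. Hopefully, I will find a better way to manage this at some
# point.
- name: ensure host keytab exists
  # "creates" makes this a one-shot export: an existing /etc/krb5.keytab is
  # never refreshed, which is exactly the staleness problem noted above.
  command: >-
    samba-tool domain exportkeytab /etc/krb5.keytab
    --principal=host/{{ ansible_fqdn }}
  args:
    creates: /etc/krb5.keytab
- name: ensure host keytab is only readable by root
  # The keytab holds the host's long-term Kerberos key. The exporter is
  # expected to create it owner-only, but a keytab that was already present
  # (and which "creates" leaves untouched) is never checked, so pin the
  # ownership and mode explicitly rather than trusting the umask.
  file:
    path: /etc/krb5.keytab
    owner: root
    group: root
    mode: "0600"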
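- name: ensure logrotate is configured for samba kdc
  # The KDC is run by Samba rather than as a standalone systemd unit, so the
  # packaged logrotate snippet (which expects systemd-managed krb5kdc) is
  # replaced by a role-local one covering both KDC log files. The rotation
  # rules and the signal sent to the KDC live in krb5kdc.logrotate.conf, not
  # here. NOTE(review): if the distribution package owns
  # /etc/logrotate.d/krb5kdc, check how package updates treat this overwrite.
  copy:
    src: krb5kdc.logrotate.conf
    dest: /etc/logrotate.d/krb5kdc
    mode: u=rw,go=r
  tags: [logrotate]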