dustin/configpolicy
1
1
Fork 0
Code Issues Releases Activity
Files
ea1f52814dd5bfe7307f36e347d2906494ba8376
configpolicy/roles/samba-dc/tasks/main.yml
Dustin C. Hatch 984628cbbc roles/samba-dc: Fix typo in host principal name 
The service principal name added to `/etc/krb5.keytab` had a trailing
`}` character because of a typo in the Ansible task. This resulted in
GSSAPI authentication failing because server processes could not find
the host key in the key table.
2018-04-08 10:50:51 -05:00

94 lines
2.5 KiB
YAML
Raw Blame History

- name: load distribution-specific values
include_vars: '{{ item }}'
with_first_found:
- '{{ ansible_distribution }}.yml'
- defaults.yml
tags:
- always
- name: ensure packages are installed
package:
name={{ samba_dc_packages|join(',') }}
state=present
tags:
- install
- name: ensure bind9 dlz plugin is configured
include_tasks: bind9-dlz.yml
when: samba_dc_dns_backend|d == 'BIND9_DLZ'
- name: ensure kerberos is configured
template:
src=krb5.conf.j2
dest=/etc/krb5.conf.d/samba.conf
- name: ensure domain is provisioned
samba_domain:
realm={{ krb5_realm }}
domain={{ netbios_domain|d(omit) }}
use_rfc2307={{ samba_dc_use_rfc2307 }}
dns_backend={{ samba_dc_dns_backend|d(omit) }}
username={{ samba_dc_join_username|d(omit) }}
password={{ samba_dc_join_password|d(omit) }}
state={{ 'provisioned' if samba_is_first_dc else 'joined' }}
register: samba_dc_provision
notify:
- restore samba file contexts
- display generated admin password
- name: ensure smb.conf is configured
template:
src=smb.conf.j2
dest=/etc/samba/smb.conf
mode=0644
notify: restart samba
- name: ensure samba systemd unit extension directory exists
file:
path=/etc/systemd/system/samba.service.d
mode=0755
state=directory
- name: ensure samba4/winbind selinux work-around is in place
copy:
src=relabel-winbindd.conf
dest=/etc/systemd/system/samba.service.d/relabel-winbindd.conf
mode=0644
notify:
- reload systemd
- restart samba
- name: ensure samba starts at boot
service:
name=samba
enabled=yes
- name: ensure samba is running
service:
name=samba
state=started
- name: ensure firewall is configured for samba
firewalld:
service={{ item if '/' not in item else omit }}
port={{ item if '/' in item else omit }}
state=enabled
permanent=no
immediate=yes
with_items: '{{ samba_firewall }}'
notify: save firewalld configuration
when: host_users_firewalld|d(true)|bool
tags:
- firewalld
# Samba maintains a host keytab at /var/lib/samba/private/secrets.keytab,
# however it uses HOST/<fqdn> instead of host/<fqdn> SPNs. mit-krb5 seems to
# treat SPNs case-sensitively, breaking SSH GSSAPI authentication.
#
# It is likely that this keytab will become state, as domain controller account
# keys may rotate. Hopefully, I will find a better way to manage this at some
# point.
- name: ensure host keytab exists
command: >-
samba-tool domain exportkeytab /etc/krb5.keytab
--principal=host/{{ ansible_fqdn }}
creates=/etc/krb5.keytab
Reference in New Issue View Git Blame Copy Permalink