Initialisation depot

Migration/Ansible/roles/samba4-dc/tasks/configure_samba.yml

@@ -0,0 +1,7 @@
+- name: Configure DNS forwarders
+  lineinfile:
+    path: /etc/samba/smb.conf
+    regexp: '^(\s*)dns forwarder\s*='
+    line: '        dns forwarder = 8.8.8.8 1.1.1.1'
+    insertafter: '^\[global\]'
+

Migration/Ansible/roles/samba4-dc/tasks/dns_config.yml

@@ -0,0 +1,69 @@
+---
+# DNS Configuration and Reverse DNS Setup
+- name: Wait for Samba DNS to be ready
+  wait_for:
+    port: 53
+    host: 127.0.0.1
+    delay: 5
+    timeout: 30
+
+- name: Check if reverse DNS zone already exists
+  command: >
+    samba-tool dns zonelist 127.0.0.1
+    --username=Administrator --password={{ samba_admin_password }}
+  register: existing_zones
+  changed_when: false
+  failed_when: false
+
+- name: Create reverse DNS zone
+  command: >
+    samba-tool dns zonecreate 127.0.0.1 100.168.192.in-addr.arpa
+    --username=Administrator --password={{ samba_admin_password }}
+  register: reverse_zone
+  changed_when: reverse_zone.rc == 0
+  failed_when: reverse_zone.rc != 0 and "already exists" not in reverse_zone.stderr
+  when: "'100.168.192.in-addr.arpa' not in existing_zones.stdout"
+
+- name: Check existing NS records in reverse zone
+  command: >
+    samba-tool dns query 127.0.0.1 100.168.192.in-addr.arpa @ NS
+    --username=Administrator --password={{ samba_admin_password }}
+  register: existing_ns_records
+  changed_when: false
+  failed_when: false
+
+- name: Add NS record for reverse zone
+  command: >
+    samba-tool dns add 127.0.0.1 100.168.192.in-addr.arpa @ NS {{ target_hostname }}.{{ samba_realm }}.
+    --username=Administrator --password={{ samba_admin_password }}
+  register: dns_ns_record
+  changed_when: dns_ns_record.rc == 0
+  failed_when: dns_ns_record.rc != 0 and "already exists" not in dns_ns_record.stderr
+  when: "target_hostname + '.' + samba_realm + '.' not in existing_ns_records.stdout"
+
+- name: Get current server IP address for DNS record
+  shell: |
+    ip route get 8.8.8.8 | grep -oP 'src \K\S+' | head -1
+  register: current_server_ip
+  changed_when: false
+
+- name: Extract host part from IP address
+  set_fact:
+    ip_host_part: "{{ current_server_ip.stdout.split('.')[3] }}"
+
+- name: Check existing PTR records in reverse zone
+  command: >
+    samba-tool dns query 127.0.0.1 100.168.192.in-addr.arpa {{ ip_host_part }} PTR
+    --username=Administrator --password={{ samba_admin_password }}
+  register: existing_ptr_records
+  changed_when: false
+  failed_when: false
+
+- name: Add PTR record for reverse zone
+  command: >
+    samba-tool dns add 127.0.0.1 100.168.192.in-addr.arpa {{ ip_host_part }} PTR {{ target_hostname }}.{{ samba_realm }}.
+    --username=Administrator --password={{ samba_admin_password }}
+  register: dns_ptr_record
+  changed_when: dns_ptr_record.rc == 0
+  failed_when: dns_ptr_record.rc != 0 and "already exists" not in dns_ptr_record.stderr
+  when: "target_hostname + '.' + samba_realm + '.' not in existing_ptr_records.stdout"

Migration/Ansible/roles/samba4-dc/tasks/install_samba.yml

@@ -0,0 +1,36 @@
+---
+# Samba4 installation tasks
+- name: Check if Samba domain is already provisioned
+  stat:
+    path: /var/lib/samba/private/sam.ldb
+  register: samba_provisioned
+
+- name: Provision Samba4 domain
+  command: >
+    samba-tool domain provision
+    --use-rfc2307
+    --realm={{ samba_realm }}
+    --domain={{ samba_domain }}
+    --adminpass={{ samba_admin_password }}
+    --server-role=dc
+    --dns-backend=SAMBA_INTERNAL
+    --domain-sid={{ samba_domain_sid }}
+  when: not samba_provisioned.stat.exists
+
+- name: Copy Kerberos configuration
+  copy:
+    src: /var/lib/samba/private/krb5.conf
+    dest: /etc/krb5.conf
+    remote_src: yes
+    backup: yes
+
+- name: Enable and start samba-ad-dc service
+  systemd:
+    name: samba-ad-dc
+    enabled: yes
+    state: started
+    daemon_reload: yes
+
+- name: Include DNS configuration tasks
+  include_tasks: dns_config.yml
+

Migration/Ansible/roles/samba4-dc/tasks/main.yml

@@ -0,0 +1,15 @@
+
+- name: Include pre-installation tasks
+  include_tasks: pre_install.yml
+
+- name: Include network configuration
+  include_tasks: network.yml
+
+- name: Include Samba4 installation
+  include_tasks: install_samba.yml
+
+- name: Include Samba4 configuration
+  include_tasks: configure_samba.yml
+
+- name: Include post-installation tasks
+  include_tasks: post_install.yml

Migration/Ansible/roles/samba4-dc/tasks/network.yml

@@ -0,0 +1,9 @@
+---
+# Network configuration tasks
+
+- name: Configure DNS resolution
+  template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+    backup: yes
+

Migration/Ansible/roles/samba4-dc/tasks/post_install.yml

@@ -0,0 +1,38 @@
+---
+- name: Create backup script
+  template:
+    src: samba-backup.sh.j2
+    dest: /usr/local/bin/samba-backup.sh
+    mode: '0755'
+
+- name: Create restore script
+  template:
+    src: samba-restore.sh.j2
+    dest: /usr/local/bin/samba-restore.sh
+    mode: '0755'
+
+- name: Create ChangeNextRid script
+  template:
+    src: samba-changenextrid.sh.j2
+    dest: /usr/local/bin/samba-changenextrid.sh
+    mode: '0755'
+
+- name: Setup NFS backup storage
+  include_role:
+    name: nfs
+  vars:
+    nfs_mounts:
+      - server: "192.168.100.210"
+        share: "/mnt/zpool20T/data-encrypt/NFS"
+        path: "/backup"
+        options: "rw,sync,hard,intr,rsize=8192,wsize=8192"
+        subdirs:
+          - "samba"
+
+- name: Setup backup cron job
+  cron:
+    name: "Samba4 weekly backup"
+    minute: "0"
+    hour: "2"
+    weekday: "0"
+    job: "/usr/local/bin/samba-backup.sh"

Migration/Ansible/roles/samba4-dc/tasks/pre_install.yml

@@ -0,0 +1,92 @@
+---
+# Pre-installation tasks
+- name: Install required Samba packages
+  apt:
+    name:
+      - samba
+      - samba-dsdb-modules
+      - samba-vfs-modules
+      - winbind
+      - libnss-winbind
+      - libpam-winbind
+      - krb5-config
+      - krb5-user
+      - dnsutils
+      - acl
+      - attr
+      - ldb-tools
+      - smbclient
+    state: present
+
+- name: Stop default Samba services
+  systemd:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+  loop:
+    - smbd
+    - nmbd
+    - winbind
+  ignore_errors: yes
+
+- name: Mask default Samba services to prevent conflicts
+  systemd:
+    name: "{{ item }}"
+    masked: yes
+  loop:
+    - smbd
+    - nmbd
+    - winbind
+  ignore_errors: yes
+
+- name: Check if server is already an Active Directory Domain Controller
+  shell: |
+    if [ -f /etc/samba/smb.conf ]; then
+      grep -i "server role.*active directory domain controller" /etc/samba/smb.conf || echo "not_ad_dc"
+    else
+      echo "no_config"
+    fi
+  register: samba_role_check
+  changed_when: false
+  failed_when: false
+
+- name: Display current Samba role status
+  debug:
+    msg: |
+      {% if 'active directory domain controller' in samba_role_check.stdout.lower() %}
+      ✅ Server is already configured as Active Directory Domain Controller
+      ⚠️  Skipping backup and cleanup to preserve existing AD configuration
+      {% else %}
+      ℹ️  Server is not configured as AD DC ({{ samba_role_check.stdout }})
+      🔄 Will backup existing config and clean databases
+      {% endif %}
+
+- name: Backup existing Samba configuration
+  copy:
+    src: /etc/samba/smb.conf
+    dest: /etc/samba/smb.conf.orig
+    remote_src: yes
+    backup: yes
+  ignore_errors: yes
+  when: "'active directory domain controller' not in samba_role_check.stdout.lower()"
+
+- name: Clean existing Samba databases
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /var/lib/samba/private
+    - /var/cache/samba
+    - /etc/samba/smb.conf
+  ignore_errors: yes
+  when: "'active directory domain controller' not in samba_role_check.stdout.lower()"
+
+- name: Recreate Samba directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - /var/lib/samba
+    - /var/cache/samba
+  when: "'active directory domain controller' not in samba_role_check.stdout.lower()"

Migration/Ansible/roles/samba4-dc/templates/resolv.conf.j2

@@ -0,0 +1,6 @@
+# DNS resolver configuration
+{% for dns_server in dns_servers %}
+nameserver {{ dns_server }}
+{% endfor %}
+search {{ samba_realm }}
+domain {{ samba_realm }}

Migration/Ansible/roles/samba4-dc/templates/samba-backup.sh.j2

@@ -0,0 +1,83 @@
+#!/bin/bash
+# Samba4 Backup Script
+# Generated by Ansible
+
+TIMESTAMP=$(date '+%Y-%m-%d_%H-%M-%S')
+DATE=$(date +%Y%m%d_%H%M%S)  # Kept for compatibility
+HOSTNAME="{{ target_hostname }}"
+NFS_SERVER="{{ nfs_server | default('192.168.100.210') }}"
+NFS_MOUNT="/backup"
+BACKUP_BASE_DIR="{{ backup_dir | default('/backup/samba') }}"
+RETENTION_DAYS="28"
+
+# End of configuration
+
+BACKUP_FILE="$BACKUP_BASE_DIR/$HOSTNAME-$TIMESTAMP.tgz"
+
+{% raw %}
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+echo -e "${CYAN}🔄 Samba4 Backup Script"
+echo "==============================${NC}"
+
+# Function to check NFS availability
+echo "Checking NFS availability..."
+# Test 1: Check if backup directory is mounted
+if ! mountpoint -q "$NFS_MOUNT"; then
+  echo -e "${RED}❌ ERROR: NFS mount point $NFS_MOUNT is not mounted!${NC}"
+  exit 1
+fi
+
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] Starting backup : $BACKUP_FILE" >> "$BACKUP_BASE_DIR/backup.log"
+
+# Create backup folder
+mkdir -p "$BACKUP_BASE_DIR"
+if [ ! -d "$BACKUP_BASE_DIR" ]; then
+  echo -e "${RED}❌ ERROR: cannot create $BACKUP_BASE_DIR${NC}"
+  echo "[$(date '+%Y-%m-%d %H:%M:%S')] ERROR: cannot create $BACKUP_BASE_DIR" >> "$BACKUP_BASE_DIR/backup.log"
+  exit 2
+fi
+
+# Create backup file
+touch $BACKUP_FILE
+if [ ! -f "$BACKUP_FILE" ]; then
+  echo -e "${RED}❌ ERROR: Cannot create backup file${NC}"
+  echo "[$(date '+%Y-%m-%d %H:%M:%S')] ERROR: Cannot create backup file" >> "$BACKUP_BASE_DIR/backup.log"
+  exit 3
+fi
+
+# Stop samba
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] Stopping Samba service" >> "$BACKUP_BASE_DIR/backup.log"
+systemctl stop samba-ad-dc
+
+tar -czf "$BACKUP_FILE" \
+    /var/lib/samba \
+    /etc/samba \
+    /etc/krb5.conf \
+    /etc/resolv.conf 2>/dev/null
+
+# Restart Samba
+echo -e "${YELLOW}🔄 Restarting Samba service${NC}"
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] Starting Samba service" >> "$BACKUP_BASE_DIR/backup.log"
+systemctl start samba-ad-dc
+
+# Wait for Samba to be fully operational
+sleep 10
+if ! systemctl is-active --quiet samba-ad-dc; then
+    echo -e "${YELLOW}⚠️  WARNING: Samba service may not be fully operational${NC}"
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] WARNING: Samba service may not be fully operational" >> "$BACKUP_BASE_DIR/backup.log"
+fi
+
+
+# Clean old backups
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] Clean old backups" >> "$BACKUP_BASE_DIR/backup.log"
+find "$BACKUP_BASE_DIR" -type f -mtime +$RETENTION_DAYS -delete
+
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] Backup done" >> "$BACKUP_BASE_DIR/backup.log"
+echo -e "${GREEN}Backup done${NC}"
+{% endraw %}

Migration/Ansible/roles/samba4-dc/templates/samba-changenextrid.sh.j2

@@ -0,0 +1,109 @@
+#!/bin/bash
+# Script to modify the next RID
+
+# Configuration variables from Ansible
+TARGET_HOSTNAME="{{ target_hostname }}"
+DOMAIN_DN="{{ samba_realm.split('.') | map('regex_replace', '^(.*)$', 'DC=\\1') | join(',') }}"
+
+{% raw %}
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m' # No Color
+
+set_next_rid() {
+    local new_rid=$1
+    local pool_size=500
+
+    if [ -z "$new_rid" ]; then
+        echo -e "${RED}Usage: set_next_rid <new_rid>${NC}"
+        return 1
+    fi
+
+    if [ $new_rid -lt 1000 ]; then
+        echo -e "${RED}❌ Error: RID must be >= 1000 (RIDs < 1000 are reserved for system)${NC}"
+        return 1
+    fi
+
+    echo -e "${CYAN}🎯 Current configuration:${NC}"
+    ldbsearch -H /var/lib/samba/private/sam.ldb \
+      -b "CN=RID Set,CN=${TARGET_HOSTNAME},OU=Domain Controllers,${DOMAIN_DN}" \
+      rIDNextRID rIDAllocationPool | grep -E "(rIDNextRID|rIDAllocationPool)"
+
+    echo ""
+    echo -e "${YELLOW}🔄 New configuration:${NC}"
+    echo -e "  ${CYAN}rIDNextRID:${NC} $new_rid"
+    echo -e "  ${CYAN}rIDAllocationPool:${NC} $new_rid-$((new_rid + pool_size - 1))"
+    echo ""
+
+    echo -n -e "${YELLOW}Continue? (y/N): ${NC}"
+    read confirm
+    if [ "$confirm" != "y" ]; then
+        echo -e "${YELLOW}🚫 Cancelled${NC}"
+        return 1
+    fi
+
+    echo -e "${CYAN}🛑 Stopping Samba...${NC}"
+    systemctl stop samba-ad-dc
+
+    # Create LDIF file
+    cat > /tmp/set-next-rid.ldif << EOF
+dn: CN=RID Set,CN=${TARGET_HOSTNAME},OU=Domain Controllers,${DOMAIN_DN}
+changetype: modify
+replace: rIDNextRID
+rIDNextRID: $new_rid
+-
+replace: rIDAllocationPool
+rIDAllocationPool: $new_rid-$((new_rid + pool_size - 1))
+-
+replace: rIDPreviousAllocationPool
+rIDPreviousAllocationPool: $new_rid-$((new_rid + pool_size - 1))
+EOF
+
+    # Apply changes
+    if ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/set-next-rid.ldif; then
+        echo -e "${GREEN}✅ RID modified successfully${NC}"
+    else
+        echo -e "${RED}❌ Error during modification${NC}"
+        systemctl start samba-ad-dc
+        return 1
+    fi
+
+    echo -e "${CYAN}🚀 Restarting Samba...${NC}"
+    systemctl start samba-ad-dc
+
+    # Verification
+    sleep 3
+    echo ""
+    echo -e "${CYAN}🔍 Verification:${NC}"
+    ldbsearch -H /var/lib/samba/private/sam.ldb \
+      -b "CN=RID Set,CN=${TARGET_HOSTNAME},OU=Domain Controllers,${DOMAIN_DN}" \
+      rIDNextRID rIDAllocationPool | grep -E "(rIDNextRID|rIDAllocationPool)"
+
+    rm -f /tmp/set-next-rid.ldif
+}
+
+# Usage
+case "$1" in
+    "show")
+        echo -e "${CYAN}📊 Current RID status:${NC}"
+        ldbsearch -H /var/lib/samba/private/sam.ldb \
+          -b "CN=RID Set,CN=${TARGET_HOSTNAME},OU=Domain Controllers,${DOMAIN_DN}" \
+          rIDNextRID rIDAllocationPool rIDUsedPool | \
+          grep -E "(rIDNextRID|rIDAllocationPool|rIDUsedPool)"
+        ;;
+    "set")
+        set_next_rid $2
+        ;;
+    *)
+        echo -e "${YELLOW}Usage: $0 {show|set <new_rid>}${NC}"
+        echo ""
+        echo -e "${CYAN}Examples:${NC}"
+        echo -e "  ${GREEN}$0 show${NC}          # Show current status"
+        echo -e "  ${GREEN}$0 set 2000${NC}      # Force next RID to 2000"
+        echo -e "  ${GREEN}$0 set 5000${NC}      # Force next RID to 5000"
+        ;;
+esac
+{% endraw %}

Migration/Ansible/roles/samba4-dc/templates/samba-restore.sh.j2

@@ -0,0 +1,135 @@
+#!/bin/bash
+# Samba4 Simple Restore Script
+# Generated by Ansible
+
+BASE_BACKUP_DIR="{{ backup_dir | default('/backup/samba') }}"
+HOSTNAME="{{ target_hostname }}"
+SAMBA_DIR="/var/lib/samba"
+ETC_DIR="/etc/samba"
+
+{% raw %}
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m' # No Color
+
+echo -e "${CYAN}🔄 Samba4 Restore Script"
+echo "==============================${NC}"
+
+# Check if backup directory exists
+if [ ! -d "$BASE_BACKUP_DIR" ]; then
+    echo -e "${RED}❌ Backup directory not found: $BASE_BACKUP_DIR${NC}"
+    exit 1
+fi
+
+# List available backups
+echo -e "${YELLOW}📁 Available backups for ${HOSTNAME}:${NC}"
+echo ""
+
+backup_files=($(ls -1t "$BASE_BACKUP_DIR"/${HOSTNAME}*.tgz 2>/dev/null))
+
+if [ ${#backup_files[@]} -eq 0 ]; then
+    echo -e "${RED}❌ No backup files found for ${HOSTNAME}${NC}"
+    exit 1
+fi
+
+# Display backup files with index and timestamp
+for i in "${!backup_files[@]}"; do
+    file="${backup_files[$i]}"
+    filename=$(basename "$file")
+    filesize=$(du -h "$file" | cut -f1)
+    timestamp=$(stat -c %y "$file" | cut -d'.' -f1)
+    
+    echo -e "${GREEN}[$((i+1))]${NC} $filename"
+    echo "    📅 Created: $timestamp"
+    echo "    📦 Size: $filesize"
+    echo ""
+done
+
+# Ask user which backup to restore
+echo -n -e "${YELLOW}Select backup to restore [1-${#backup_files[@]}]: ${NC}"
+read -r selection
+
+# Validate selection
+if ! [[ "$selection" =~ ^[0-9]+$ ]] || [ "$selection" -lt 1 ] || [ "$selection" -gt ${#backup_files[@]} ]; then
+    echo -e "${RED}❌ Invalid selection${NC}"
+    exit 1
+fi
+
+selected_backup="${backup_files[$((selection-1))]}"
+echo -e "${GREEN}✅ Selected: $(basename "$selected_backup")${NC}"
+echo ""
+
+# Ask for restore location
+echo -e "${YELLOW}Restore options:${NC}"
+echo "1) In place (replace current Samba installation)"
+echo "2) To custom directory"
+echo ""
+echo -n -e "${YELLOW}Choose option [1-2]: ${NC}"
+read -r restore_option
+
+case "$restore_option" in
+    1)
+        # In-place restore
+        echo -e "${YELLOW}⚠️  WARNING: This will replace your current Samba installation!${NC}"
+        echo -n -e "${RED}Are you sure? Type 'YES' to continue: ${NC}"
+        read -r confirmation
+        
+        if [ "$confirmation" != "YES" ]; then
+            echo -e "${YELLOW}🚫 Restore cancelled${NC}"
+            exit 0
+        fi
+        
+        echo -e "${CYAN}🛑 Stopping Samba service...${NC}"
+        systemctl stop samba-ad-dc
+        
+        echo -e "${CYAN}📦 Restoring backup directly to filesystem...${NC}"
+        tar -xzf "$selected_backup" -C /
+        
+        echo -e "${GREEN}✅ Samba directories restored${NC}"
+        
+        echo -e "${CYAN}🚀 Starting Samba service...${NC}"
+        systemctl start samba-ad-dc
+        
+        # Check service status
+        sleep 3
+        if systemctl is-active --quiet samba-ad-dc; then
+            echo -e "${GREEN}✅ Samba restore completed successfully!${NC}"
+            echo -e "${GREEN}✅ Samba service is running${NC}"
+        else
+            echo -e "${RED}❌ Samba service failed to start${NC}"
+            echo "Check logs: journalctl -u samba-ad-dc"
+        fi
+        ;;
+        
+    2)
+        # Custom directory restore
+        echo -n -e "${YELLOW}Enter target directory: ${NC}"
+        read -r target_dir
+        
+        if [ -z "$target_dir" ]; then
+            echo -e "${RED}❌ Target directory cannot be empty${NC}"
+            exit 1
+        fi
+        
+        mkdir -p "$target_dir"
+        
+        echo -e "${CYAN}📦 Extracting backup to $target_dir...${NC}"
+        tar -xzf "$selected_backup" -C "$target_dir"
+        
+        echo -e "${GREEN}✅ Backup extracted to: $target_dir${NC}"
+        echo -e "${CYAN}📁 Contents:${NC}"
+        ls -la "$target_dir"
+        ;;
+        
+    *)
+        echo -e "${RED}❌ Invalid option${NC}"
+        exit 1
+        ;;
+esac
+
+echo ""
+echo -e "${GREEN}🎉 Restore operation completed!${NC}"
+{% endraw %}