Initialisation depot

Migration/Ansible/roles/samba4-dc/tasks/configure_samba.yml

@@ -0,0 +1,7 @@
+- name: Configure DNS forwarders
+  lineinfile:
+    path: /etc/samba/smb.conf
+    regexp: '^(\s*)dns forwarder\s*='
+    line: '        dns forwarder = 8.8.8.8 1.1.1.1'
+    insertafter: '^\[global\]'
+

Migration/Ansible/roles/samba4-dc/tasks/dns_config.yml

@@ -0,0 +1,69 @@
+---
+# DNS Configuration and Reverse DNS Setup
+- name: Wait for Samba DNS to be ready
+  wait_for:
+    port: 53
+    host: 127.0.0.1
+    delay: 5
+    timeout: 30
+
+- name: Check if reverse DNS zone already exists
+  command: >
+    samba-tool dns zonelist 127.0.0.1
+    --username=Administrator --password={{ samba_admin_password }}
+  register: existing_zones
+  changed_when: false
+  failed_when: false
+
+- name: Create reverse DNS zone
+  command: >
+    samba-tool dns zonecreate 127.0.0.1 100.168.192.in-addr.arpa
+    --username=Administrator --password={{ samba_admin_password }}
+  register: reverse_zone
+  changed_when: reverse_zone.rc == 0
+  failed_when: reverse_zone.rc != 0 and "already exists" not in reverse_zone.stderr
+  when: "'100.168.192.in-addr.arpa' not in existing_zones.stdout"
+
+- name: Check existing NS records in reverse zone
+  command: >
+    samba-tool dns query 127.0.0.1 100.168.192.in-addr.arpa @ NS
+    --username=Administrator --password={{ samba_admin_password }}
+  register: existing_ns_records
+  changed_when: false
+  failed_when: false
+
+- name: Add NS record for reverse zone
+  command: >
+    samba-tool dns add 127.0.0.1 100.168.192.in-addr.arpa @ NS {{ target_hostname }}.{{ samba_realm }}.
+    --username=Administrator --password={{ samba_admin_password }}
+  register: dns_ns_record
+  changed_when: dns_ns_record.rc == 0
+  failed_when: dns_ns_record.rc != 0 and "already exists" not in dns_ns_record.stderr
+  when: "target_hostname + '.' + samba_realm + '.' not in existing_ns_records.stdout"
+
+- name: Get current server IP address for DNS record
+  shell: |
+    ip route get 8.8.8.8 | grep -oP 'src \K\S+' | head -1
+  register: current_server_ip
+  changed_when: false
+
+- name: Extract host part from IP address
+  set_fact:
+    ip_host_part: "{{ current_server_ip.stdout.split('.')[3] }}"
+
+- name: Check existing PTR records in reverse zone
+  command: >
+    samba-tool dns query 127.0.0.1 100.168.192.in-addr.arpa {{ ip_host_part }} PTR
+    --username=Administrator --password={{ samba_admin_password }}
+  register: existing_ptr_records
+  changed_when: false
+  failed_when: false
+
+- name: Add PTR record for reverse zone
+  command: >
+    samba-tool dns add 127.0.0.1 100.168.192.in-addr.arpa {{ ip_host_part }} PTR {{ target_hostname }}.{{ samba_realm }}.
+    --username=Administrator --password={{ samba_admin_password }}
+  register: dns_ptr_record
+  changed_when: dns_ptr_record.rc == 0
+  failed_when: dns_ptr_record.rc != 0 and "already exists" not in dns_ptr_record.stderr
+  when: "target_hostname + '.' + samba_realm + '.' not in existing_ptr_records.stdout"

Migration/Ansible/roles/samba4-dc/tasks/install_samba.yml

@@ -0,0 +1,36 @@
+---
+# Samba4 installation tasks
+- name: Check if Samba domain is already provisioned
+  stat:
+    path: /var/lib/samba/private/sam.ldb
+  register: samba_provisioned
+
+- name: Provision Samba4 domain
+  command: >
+    samba-tool domain provision
+    --use-rfc2307
+    --realm={{ samba_realm }}
+    --domain={{ samba_domain }}
+    --adminpass={{ samba_admin_password }}
+    --server-role=dc
+    --dns-backend=SAMBA_INTERNAL
+    --domain-sid={{ samba_domain_sid }}
+  when: not samba_provisioned.stat.exists
+
+- name: Copy Kerberos configuration
+  copy:
+    src: /var/lib/samba/private/krb5.conf
+    dest: /etc/krb5.conf
+    remote_src: yes
+    backup: yes
+
+- name: Enable and start samba-ad-dc service
+  systemd:
+    name: samba-ad-dc
+    enabled: yes
+    state: started
+    daemon_reload: yes
+
+- name: Include DNS configuration tasks
+  include_tasks: dns_config.yml
+

Migration/Ansible/roles/samba4-dc/tasks/main.yml

@@ -0,0 +1,15 @@
+
+- name: Include pre-installation tasks
+  include_tasks: pre_install.yml
+
+- name: Include network configuration
+  include_tasks: network.yml
+
+- name: Include Samba4 installation
+  include_tasks: install_samba.yml
+
+- name: Include Samba4 configuration
+  include_tasks: configure_samba.yml
+
+- name: Include post-installation tasks
+  include_tasks: post_install.yml

Migration/Ansible/roles/samba4-dc/tasks/network.yml

@@ -0,0 +1,9 @@
+---
+# Network configuration tasks
+
+- name: Configure DNS resolution
+  template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+    backup: yes
+

Migration/Ansible/roles/samba4-dc/tasks/post_install.yml

@@ -0,0 +1,38 @@
+---
+- name: Create backup script
+  template:
+    src: samba-backup.sh.j2
+    dest: /usr/local/bin/samba-backup.sh
+    mode: '0755'
+
+- name: Create restore script
+  template:
+    src: samba-restore.sh.j2
+    dest: /usr/local/bin/samba-restore.sh
+    mode: '0755'
+
+- name: Create ChangeNextRid script
+  template:
+    src: samba-changenextrid.sh.j2
+    dest: /usr/local/bin/samba-changenextrid.sh
+    mode: '0755'
+
+- name: Setup NFS backup storage
+  include_role:
+    name: nfs
+  vars:
+    nfs_mounts:
+      - server: "192.168.100.210"
+        share: "/mnt/zpool20T/data-encrypt/NFS"
+        path: "/backup"
+        options: "rw,sync,hard,intr,rsize=8192,wsize=8192"
+        subdirs:
+          - "samba"
+
+- name: Setup backup cron job
+  cron:
+    name: "Samba4 weekly backup"
+    minute: "0"
+    hour: "2"
+    weekday: "0"
+    job: "/usr/local/bin/samba-backup.sh"

Migration/Ansible/roles/samba4-dc/tasks/pre_install.yml

@@ -0,0 +1,92 @@
+---
+# Pre-installation tasks
+- name: Install required Samba packages
+  apt:
+    name:
+      - samba
+      - samba-dsdb-modules
+      - samba-vfs-modules
+      - winbind
+      - libnss-winbind
+      - libpam-winbind
+      - krb5-config
+      - krb5-user
+      - dnsutils
+      - acl
+      - attr
+      - ldb-tools
+      - smbclient
+    state: present
+
+- name: Stop default Samba services
+  systemd:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+  loop:
+    - smbd
+    - nmbd
+    - winbind
+  ignore_errors: yes
+
+- name: Mask default Samba services to prevent conflicts
+  systemd:
+    name: "{{ item }}"
+    masked: yes
+  loop:
+    - smbd
+    - nmbd
+    - winbind
+  ignore_errors: yes
+
+- name: Check if server is already an Active Directory Domain Controller
+  shell: |
+    if [ -f /etc/samba/smb.conf ]; then
+      grep -i "server role.*active directory domain controller" /etc/samba/smb.conf || echo "not_ad_dc"
+    else
+      echo "no_config"
+    fi
+  register: samba_role_check
+  changed_when: false
+  failed_when: false
+
+- name: Display current Samba role status
+  debug:
+    msg: |
+      {% if 'active directory domain controller' in samba_role_check.stdout.lower() %}
+      ✅ Server is already configured as Active Directory Domain Controller
+      ⚠️  Skipping backup and cleanup to preserve existing AD configuration
+      {% else %}
+      ℹ️  Server is not configured as AD DC ({{ samba_role_check.stdout }})
+      🔄 Will backup existing config and clean databases
+      {% endif %}
+
+- name: Backup existing Samba configuration
+  copy:
+    src: /etc/samba/smb.conf
+    dest: /etc/samba/smb.conf.orig
+    remote_src: yes
+    backup: yes
+  ignore_errors: yes
+  when: "'active directory domain controller' not in samba_role_check.stdout.lower()"
+
+- name: Clean existing Samba databases
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /var/lib/samba/private
+    - /var/cache/samba
+    - /etc/samba/smb.conf
+  ignore_errors: yes
+  when: "'active directory domain controller' not in samba_role_check.stdout.lower()"
+
+- name: Recreate Samba directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - /var/lib/samba
+    - /var/cache/samba
+  when: "'active directory domain controller' not in samba_role_check.stdout.lower()"