Samba domain member #2

Open: wants to merge 5 commits into base: main

@jkirk jkirk commented Aug 2, 2022

With "samba_role: member" a Samba Domain Member Server can be set up.

We only install the needed packages to make the server work.
Especially, we do not install 'libpam-winbind' and 'libpam-krb5'.
They are only needed if Linux users log in directly to the machine (a so-called Domain Member Client).

If "samba_role: member" is set, 'security' and 'realm' in smb.conf are set automatically.
'default_realm' is set in /etc/krb5.conf.

Also added a few examples in defaults/main.yml to make it easier for the user to find the correct domain member settings (we actually only used these settings).

If we want to use chown, chmod or setfacl with domain usernames and groups,
libnss-winbind needs to be installed and /etc/nsswitch.conf needs to be updated
(winbind needs to be added to 'passwd' and 'group'):

  passwd:         files winbind
  group:          files winbind

/etc/nsswitch.conf is usually not modified, so we just update the Debian + CentOS defaults.

@luisico As discussed, I removed Molecule and GitHub Actions from the PR. They will be included in a separate PR.
This PR supersedes #1. It is best practice to create a new branch before creating a PR, but I made a mistake and pushed my changes into the main branch and created the PR from there. Changing the source branch of an existing PR does not seem possible. Therefore, I closed #1, created a new branch with my changes and had to create this PR.

With "samba_role: member" a Samba Domain Member Server can be set up.

We only install the needed packages to make the server work. Especially
we do not install 'libpam-winbind', 'libnss-winbind' and 'libpam-krb5'.
They are only needed if Linux users log in directly to the machine (a
so-called Domain Member Client).

If "samba_role: member" is set, 'security' and 'realm' in smb.conf are set
automatically. 'default_realm' is set in /etc/krb5.conf.

Also added a few examples in `defaults/main.yml` to make it easier for
the user to find the correct domain member settings (we actually only
used these settings).

It turned out that if we want to use chown, chmod or setfacl with domain
usernames and groups, libnss-winbind needs to be installed and
`/etc/nsswitch.conf` needs to be updated (winbind needs to be added to
'passwd' and 'group'):

  passwd:         files winbind
  group:          files winbind

`/etc/nsswitch.conf` is usually not modified, so we just update the
Debian + CentOS defaults.

While at it, fixed the indenting in member.yml (because ansible lint
complained) and changed the wording in `defaults/main.yml`.

The Samba Domain Member packages are named differently in Debian and
RedHat-based distributions.

I tried to find the correct package names for CentOS8, but we need to
test if that really works as expected.

This way we avoid duplicating code.

Only distribution specific tasks should go in "member-$OSFAMILY.yml".

Split up the long line as markdownlint complains with:

  README.md:5:401 MD013/line-length Line length [Expected: 400; Actual: 551]

Also added the yaml language for the fenced code block:

  README.md:27 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]
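
A post-deployment check for the settings this PR describes, as an added example that is not part of the PR or the role's own code: it verifies that `passwd` and `group` in `/etc/nsswitch.conf` list winbind and that `realm` in smb.conf matches `default_realm` in `/etc/krb5.conf`. The sample file contents, the `EXAMPLE.COM` realm, the function names and the expectation of `security = ADS` are assumptions.

```python
import re

# Constructed sample files, not from the PR; EXAMPLE.COM is a placeholder realm.
NSSWITCH = "passwd:         files winbind\ngroup:          files  # winbind missing\n"
SMB_CONF = "[global]\n  workgroup = EXAMPLE\n  security = ADS\n  realm = EXAMPLE.COM\n"
KRB5_CONF = "[libdefaults]\n  default_realm = EXAMPLE.COM\n"


def nss_sources(text, database):
    """Return the service names configured for one nsswitch.conf database."""
    for line in text.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return]; keep service names.
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []


def ini_value(text, section, key):
    """Read one key from an INI-style section (smb.conf, krb5.conf [libdefaults])."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key:
                return v.strip()
    return None


def audit_member(nsswitch, smb_conf, krb5_conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append(f"nsswitch.conf: '{db}' does not list winbind")
    # Assumption: the role writes 'security = ADS' for an AD domain member.
    if (ini_value(smb_conf, "global", "security") or "").lower() != "ads":
        findings.append("smb.conf: security is not ADS")
    realm = ini_value(smb_conf, "global", "realm") or ""
    default_realm = ini_value(krb5_conf, "libdefaults", "default_realm") or ""
    if not realm or realm.upper() != default_realm.upper():
        findings.append("realm in smb.conf does not match default_realm in krb5.conf")
    return findings


if __name__ == "__main__":
    for finding in audit_member(NSSWITCH, SMB_CONF, KRB5_CONF):
        print(finding)
```

On a real host, pass the contents of the three files instead of the constructed samples.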