-rw-r--r-- | manifests/server.pp | 36 | ||||
-rw-r--r-- | manifests/server/ads.pp | 25 | ||||
-rw-r--r-- | manifests/server/service.pp | 11 | ||||
-rw-r--r-- | manifests/server/share.pp | 197 | ||||
-rw-r--r-- | manifests/server/user.pp | 13 | ||||
-rw-r--r-- | templates/add_samba_user | 16 | ||||
-rw-r--r-- | templates/check_samba_user | 16 | ||||
-rw-r--r-- | templates/configure_active_directory.erb | 15 | ||||
-rw-r--r-- | templates/verify_active_directory.erb | 5 |
9 files changed, 181 insertions, 153 deletions
diff --git a/manifests/server.pp b/manifests/server.pp
index bc1e3d7..2e4c2d9 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -2,16 +2,20 @@ class samba::server($interfaces = '',
                     $security = '',
                     $server_string = '',
                     $unix_password_sync = '',
-                    $workgroup = '') {
+                    $workgroup = '',
+                    $bind_interfaces_only = 'yes',) {
   include samba::server::install
   include samba::server::config
   include samba::server::service
-  $context = '/files/etc/samba/smb.conf'
-  $target = "target[. = 'global']"
+  $incl = '/etc/samba/smb.conf'
+  $context = "/files/etc/samba/smb.conf"
+  $target = "target[. = 'global']"
   augeas { 'global-section':
+    incl => $incl,
+    lens => 'Samba.lns',
     context => $context,
     changes => "set ${target} global",
     require => Class['samba::server::config'],
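Review bot: The new `$bind_interfaces_only` parameter is handed straight to `set_samba_option`, whose selector in the next hunk maps an empty value to `rm` of the key, so a caller passing `''` silently drops `bind interfaces only` from smb.conf and Samba falls back to its built-in default of `no`, binding on every interface. A comment on the parameter would make that visible, e.g. `# 'yes' by default; '' removes the option and Samba then binds to all interfaces`, or the value could be checked to be `yes` or `no` before use. The class body continues outside this hunk.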
@@ -21,23 +25,45 @@ class samba::server($interfaces = '',
   set_samba_option {
     'interfaces': value => $interfaces;
-    'bind interfaces only': value => 'yes';
+    'bind interfaces only': value => $bind_interfaces_only;
     'security': value => $security;
     'server string': value => $server_string;
     'unix password sync': value => $unix_password_sync;
     'workgroup': value => $workgroup;
   }
+
+  file {'check_samba_user':
+    # script checks to see if a samba account exists for a given user
+    path => '/sbin/check_samba_user',
+    owner => root,
+    group => root,
+    mode => "0755",
+    content => template("${module_name}/check_samba_user"),
+  }
+
+  file {'add_samba_user':
+    # script creates a new samba account for a given user and password
+    path => '/sbin/add_samba_user',
+    owner => root,
+    group => root,
+    mode => "0755",
+    content => template("${module_name}/add_samba_user"),
+  }
 }
 define set_samba_option ( $value = '', $signal = 'samba::server::service' ) {
+  $incl = $samba::server::incl
   $context = $samba::server::context
-  $target = $samba::server::target
+  $target = $samba::server::target
+
   $changes = $value ? {
     default => "set \"${target}/$name\" \"$value\"",
     '' => "rm ${target}/$name",
   }
   augeas { "samba-$name":
+    incl => $incl,
+    lens => 'Samba.lns',
     context => $context,
     changes => $changes,
     require => Augeas['global-section'],
diff --git a/manifests/server/ads.pp b/manifests/server/ads.pp
index 1f8e602..16be9ad 100644
--- a/manifests/server/ads.pp
+++ b/manifests/server/ads.pp
@@ -25,10 +25,25 @@ class samba::server::ads($ensure = present,
                          $map_readonly = 'no',
                          $target_ou = 'Nix_Mashine') {
+  $krb5_user_package = $osfamily ? {
+    'RedHat' => 'krb5-workstation',
+    default => 'krb5-user',
+  }
+
+  if $osfamily == "RedHat" {
+    if $operatingsystemrelease =~ /^6\./ {
+      $winbind_package = 'samba-winbind'
+    } else {
+      $winbind_package = 'samba-common'
+    }
+  } else {
+    $winbind_package = 'winbind'
+  }
+
   package{
-    'krb5-user': ensure => installed;
-    'winbind': ensure => installed;
-    'expect': ensure => installed;
+    $krb5_user_package: ensure => installed;
+    $winbind_package: ensure => installed;
+    'expect': ensure => installed;
   }
   include samba::server::config
@@ -88,7 +103,7 @@ class samba::server::ads($ensure = present,
     group => root,
     mode => "0755",
     content => template("${module_name}/verify_active_directory.erb"),
-    require => [ Package['krb5-user', 'winbind', 'expect'],
+    require => [ Package[$krb5_user_package, $winbind_package, 'expect'],
                  Augeas['samba-realm', 'samba-security', 'samba-winbind enum users', 'samba-winbind enum groups', 'samba-winbind uid', 'samba-winbind gid', 'samba-winbind use default domain'] ],
@@ -101,7 +116,7 @@ class samba::server::ads($ensure = present,
     group => root,
     mode => "0755",
     content => template("${module_name}/configure_active_directory.erb"),
-    require => [ Package['krb5-user', 'winbind', 'expect'],
+    require => [ Package[$krb5_user_package, $winbind_package, 'expect'],
                  Augeas['samba-realm', 'samba-security', 'samba-winbind enum users', 'samba-winbind enum groups', 'samba-winbind uid', 'samba-winbind gid', 'samba-winbind use default domain'] ],
diff --git a/manifests/server/service.pp b/manifests/server/service.pp
index 55ccb06..6f26a6d 100644
--- a/manifests/server/service.pp
+++ b/manifests/server/service.pp
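Review bot: The new package selection reads `$osfamily` and `$operatingsystemrelease` unqualified, while service.pp in this same commit uses `$::osfamily`; a variable of the same name in an enclosing scope would shadow the fact, so the top-scope form is the safer and consistent choice: `$krb5_user_package = $::osfamily ? {`, `if $::osfamily == 'RedHat' {` and `if $::operatingsystemrelease =~ /^6\./ {`. Single quotes also suit the non-interpolated `"RedHat"` literal. The class body continues outside this hunk.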
@@ -1,7 +1,16 @@
 class samba::server::service ($ensure = running, $enable = true) {
   case $::osfamily {
     Redhat: { $service_name = 'smb' }
-    Debian: { $service_name = 'smbd' }
+
+    #On Debian family: Debian 7 => samba , Ubuntu => smbd
+    #Others, I don't know, hope 'samba' will works
+    Debian: {
+      case $::operatingsystem{
+        Debian: { $service_name = 'samba' }
+        Ubuntu: { $service_name = 'smbd'}
+        default: { $service_name='samba'}
+      }
+    }
     Gentoo: { $service_name = 'samba' }
     Archlinux: { $service_name = 'smbd' }
diff --git a/manifests/server/share.pp b/manifests/server/share.pp
index b4eb02f..b7274f9 100644
--- a/manifests/server/share.pp
+++ b/manifests/server/share.pp
@@ -15,12 +15,17 @@ define samba::server::share($ensure = present,
                             $read_only = '',
                             $public = '',
                             $writable = '',
-                            $printable = '') {
-
+                            $printable = '',
+                            $valid_users = '',
+                            ) {
+
+  $incl = $samba::server::incl
   $context = $samba::server::context
-  $target = "target[. = '${name}']"
+  $target = "target[. = '${name}']"
   augeas { "${name}-section":
+    incl => $incl,
+    lens => 'Samba.lns',
     context => $context,
     changes => $ensure ? {
       present => "set ${target} '${name}'",
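Review bot: In the nested `case $::operatingsystem`, the `Debian:` arm and the `default:` arm both assign `'samba'`, so the Debian arm is redundant, and the two comments above read awkwardly (`hope 'samba' will works`). Collapsing to `Ubuntu: { $service_name = 'smbd' }` plus `default: { $service_name = 'samba' }` with a comment such as `# Debian family: Ubuntu names the service smbd, Debian 7 and others samba` keeps the same behaviour with less to read; spacing inside the braces is also inconsistent between the three arms. The class body continues past this hunk.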
@@ -31,178 +36,98 @@ define samba::server::share($ensure = present,
   }
   if $ensure == 'present' {
-    augeas { "${name}-browsable":
-      context => $context,
-      changes => $browsable ? {
-        true => "set ${target}/browsable yes",
-        false => "set ${target}/browsable no",
-        default => "rm ${target}/browsable",
+    $changes = [
+      $browsable ? {
+        true => "set \"${target}/browsable\" yes",
+        false => "set \"${target}/browsable\" no",
+        default => "rm \"${target}/browsable\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-comment":
-      context => $context,
-      changes => $comment ? {
-        default => "set ${target}/comment '${comment}'",
-        '' => "rm ${target}/comment",
+      $comment ? {
+        default => "set \"${target}/comment\" '${comment}'",
+        '' => "rm \"${target}/comment\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-copy":
-      context => $context,
-      changes => $copy ? {
-        default => "set ${target}/copy '${copy}'",
-        '' => "rm ${target}/copy",
+      $copy ? {
+        default => "set \"${target}/copy\" '${copy}'",
+        '' => "rm \"${target}/copy\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-create_mask":
-      context => $context,
-      changes => $create_mask ? {
+      $create_mask ? {
         default => "set \"${target}/create mask\" '${create_mask}'",
-        '' => "rm \"${target}/create mask\"",
+        '' => "rm \"${target}/create mask\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-directory_mask":
-      context => $context,
-      changes => $directory_mask ? {
+      $directory_mask ? {
         default => "set \"${target}/directory mask\" '${directory_mask}'",
-        '' => "rm \"${target}/directory mask\"",
+        '' => "rm \"${target}/directory mask\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-force_create_mask":
-      context => $context,
-      changes => $force_create_mask ? {
+      $force_create_mask ? {
         default => "set \"${target}/force create mask\" '${force_create_mask}'",
-        '' => "rm \"${target}/force create mask\"",
+        '' => "rm \"${target}/force create mask\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-force_directory_mask":
-      context => $context,
-      changes => $force_directory_mask ? {
+      $force_directory_mask ? {
         default => "set \"${target}/force directory mask\" '${force_directory_mask}'",
-        '' => "rm \"${target}/force directory mask\"",
+        '' => "rm \"${target}/force directory mask\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-force_group":
-      context => $context,
-      changes => $force_group ? {
+      $force_group ? {
         default => "set \"${target}/force group\" '${force_group}'",
-        '' => "rm \"${target}/force group\"",
+        '' => "rm \"${target}/force group\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-force_user":
-      context => $context,
-      changes => $force_user ? {
+      $force_user ? {
         default => "set \"${target}/force user\" '${force_user}'",
-        '' => "rm \"${target}/force user\"",
+        '' => "rm \"${target}/force user\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-guest_account":
-      context => $context,
-      changes => $guest_account ? {
+      $guest_account ? {
         default => "set \"${target}/guest account\" '${guest_account}'",
-        '' => "rm \"${target}/guest account\"",
+        '' => "rm \"${target}/guest account\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-guest_ok":
-      context => $context,
-      changes => $guest_ok ? {
+      $guest_ok ? {
         true => "set \"${target}/guest ok\" yes",
         false => "set \"${target}/guest ok\" no",
-        default => "rm \"${target}/guest ok\"",
+        default => "rm \"${target}/guest ok\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-guest_only":
-      context => $context,
-      changes => $guest_only ? {
+      $guest_only ? {
         true => "set \"${target}/guest only\" yes",
         false => "set \"${target}/guest only\" no",
-        default => "rm \"${target}/guest only\"",
+        default => "rm \"${target}/guest only\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-path":
-      context => $context,
-      changes => $path ? {
+      $path ? {
         default => "set ${target}/path '${path}'",
-        '' => "rm ${target}/path",
+        '' => "rm ${target}/path",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-read_only":
-      context => $context,
-      changes => $read_only ? {
+      $read_only ? {
         true => "set \"${target}/read only\" yes",
         false => "set \"${target}/read only\" no",
-        default => "rm \"${target}/read_only\"",
+        default => "rm \"${target}/read only\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-public":
-      context => $context,
-      changes => $public ? {
+      $public ? {
         true => "set \"${target}/public\" yes",
         false => "set \"${target}/public\" no",
-        default => "rm \"${target}/public\"",
+        default => "rm \"${target}/public\"",
       },
-      require => Augeas["${name}-section"],
-      notify => Class['samba::server::service']
-    }
-
-    augeas { "${name}-writable":
-      context => $context,
-      changes => $writable ? {
+      $writable ? {
         true => "set \"${target}/writable\" yes",
         false => "set \"${target}/writable\" no",
-        default => "rm \"${target}/writable\"",
+        default => "rm \"${target}/writable\"",
+      },
+      $printable ? {
+        true => "set \"${target}/printable\" yes",
+        false => "set \"${target}/printable\" no",
+        default => "rm \"${target}/printable\"",
       },
+    ]
+
+    augeas { "${name}-changes":
+      incl => $incl,
+      lens => 'Samba.lns',
+      context => $context,
+      changes => $changes,
       require => Augeas["${name}-section"],
       notify => Class['samba::server::service']
     }
-    augeas { "${name}-printable":
+    augeas { "${name}-valid_users":
       context => $context,
-      changes => $printable ? {
-        true => "set \"${target}/printable\" yes",
-        false => "set \"${target}/printable\" no",
-        default => "rm \"${target}/printable\"",
+      changes => $valid_users ? {
+        default => "set \"${target}/valid users\" '${valid_users}'",
+        '' => "rm \"${target}/valid users\"",
       },
       require => Augeas["${name}-section"],
       notify => Class['samba::server::service']
diff --git a/manifests/server/user.pp b/manifests/server/user.pp
new file mode 100644
index 0000000..2cffe3b
--- /dev/null
+++ b/manifests/server/user.pp
@@ -0,0 +1,13 @@
+define samba::server::user(
+  $user_name = $name ,
+  $password ,
+  ) {
+  exec { "add smb account for ${user_name}":
+    command => "/sbin/add_samba_user '${user_name}' '${password}'" ,
+    unless => "/sbin/check_samba_user '${user_name}'" ,
+    require => [
+      User["${user_name}"]
+    ] ,
+    notify => Class['samba::server::service']
+  }
+}
diff --git a/templates/add_samba_user b/templates/add_samba_user
new file mode 100644
index 0000000..1385d4e
--- /dev/null
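Review bot: The new `augeas { "${name}-valid_users": }` resource is the only Augeas resource in this commit that does not set `incl => $incl,` and `lens => 'Samba.lns',`, so unlike its sibling `${name}-changes` it still loads the whole default lens tree; adding those two attributes keeps the define consistent. The `valid users` value is also embedded as `'${valid_users}'` in the Augeas command without escaping, so a value containing a single quote yields a malformed `set` and the resource fails; the same holds for `comment`, `copy` and `path`, which this hunk rewrites. A comment on the parameter noting that quotes are not supported would document the limitation until the values are escaped. The define's body ends outside this hunk.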
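Review bot: `command => "/sbin/add_samba_user '${user_name}' '${password}'"` puts the password on the command line, where any local user can read it from the process list while pdbedit runs and where Puppet prints it in the agent log and report whenever the exec fails; a `'` inside the password also ends the quoting and the remainder is parsed as shell syntax. Passing it with `environment => [ "SMB_PASSWORD=${password}" ]` (the template then reading `$SMB_PASSWORD`) plus `logoutput => false,` keeps it out of argv and logs. Nothing orders this exec after the `file` resources that install the two scripts in server.pp, so on a fresh node it can run before they exist: `require => [ User["${user_name}"], File['add_samba_user', 'check_samba_user'] ],`.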
+++ b/templates/add_samba_user
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# This script adds a samba account for a given user and password
+# call as:
+# > add_samba_user "USERNAME" "PASSWORD"
+
+/bin/echo -e "$2\n$2\n" | sudo /usr/bin/pdbedit -a "$1" -t 1>/dev/null
+results=$?
+
+if [ $results = 0 ]; then
+  echo "added samba account for '$1'"
+else
+  echo "could not add samba account for '$1'"
+fi
+
+exit $results
diff --git a/templates/check_samba_user b/templates/check_samba_user
new file mode 100644
index 0000000..75cb4b5
--- /dev/null
+++ b/templates/check_samba_user
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# This script checks to see if a given user account exists on samba
+# if so, it returns 0
+# otherwise it returns 1
+
+sudo /usr/bin/pdbedit -L | egrep -q "^$1:"
+exists=$?
+
+if [ $exists = 0 ]; then
+  echo "'$1' is a samba user"
+else
+  echo "no samba account matching '$1'"
+fi
+
+exit $exists
diff --git a/templates/configure_active_directory.erb b/templates/configure_active_directory.erb
index 35ba86f..4f9b6e0 100644
--- a/templates/configure_active_directory.erb
+++ b/templates/configure_active_directory.erb
@@ -54,7 +54,7 @@ do
   esac
 done
-password="<%= scope.lookupvar('samba::server::ads::winbind_pass') -%>"
+password='<%= scope.lookupvar('samba::server::ads::winbind_pass') -%>'
 # short hostname from facter
 my_hostname="<%= hostname -%>"
@@ -80,7 +80,7 @@ echo "Please do not kill me; I may be slow" >&2
 if [ "$action" = "leave" ]; then
   logger -st $PROG "Leaving AD domain"
-  $NET ads $action -U ${winbind_acct}%${password} | grep Deleted && success=true || success=false
+  $NET ads $action -U "${winbind_acct}%${password}" | grep Deleted && success=true || success=false
   kdestroy
   rm -f /etc/krb5.keytab
   if [ $success = "true" ]; then
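Review bot: `/bin/echo -e "$2\n$2\n"` interprets backslash sequences inside the password, so a password containing `\n`, `\t` or `\\` is stored altered and the user cannot authenticate with the value they were given; `printf '%s\n%s\n' "$2" "$2" | sudo /usr/bin/pdbedit -a "$1" -t 1>/dev/null` passes the bytes through unchanged. The `sudo` prefix is redundant when Puppet runs the script as root and will block or fail under a sudoers setup that prompts for a password. The password also arrives as `$2`, readable in the process list for the life of the script; reading it from an environment variable set by the calling exec would avoid that.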
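Review bot: `egrep -q "^$1:"` treats the user name as a regular expression, so `a.b` also matches an account `axb`, and a name containing `(` or `[` makes egrep exit with a syntax error, which reports the user as missing and makes the calling exec re-run `add_samba_user` on every agent run. Comparing the first field exactly avoids both: `sudo /usr/bin/pdbedit -L | awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'`. `egrep` is also deprecated in favour of `grep -E`, and the `sudo` prefix is redundant when Puppet invokes the script as root.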
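Review bot: Switching to `password='<%= ... -%>'` stops the shell from expanding `$` and backquotes inside the password, but a password containing a single quote still terminates the literal and the remainder is executed as shell code; the identical line is changed in verify_active_directory.erb (hunk at -21). Escaping embedded quotes when the template is rendered (replacing each `'` with `'\''` before interpolation) closes that gap for both files. The script continues on both sides of this hunk.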
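Review bot: `$NET ads $action -U "${winbind_acct}%${password}"` still passes the password to `net` as an argument, so it is visible in the process list to every local user for the lifetime of the command; the join hunk at -105 has the same pattern. `net` can read the user name and password from a mode-0600 file via `--authentication-file` (`-A`), which keeps the secret out of argv; if that is not practical here, a comment such as `# password is exposed in the process list while net runs` next to the call would at least record the exposure. The enclosing `if` block continues outside this hunk.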
@@ -105,8 +105,14 @@ ad_settle() {
 export KRB5CCNAME=$(umask 0077; mktemp -q winbind_cache.XXXXXXXX)
 if [ "$action" = "join" ]; then
+  if [ "${target_ou}" != "" ]; then
+    ou_parameter="createcomputer=\"${target_ou}\""
+  else
+    ou_parameter=""
+  fi
+
   logger -st $PROG "Joining AD domain" >&2
-  $NET ads $action -U ${winbind_acct}%${password} createcomputer="${target_ou}"\
+  $NET ads $action -U "${winbind_acct}%${password}" ${ou_parameter} \
   | grep Joined && success=true || success=false
   if [ $success = "false" ]; then
@@ -121,7 +127,8 @@ for attempt in $(seq 1 $max_attempts); do
   echo "Getting TGT for ${winbind_acct}@${my_realm}" >&2
   $EXPECT -c "spawn -noecho kinit -c $KRB5CCNAME ${winbind_acct}@${my_realm};
     expect :;
-    send ${password}\n;
+    send {${password}};
+    send \n;
     expect eof"
   klist -c $KRB5CCNAME &> /dev/null && break
 done
diff --git a/templates/verify_active_directory.erb b/templates/verify_active_directory.erb
index 5a2a506..0917c49 100644
--- a/templates/verify_active_directory.erb
+++ b/templates/verify_active_directory.erb
@@ -21,7 +21,7 @@ fi
 # } >&2
 #fi
-password="<%= scope.lookupvar('samba::server::ads::winbind_pass') -%>"
+password='<%= scope.lookupvar('samba::server::ads::winbind_pass') -%>'
 # short hostname from facter
 my_hostname="<%= hostname -%>"
@@ -62,7 +62,8 @@ get_tgt() {
   (
   $EXPECT -c "spawn -noecho kinit -c $KRB5CCNAME ${winbind_acct}@${default_realm};
     expect :;
-    send ${password}\n;
+    send {${password}};
+    send \n;
     expect eof"
   ) &> /dev/null
   klist -c $KRB5CCNAME &> /dev/null
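Review bot: `ou_parameter="createcomputer=\"${target_ou}\""` makes the double quotes part of the value, and the unquoted `${ou_parameter}` on the `$NET` line then word-splits it, so `net` receives `createcomputer="Nix_Mashine"` with literal quote characters (and an OU containing spaces arrives as several arguments), whereas the removed `createcomputer="${target_ou}"` passed the OU intact. Store the bare value and expand it quoted only when set: `ou_parameter="createcomputer=${target_ou}"` in the assignment and `${ou_parameter:+"$ou_parameter"}` on the `$NET` line. The `if` block continues outside this hunk.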
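Review bot: `send {${password}};` avoids the earlier `\n` escaping problem but still embeds the password in the `expect -c` script on the command line, so it is readable from the process list while kinit runs, and a password containing an unbalanced `{` or `}` breaks the Tcl braces; the same change appears in verify_active_directory.erb at -62. Exporting the password into the environment before calling `$EXPECT` and sending it as `send -- \"\$env(WINBIND_PASS)\";` (the backslashes belong to the surrounding bash double-quoted string and should be checked against the real script) keeps it out of argv and makes the value opaque to Tcl parsing. The `for` loop continues outside this hunk.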