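# == Class samba::server::ads
#
# Configures winbind / Kerberos client settings on a Samba server and,
# optionally, joins the host to an Active Directory domain.
#
# === Parameters
#
# [*ensure*]
#   Accepted for interface compatibility; not consulted by this class.
# [*winbind_acct*]
#   AD account used for the join. Only referenced via template scope.
# [*winbind_pass*]
#   Password for winbind_acct. The default is a placeholder, NOT a usable
#   credential: override it from a secret source (Hiera/eyaml or similar)
#   before setting perform_join => true. Never commit a real password here.
# [*realm*]
#   Kerberos realm / AD domain. The default is a placeholder and must be
#   overridden.
# [*winbind_uid*], [*winbind_gid*]
#   ID ranges handed to winbind.
# [*winbind_enum_groups*], [*winbind_enum_users*], [*winbind_use_default_domain*]
#   Passed through to the matching smb.conf options; a change restarts winbind.
# [*nsswitch*]
#   true  => set passwd/group to "compat winbind" in nsswitch.conf
#            (overwrites whatever was in the second position);
#   false => remove "winbind" from those databases.
# [*acl_group_control*] .. [*map_readonly*]
#   Passed through to smb.conf verbatim.
# [*target_ou*]
#   OU for the computer account. Only referenced via template scope.
# [*perform_join*]
#   When true, run the join script unless the verify script reports the
#   host as already joined.
#
# === Security notes
#
# winbind_acct / winbind_pass are not used anywhere in this class except
# through template scope, and the 'expect' package is installed for the
# join script, so the rendered /sbin/configure_active_directory very likely
# carries the join credential in clear text. It is therefore installed 0700:
# Puppet's exec runs it as root, so no other user needs read access.
#
class samba::server::ads($ensure = present,
  $winbind_acct               = 'admin',
  $winbind_pass               = 'SecretPass',
  $realm                      = 'domain.com',
  $winbind_uid                = '10000-20000',
  $winbind_gid                = '10000-20000',
  $winbind_enum_groups        = 'yes',
  $winbind_enum_users         = 'yes',
  $winbind_use_default_domain = 'yes',
  $nsswitch                   = false,
  $acl_group_control          = 'yes',
  $map_acl_inherit            = 'yes',
  $inherit_acls               = 'yes',
  $store_dos_attributes       = 'yes',
  $ea_support                 = 'yes',
  $dos_filemode               = 'yes',
  $acl_check_permissions      = false,
  $map_system                 = 'no',
  $map_archive                = 'no',
  $map_readonly               = 'no',
  $target_ou                  = 'Nix_Mashine',
  $perform_join               = true) {

  # Log loudly (the join still proceeds, as before) when the placeholder
  # defaults are still in use; a real deployment must override both.
  if $perform_join and ($winbind_pass == 'SecretPass' or $realm == 'domain.com') {
    warning('samba::server::ads: winbind_pass and/or realm are still at their placeholder defaults')
  }

  # Kerberos client package name differs between distribution families.
  $krb5_user_package = $::osfamily ? {
    'RedHat' => 'krb5-workstation',
    default  => 'krb5-user',
  }

  # winbind is a separate package on EL6; later EL releases ship it in
  # samba-common, Debian-family distributions in 'winbind'.
  if $::osfamily == 'RedHat' {
    if $::operatingsystemrelease =~ /^6\./ {
      $winbind_package = 'samba-winbind'
    } else {
      $winbind_package = 'samba-common'
    }
  } else {
    $winbind_package = 'winbind'
  }

  # 'expect' is needed by the join/verify scripts rendered below.
  package{
    $krb5_user_package: ensure => installed;
    $winbind_package:   ensure => installed;
    'expect':           ensure => installed;
  }

  include samba::server::config
  include samba::server::winbind

  # Options that affect the winbind daemon itself: restart it on change.
  samba::server::option {
    'realm':                        value => $realm,
    notify                                => Class['Samba::Server::Winbind'];
    'winbind uid':                  value => $winbind_uid,
    notify                                => Class['Samba::Server::Winbind'];
    'winbind gid':                  value => $winbind_gid,
    notify                                => Class['Samba::Server::Winbind'];
    'winbind enum groups':          value => $winbind_enum_groups,
    notify                                => Class['Samba::Server::Winbind'];
    'winbind enum users':           value => $winbind_enum_users,
    notify                                => Class['Samba::Server::Winbind'];
    'winbind use default domain':   value => $winbind_use_default_domain,
    notify                                => Class['Samba::Server::Winbind'];
  }

  # Share-level ACL / DOS attribute options; no winbind restart required.
  samba::server::option {
    'acl group control':            value => $acl_group_control;
    'map acl inherit':              value => $map_acl_inherit;
    'inherit acls':                 value => $inherit_acls;
    'store dos attributes':         value => $store_dos_attributes;
    'ea support':                   value => $ea_support;
    'dos filemode':                 value => $dos_filemode;
    'acl check permissions':        value => $acl_check_permissions;
    'map system':                   value => $map_system;
    'map archive':                  value => $map_archive;
    'map readonly':                 value => $map_readonly;
  }

  # Path is relative because it is used under the Augeas /files tree.
  $nss_file = 'etc/nsswitch.conf'

  # The 'true' paths are relative to the augeas context; the 'false' paths
  # are absolute, which Augeas accepts regardless of context.
  $changes = $nsswitch ? {
      true => [
        'set database[. = "passwd"]/service[1] compat',
        'set database[. = "passwd"]/service[2] winbind',
        'set database[. = "group"]/service[1] compat',
        'set database[. = "group"]/service[2] winbind',
      ],
      false => [
        "rm /files/${nss_file}/database[. = 'passwd']/service[. = 'winbind']",
        "rm /files/${nss_file}/database[. = 'group']/service[. = 'winbind']",
      ]
    }

  augeas { 'nsswitch':
    context => "/files/${nss_file}",
    changes => $changes
  }

  file {'verify_active_directory':
    # this script returns 0 if join is intact; it is the 'unless' guard for
    # the join exec below. Left world-readable on the assumption that it
    # only checks membership; if the template embeds credentials, make it
    # 0700 like the configure script.
    path    => '/sbin/verify_active_directory',
    owner   => root,
    group   => root,
    mode    => '0755',
    content => template("${module_name}/verify_active_directory.erb"),
    require => [ Package[$krb5_user_package, $winbind_package, 'expect'],
      Augeas['samba-realm', 'samba-security', 'samba-winbind enum users',
        'samba-winbind enum groups', 'samba-winbind uid', 'samba-winbind gid',
        'samba-winbind use default domain'], Service['winbind'] ],
  }

  file {'configure_active_directory':
    # this script joins or leaves a domain. It is rendered with the join
    # account and password in scope, so it must not be readable by
    # unprivileged local users: 0700, root only (the exec below runs as root).
    path    => '/sbin/configure_active_directory',
    owner   => root,
    group   => root,
    mode    => '0700',
    content => template("${module_name}/configure_active_directory.erb"),
    require => [ Package[$krb5_user_package, $winbind_package, 'expect'],
      Augeas['samba-realm', 'samba-security', 'samba-winbind enum users',
        'samba-winbind enum groups', 'samba-winbind uid', 'samba-winbind gid',
        'samba-winbind use default domain'], Service['winbind'] ],
  }

  if ($perform_join) {
    exec {'join-active-directory':
      # join the domain configured in smb.conf, but only when the verify
      # script says the host is not (or no longer) joined
      command => '/sbin/configure_active_directory -j',
      unless  => '/sbin/verify_active_directory',
      require => [ File['configure_active_directory', 'verify_active_directory'], Service['winbind'] ],
    }
  }
}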