├── .github
│   └── ISSUE_TEMPLATE
│       ├── bug_report.md
│       └── feature_request.md
├── .travis.yml
├── LICENSE
├── README.md
├── defaults
│   └── main.yml
├── files
│   ├── sshd
│   └── system-auth
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   ├── Debian.yml
│   ├── RedHat-6.yml
│   ├── RedHat.yml
│   └── main.yml
├── templates
│   ├── krb5.conf.j2
│   └── smb.conf.j2
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    ├── Debian-22.yml
    ├── Debian-24.yml
    ├── Debian.yml
    ├── RedHat-6.yml
    ├── RedHat-7.yml
    ├── RedHat-8.yml
    └── main.yml

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''

---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Desktop (please complete the following information):**
- OS: [e.g. iOS]
- Browser [e.g. chrome, safari]
- Version [e.g. 22]

**Smartphone (please complete the following information):**
- Device: [e.g. iPhone6]
- OS: [e.g. iOS8.1]
- Browser [e.g. stock browser, safari]
- Version [e.g. 22]

**Additional context**
Add any other context about the problem here.
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.

--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
---
language: python
python: "2.7"

# Use the new container infrastructure
sudo: false

# Install ansible
addons:
  apt:
    packages:
      - python-pip

install:
  # Install ansible
  - pip install ansible

  # Check ansible version
  - ansible --version

  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg

script:
  # Basic role syntax check
  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# linux_joindomain

This is an Ansible role to automatically join Linux machines (CentOS and RedHat) to a domain using sssd, realm, samba and winbind. This role is tested on RedHat/CentOS 7.x, 8.x, 6.6 and Ubuntu 24, 22, 20, 18, 16 and Debian 10, 9.

# Requirements

- source.list configured and updated for Debian servers
- Ansible >= 2.7

# Installation

    ansible-galaxy install mahdi22.linux_joindomain

# Role Configuration

file: defaults/main.yml
```yaml
# set this variable to True if the managed hosts are behind a web proxy... default False
use_proxy: False
```
```yaml
proxy_env: []
# Set environment variables for the web proxy, example:
# proxy_env:
#   http_proxy: http://proxy.local:8080/
#   https_proxy: http://proxy.local:8080/
```

# Role Variables

file: vars/main.yml
```yaml
Join_User: ADMDOMAIN               # Replace ADMDOMAIN with the domain admin username
DomainName: linuxlab.local         # Replace linuxlab.local with the domain name
Join_User_Pass: admdomainpassword  # Replace admdomainpassword with the domain admin password
realm: LINUXLAB.LOCAL              # replace this value with the domain name
server: linuxlab.local             # replace this value with the Active Directory server
```
file: vars/RedHat-6.yml
```yaml
workgroup: LAB                     # replace this value with the WORKGROUP
kdc:
  - kerberos-1.linuxlab.local:88   # replace this value with the first Kerberos server name
  - kerberos-2.linuxlab.local:88   # replace this value with the second Kerberos server name
  - kerberos-3.linuxlab.local:88   # replace this value with the third Kerberos server name
domain_realms:
  - .linuxlab.local                # replace this value with the domain name
  - linuxlab.local                 # replace this value with the domain name
fallback_homedir: '/home/%u'
use_fully_qualified_names: False
```

# Example Playbook
```yaml
- hosts: servers
  roles:
    - role: mahdi22.linux_joindomain
      become: yes
```

## Testing

This role is tested on Linux distributions:

- RHEL/CentOS 8
- RHEL/CentOS 7
- RHEL/CentOS 6
- Debian 10
- Debian 9
- Debian 8
- Ubuntu 24.04
- Ubuntu 22.04
- Ubuntu 20.04
- Ubuntu 19.10
- Ubuntu 18.04
- Ubuntu 16.04

--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for CentOS7JoinDomain
join_domain: true
use_proxy: False
proxy_env: []
#example:
# proxy_env:
#   http_proxy: http://proxy.local:8080/
#   https_proxy: http://proxy.local:8080/
Join_User: ADMDOMAIN
DomainName: linuxlab.local
Join_User_Pass: admdomainpassword
realm: LINUXLAB.LOCAL
server: linuxlab.local
#### CentOS/RHel 6 VARS #######
workgroup: LAB
winbind_krb5:
  realms:
    kdc:
      - kerberos-1.linuxlab.local:88
      - kerberos-1.linuxlab.local:88
      - kerberos-1.linuxlab.local:88
  domain_realms:
    - .linuxlab.local
    - linuxlab.local
fallback_homedir: '/home/%u'
use_fully_qualified_names: False

--------------------------------------------------------------------------------
/files/sshd:
--------------------------------------------------------------------------------
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
account     sufficient    pam_localuser.so


password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

--------------------------------------------------------------------------------
/files/system-auth:
--------------------------------------------------------------------------------
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
account     sufficient    pam_localuser.so


password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for CentOSJoinDomain
- name: Install pexpect 3.3
  command: python setup.py install chdir=/root/pexpect-3.3

- name: restart sssd
  systemd:
    name: sssd
    state: restarted
    enabled: yes

- name: restart samba related services
  service:
    name: "{{ item }}"
    state: restarted
    enabled: yes
  with_items:
    - smb
    - winbind
    - messagebus
    - oddjobd

--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  author: Mahdi BOURBITA
  role_name: linux_joindomain
  description: Join Domain Active Directory using sssd for RedHat, CentOS, Debian, Ubuntu distributions and using samba winbind for Redhat/CentOS 6

  license: Apache

  min_ansible_version: 2.9

  platforms:
    - name: EL
      versions:
        - 6
        - 7
        - 8
    - name: Debian
      versions:
        - buster
        - stretch
    - name: Ubuntu
      versions:
        - focal
        - bionic
        - xenial
  galaxy_tags:
    - system
    - linux
    - sssd
    - realm
    - samba
    - winbind
    - krb5
    - redhat
    - centos
    - ansible
    - debian
    - ubuntu

dependencies: []

--------------------------------------------------------------------------------
/tasks/Debian.yml:
--------------------------------------------------------------------------------
- name: Install required packages
  apt:
    name: "{{ package }}"
    state: present
  environment: "{{ proxy_env }}"
  when:
    - use_proxy is defined
    - use_proxy

- name: Install required packages
  apt:
    name: "{{ package }}"
    state: present
  when: (use_proxy is not defined) or (not use_proxy)

- name: Checking Domain Join status
  command: id "{{ Join_User }}"
  register: ad_status
  changed_when: false
  ignore_errors: true

- name: Domain configs and Join {{ DomainName }}
  block:
    - name: Join {{ ansible_distribution }} {{ ansible_distribution_major_version }} into Domain {{ DomainName }}
      expect:
        command: /bin/bash -c "/usr/sbin/realm join -U {{ Join_User }} {{ DomainName }}"
        responses:
          Password for *: "{{ Join_User_Pass }}"

    - name: Allow user Login without FQDN
      lineinfile:
        backup: yes
        state: present
        dest: /etc/sssd/sssd.conf
        regexp: '^{{ item.search }}'
        line: '{{ item.replace }}'
      with_items:
        - { search: 'use_fully_qualified_names', replace: 'use_fully_qualified_names = {{ use_fully_qualified_names }}' }
        - { search: 'fallback_homedir', replace: 'fallback_homedir = {{ fallback_homedir }}' }
        - { search: 'access_provider', replace: 'access_provider = simple' }
      notify: restart sssd

    - name: Add pam authentication to common-session
      lineinfile:
        path: "/etc/pam.d/common-session"
        line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077"
  when: ad_status.rc != 0

--------------------------------------------------------------------------------
/tasks/RedHat-6.yml:
--------------------------------------------------------------------------------
# Join domain CentOS 6 with Samba and Winbind
- name: Install Samba and winbind software
  yum:
    name: "{{ package }}"
    state: present
  environment: "{{ proxy_env }}"
  when:
    - use_proxy is defined
    - use_proxy

- name: Install Samba and winbind software
  yum:
    name: "{{ package }}"
    state: present
  when: (use_proxy is not defined) or (not use_proxy)

- name: Test if host is joined to {{ DomainName }}
  command: wbinfo -t
  changed_when: no
  register: wbinfo_test
  failed_when: "wbinfo_test.rc == 3"

- name: Set fact for join domain
  set_fact:
    join_domain: false
  when: wbinfo_test.stdout_lines[0] is search("succeeded")

- name: Install and configure samba and winbind
  block:
    - name: Extract pexpect3.3.tar.gz
      unarchive:
        src: https://github.com/pexpect/pexpect/archive/3.3.tar.gz
        dest: /root/
        remote_src: on
      environment: "{{ proxy_env }}"
      notify: Install pexpect 3.3
      when:
        - use_proxy is defined
        - use_proxy

    - name: Extract pexpect3.3.tar.gz
      unarchive:
        src: https://github.com/pexpect/pexpect/archive/3.3.tar.gz
        dest: /root/
        remote_src: on
      notify: Install pexpect 3.3
      when: (use_proxy is not defined) or (not use_proxy)

    - meta: flush_handlers

    - name: Configuration Samba
      template:
        src: smb.conf.j2
        dest: /etc/samba/smb.conf
        owner: root
      notify: restart samba related services

    - name: Configuration Krb5
      template:
        src: krb5.conf.j2
        dest: /etc/krb5.conf
      notify: restart samba related services

    - name: Configuration nsswitch
      lineinfile:
        backup: yes
        state: present
        dest: /etc/nsswitch.conf
        regexp: '^{{ item.search }}'
        line: '{{ item.replace }}'
      with_items:
        - { search: 'passwd', replace: 'passwd: files winbind' }
        - { search: 'shadow', replace: 'shadow: files winbind' }
        - { search: 'group', replace: 'group: files winbind' }
      notify: restart samba related services

    - name: Copy PAM configuration for winbind authentication
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
      loop:
        - { src: system-auth, dest: /etc/pam.d/system-auth }
        - { src: sshd, dest: /etc/pam.d/sshd }

    - name: Join Domain {{ DomainName }}
      expect:
        command: /bin/bash -c "/usr/bin/net ads join -U {{ Join_User }}"
        responses:
          Enter *: "{{ Join_User_Pass }}"
      notify: restart samba related services

    - name: Restart samba service
      service:
        name: "{{ item }}"
        state: restarted
      with_items:
        - smb
        - winbind
        - messagebus
        - oddjobd

    - name: Test if host is joined to domain {{ DomainName }}
      command: wbinfo -t
      changed_when: no
      register: wbinfo_final_test
      ignore_errors: yes

    - debug:
        msg: "wbinfo status is {{ wbinfo_final_test.stdout }}"

  when: join_domain is defined and join_domain

- name: Print join status if host is already joined
  debug:
    msg: "Host already joined"
  when: join_domain is defined and not join_domain

--------------------------------------------------------------------------------
/tasks/RedHat.yml:
--------------------------------------------------------------------------------
- name: Install Required Packages
  yum:
    name: "{{ package }}"
    state: present
  environment: "{{ proxy_env }}"
  when:
    - use_proxy is defined
    - use_proxy

- name: Install Required Packages
  yum:
    name: "{{ package }}"
    state: present
  when: (use_proxy is not defined) or (not use_proxy)

- name: Install PEXPECT With PIP For CentOS 7
  pip:
    name: pexpect
    executable: pip
  environment: "{{ proxy_env }}"
  when:
    - (ansible_distribution == "CentOS") or (ansible_distribution == "RedHat")
    - ansible_distribution_major_version == "7"
    - use_proxy is defined
    - use_proxy

- name: Install PEXPECT With PIP For CentOS 7
  pip:
    name: pexpect
    executable: pip
  when:
    - (ansible_distribution == "CentOS") or (ansible_distribution == "RedHat")
    - ansible_distribution_major_version == "7"
    - (use_proxy is not defined) or (not use_proxy)

- name: Install PEXPECT with PIP3.6 For CentOS 8
  pip:
    name: pexpect
    executable: pip3.6
  environment: "{{ proxy_env }}"
  when:
    - (ansible_distribution == "CentOS" or ansible_distribution == "RedHat")
    - ansible_distribution_major_version == "8"
    - use_proxy is defined
    - use_proxy

- name: Install PEXPECT with PIP3.6 For CentOS 8
  pip:
    name: pexpect
    executable: pip3.6
  when:
    - (ansible_distribution == "CentOS" or ansible_distribution == "RedHat")
    - ansible_distribution_major_version == "8"
    - (use_proxy is not defined) or (not use_proxy)

- name: Checking Domain Join status
  command: id "{{ Join_User }}"
  register: ad_status
  changed_when: false
  ignore_errors: true

- name: play ad_status
  debug:
    msg: "ad_status is {{ ad_status.rc }}"

- name: Join into Domain {{ DomainName }}
  expect:
    command: /bin/bash -c "/usr/sbin/realm join --user={{ Join_User }} {{ DomainName }}"
    responses:
      Password for *: "{{ Join_User_Pass }}"
  when: ad_status.rc != 0

- name: Allow user Login without FQDN
  lineinfile:
    backup: yes
    state: present
    dest: /etc/sssd/sssd.conf
    regexp: '^{{ item.search }}'
    line: '{{ item.replace }}'
  with_items:
    - { search: 'use_fully_qualified_names', replace: 'use_fully_qualified_names = {{ use_fully_qualified_names }}' }
    - { search: 'fallback_homedir', replace: 'fallback_homedir = {{ fallback_homedir }}' }
    - { search: 'access_provider', replace: 'access_provider = simple' }
  notify: restart sssd
  when: ad_status.rc != 0

--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for CentOSJoinDomain
- name: include distribution dependency variables
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution_file_variety }}-{{ ansible_distribution_major_version }}.yml"
    - "{{ ansible_distribution_file_variety }}.yml"

- name: Linux Join Active Directory Domain Tasks
  include_tasks: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution_file_variety }}-{{ ansible_distribution_major_version }}.yml"
    - "{{ ansible_distribution_file_variety }}.yml"
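tasks/main.yml above selects the vars file and the task file per host with `with_first_found`, trying `<variety>-<major>.yml` before `<variety>.yml`. The following is an added example, not part of the role: it models that lookup over the `vars/` and `tasks/` listings from the repository tree, so you can see in advance which backend (samba/winbind on EL6, sssd/realm elsewhere) a host will get, and that a host whose major version has no vars file and no `<variety>.yml` fallback (there is no `vars/RedHat.yml`) fails the include rather than continuing. The host facts are constructed values; `ansible_distribution_file_variety` is "RedHat" on CentOS/RHEL and "Debian" on Ubuntu.

```python
# Directory listings copied from the repository tree above (vars/ and tasks/).
VARS_FILES = {"Debian-22.yml", "Debian-24.yml", "Debian.yml",
              "RedHat-6.yml", "RedHat-7.yml", "RedHat-8.yml", "main.yml"}
TASK_FILES = {"Debian.yml", "RedHat-6.yml", "RedHat.yml", "main.yml"}

# Constructed hosts: (ansible_distribution_file_variety, ansible_distribution_major_version)
# as Ansible reports them; these are sample values, not real inventory.
HOSTS = {
    "centos6":    ("RedHat", "6"),
    "rhel7":      ("RedHat", "7"),
    "rhel8":      ("RedHat", "8"),
    "rhel9":      ("RedHat", "9"),
    "ubuntu2204": ("Debian", "22"),
    "ubuntu2004": ("Debian", "20"),
    "debian10":   ("Debian", "10"),
}


def candidates(variety, major):
    """The two names tasks/main.yml lists, in with_first_found order."""
    return [f"{variety}-{major}.yml", f"{variety}.yml"]


def first_found(names, available):
    """Mimic with_first_found: first name that exists; with no match the task fails."""
    for name in names:
        if name in available:
            return name
    raise FileNotFoundError(f"none of {names} exists")


def resolve(variety, major):
    """Return (vars file, tasks file, join backend) the role would use for a host."""
    names = candidates(variety, major)
    vars_file = first_found(names, VARS_FILES)
    tasks_file = first_found(names, TASK_FILES)
    # Only tasks/RedHat-6.yml takes the samba/winbind path; the others use sssd + realm.
    backend = "samba/winbind" if tasks_file == "RedHat-6.yml" else "sssd/realm"
    return vars_file, tasks_file, backend


def plan(hosts):
    """Resolve every host; hosts the role cannot serve are reported as FAILED."""
    result = {}
    for host, (variety, major) in hosts.items():
        try:
            result[host] = resolve(variety, major)
        except FileNotFoundError as err:
            result[host] = ("FAILED", str(err), None)
    return result


if __name__ == "__main__":
    for host, (vars_file, tasks_file, backend) in plan(HOSTS).items():
        print(f"{host:<11} vars={vars_file:<14} tasks={tasks_file} backend={backend}")
```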
--------------------------------------------------------------------------------
/templates/krb5.conf.j2:
--------------------------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_keytab_name = FILE:/etc/krb5.keytab
 ticket_lifetime = 24h
 default_realm = {{ realm }}
 dns_lookup_realm = false
 dns_lookup_kdc = true
 forwardable = true
[realms]
 {{ realm }} = {
{% for k in winbind_krb5.realms.kdc %}
  kdc = {{ k }}
{% endfor %}
  default_domain = {{ realm }}
 }
[domain_realm]
{% for R in winbind_krb5.domain_realms %}
 {{ R }} = {{ realm }}
{% endfor %}
[dbmodules]
 {{ realm }} = {
  db_library = ipadb.so
 }

--------------------------------------------------------------------------------
/templates/smb.conf.j2:
--------------------------------------------------------------------------------
[global]
 log file = /var/log/samba/log.%m
 max log size = 50
 workgroup = {{ workgroup }}
 password server = {{ server }}
 realm = {{ realm }}
 security = ads
 idmap config * : range = 16777216-33554431
 template homedir = /home/%U
 template shell = /bin/bash
 kerberos method = secrets only
 winbind use default domain = true
 winbind offline logon = false
 server string = Samba Server Version %v
 passdb backend = tdbsam
 load printers = yes
 cups options = raw

[homes]
 comment = Home Directories
 browseable = no
 writable = yes

--------------------------------------------------------------------------------
/tests/inventory:
--------------------------------------------------------------------------------
localhost

--------------------------------------------------------------------------------
/tests/test.yml:
--------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  roles:
    - CentOS7JoinDomain

--------------------------------------------------------------------------------
/vars/Debian-22.yml:
--------------------------------------------------------------------------------
---
# vars file for CentOSJoinDomain
package:
  - sssd
  - sssd-tools
  - libnss-sss
  - libpam-sss
  - realmd
  - oddjob
  - oddjob-mkhomedir
  - adcli
  - samba-common
  - samba-common-bin
  - packagekit
  - python3-pexpect

--------------------------------------------------------------------------------
/vars/Debian-24.yml:
--------------------------------------------------------------------------------
---
# vars file for CentOSJoinDomain
package:
  - sssd
  - sssd-tools
  - libnss-sss
  - libpam-sss
  - realmd
  - oddjob
  - oddjob-mkhomedir
  - adcli
  - samba-common
  - samba-common-bin
  - packagekit
  - python3-pexpect

--------------------------------------------------------------------------------
/vars/Debian.yml:
--------------------------------------------------------------------------------
---
# vars file for CentOSJoinDomain
package:
  - sssd
  - sssd-tools
  - libnss-sss
  - libpam-sss
  - realmd
  - oddjob
  - oddjob-mkhomedir
  - adcli
  - samba-common
  - samba-common-bin
  - packagekit
  - python-pexpect
  - python3-pexpect

--------------------------------------------------------------------------------
/vars/RedHat-6.yml:
--------------------------------------------------------------------------------
---
# vars file for CentOSJoinDomain
package:
  - samba
  - samba-common
  - samba-winbind
  - samba-winbind-clients
  - krb5-workstation
  - pam_krb5
  - samba-client
  - nss
  - oddjob-mkhomedir
  - python-setuptools
  - libselinux-python

--------------------------------------------------------------------------------
/vars/RedHat-7.yml:
--------------------------------------------------------------------------------
---
# vars file for CentOSJoinDomain
package:
  - sssd
  - realmd
  - oddjob
  - oddjob-mkhomedir
  - adcli
  - samba-common
  - samba-common-tools
  - krb5-workstation
  - openldap-clients
  - python-setuptools-devel
  - python-pip

--------------------------------------------------------------------------------
/vars/RedHat-8.yml:
--------------------------------------------------------------------------------
---
# vars file for CentOSJoinDomain
package:
  - sssd
  - realmd
  - oddjob
  - oddjob-mkhomedir
  - adcli
  - samba-common
  - samba-common-tools
  - krb5-workstation
  - openldap-clients
  - python3-pip

--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for CentOSJoinDomain
--------------------------------------------------------------------------------
