├── LICENSE
├── README.rst
├── pillar.example
└── samba
    ├── clean.sls
    ├── client
        ├── clean.sls
        └── init.sls
    ├── config
        ├── clean.sls
        └── init.sls
    ├── defaults.yaml
    ├── files
        ├── aduser.map
        ├── mkhomedir
        ├── pam_winbind.conf
        └── smb.conf
    ├── init.sls
    ├── map.jinja
    ├── server
        ├── clean.sls
        └── init.sls
    ├── users
        ├── clean.sls
        └── init.sls
    ├── winbind-ad
        ├── clean.sls
        └── init.sls
    └── winbind
        ├── clean.sls
        └── init.sls


/LICENSE:
--------------------------------------------------------------------------------
 1 |    Copyright (c) 2013 Salt Stack Formulas
 2 | 
 3 |    Licensed under the Apache License, Version 2.0 (the "License");
 4 |    you may not use this file except in compliance with the License.
 5 |    You may obtain a copy of the License at
 6 | 
 7 |        http://www.apache.org/licenses/LICENSE-2.0
 8 | 
 9 |    Unless required by applicable law or agreed to in writing, software
10 |    distributed under the License is distributed on an "AS IS" BASIS,
11 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 |    See the License for the specific language governing permissions and
13 |    limitations under the License.
14 | 
15 | 


--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
  1 | samba
  2 | =====
  3 | Install and configure a samba server.
  4 | 
  5 | .. note::
  6 | 
  7 |     See the full `Salt Formulas installation and usage instructions
  8 |     <http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.
  9 | 
 10 | Available states
 11 | ================
 12 | 
 13 | .. contents::
 14 |     :local:
 15 |     
 16 | ``samba``
 17 | ---------
 18 | 
 19 | Installs the samba server and client packages and starts the samba service.
 20 | 
 21 | ``samba.client``
 22 | ----------------
 23 | 
 24 | Installs the samba client package.
 25 | 
 26 | ``samba.config``
 27 | ----------------
 28 | 
 29 | Includes the ``samba`` state.
 30 | 
 31 | Creates a ``smb.conf`` based on defaults. Pillars if defined override default values.
 32 | 
 33 | ``samba.users``
 34 | ----------------
 35 | 
 36 | Includes the ``samba`` state.
 37 | 
 38 | Creates samba users (via ``smbpasswd``)  based on pillar data.
 39 | 
 40 | ``samba.winbind``
 41 | ----------------
 42 | 
 43 | Includes the ``samba`` state.
 44 | 
 45 | Installs samba-winbind packages and updates NSS (nsswitch.conf). Run this state after joining the Domain.
 46 | 
 47 | ``samba.winbind-ad``
 48 | ----------------
 49 | 
 50 | Includes the ``winbind`` state.
 51 | 
 52 | By default this state provides full Active Directory (AD) domain membership if ``samba.role`` equals ``ROLE_DOMAIN_MEMBER``.
 53 | 
 54 | ``samba.clean``
 55 | --------------
 56 | 
 57 | Calls `clean` state for all modules to completely remove samba and winbind.
 58 | 
 59 | Configuration
 60 | =============
 61 | The distro samba package includes a default ``smb.conf`` which is overridden by ``samba.config`` state. This formula has good defaults for samba ROLE_STANDALONE and ROLE_DOMAIN_MEMBER roles, but can be extended/overridden in pillars.
 62 | 
 63 | 
 64 | AD integration
 65 | ==================
 66 | 
 67 | Ensure host's assigned (dhcp) ipaddress is reflecting DNS.
 68 | 
 69 | .. code-block:: bash
 70 | 
 71 |      [myhost]$ ip addr
 72 |      [myhost]$ host myhost.example.com
 73 | 
 74 | Ensure system time is NTP synchronized (yes)!!
 75 | 
 76 | .. code-block:: bash
 77 | 
 78 |      $ # timedatectl
 79 |                Local time: Fri 2018-02-09 08:34:10 MST
 80 |            Universal time: Fri 2018-02-09 15:34:10 UTC
 81 |                  RTC time: Fri 2018-02-09 15:34:21
 82 |                 Time zone: America/Denver (MST, -0700)
 83 |           Network time on: yes
 84 |          NTP synchronized: yes
 85 |           RTC in local TZ: no
 86 | 
 87 | Join the domain in three commands-
 88 | 
 89 | .. code-block:: bash
 90 | 
 91 |      $ sudo net ads join EXAMPLE.COM -U 'domainAdminUser'
 92 |      Enter domainAdminUser password:
 93 |      Using short domain name -- EXAMPLE
 94 |      Joined MYHOST to dns domain ‘example.com'
 95 | 
 96 |      $ sudo kinit -k MYHOST\$@EXAMPLE.COM
 97 | 
 98 |      $ sudo systemctl restart winbind
 99 | 
100 | If 'kinit' fails then try rebooting and checking for issues with time and dns.
101 | 
102 | 


--------------------------------------------------------------------------------
/pillar.example:
--------------------------------------------------------------------------------
 1 | 
 2 | ## Definitions to extend and override defaults
 3 | 
 4 | samba:
 5 |   role: ROLE_DOMAIN_MEMBER
 6 |   conf:
 7 |     render:
 8 |       ## list the sections your smb.conf should include
 9 |       section_order: ['global', 'homes', 'printers', 'sharename', 'user1share']
10 |       ## include sections from default.yaml (yes) or ONLY those listed above (no)
11 |       include_unordered_sections: no
12 | 
13 |     sections:
14 |       global:
15 |         workgroup: EXAMPLE
16 |         netbios name: example
17 |         bind interfaces only: yes
18 |         interfaces: lo bond0
19 | 
20 |       user1share:
21 |         ## Optional site specific extension to smb.conf
22 |         comment: "user1 samba share"
23 |         path: /home/user1
24 |         valid users: user1
25 |         create mode: '0660'
26 |         directory mode: '0770'
27 |         public: no
28 |         writable: yes
29 |         printable: no
30 | 
31 |   users:
32 |     ## Optional site specific extension to smb.conf
33 |     ## user.present passwd needs plaintext or hash. Hash is recommended, generate it with the following command -> openssl passwd -1
34 |     ## pdbedit.managed nt needs hash. Plaintext seem to be broken (https://github.com/saltstack-formulas/samba-formula/issues/35). Generate it with the following command -> salt '*' pdbedit.generate_nt_hash PASSWORD
35 |     user1:
36 |       password:
37 |         passwd: $1$vFH3.Plc$7CZnr18jaLx1fMBGm1NMP/ ## Equals "user1sambapassword" in plaintext
38 |         nt: EB11C288046508EBE2AA213DB0860813 ## Equals "user1sambapassword" in plaintext
39 |     user2:
40 |       password: 
41 |         passwd: $1$Kvm5/Q6Y$B19DYyLRCqeUsyacipVet1 ## Equals "user2sambapassword" in Plaintext
42 |         nt: 5AA13065E0B8A81835D48291E5C47236 ## Equals "user2sambapassword" in Plaintext
43 | 
44 |   winbind:
45 |     krb5_default_realm: EXAMPLE.COM
46 | 


--------------------------------------------------------------------------------
/samba/clean.sls:
--------------------------------------------------------------------------------
1 | 
2 | include:
3 |   - samba.winbind-ad.clean      ##because it depends on samba service
4 |   - samba.winbind.clean         ##because it depends on samba service
5 |   - samba.users.clean           ##because it depends on samba service
6 |   - samba.client.clean
7 |   - samba.config.clean
8 |   - samba.server.clean
9 | 


--------------------------------------------------------------------------------
/samba/client/clean.sls:
--------------------------------------------------------------------------------
1 | {% from "samba/map.jinja" import samba with context %}
2 | 
3 | samba_client_clean:
4 |   pkg.removed:
5 |     - name: {{ samba.client }}
6 | 


--------------------------------------------------------------------------------
/samba/client/init.sls:
--------------------------------------------------------------------------------
1 | {% from "samba/map.jinja" import samba with context %}
2 | 
3 | samba_client:
4 |   pkg.installed:
5 |     - name: {{ samba.client }}
6 | 


--------------------------------------------------------------------------------
/samba/config/clean.sls:
--------------------------------------------------------------------------------
1 | {% from "samba/map.jinja" import samba with context %}
2 | 
3 | samba_config_clean:
4 |   file.absent:
5 |     - name: {{ samba.config }}
6 | 


--------------------------------------------------------------------------------
/samba/config/init.sls:
--------------------------------------------------------------------------------
 1 | {% from "samba/map.jinja" import samba with context %}
 2 | 
 3 | include:
 4 |   - samba.server
 5 | 
 6 | samba_config:
 7 |   file.managed:
 8 |     - name: {{ samba.config }}
 9 |     - source: {{ samba.config_src }}
10 |     - template: jinja
11 |     - watch_in:
12 |       - service: samba_service_install
13 | 


--------------------------------------------------------------------------------
/samba/defaults.yaml:
--------------------------------------------------------------------------------
  1 | # -*- coding: utf-8 -*-
  2 | # vim: ft=jinja
  3 | 
  4 | {% set default_realm=salt['pillar.get']('samba:winbind:krb5_default_realm', 'EXAMPLE.COM')%}
  5 | {% set default_workgroup=salt['pillar.get']('samba:conf:sections:global:workgroup', 'EXAMPLE')%}
  6 | 
  7 | # Default lookup dictionary
  8 | samba:
  9 |   role: ROLE_STANDALONE
 10 |   server: samba
 11 |   config: /etc/samba/smb.conf
 12 |   config_src: salt://samba/files/smb.conf
 13 |   root_group: root
 14 | 
 15 |   conf:
 16 |     render:
 17 |       #### Inherit these as smb.conf defaults.
 18 |       section_order: ['global', 'homes', 'printers', 'sharename',]
 19 |       include_skeleton: yes
 20 |       include_unordered_sections: no    #best default value
 21 |     sections:
 22 |       global:
 23 |         ## samba.role: ROLE_STANDALONE (default)
 24 |         workgroup: {{ default_workgroup }}
 25 |         server string: "Samba Server %v"
 26 |         log file: "/var/log/samba/%m.log"
 27 |         max log size: 50
 28 |         dns proxy: no
 29 |         load printers: yes
 30 |         printing: cups
 31 |         printcap name: cups
 32 |         security: user
 33 |         hosts allow: 127. 10. 192.168.
 34 |         bind interfaces only: no
 35 |         usershare allow guests: no
 36 |       global_role_domain_member:
 37 |         ## samba.role: ROLE_DOMAIN_MEMBER
 38 |         realm: {{ default_realm }}
 39 |         security: ADS
 40 |         client signing: yes
 41 |         client use spnego: yes
 42 |         encrypt passwords: yes
 43 |         # idmap config for this domain
 44 |         "idmap config * : range": 16777216-33554431
 45 |         #"idmap config * : backend": ad
 46 |         "idmap config * : schema_mode": rfc2307
 47 |         kerberos method: secrets and keytab
 48 |         template shell: /bin/bash
 49 |         template homedir: /home/%U
 50 |         os level: 2
 51 |         winbind enum users: yes
 52 |         winbind enum groups: yes
 53 |         winbind expand groups: 0
 54 |         winbind use default domain: yes
 55 |         winbind refresh tickets: no
 56 |         winbind offline logon: no
 57 |         winbind cache time: 10
 58 |         winbind nested groups: True
 59 |         wins support: True
 60 |         socket options: SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
 61 |         domain master: no
 62 |         local master: no
 63 |         preferred master: no
 64 |         username map: /etc/samba/aduser.map
 65 |       homes:
 66 |         comment: "Home Directories"
 67 |         browseable: no
 68 |         read only: No
 69 |         inherit acls: No
 70 |         writeable: yes
 71 |       printers:
 72 |         comment: "All Printers"
 73 |         path: /var/lib/samba/drivers
 74 |         browseable: no
 75 |         guest ok: yes
 76 |         writeable: no
 77 |         printable: yes
 78 |         #printer admin: root, '@ntadmins', '@smbprintadm'
 79 | 
 80 |   users:
 81 | 
 82 |   preinstall:
 83 |     cmd:
 84 |     osreleases: []
 85 | 
 86 |   winbind:
 87 |     krb5_default_realm: {{ default_realm }}
 88 |     pam_mkhomedir_src: salt://samba/files/mkhomedir
 89 |     usermap: /etc/samba/aduser.map
 90 |     usermap_src: salt://samba/files/aduser.map
 91 | 
 92 |     pam_winbind:
 93 |       config: /etc/security/pam_winbind.conf
 94 |       config_src: salt://samba/files/pam_winbind.conf
 95 |       global:
 96 |         debug: no
 97 |         debug_state: no
 98 |         cached_login: no
 99 |         krb5_auth: yes
100 |         krb5_ccache_type: FILE
101 |         require_membership_of:
102 |         warn_pwd_expire: 14
103 |         silent: no
104 |         mkhomedir: yes
105 | 
106 |     nsswitch:
107 |       regex:
108 |        {% raw %}
109 |         - ['hostsMdns', '^(?!#).*(?<!#|\w)(host.*:.*files\s)(mdns4?_minimal.*\]\s*)(dns.*$)', '\1 \3',]
110 |         - ['passwd', '^(?!#).*(?<!#|\w)(passwd.*:.*(files|compat))(?!.*winbind)(.*$)(?<!winbind)', '\1 winbind \3',]
111 |         - ['group', '^(?!#|net).*(?<!#|\w)(group.*:.*(files|compat))(?!.*winbind)(.*$)(?<!winbind)', '\1 winbind \3',]
112 |         - ['hostsWins', '^(?!#).*(?<!#|\w)(host.*:.*files\s)(?!.*wins)(.*$)(?<!wins)', '\1wins \2',]
113 |        {% endraw %}
114 | 


--------------------------------------------------------------------------------
/samba/files/aduser.map:
--------------------------------------------------------------------------------
1 | !root = {{ workgroup }}\Administrator
2 | 


--------------------------------------------------------------------------------
/samba/files/mkhomedir:
--------------------------------------------------------------------------------
1 | Name: Create home directory on login
2 | Default: yes
3 | Priority: 1
4 | Session-Type: Additional
5 | Session-Interactive-Only: yes
6 | Session:
7 |         required pam_mkhomedir.so umask=0077 skel=/etc/skel
8 | 


--------------------------------------------------------------------------------
/samba/files/pam_winbind.conf:
--------------------------------------------------------------------------------
 1 | {% raw %}
 2 | #######################################################################
 3 | # This file is managed by salt. Manual changes risk being overwritten. 
 4 | # The contents of an example skeleton pam_winbind.conf are stored 
 5 | # at the bottom as a quick reference.                                         
 6 | #######################################################################
 7 | {% endraw %}
 8 | 
 9 | {%- macro makeoutput(outdict) -%}
10 |   {%- for key, value in outdict|dictsort -%}
11 |   {{ output(key, value) }}
12 |   {%- endfor %}
13 | {%- endmacro -%}
14 | 
15 | {%- macro output(key, value, spaces=0) -%}
16 |   {%- set shift = spaces * " " %}
17 |   {%- set newline = "\n" -%}
18 |   {%- if value is mapping %}
19 |     {{ shift }}{{ key }} = {
20 |     {%- for key, value in value|dictsort -%}
21 |     {{ output(key, value, spaces=spaces+4) }}
22 |     {%- endfor %}
23 |     {{ shift }}}
24 |   {%- elif key == '#' -%}
25 |     {{ newline }}{{ key }} {{ value }}
26 |   {%- elif value is string or value is number %}
27 |     {{ shift }}{{ key }} = {{ value }}
28 |   {%- elif value -%}
29 |     {%- for value in value -%}
30 |     {{ output(key, value, spaces=spaces) }}
31 |     {%- endfor %}
32 |   {%- endif %}
33 | {%- endmacro -%}
34 | 
35 | {%- macro comment(str) -%}
36 |   {{ output("#", str) }}
37 | {%- endmacro -%}
38 | 
39 | {% from "samba/map.jinja" import samba with context %}
40 | 
41 | [global]
42 |   {%- set pam_wbind_defaults = samba.winbind.pam_winbind.get('global', {}) -%}
43 |   {{ makeoutput(pam_wbind_defaults) if pam_wbind_defaults else comment('Using software defaults') }}
44 | 
45 | #
46 | # skeleton pam_winbind.conf for reference
47 | #
48 | # This pam_winbind.conf can be used to set various options for the
49 | # pam_winbind(8) PAM module. Alternatively setting these Options
50 | # in the PAM configuration is allowed and takes precedence.
51 | # There is only one section (global).
52 | #
53 | # pam_winbind configuration file
54 | #
55 | # /etc/security/pam_winbind.conf
56 | #
57 | 
58 | #====================== global ==============================
59 | ;[global]
60 | ; debug = no
61 | # Debugging output for pam_winbind to syslog. Default "no".
62 | 
63 | # turn on extended PAM state debugging
64 | ;debug_state = no
65 | 
66 | # request a cached login if possible
67 | # (needs "winbind offline logon = yes" in smb.conf)
68 | ;cached_login = no
69 | 
70 | # authenticate using kerberos
71 | ;krb5_auth = no
72 | 
73 | # when using kerberos, request a "FILE" krb5 credential cache type
74 | # (leave empty to just do krb5 authentication but not have a ticket
75 | # afterwards)
76 | ;krb5_ccache_type =
77 | 
78 | # make successful authentication dependend on membership of one SID
79 | # (can also take a name); commas, no spaces.
80 | ;require_membership_of =
81 | 
82 | # password expiry warning period in days
83 | ;warn_pwd_expire = 14
84 | 
85 | # omit pam conversations
86 | ;silent = no
87 | 
88 | # create homedirectory on the fly
89 | ;mkhomedir = no
90 | 
91 | 


--------------------------------------------------------------------------------
/samba/files/smb.conf:
--------------------------------------------------------------------------------
  1 | #######################################################################
  2 | # This file is managed by salt. Manual changes risk being overwritten.
  3 | # The contents of an example skeleton smb.conf are stored at the
  4 | # bottom as a quick reference. See also smb.conf(5).
  5 | #######################################################################
  6 | {% from "samba/map.jinja" import samba with context %}
  7 | 
  8 | {# Samba role handling #}
  9 | {%- if samba.winbind.krb5_default_realm -%}
 10 |    {% import_yaml "samba/defaults.yaml" as defs %}
 11 |    {% if samba.role == 'ROLE_DOMAIN_MEMBER' %}
 12 |       {% do defs.samba.conf.sections.global.update( defs.samba.conf.sections.global_role_domain_member ) %}
 13 |       {% do samba.conf.sections.global.update( salt['pillar.get']('samba:conf:sections:global',
 14 |                                             default=defs.samba.conf.sections.global, merge=True)) %}
 15 |    {% endif %}
 16 | {% endif %}
 17 | 
 18 | {# Build smb.conf #}
 19 | {%- macro config_section(section) %}
 20 | {%- set options = samba.conf.sections.get(section, {}) -%}
 21 |   {% if section not in ('global_role_domain_member', 'some_other_scenario', ) %}
 22 | [{{ section }}]
 23 |     {% if options %}
 24 |       {%- for option, value in options|dictsort %}
 25 |       {{ option }} = {{ value }}
 26 |       {%- endfor %}
 27 |     {% endif %}
 28 |   {% endif %}
 29 | {%- endmacro -%}
 30 | 
 31 | {%- set ordered_sections = samba.conf.render.get('section_order', {}) %}
 32 | {%- for k in ordered_sections or None %}
 33 | {{ config_section(k) }}
 34 | {%- endfor -%}
 35 | {%- if samba.conf.render.get('include_unordered_sections', True) -%}
 36 | {%- for k in samba.conf.sections.keys()|sort %}
 37 |     {%- if k not in ordered_sections %}
 38 | {{ config_section(k) }}
 39 |     {%- endif %}
 40 | {%- endfor -%}
 41 | {%- endif -%}
 42 | 
 43 | {%- if samba.conf.render.get('include_skeleton', True) %}
 44 | # This is the main Samba configuration file. You should read the
 45 | # smb.conf(5) manual page in order to understand the options listed
 46 | # here. Samba has a huge number of configurable options (perhaps too
 47 | # many!) most of which are not shown in this example
 48 | #
 49 | # Any line which starts with a ; (semi-colon) or a # (hash) 
 50 | # is a comment and is ignored. In this example we will use a #
 51 | # for commentry and a ; for parts of the config file that you
 52 | # may wish to enable
 53 | #
 54 | # NOTE: Whenever you modify this file you should run the command "testparm"
 55 | # to check that you have not made any basic syntactic errors. 
 56 | #
 57 | #======================= Global Settings =====================================
 58 | ;[global]
 59 | 
 60 | # workgroup = NT-Domain-Name or Workgroup-Name
 61 | ;   workgroup = MYGROUP
 62 | 
 63 | # server string is the equivalent of the NT Description field
 64 | ;   server string = Samba Server
 65 | 
 66 | # This option is important for security. It allows you to restrict
 67 | # connections to machines which are on your local network. The
 68 | # following example restricts access to two C class networks and
 69 | # the "loopback" interface. For more examples of the syntax see
 70 | # the smb.conf man page
 71 | ;   hosts allow = 192.168.1. 192.168.2. 127.
 72 | 
 73 | # if you want to automatically load your printer list rather
 74 | # than setting them up individually then you'll need this
 75 | ;   printcap name = /etc/printcap
 76 | ;   load printers = yes
 77 | 
 78 | # It should not be necessary to spell out the print system type unless
 79 | # yours is non-standard. Currently supported print systems include:
 80 | # bsd, sysv, plp, lprng, aix, hpux, qnx
 81 | ;   printing = bsd
 82 | 
 83 | # Uncomment this if you want a guest account, you must add this to /etc/passwd
 84 | # otherwise the user "nobody" is used
 85 | ;  guest account = pcguest
 86 | 
 87 | # this tells Samba to use a separate log file for each machine
 88 | # that connects
 89 | ;   log file = /var/log/samba/%m.log
 90 | 
 91 | # Put a capping on the size of the log files (in Kb).
 92 | ;   max log size = 50
 93 | 
 94 | # Security mode. Most people will want user level security. See
 95 | # security_level.txt for details.
 96 | ;   security = user
 97 | # Use password server option only with security = server
 98 | ;   password server = <NT-Server-Name>
 99 | 
100 | # Password Level allows matching of _n_ characters of the password for
101 | # all combinations of upper and lower case.
102 | ;  password level = 8
103 | ;  username level = 8
104 | 
105 | # You may wish to use password encryption. Please read
106 | # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
107 | # Do not enable this option unless you have read those documents
108 | ;  encrypt passwords = yes
109 | ;  smb passwd file = /etc/samba/smbpasswd
110 | 
111 | # The following are needed to allow password changing from Windows to
112 | # update the Linux sytsem password also.
113 | # NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
114 | # NOTE2: You do NOT need these to allow workstations to change only
115 | #        the encrypted SMB passwords. They allow the Unix password
116 | #        to be kept in sync with the SMB password.
117 | ;  unix password sync = Yes
118 | ;  passwd program = /usr/bin/passwd %u
119 | ;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
120 | 
121 | # Unix users can map to different SMB User names
122 | ;  username map = /etc/samba/smbusers
123 | 
124 | # Using the following line enables you to customise your configuration
125 | # on a per machine basis. The %m gets replaced with the netbios name
126 | # of the machine that is connecting
127 | ;   include = /etc/samba/smb.conf.%m
128 | 
129 | # Configure Samba to use multiple interfaces
130 | # If you have multiple network interfaces then you must list them
131 | # here. See the man page for details.
132 | ;   interfaces = 192.168.12.2/24 192.168.13.2/24 
133 | 
134 | # Configure remote browse list synchronisation here
135 | #  request announcement to, or browse list sync from:
136 | #	a specific host or from / to a whole subnet (see below)
137 | ;   remote browse sync = 192.168.3.25 192.168.5.255
138 | # Cause this host to announce itself to local subnets here
139 | ;   remote announce = 192.168.1.255 192.168.2.44
140 | 
141 | # Browser Control Options:
142 | # set local master to no if you don't want Samba to become a master
143 | # browser on your network. Otherwise the normal election rules apply
144 | ;   local master = no
145 | 
146 | # OS Level determines the precedence of this server in master browser
147 | # elections. The default value should be reasonable
148 | ;   os level = 33
149 | 
150 | # Domain Master specifies Samba to be the Domain Master Browser. This
151 | # allows Samba to collate browse lists between subnets. Don't use this
152 | # if you already have a Windows NT domain controller doing this job
153 | ;   domain master = yes 
154 | 
155 | # Preferred Master causes Samba to force a local browser election on startup
156 | # and gives it a slightly higher chance of winning the election
157 | ;   preferred master = yes
158 | 
159 | # Use only if you have an NT server on your network that has been
160 | # configured at install time to be a primary domain controller.
161 | ;   domain controller = <NT-Domain-Controller-SMBName>
162 | 
163 | # Enable this if you want Samba to be a domain logon server for 
164 | # Windows95 workstations. 
165 | ;   domain logons = yes
166 | 
167 | # if you enable domain logons then you may want a per-machine or
168 | # per user logon script
169 | # run a specific logon batch file per workstation (machine)
170 | ;   logon script = %m.bat
171 | # run a specific logon batch file per username
172 | ;   logon script = %U.bat
173 | 
174 | # Where to store roving profiles (only for Win95 and WinNT)
175 | #        %L substitutes for this servers netbios name, %U is username
176 | #        You must uncomment the [Profiles] share below
177 | ;   logon path = \\%L\Profiles\%U
178 | 
179 | # All NetBIOS names must be resolved to IP Addresses
180 | # 'Name Resolve Order' allows the named resolution mechanism to be specified
181 | # the default order is "host lmhosts wins bcast". "host" means use the unix
182 | # system gethostbyname() function call that will use either /etc/hosts OR
183 | # DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
184 | # and the /etc/resolv.conf file. "host" therefore is system configuration
185 | # dependant. This parameter is most often of use to prevent DNS lookups
186 | # in order to resolve NetBIOS names to IP Addresses. Use with care!
187 | # The example below excludes use of name resolution for machines that are NOT
188 | # on the local network segment
189 | # - OR - are not deliberately to be known via lmhosts or via WINS.
190 | ; name resolve order = wins lmhosts bcast
191 | 
192 | # Windows Internet Name Serving Support Section:
193 | # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
194 | ;   wins support = yes
195 | 
196 | # WINS Server - Tells the NMBD components of Samba to be a WINS Client
197 | #	Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
198 | ;   wins server = w.x.y.z
199 | 
200 | # WINS Proxy - Tells Samba to answer name resolution queries on
201 | # behalf of a non WINS capable client, for this to work there must be
202 | # at least one	WINS Server on the network. The default is NO.
203 | ;   wins proxy = yes
204 | 
205 | # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
206 | # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
207 | # this has been changed in version 1.9.18 to no.
208 | ;   dns proxy = no 
209 | 
210 | # Case Preservation can be handy - system default is _no_
211 | # NOTE: These can be set on a per share basis
212 | ;  preserve case = no
213 | ;  short preserve case = no
214 | # Default case is normally upper case for all DOS files
215 | ;  default case = lower
216 | # Be very careful with case sensitivity - it can break things!
217 | ;  case sensitive = no
218 | 
219 | #============================ Share Definitions ==============================
220 | ;[homes]
221 | ;   comment = Home Directories
222 | ;   browseable = no
223 | ;   writable = yes
224 | 
225 | # Un-comment the following and create the netlogon directory for Domain Logons
226 | ; [netlogon]
227 | ;   comment = Network Logon Service
228 | ;   path = /home/netlogon
229 | ;   guest ok = yes
230 | ;   writable = no
231 | ;   share modes = no
232 | 
233 | 
234 | # Un-comment the following to provide a specific roving profile share
235 | # the default is to use the user's home directory
236 | ;[Profiles]
237 | ;    path = /home/profiles
238 | ;    browseable = no
239 | ;    guest ok = yes
240 | 
241 | 
242 | # NOTE: If you have a BSD-style print system there is no need to 
243 | # specifically define each individual printer
244 | ;[printers]
245 | ;   comment = All Printers
246 | ;   path = /var/spool/samba
247 | ;   browseable = no
248 | # Set public = yes to allow user 'guest account' to print
249 | ;   guest ok = no
250 | ;   writable = no
251 | ;   printable = yes
252 | 
253 | # This one is useful for people to share files
254 | ;[tmp]
255 | ;   comment = Temporary file space
256 | ;   path = /tmp
257 | ;   read only = no
258 | ;   public = yes
259 | 
260 | # A publicly accessible directory, but read only, except for people in
261 | # the "staff" group
262 | ;[public]
263 | ;   comment = Public Stuff
264 | ;   path = /home/samba
265 | ;   public = yes
266 | ;   read only = yes
267 | ;   write list = @staff
268 | 
269 | # Other examples. 
270 | #
271 | # A private printer, usable only by fred. Spool data will be placed in fred's
272 | # home directory. Note that fred must have write access to the spool directory,
273 | # wherever it is.
274 | ;[fredsprn]
275 | ;   comment = Fred's Printer
276 | ;   valid users = fred
277 | ;   path = /homes/fred
278 | ;   printer = freds_printer
279 | ;   public = no
280 | ;   writable = no
281 | ;   printable = yes
282 | 
283 | # A private directory, usable only by fred. Note that fred requires write
284 | # access to the directory.
285 | ;[fredsdir]
286 | ;   comment = Fred's Service
287 | ;   path = /usr/somewhere/private
288 | ;   valid users = fred
289 | ;   public = no
290 | ;   writable = yes
291 | ;   printable = no
292 | 
293 | # a service which has a different directory for each machine that connects
294 | # this allows you to tailor configurations to incoming machines. You could
295 | # also use the %u option to tailor it by user name.
296 | # The %m gets replaced with the machine name that is connecting.
297 | ;[pchome]
298 | ;  comment = PC Directories
299 | ;  path = /usr/pc/%m
300 | ;  public = no
301 | ;  writable = yes
302 | 
303 | # A publicly accessible directory, read/write to all users. Note that all files
304 | # created in the directory by users will be owned by the default user, so
305 | # any user with access can delete any other user's files. Obviously this
306 | # directory must be writable by the default user. Another user could of course
307 | # be specified, in which case all files would be owned by that user instead.
308 | ;[public]
309 | ;   path = /usr/somewhere/else/public
310 | ;   public = yes
311 | ;   only guest = yes
312 | ;   writable = yes
313 | ;   printable = no
314 | 
315 | # The following two entries demonstrate how to share a directory so that two
316 | # users can place files there that will be owned by the specific users. In this
317 | # setup, the directory should be writable by both users and should have the
318 | # sticky bit set on it to prevent abuse. Obviously this could be extended to
319 | # as many users as required.
320 | ;[myshare]
321 | ;   comment = Mary's and Fred's stuff
322 | ;   path = /usr/somewhere/shared
323 | ;   valid users = mary fred
324 | ;   public = no
325 | ;   writable = yes
326 | ;   printable = no
327 | ;   create mask = 0765
328 | {%- endif %}
329 | 


--------------------------------------------------------------------------------
/samba/init.sls:
--------------------------------------------------------------------------------
1 | 
2 | include:
3 |   - samba.server
4 |   - samba.config
5 |   - samba.client
6 |   # samba.users
7 |   # samba.winbind
8 |   # samba.winbind-ad
9 | 


--------------------------------------------------------------------------------
/samba/map.jinja:
--------------------------------------------------------------------------------
 1 | # -* coding: utf-8 -*-
 2 | # vim: ft=jinja
 3 | # OS family parameters overriding defaults
 4 | 
 5 | {% set samba_osmap = salt['grains.filter_by']({
 6 |     'default':{
 7 |         'client': 'samba-client',
 8 |         'service': 'smb',
 9 |     },
10 |     'Debian': {
11 |         'client': 'smbclient',
12 |         'service': salt['grains.filter_by']({
13 |             'lenny': 'samba',
14 |             'squeeze': 'samba',
15 |             'wheezy': 'samba',
16 |             'jessie': 'smbd',
17 |             'stretch': 'smbd',
18 |             'buster': 'smbd',
19 |             'bullseye': 'smbd'
20 |         }, grain='oscodename', default='lenny'),
21 |     },
22 |     'Suse':{
23 |         'service': 'smb',
24 |         'client' : 'samba-client',
25 |         'preinstall': {
26 |             'cmd': 'zypper --non-interactive dup --no-allow-vendor-change',
27 |             'osreleases': [42],
28 |         },
29 |      },
30 |      'Arch': {
31 |          'service': 'smbd',
32 |          'client': 'smbclient',
33 |      },
34 |      'FreeBSD': {
35 |          'server': 'samba44',
36 |          'client': 'samba44',
37 |          'service': 'samba_server',
38 |          'config': '/usr/local/etc/smb4.conf',
39 |      },
40 |      'Gentoo': {
41 |          'server': 'net-fs/samba',
42 |          'client': 'net-fs/samba',
43 |      },
44 |      'MacOS': {},
45 |  }, grain='os_family', merge=salt['grains.filter_by']({
46 |      'Ubuntu': {
47 |         'client': 'smbclient',
48 |         'service': salt['grains.filter_by']({
49 |             'xenial': 'smbd',
50 |             'trusty': 'samba',
51 |          }, grain='oscodename', default='xenial'),
52 |       },
53 |     }, grain='os')
54 | )%}
55 | 
56 | #Winbind
57 | {% set winbind_osmap = salt['grains.filter_by']({
58 |    'default':{
59 |       'server': 'samba-winbind',
60 |       'services': ['nmb', 'winbind',],
61 |       'utils': ['attr', 'samba-winbind-clients', 'samba-winbind-krb5-locator', 'cifs-utils', 'oddjob-mkhomedir', 'sssd-libwbclient'],
62 |       'libnss': 'samba-winbind-modules',
63 |       'pam_authconfig': '/usr/sbin/authconfig --update --enablewinbind --enablewins --enablemkhomedir --enablewinbindauth',
64 |       'pam_authconfig_cmd': '/usr/sbin/authconfig',
65 |    },
66 |    'Debian': {
67 |       'server': 'winbind',
68 |       'services': ['nmbd', 'winbind',],
69 |       'utils': ['libpam-winbind', 'smbldap-tools', 'cifs-utils',],
70 |       'libnss': 'libnss-winbind',
71 |       'pam_seen': '/var/lib/pam/seen',
72 |       'pam_mkhomedir': '/usr/share/pam-configs/mkhomedir',
73 |       'pam_authconfig': 'DEBIAN_FRONTEND=noninteractive /usr/sbin/pam-auth-update',
74 |       'pam_authconfig_cmd': '/usr/sbin/pam-auth-update',
75 |    },
76 |    'Suse':{
77 |       'server': 'samba-winbind',
78 |       'libnss': '',
79 |       'services': ['nmb', 'winbind',],
80 |       'utils': ['gvfs-backend-samba', 'attr', 'cifs-utils',],
81 |       'pam_authconfig': '/usr/sbin/pam-config -a --winbind --mkhomedir --mkhomedir-umask=0077 --mkhomedir-skel=/etc/skel',
82 |       'pam_authconfig_cmd': '/usr/sbin/pam-config',
83 |    },
84 |  }, grain='os_family', merge=salt['grains.filter_by']({
85 |     'Fedora': {
86 |       'pam_authconfig': '/usr/sbin/authconfig --update --enablewinbind --enablemkhomedir --enablewinbindauth --disablesssd --disablesssdauth',
87 |      },
88 |    }, grain='os')
89 | )%}
90 | 
91 | {# start with defaults, merge osmappings, and finally pillars #}
92 | {% import_yaml "samba/defaults.yaml" as defaults %}
93 | {% do defaults.samba.update( samba_osmap ) %}
94 | {% do defaults.samba.winbind.update( winbind_osmap ) %}
95 | {% set samba = salt['pillar.get']( 'samba', default=defaults.samba, merge=True) %}
96 | 
97 | 


--------------------------------------------------------------------------------
/samba/server/clean.sls:
--------------------------------------------------------------------------------
1 | {% from "samba/map.jinja" import samba with context %}
2 | 
3 | samba_service_clean:
4 |   service.dead:
5 |     - name: {{ samba.service }}
6 |     - enable: False
7 |   pkg.removed:
8 |     - name: {{ samba.server }}
9 | 


--------------------------------------------------------------------------------
/samba/server/init.sls:
--------------------------------------------------------------------------------
 1 | {% from "samba/map.jinja" import samba with context %}
 2 | 
 3 |   {% if samba.preinstall.cmd and grains.osmajorrelease in samba.preinstall.osreleases %}
 4 | samba_preinstall_cmd:
 5 |   cmd.run:
 6 |     - name: {{ samba.preinstall.cmd }}
 7 |     - require_in:
 8 |       - pkg: samba_service_install
 9 |   {% endif %}
10 | 
11 | samba_service_install:
12 |   pkg.installed:
13 |     - name: {{ samba.server }}
14 |   service.running:
15 |     - name: {{ samba.service }}
16 |     - enable: True
17 |     - require:
18 |       - pkg: samba_service_install
19 | 


--------------------------------------------------------------------------------
/samba/users/clean.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | {% if grains['os_family'] in ('RedHat', 'Suse', 'Debian') %}
 3 | include:
 4 |   - samba.client.clean
 5 | {% endif %}
 6 | 
 7 | {% for login,user in salt['pillar.get']('samba:users', {}).items() %}
 8 | samba_{{ login }}_clean:
 9 |   user.absent:
10 |     - name: {{ login }}
11 | {% endfor %}
12 | 


--------------------------------------------------------------------------------
/samba/users/init.sls:
--------------------------------------------------------------------------------
 1 | {% if grains['os_family'] in ('RedHat', 'Suse', 'Debian') %}
 2 | include:
 3 |   - samba.client
 4 | {% endif %}
 5 | 
 6 | {% for login,user in salt['pillar.get']('samba:users', {}).items() %}
 7 | {{ login }}:
 8 |   user.present:
 9 |     - name: {{ login }}
10 |     - fullname: {{ login }}
11 |     - password: {{ user.password.passwd }}
12 |   pdbedit.managed:
13 |     - login: {{ login }}
14 |     - password: {{ user.password.nt }}
15 |     - password_hashed: True
16 | {% endfor %}
17 | 


--------------------------------------------------------------------------------
/samba/winbind-ad/clean.sls:
--------------------------------------------------------------------------------
 1 | {% from "samba/map.jinja" import samba with context %}
 2 | 
 3 |   {% if grains.os_family in ('Debian',) %}
 4 | samba_winbind_pam_mkhomedir_clean:
 5 |   file.absent:
 6 |     - name: {{ samba.winbind.pam_mkhomedir }}
 7 |     
 8 |       {% for pam_config in ['winbind', 'mkhomedir',] %}
 9 | samba_winbind_pamforget_{{ pam_config }}_clean:
10 |   file.line:
11 |     - name: {{ samba.winbind.pam_seen }}
12 |     - match: {{ pam_config }}
13 |     - mode: delete
14 |     - onlyif: test -f {{ samba.winbind.pam_seen }}
15 |       {% endfor %}
16 |   {% endif %}
17 | 
18 | samba_winbind_nsswitch_usermap_clean:
19 |   cmd.run:
20 |     - name: cp /etc/nsswitch.conf.salt.bak /etc/nsswitch.conf
21 |     - onlyif:
22 |       - test -f /etc/nsswitch.conf.salt.bak
23 |       - {{ grains.os_family in ('Debian', 'Suse',) }}
24 |   file.absent:
25 |     - name: {{ samba.winbind.usermap }}
26 |     - onlyif: {{ samba.winbind.usermap }}
27 | 


--------------------------------------------------------------------------------
/samba/winbind-ad/init.sls:
--------------------------------------------------------------------------------
 1 | {% from "samba/map.jinja" import samba with context %}
 2 | 
 3 | include:
 4 |   - samba.winbind
 5 | 
 6 |   {% if grains.os_family in ('Debian',) %}
 7 | 
 8 | samba_winbind_pam_mkhomedir:
 9 |   file.managed:
10 |     - name: {{ samba.winbind.pam_mkhomedir }}
11 |     - source: {{ samba.winbind.pam_mkhomedir_src }}
12 |     - template: jinja
13 |     - create: True
14 |     
15 |     {% for pam_config in ['winbind', 'mkhomedir',] %}
16 | samba_winbind_pamforget_{{ pam_config }}:
17 |   file.line:
18 |     - name: {{ samba.winbind.pam_seen }}
19 |     - match: {{ pam_config }}
20 |     - mode: delete
21 |     - require:
22 |       - file: samba_winbind_pam_mkhomedir
23 |     - require_in:
24 |       - cmd: samba_winbind_ad_authconfig
25 |     {% endfor %}
26 | {% endif %}
27 | 
28 |   {% if grains.os_family in ('Debian', 'Suse',) %}
29 |     {% for config in samba.winbind.nsswitch.regex %}
30 | 
31 | samba_winbind_nsswitch_{{ config[0] }}:
32 |   file.replace:
33 |     - name: /etc/nsswitch.conf
34 |     - pattern: {{ config[1] }}
35 |     - repl: {{ config[2] }}
36 |     - backup: '.salt.bak'
37 |     - require_in:
38 |       - cmd: samba_winbind_ad_authconfig
39 | 
40 |     {% endfor %}
41 |   {% endif %}
42 | 
43 |   {% if samba.winbind.usermap %}
44 | samba_winbind_ad_usermap:
45 |   file.managed:
46 |     - name: {{ samba.winbind.usermap }}
47 |     - source: {{ samba.winbind.usermap_src }}
48 |     - mode: 755
49 |     - create: True
50 |     - template: jinja
51 |     - context:
52 |       workgroup: {{ samba.conf.sections.global.workgroup }}
53 |   {% endif %}    
54 | 
55 |   {% if grains.os_family in ('RedHat', 'Debian', 'Suse',) %}
56 | samba_winbind_ad_authconfig:
57 |   cmd.run:
58 |     - name: {{ samba.winbind.pam_authconfig }}
59 |     - onlyif: test -f {{ samba.winbind.pam_authconfig_cmd }}
60 |     - watch_in:
61 |       - service: samba_winbind_service
62 |   {% endif %}
63 | 


--------------------------------------------------------------------------------
/samba/winbind/clean.sls:
--------------------------------------------------------------------------------
 1 | {% from "samba/map.jinja" import samba with context %}
 2 | 
 3 | samba_winbind_services_clean:
 4 |   service.dead:
 5 |     - names:
 6 |       {% for service in samba.winbind.services %}
 7 |       -  {{ service }}
 8 |       {% endfor %}
 9 |       - {{ samba.service }}
10 |     - enable: False
11 |   file.absent:
12 |     - name: {{ samba.winbind.pam_winbind.config }}
13 |   pkg.purged:
14 |     - names:
15 |       {% if samba.winbind.libnss %}
16 |       - {{ samba.winbind.libnss }}
17 |       {% endif %}
18 |       {% for pkg in samba.winbind.utils %}
19 |       - {{ pkg }}
20 |       {% endfor %}
21 |       - libwbclient0       ###needed (on ubuntu) to purge winbind (avoiding https://github.com/saltstack/salt/issues/42306)
22 |       - {{ samba.winbind.server }}
23 |     - normalize: True
24 |     - require:
25 |       - file: samba_winbind_services_clean
26 | 


--------------------------------------------------------------------------------
/samba/winbind/init.sls:
--------------------------------------------------------------------------------
 1 | {% from "samba/map.jinja" import samba with context %}
 2 | 
 3 | samba_winbind_service:
 4 |   pkg.installed:
 5 |     - names:
 6 |       - {{ samba.winbind.server }}
 7 |         {%- if "utils" in samba.winbind and samba.winbind.utils %}
 8 |             {%- for pkg in samba.winbind.utils %}
 9 |       - {{ pkg }}
10 |             {%- endfor %}
11 |         {%- endif %}
12 |         {% if "libnss" in samba.winbind and samba.winbind.libnss %}
13 |       - {{ samba.winbind.libnss }}
14 |         {%- endif %}
15 |   file.managed:
16 |     - name: {{ samba.winbind.pam_winbind.config }}
17 |     - source: {{ samba.winbind.pam_winbind.config_src }}
18 |     - template: jinja
19 |     - user: root
20 |     - group: {{ samba.get('root_group', 'root') }}
21 |     - mode: '0644'
22 |     - onlyif: test -f {{ samba.winbind.pam_winbind.config }}
23 |   service.running:
24 |     ### This state will fail if we have'nt joined the domain yet. Thats okay!
25 |     - unmask_runtime: true
26 |     - names:
27 |       - {{ samba.service }}
28 |         {% for service in samba.winbind.services %}
29 |       - {{ service }}
30 |         {% endfor %}
31 |     - enable: True
32 | 


--------------------------------------------------------------------------------