- Module Description
- Setup
- Usage
- Packages
- Samba Domain Controller
  - Domain Controller
  - Password Policy
  - Logon Script
  - User
  - Group
- Samba Classic
- Idmap
  - nss, tdb or rid
  - ad
  - autorid
  - hash
  - ldap
  - tdb2
- Samba Shares
  - Shares
  - Directories
- Limitations
- Development
- Release Notes
This module manages the Samba installation, including Samba as an Active Directory Domain Controller.
Any parameter in smb.conf can be added, modified or removed, so the installation can be customized to your specific needs.
This module is licensed MIT.
The script additionnal-samba-tool is licensed GPLv3 (it depends on python-samba, which is GPLv3).
This module installs the Samba packages and sets up smb.conf.
In 'classic' mode:
- By default, it enables winbind in nsswitch.conf (through augeas, modifying nothing more than necessary).
- By default, it joins the Domain Controller.
- It configures and enables the winbind service.
- It deploys 'smb-create-home.sh', a small helper script that creates users' home directories automatically.
In 'dc' mode:
- It deploys additionnal-samba-tool, a python script complementing samba-tool. This script handles users/groups and their attributes (list, add or remove attributes).
This module requires the puppetlabs-stdlib module.
This module lets you choose between native distribution packages and Sernet (Samba developers) packages:
class { 'samba::params':
sernetpkgs => true, # enable sernet packages (default: false)
}
If this class is undeclared, the default behavior is to use native distribution packages. (see Limitations for CentOS/RedHat)
If the Sernet packages are used, please configure a repository containing these packages.
To provision the domain controller use the samba::dc class:
class { '::samba::dc':
  # Mandatory parameters
  domain => 'ad', # * AD domain name
  realm => 'ad.example.org', # * Realm name (must match domain)
  # Optional parameters
  dnsbackend => 'internal', # * DNS backend ('internal',
  # 'bindFlat' or 'bindDLZ')
  # default: internal
  adminpassword => 'P455WordS', # * Administrator password
  # (default: undef)
  dnsforwarder => '8.8.8.8', # * DNS forwarder IP (default: undef)
  ip => '192.168.1.1', # * DC listening IP (default: undef)
  targetdir => '/var/lib/samba/', # * Deployment directory
  # (default: '/var/lib/samba/')
  domainlevel => '2003', # * Functional level ('2003',
  # '2008' or '2008 R2') (default: 2003).
  # Can be raised, but not lowered
  sambaloglevel => 3, # * Log level (from 1 to 10) (default: 1)
  logtosyslog => false, # * Log to syslog instead of a file
  # (default: false)
  sambaclassloglevel => { # * Set log level per log class
    'printdrivers' => 1, # (default: undef)
    'idmap' => 5,
    'winbind' => 3,
  },
  globaloptions => { # * Custom options in section [global]
    # Take precedence over the defaults set by this class.
    # (default: {})
    'custom setting 1' => 'custom value 1',
    'custom setting 2' => 'custom value 2',
  },
  netlogonoptions => {}, # * Custom options in section [netlogon]
  sysvoloptions => {}, # * Custom options in section [sysvol]
  globalabsentoptions => ['idmap_ldb:use'], # * Remove default settings put
  # by this class in [global]
  # (default: [])
  sysvolabsentoptions => [], # * Remove default settings in [sysvol]
  netlogonabsentoptions => [], # * Remove default settings in [netlogon]
}
Note that adminpassword is written in clear text in the manifest and ends up in the compiled catalog; restrict who can read both.
Configuring password Policy:
class { '::samba::dc::ppolicy':
  ppolicycomplexity => 'on', # * Enforce password complexity (default: on)
  ppolicyplaintext => 'off', # * Store passwords in a reversible
  # (cleartext-recoverable) form (default: off).
  # Leave it off: it exposes every user's password
  # to anyone who can read the directory database.
  ppolicyhistorylength => 24, # * Password history length (default: 24)
  ppolicyminpwdlength => 7, # * Minimum password length (default: 7)
  ppolicyminpwdage => 1, # * Minimum password age in days (default: 1)
  ppolicymaxpwdage => 42, # * Maximum password age in days (default: 42)
}
If this class is not declared, the defaults set by samba-tool provisioning are kept.
Password Policy parameters can be set individually:
samba::dc::ppolicy_param{'--account-lockout-duration':
option => '--account-lockout-duration', # option name in samba-tool
show_string => 'Account lockout duration (mins):', # string name in show
value => '45', # value
}
Use the following commands to list available options for your samba version
# List available options:
$ samba-tool domain passwordsettings --help
# List available string_show:
$ samba-tool domain passwordsettings show
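The following checker is an added example and not code from the puppet-samba module. It parses the output of `samba-tool domain passwordsettings show` (the same lines the `show_string` parameter of samba::dc::ppolicy_param matches on) and reports every setting weaker than a baseline built from the defaults of the ppolicy class above. The sample output is constructed in the layout of Samba 4.x with deliberately weak values; the lockout threshold in the baseline is this example's own choice, not a module default.

```python
"""Check a Samba AD password policy against a baseline.

Added example, not code from the puppet-samba module. It parses the output of
`samba-tool domain passwordsettings show` and reports every setting weaker
than the baseline. SAMPLE_OUTPUT is constructed in the layout of Samba 4.x;
its values are deliberately weak to exercise the checks.
"""
import re
import subprocess

SAMPLE_OUTPUT = """\
Password informations for domain 'DC=ad,DC=example,DC=org'

Password complexity: off
Store plaintext passwords: on
Password history length: 3
Minimum password length: 5
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

# Baseline: the defaults of class samba::dc::ppolicy in this README, plus a
# lockout threshold (an assumption of this example, not a module default).
BASELINE = {
    "Password complexity": ("eq", "on"),
    "Store plaintext passwords": ("eq", "off"),
    "Password history length": ("ge", 24),
    "Minimum password length": ("ge", 7),
    "Minimum password age (days)": ("ge", 1),
    "Maximum password age (days)": ("between", (1, 42)),  # 0 means never expires
    "Account lockout threshold (attempts)": ("between", (1, 10)),  # 0 disables lockout
}

LINE_RE = re.compile(r"^([^:]+):\s*(\S.*)$")


def parse_passwordsettings(text):
    """Turn the 'Setting: value' lines into a dict, converting integers."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # blank line or the 'Password informations for domain ...' header
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        settings[key] = int(value) if value.isdigit() else value.lower()
    return settings


def check_policy(settings, baseline=BASELINE):
    """Return [(setting, actual, expected)] for every setting below baseline."""
    findings = []
    for key, (op, expected) in baseline.items():
        actual = settings.get(key)
        if op == "eq":
            ok = actual == expected
        elif op == "ge":
            ok = isinstance(actual, int) and actual >= expected
        else:  # between
            ok = isinstance(actual, int) and expected[0] <= actual <= expected[1]
        if not ok:  # also covers a setting samba-tool did not report at all
            findings.append((key, actual, expected))
    return findings


def check_live_domain():
    """Run the real command on a DC (assumes samba-tool is on PATH)."""
    proc = subprocess.run(["samba-tool", "domain", "passwordsettings", "show"],
                          check=True, capture_output=True, text=True)
    return check_policy(parse_passwordsettings(proc.stdout))


if __name__ == "__main__":
    for key, actual, expected in check_policy(parse_passwordsettings(SAMPLE_OUTPUT)):
        print(f"WEAK: {key} = {actual!r} (expected {expected})")
```

Run it on the DC after Puppet has applied the ppolicy class (call `check_live_domain()` instead of using the sample) to confirm that the values samba-tool reports are the ones the manifest declares; a missing line in the output is reported as a finding rather than silently passing.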
Adding logon scripts:
::samba::dc::script { 'login1.cmd': # * name of the script
  # * content of the script; line endings are
  # automatically converted to CRLF.
  content => "echo login script 1\nping -n 11 127.0.0.1 > nul\n",
}
Adding users:
smb_user { 'test user': # * user name
ensure => present, # * absent | present
password => 'QwertyP455aaa', # * user password
groups => ['domain users', # * list of groups
'administrators'],
attributes => { # * hash of attributes
uidNumber => '15222', # use list for multivalued attributes
gidNumber => '10001',
msSFU30NisDomain => 'dc',
mail => ['test@toto.fr'],
},
}
Adding groups:
smb_group { 'mygroup': # * group name
  ensure => present, # * absent | present
  scope => 'Domain', # * group scope
  type => 'Security', # * group type
  attributes => { # * hash of attributes
    gidNumber => '15220', # use list for multivalued attributes
    msSFU30NisDomain => 'dc',
  },
  groups => ['domain users', # * list of groups this group
    'administrators'], # is a member of
}
class { '::samba::classic':
  # Mandatory parameters
  domain => 'DC', # * Domain to authenticate against
  realm => 'dc.kakwa.fr', # * Realm to authenticate against
  smbname => 'SMB', # * NetBIOS name of this host
  # Optional parameters
  sambaloglevel => 3, # * Samba log level
  logtosyslog => true, # * Log to syslog
  security => 'ADS', # * security mode.
  # in ['ADS', 'AUTO', 'USER', 'DOMAIN']
  # default: 'ADS'
  krbconf => true, # * Deploy krb5.conf file (default: true)
  nsswitch => true, # * Add winbind to nsswitch,
  # (default: true)
  adminuser => 'custadmin', # * Domain Administrator login
  # (default: 'administrator')
  adminpassword => 'P455WordS', # * Domain Administrator
  # password (for joining)
  # (default: undef, no join)
  sambaclassloglevel => { # * Set log level per log class
    'printdrivers' => 1, # (default: undef)
    'idmap' => 5,
    'winbind' => 3,
  },
  globaloptions => {}, # * Custom options in section [global]
  globalabsentoptions => [], # * Remove default settings put by this class in [global]
}
Idmap maps Windows SIDs to Unix uid/gid numbers. It supports several backends, which are configured with the ::samba::idmap resource.
A '*' (default) domain is required for idmap to work, and the id ranges of the '*' domain and of each explicitly configured domain must not overlap. The 'Domain DC' examples below are alternatives, one per backend: declare only one ::samba::idmap per domain.
::samba::idmap { 'Domain *':
  domain => '*', # * name of the Domain or '*'
  idrangemin => 10000, # * Min uid/gid for Domain users
  idrangemax => 19999, # * Max uid/gid for Domain users
  backend => 'tdb', # * idmap backend
  # in [nss, tdb or rid]
}
::samba::idmap { 'Domain DC':
  domain => 'DC', # * name of the Domain or '*'
  idrangemin => 20000, # * Min uid/gid for Domain users
  idrangemax => 29999, # * Max uid/gid for Domain users
  backend => 'ad', # * idmap backend
  schema_mode => 'rfc2307', # * Schema mode
  # in [rfc2307, sfu, sfu20]
}
::samba::idmap { 'Domain DC':
  domain => 'DC', # * name of the Domain or '*'
  idrangemin => 1000000, # * Min uid/gid for Domain users
  idrangemax => 1999999, # * Max uid/gid for Domain users
  backend => 'autorid', # * idmap backend
  # Optional parameters
  rangesize => 100000, # * number of ids per domain
  # default: 100000
  # (the range must hold at least one
  # block of rangesize ids)
  read_only => 'yes', # * Read only mapping
  # Default no
  ignore_builtin => 'yes', # * Ignore any mapping requests
  # for the BUILTIN domain
}
::samba::idmap { 'Domain DC':
  domain => 'DC', # * name of the Domain or '*'
  idrangemin => 20000, # * Min uid/gid for Domain users
  idrangemax => 29999, # * Max uid/gid for Domain users
  backend => 'hash', # * idmap backend
  name_map => '/etc/samba/name_map.cfg', # * mapping file
}
::samba::idmap { 'Domain DC':
  domain => 'DC', # * name of the Domain or '*'
  idrangemin => 20000, # * Min uid/gid for Domain users
  idrangemax => 29999, # * Max uid/gid for Domain users
  backend => 'ldap', # * idmap backend
  ldap_base_dn => 'ou=users,dc=example,dc=com', # * users mapping ou
  ldap_user_dn => 'cn=smb,dc=example,dc=com', # * bind account
  ldap_passwd => 'password', # * bind password
  ldap_url => 'ldap://ldap.example.com', # * ldap url
}
::samba::idmap { 'Domain DC':
  domain => 'DC', # * name of the Domain or '*'
  idrangemin => 20000, # * Min uid/gid for Domain users
  idrangemax => 29999, # * Max uid/gid for Domain users
  backend => 'tdb2', # * idmap backend
  script => '/etc/samba/map.sh', # * mapping sid/uid script
}
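Each ::samba::idmap resource ends up as `idmap config DOMAIN : option = value` lines in smb.conf. The following script is an added example, not code from the puppet-samba module: it parses those lines from an smb.conf, checks that a '*' default domain exists, that every domain has a backend and a well-formed range, and that no two ranges overlap. The two smb.conf fragments are constructed for this example; the first reproduces the overlap you get when '*' and 'DC' are both given the same range.

```python
"""Sanity-check idmap ranges in smb.conf before winbind is (re)started.

Added example, not code from the puppet-samba module. It reads the
'idmap config DOMAIN : option = value' lines of an smb.conf and reports
missing default domain, missing backend/range, malformed or reversed ranges,
ranges colliding with local system accounts, and overlapping ranges.
The smb.conf fragments below are constructed for this example.
"""
import re

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)

# Constructed: '*' and 'DC' are both given 10000-19999.
OVERLAPPING_CONF = """\
[global]
    workgroup = DC
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config DC : backend = ad
    idmap config DC : schema_mode = rfc2307
    idmap config DC : range = 10000-19999
"""

# Constructed: same configuration with disjoint ranges.
FIXED_CONF = OVERLAPPING_CONF.replace("DC : range = 10000-19999",
                                      "DC : range = 20000-29999")


def parse_idmap(smbconf_text):
    """Return {domain: {option: value}} from the idmap config lines."""
    domains = {}
    for line in smbconf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(domain, {})[option] = value
    return domains


def parse_range(text):
    """'10000-19999' -> (10000, 19999); raises ValueError on anything else."""
    low, high = (int(part) for part in text.split("-"))
    return low, high


def check_idmap(domains):
    """Return a list of human-readable findings (empty means the config is sane)."""
    findings = []
    if "*" not in domains:
        findings.append("no 'idmap config *' default domain (required by winbind)")
    ranges = {}
    for domain, options in domains.items():
        if "backend" not in options:
            findings.append(f"{domain}: no backend configured")
        if "range" not in options:
            findings.append(f"{domain}: no range configured")
            continue
        try:
            low, high = parse_range(options["range"])
        except ValueError:
            findings.append(f"{domain}: malformed range {options['range']!r}")
            continue
        if low > high:
            findings.append(f"{domain}: range {low}-{high} is reversed")
            continue
        if low < 1000:  # system accounts live below 1000 on most distributions
            findings.append(f"{domain}: range {low}-{high} overlaps local system accounts")
        ranges[domain] = (low, high)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    return findings


def check_smbconf(text):
    """Convenience wrapper: smb.conf text -> findings."""
    return check_idmap(parse_idmap(text))


if __name__ == "__main__":
    for name, conf in (("overlapping", OVERLAPPING_CONF), ("fixed", FIXED_CONF)):
        print(name, check_smbconf(conf) or "OK")
```

To check a real host, pass the contents of /etc/samba/smb.conf to `check_smbconf()`; running it as a pre-check in the same Puppet run (for instance via a `validate_cmd` on the smb.conf file resource) keeps winbind from starting with a broken mapping.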
::samba::share { 'Test Share':
# Mandatory parameters
path => '/srv/test/',
# Optionnal parameters
owner => 'root', # * owner of the share directory
# (default: root)
group => 'root', # * group of the share directory
# (default: root)
mode => '0775', # * mode of the share directory
# (default: 0777)
acl => [], # * list of posix acls (default: undef)
options => { # * Custom options in section [Test Share]
'browsable' => 'Yes',
'root preexec' => 'mkdir -p \'/home/home_%U\'',
},
absentoptions => ['path'], # * Remove default settings put by this resource
# (default: [])
}
To create a subdirectory inside a share with specific permissions/ACLs:
::samba::share { 'Sub Dir':
# Mandatory parameters
path => '/srv/test/sub',
# Optionnal parameters
owner => 'root', # * owner of the directory
# (default: root)
group => 'root', # * group of the directory
# (default: root)
mode => '0775', # * mode of the directory
# (default: 770)
acl => [], # * list of posix acls (default: undef)
}
Class samba::dc (deploy Samba as a Domain Controller) needs Samba 4.
As of March 2015, the CentOS/RedHat packages don't support the Samba 4 AD DC because of the Kerberos implementation they are built against. If you plan to deploy Samba as a DC on CentOS/RedHat, use the Sernet packages.
To access the Sernet repositories, you must register on the Sernet portal. Once that's done, you have access to your ACCESSKEY. Use it together with your USERNAME to configure the repository:
sernet-samba-4.1.repo:
[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (centos-7)
type=rpm-md
baseurl=https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/centos/7/
gpgcheck=1
gpgkey=https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/centos/7/repodata/repomd.xml.key
enabled=1
sernet-samba-4.1.list:
deb https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main
deb-src https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main
This module does not configure the repository; you have to do it by other means. Since USERNAME and ACCESSKEY are embedded in the repository URLs, keep these files readable by root only (e.g. mode 0600) and out of version control.
Any form of contribution (bug reports, feature requests...) is welcomed. Pull requests will be merged after review.
If you have questions about how to use this module, don't hesitate to file an issue.
Contribution must not raise errors from puppet-lint.
0.3.0:
- remove useless --workgroup option in DC provisioning
- add type ppolicy_param to set individual ppolicy parameters
- fix ppolicy class to be more robust to version changes
0.2.0:
- adding parameter adminuser for class samba::classic default value (administrator) maintains the previous behaviour
0.1.2:
- Better summary in metadata.json
0.1.1:
- Better tags in metadata.json
- Better documentation
0.1.0:
- first release
This module includes portions of code derived from:
- puppetlabs/inifile licensed under APL
- python-samba licensed under GPLv3
- puppet-acl licensed under APL