Rename some roles to make ansible-lint happy.

roles/sambaldap/defaults/main.yml

@@ -0,0 +1,4 @@
+basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
+ldap_server: sambox
+min_id_sssd: 5000
+max_id_sssd: 20000

roles/sambaldap/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: restart sssd
+  service: name=sssd state=restarted enabled=yes
+  listen: "restart sssd"
+
+- name: restart smbd
+  service: name=smbd state=restarted enabled=yes
+  listen: "restart smbd"

roles/sambaldap/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies: # noqa meta-no-info
+  - role: ldap

roles/sambaldap/tasks/main.yml

@@ -0,0 +1,118 @@
+## Install and configure samba-ldap.
+---
+- name: check if samba is already there
+  stat: path=/etc/ldap/schema/samba.ldif
+  register: samba_ldap
+
+- name: install samba and provide samba schema
+  apt:
+    name:
+      - samba
+      - sssd-ldap
+    state: latest # noqa package-latest
+
+- name: provide identities from LDAP
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+
+- name: flush all handlers
+  meta: flush_handlers
+
+- name: prepare samba schema
+  command: cp /usr/share/doc/samba/examples/LDAP/samba.ldif /etc/ldap/schema/
+  args:
+    creates: /etc/ldap/schema/samba.ldif
+
+- name: activate samba.ldif schema
+  command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
+  when: not samba_ldap.stat.exists
+
+- name: add indexes to LDAP
+  ldap_attr:
+    dn: "olcDatabase={1}mdb,cn=config"
+    name: olcDbIndex
+    values:
+      - sambaSID eq
+      - sambaPrimaryGroupSID eq
+      - sambaGroupType eq
+      - sambaSIDList eq
+      - sambaDomainName eq
+    state: present
+
+- name: modify ACLs to account for Samba
+  ldap_attr:
+    dn: "olcDatabase={1}mdb,cn=config"
+    name: olcAccess
+    values:
+      - >-
+        to attrs=userPassword
+        by self write
+        by anonymous auth
+        by * none
+      - >-
+        to attrs=shadowLastChange
+        by self write
+        by * read
+      - >-
+        to attrs=sambaNTPassword
+        by dn.exact=cn=admin,{{ basedn }} write
+        by self write
+        by * none
+      - >-
+        to * by * read
+    state: exact
+
+- name: customize smb.conf
+  blockinfile:
+    dest: /etc/samba/smb.conf
+    insertafter: '^\s*server role ='
+    block: |
+      ####### LDAP Settings #######
+      passdb backend = ldapsam:ldapi:///
+      ldap suffix = {{ basedn }}
+      ldap user suffix = ou=people
+      ldap group suffix = ou=groups
+      ldap machine suffix = ou=computers
+      ldap idmap suffix = ou=idmap
+      ldap admin dn = cn=admin,{{ basedn }}
+      ldap ssl = no
+      ldap passwd sync = yes
+  notify: restart smbd
+
+
+- name: slurp admin password for samba setup
+  slurp:
+    src: "{{ ldap_admin_pwd_file }}"
+  register: ldap_admin_pwd
+  no_log: true
+  when: not samba_ldap.stat.exists
+
+- name: make samba admin password available to smbd
+  command: smbpasswd -w "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
+  no_log: true
+  notify: restart smbd
+  when: not samba_ldap.stat.exists
+
+- name: flush all handlers
+  meta: flush_handlers
+
+- name: add samba attributes to dummy user foo
+  command:
+    cmd: smbpasswd -s -a foo
+    stdin: "{{ foo_pwd }}\n{{ foo_pwd }}"
+  when: foo_pwd is defined and foo_pwd | length > 0
+
+########################
+
+- name: allow services in firewalld
+  firewalld:
+    zone: internal
+    service: "{{ item }}"
+    permanent: true
+    immediate: true
+    state: enabled
+  with_items:
+    - samba

roles/sambaldap/templates/sssd.conf.j2

@@ -0,0 +1,23 @@
+[sssd]
+domains = LDAP
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://{{ ldap_server }}/
+ldap_search_base = {{ basedn }}
+
+auth_provider = ldap
+cache_credentials = true
+
+min_id = {{ min_id_sssd }}
+max_id = {{ max_id_sssd }}
+
+## remove this after providing propper certificates:
+ldap_tls_reqcert = allow