bertvv / ansible-role-samba

Ansible role for managing Samba as a file server on RedHat- and Debian-based Linux distros.

Home Page: https://galaxy.ansible.com/bertvv/samba/

License: Other

Shell 65.15% Jinja 34.85%

ansible-role-samba's People

Contributors

bertvv, darkstar1973, goetzk, iangreenleaf, jonathanunderwood, kota65535, morbidick, onny, robinoph, slavekjurkowski2, sveneeckeman, thiagogomesverissimo, tomislacker, towo

ansible-role-samba's Issues

Don't print passwords out to the log

I'm currently storing my samba passwords in an ansible-vault file. It was annoying to see them printed when ansible runs.

While it's not perfect, I believe that 'no_log' is the current ansible state of the art for hiding passwords.

This works for me:

@@ -100,6 +100,7 @@
     || (echo {{ item.password }}; echo {{ item.password }}) \
     | smbpasswd -s -a {{ item.name }}
   with_items: "{{ samba_users }}"
+  no_log: true
   register: create_user_output
   changed_when: "'Added user' in create_user_output.stdout"
   tags: samba
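
Review bot: no_log: true on this task hides the loop item from Ansible's output, but the two "echo {{ item.password }}" calls in the context lines above it still template the password, unquoted, into the shell command line. The password therefore remains visible in the arguments of the shell process spawned on the managed host, and a password containing spaces or shell metacharacters breaks the command. Suggest passing the password through the shell module's stdin parameter (or at least quoting it), and noting in the commit that no_log also hides the error output of a failed smbpasswd call.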

g.

AIX Support / AIX PR / Thoughts/Concerns

Howdy

I've forked and added support for the IBM AIX Operating System, and have pulled it into my master branch here: https://github.com/d-little/ansible-role-samba

I'm still doing some testing to ensure that it works as expected, but if it does work, any thoughts or concerns with me submitting a PR to get this into the root project?

It's a different architecture, and outside the scope of the original 'RedHat- and Debian-based linux distros'; I'd just wanted a single role I can use on my Linux and AIX servers :) If there's a preference to keep AIX out of this role I can split it out and maintain it separately, probably remove the Linux support entirely and just have two separate roles per-environment.

Also NB: I'm very new to putting this together in Ansible, only a few weeks in, so I might have done things very wrong! Please let me know.

Thanks

Arbitrary samba configuration options

Hi,
It would be good to see support for arbitrary configuration options added, OR, the ability to include other files.

As it stands there are lots of samba configuration options which might need a tweak which can't be used because the template overwrites them on every ansible run.

Fails if filesystem is EXFAT

Hey, thanks so much for this ansible role!

I am trying to get this up and running, to share data from an EXFAT drive. However, it fails at TASK [bertvv.samba : Create share directories]. This is because the EXFAT filesystem does not support chown/etc, and so chgrp is failing.

Example error:

failed: [nas] (item={'name': 'documents', 'comment': 'Documents', 'guest_ok': True, 'public': True, 'writable': True, 'browsable': True, 'path': '/server/documents'}) => changed=false
  ansible_loop_var: item
  gid: 0
  group: root
  item:
    browsable: true
    comment: Documents
    guest_ok: true
    name: documents
    path: /server/documents
    public: true
    writable: true
  mode: '0777'
  msg: chgrp failed
  owner: root
  path: /server/documents
  size: 262144
  state: directory
  uid: 0

is it possible to skip/handle this task differently based on the filesystem?

Thanks!

CVE-2017-7494 Mitigation is activated even if Samba version is newer than the affected one

In Ubuntu 20.04, Samba version 4.11.6 is installed. Even so, the mitigation option nt pipe support = no is added to the global part of smb.conf. This results in Windows clients not being able to connect to the shares.
The reason is that Ubuntu has its own naming convention for the version number, which is not correctly detected by the mechanism already in place. The following happens on Ubuntu.

$ smbd --version
Version 4.11.6-Ubuntu

Therefore the mechanism to detect the Samba version fails to remove all text except the version number. I would propose to replace the shell command in main.yml

smbd --version | sed 's/Version //'

by

smbd --version | sed 's/Version //' | sed 's/-Ubuntu//'
# or even
smbd --version | sed 's/Version //' | sed 's/-.*//'

Wrong service names for Arch Linux

The service names for Arch Linux are incorrect in roles/samba/vars/os_Archlinux.yml

https://wiki.archlinux.org/title/Samba#Enabling_and_starting_services

TASK [bertvv.samba : Start Samba service(s)] ***********************************
failed: [test] (item=smbd) => {"ansible_loop_var": "item", "changed": false, "item": "smbd", "msg": "Could not find the requested service smbd: host"}
failed: [test] (item=nmbd) => {"ansible_loop_var": "item", "changed": false, "item": "nmbd", "msg": "Could not find the requested service nmbd: host"}

use "map to guest = never"

Please use map to guest = never as default (which is the Samba default according to the man page).

If you use map to guest = bad user, one will be asked for credentials when browsing available samba shares from a Windows client. Windows will save those credentials, because they apparently worked (but were actually wrong). The Windows client will never be asked again for those credentials on browsing shares.

For me, it also broke somehow the authentication for a share (although the Windows GUI asked again for a password) because something seems to mess up in the authentication process then.

Allow for changing the user password

Hi,

If I read your code correctly, you can't change the password of an existing Samba user.

Could you please change the role so that a changed password in the Ansible configuration also changes the password of the user?

Cheers,
Thomas

adding users fails

Found your role when searching for a way to create samba users ... unfortunately it fails.
Do you assume that the underlying shell/system account already exists? Otherwise I'd have to add a task doing "useradd" before ...

Keeping previous shares intact

As far as I can see in this role it doesn't keep previous shares intact.
For example, if the role is called as a dependency to another, it'll wipe out any other shares previously defined.

It can be hard to find out if samba has been configured or shares defined therefore to keep things clean maybe the onus should be on the user to define if it should do a config reset or just add share info. A flag perhaps?

How to add special smb.conf setting.

Hi,

How do I get the global setting ntlm auth = yes to be added to the smb.conf file? I need this to deal with logins from some old machines on my LAN. Note that I'm aware that ntlmv1 is broken from a security standpoint but I need it nonetheless.

I tried the templates/global-include.conf trick but the samba role isn't finding the file:

fatal: [ansible-nas]: FAILED! => {"changed": false, "msg": "Could not find or access 'global-include.conf'\nSearched in:\n\t/home/skb/.ansible/roles/bertvv.samba/templates/global-include.conf\n\t/home/skb/.ansible/roles/bertvv.samba/global-include.conf\n\t/home/skb/.ansible/roles/bertvv.samba/tasks/templates/global-include.conf\n\t/home/skb/.ansible/roles/bertvv.samba/tasks/global-include.conf\n\t/home/skb/my-ansible-nas/ansible-nas/templates/global-include.conf\n\t/home/skb/my-ansible-nas/ansible-nas/global-include.conf"}

In my case I'm including a playbook that exists in a sub-directory beneath where I define the samba_global_include: global-include.conf in a master playbook. I include the playbook ansible-nas\nas.yml after defining the above symbol.

The role does engage in a search for the file so I believe it's seeing the symbol definition but it won't look in the templates directory from the directory of the top-most playbook.

Any insights here?

-Dale

Error in Ansible documentation: samba_home(s)_include

Expected Behavior

templates/home-include.conf is copied to /etc/samba/ by using the following variable: samba_home_include: home-include.conf

Current Behavior

The config file is not copied from the host to the virtual machine.

Possible Solution

  • Use the variable samba_homes_include and change the documentation so that it matches the definition in tasks/main.yml
  • Or change the definition of the module on line 100 in tasks/main.yml to src: "{{ samba_homes_include }}" so that it matches the documentation

Note that samba_mitigate_cve_2017_7494 disables share browsing

samba_mitigate_cve_2017_7494, which sets nt pipe support = no, prevents access to IPC$. Therefore, Windows clients cannot browse shares anymore. README should state this behaviour.

The best option might be to ignore samba_mitigate_cve_2017_7494 on patched Samba versions.
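
Added example (not the role's code) for the two CVE-2017-7494 issues on this page: it strips a distro suffix such as -Ubuntu from smbd --version output and compares the result numerically against the fixed upstream releases named in the Samba advisory (4.4.14, 4.5.10, 4.6.4; affected from 3.5.0). The function names and the sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the role's code. Fixed releases per the Samba
# advisory for CVE-2017-7494: 4.4.14, 4.5.10, 4.6.4 (affected from 3.5.0).

# "Version 4.11.6-Ubuntu" -> "4.11.6"; prints nothing if unparseable.
samba_numeric_version() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p'
}

# Succeeds when dotted version $1 >= $2, comparing fields numerically
# (so 4.5.10 sorts after 4.5.9, which a string comparison gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Succeeds (exit 0) when "nt pipe support = no" should stay enabled.
needs_cve_2017_7494_mitigation() {
    v=$(samba_numeric_version "$1")
    [ -n "$v" ] || return 0              # unknown format: fail safe
    version_ge "$v" 3.5.0 || return 1    # older than first affected release
    case $v in
        4.4.*) fixed=4.4.14 ;;
        4.5.*) fixed=4.5.10 ;;
        *)     fixed=4.6.4 ;;
    esac
    if version_ge "$v" "$fixed"; then return 1; fi
    return 0
}

# Constructed sample outputs of `smbd --version`.
for out in "Version 4.11.6-Ubuntu" "Version 4.5.9" "Version 4.4.14-Debian"; do
    if needs_cve_2017_7494_mitigation "$out"; then
        echo "$out: keep nt pipe support = no"
    else
        echo "$out: patched upstream release, workaround not needed"
    fi
done
```

A distribution can backport the fix without changing the upstream version number, so a "keep" result on a distro package should be checked against the vendor's advisory before the workaround is left on.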

This code is not idempotent

This code is not idempotent


- name: Create Samba users if they don't exist yet
  shell: >
    (pdbedit -L | grep {{ item.name }} 2>&1 > /dev/null) \
    || (echo {{ item.password }}; echo {{ item.password }}) \
    | smbpasswd -s -a {{ item.name }}
  with_items: samba_users
  when: samba_users is defined
  tags: samba

There should be some check if all users in the list exist

- name: Check if user exists
  shell: pdbedit -L | grep -c {{ samba_user }} || true
  register: shell_output
  changed_when: False

but with_items ...
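
Added example, not the role's code: besides always reporting a change, the grep in the task above matches substrings, so an existing account bobby makes the check treat bob as present. The block below compares exact account names from pdbedit -L output (one name:uid:full name line per account) and lists only the users still to be created; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example; the listing below is constructed, in the
# "name:uid:full name" format that `pdbedit -L` prints.
SAMPLE_LISTING='alice:1001:Alice Example
bobby:1002:Bobby Example'

# The check used by the task: succeeds on any substring match.
substring_check() {
    printf '%s\n' "$SAMPLE_LISTING" | grep "$1" >/dev/null 2>&1
}

# Reads a pdbedit -L listing on stdin and prints every wanted user
# (arguments) whose name is not an exact match for field 1.
missing_samba_users() {
    awk -F: -v wanted="$*" '
        { have[$1] = 1 }
        END {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) print w[i]
        }'
}

# In a role this would be: pdbedit -L | missing_samba_users alice bob
missing=$(printf '%s\n' "$SAMPLE_LISTING" | missing_samba_users alice bob)

if substring_check bob; then
    echo "grep check: bob looks present (false positive from bobby)"
fi
# An empty list means nothing to do, so the task can report "unchanged".
echo "exact check: users to create: ${missing:-none}"
```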

Using include for other configurations doesn't work

I am defining a global include with:

vars:
    # Include global options from `templates/global-include.conf`
    samba_global_include: global-include.conf

After running Ansible and SSH'ing into the machine, I see my file has made it:

❯ ls /etc/samba/global-include.conf
/etc/samba/global-include.conf

And that a configuration line has made it into /etc/samba/smb.conf:

❯ cat /etc/samba/smb.conf | grep include
  include = global-include.conf

However, this is an invalid smb.conf as shown with testparm:

❯ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Can't find include file global-include.conf
...

The fix for me was making an absolute path definition in the Jinja template:

diff --git a/templates/smb.conf.j2 b/templates/smb.conf.j2
index a57d8bd..58e8273 100755
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
@@ -79,7 +79,7 @@
 {% endif %}

 {% if samba_global_include is defined %}
-  include = {{ samba_global_include }}
+  include = /etc/samba/{{ samba_global_include }}
 {% endif %}

 {% if samba_load_homes %}
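Review bot: the /etc/samba/ prefix in the new include line is hard-coded, so the template now assumes one configuration directory on every platform the role supports. Suggest building the path from a role variable for the Samba configuration directory, the same one the copy task writes to, so the include line and the copied file cannot drift apart.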
@@ -91,7 +91,7 @@
 {% endif %}

 {% if samba_home_include is defined %}
-  include = {{ samba_home_include }}
+  include = /etc/samba/{{ samba_home_include }}
 {% endif %}

 {% if samba_shares|length > 0 %}
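Review bot: the condition and the new include line both use samba_home_include; check that this is the same variable name used by the task that copies the file into /etc/samba, because an include that points at a file that was never copied fails with the same "Can't find include file" error this patch is meant to fix.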
@@ -138,7 +138,7 @@
   directory mode = {{ share.directory_mode|default('0775') }}
   force directory mode = {{ share.force_directory_mode|default('0775') }}
 {% if share.include_file is defined %}
-  include = {{ share.include_file }}
+  include = /etc/samba/{{ share.include_file }}
 {% endif %}

 {% endfor %}
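
Review bot: share.include_file is interpolated after /etc/samba/ without any normalisation, so a value that is already an absolute path produces /etc/samba//... and a value containing ../ resolves outside the directory. Suggest applying the basename filter to the value here (and to the two includes in the earlier hunks), or documenting that only bare file names are accepted.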

Is this the correct fix for this bug? Would you be amenable to a PR?

No support for "allow hosts"

There is currently no way to restrict shares by host / subnet.

Basic functionality can be accomplished by adding the following to templates/smb.conf.j2. I recommend including it after "force directory mode = {{ share.force_directory_mode|default('0775') }}".

{% if share.allow_hosts is defined %}
  allow hosts = {% for entry in share.allow_hosts %}{{ entry }}{% if not loop.last %}, {% endif %}{% endfor %}
{% endif %}

Example Configuration:

samba_shares:
  - name: /srv/shares/test
    write_list: +users
    setype: public_content_rw_t
    allow_hosts:
      - 192.168.1.0/24
      - 172.16.10.0/255.255.255.0
