bertvv / ansible-role-samba
Ansible role for managing Samba as a file server on RedHat- and Debian-based linux distros.
Home Page: https://galaxy.ansible.com/bertvv/samba/
License: Other
Hey, thanks so much for this ansible role!
I am trying to get this up and running, to share data from an EXFAT drive. However, it fails at TASK [bertvv.samba : Create share directories]. This is because the EXFAT filesystem does not support chown/etc., and so chgrp is failing.
Example error:
failed: [nas] (item={'name': 'documents', 'comment': 'Documents', 'guest_ok': True, 'public': True, 'writable': True, 'browsable': True, 'path': '/server/documents'}) => changed=false
  ansible_loop_var: item
  gid: 0
  group: root
  item:
    browsable: true
    comment: Documents
    guest_ok: true
    name: documents
    path: /server/documents
    public: true
    writable: true
  mode: '0777'
  msg: chgrp failed
  owner: root
  path: /server/documents
  size: 262144
  state: directory
  uid: 0
Is it possible to skip/handle this task differently based on the filesystem?
Thanks!
Found your role when searching for a way to create samba users ... unfortunately it fails.
Do you assume that the underlying shell/system account already exists? Otherwise I'd have to add a task doing "useradd" before ...
I'm currently storing my samba passwords in an ansible-vault file. It was annoying to see them printed when ansible runs.
While it's not perfect, I believe that 'no_log' is the current ansible state of the art for hiding passwords.
This works for me:
@@ -100,6 +100,7 @@
|| (echo {{ item.password }}; echo {{ item.password }}) \
| smbpasswd -s -a {{ item.name }}
with_items: "{{ samba_users }}"
+ no_log: true
register: create_user_output
changed_when: "'Added user' in create_user_output.stdout"
tags: samba
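Review bot: no_log: true hides the task output, but the password is still interpolated unquoted into the shell command two lines above it (echo {{ item.password }}), so it shows up in the process list on the managed host while smbpasswd runs, and a password containing shell metacharacters (space, ;, $, quotes) breaks the command or gets partly executed. Quote it, e.g. echo {{ item.password | quote }}, and consider making the flag conditional, no_log: "{{ samba_no_log | default(true) }}" (variable name assumed), so the diagnostic output can be recovered when the task fails.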
g.
I am defining a global include with:
vars:
  # Include global options from `templates/global-include.conf`
  samba_global_include: global-include.conf
After running Ansible and SSH'ing into the machine, I see my file has made it:
❯ ls /etc/samba/global-include.conf
/etc/samba/global-include.conf
And that a configuration line has made it into /etc/samba/smb.conf:
❯ cat /etc/samba/smb.conf | grep include
include = global-include.conf
However, this is an invalid smb.conf, as shown with testparm:
❯ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Can't find include file global-include.conf
...
The fix for me was making an absolute path definition in the Jinja template:
diff --git a/templates/smb.conf.j2 b/templates/smb.conf.j2
index a57d8bd..58e8273 100755
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
@@ -79,7 +79,7 @@
{% endif %}
{% if samba_global_include is defined %}
- include = {{ samba_global_include }}
+ include = /etc/samba/{{ samba_global_include }}
{% endif %}
{% if samba_load_homes %}
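Review bot: the hardcoded /etc/samba/ prefix on the include line turns a value that is already absolute into /etc/samba//path/to/file, so anyone who worked around the current behaviour by passing a full path in samba_global_include will now get the same "Can't find include file" failure from testparm. Prefix only relative names, e.g. include = {{ samba_global_include if samba_global_include.startswith('/') else '/etc/samba/' ~ samba_global_include }}, or document that the variable is a file name relative to /etc/samba/.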
@@ -91,7 +91,7 @@
{% endif %}
{% if samba_home_include is defined %}
- include = {{ samba_home_include }}
+ include = /etc/samba/{{ samba_home_include }}
{% endif %}
{% if samba_shares|length > 0 %}
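Review bot: this is the second of three places in the template that now spell out /etc/samba/ as a literal; the same directory is where the role copies the include file (the ls output above shows it landing there), so it belongs in one variable (say samba_configuration_dir, name assumed) that both the template and the copy task read, otherwise a later change to the destination breaks every include silently until testparm is run.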
@@ -138,7 +138,7 @@
directory mode = {{ share.directory_mode|default('0775') }}
force directory mode = {{ share.force_directory_mode|default('0775') }}
{% if share.include_file is defined %}
- include = {{ share.include_file }}
+ include = /etc/samba/{{ share.include_file }}
{% endif %}
{% endfor %}
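Review bot: same concern as the other include lines, but share.include_file is a per-share value from samba_shares, so a share definition that already supplies an absolute path is rewritten to /etc/samba//... and fails at testparm; apply the prefix only when the value does not start with '/' (e.g. {{ share.include_file if share.include_file.startswith('/') else '/etc/samba/' ~ share.include_file }}).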
Is this the correct fix for this bug? Would you be amenable to a PR?
Howdy
I've forked and added support for the IBM AIX Operating System, and have pulled it into my master branch here: https://github.com/d-little/ansible-role-samba
I'm still doing some testing to ensure that it works as expected, but if it does work, any thoughts or concerns with me submitting a PR to get this into the root project?
It's a different architecture, and outside the scope of the original 'RedHat- and Debian-based linux distros'; I'd just wanted a single role I can use on my Linux and AIX servers :) If there's a preference to keep AIX out of this role I can split it out and maintain it separately, probably remove the Linux support entirely and just have two separate roles per-environment.
Also NB: I'm very new to putting this together in Ansible, only a few weeks in, so I might have done things very wrong! Please let me know.
Thanks
In Ubuntu 20.04 Samba Version 4.11.6 is installed. Nevertheless, the mitigation option nt pipe support = no is added to the global part of smb.conf. This results in Windows clients not being able to connect to the shares.
The reason is that Ubuntu has its own naming convention for the version number which is not correctly detected by the mechanism already in place. The following happens on Ubuntu:
$ smbd --version
Version 4.11.6-Ubuntu
Therefore the mechanism to detect the samba version fails to remove all text except the version number. I would propose to replace the shell command in main.yml
smbd --version | sed 's/Version //'
by
smbd --version | sed 's/Version //' | sed 's/-Ubuntu//'
# or even
smbd --version | sed 's/Version //' | sed 's/-.*//'
samba_mitigate_cve_2017_7494, which sets nt pipe support = no, prevents access to IPC$. Therefore, Windows clients cannot browse shares anymore. README should state this behaviour.
The best option might be to ignore samba_mitigate_cve_2017_7494 on patched Samba versions.
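As an added example (not code from the bertvv.samba role), the following POSIX shell functions implement both points raised in the two reports above: a version parser that strips distribution suffixes such as -Ubuntu or -Debian from the smbd --version banner, and a version-based check that tells whether the upstream fix for CVE-2017-7494 (shipped in 4.4.14, 4.5.10 and 4.6.4, and in every later branch) is present, so that nt pipe support = no can be skipped on patched builds. The banners in the demo loop are constructed, not captured from real hosts. A distribution that backports the fix without bumping the version (for example a 4.3.x package) is reported as unpatched by a version-only check, so the package changelog remains the authority in that case.

```shell
#!/bin/sh
# Added example, not part of the bertvv.samba role.
# Normalise `smbd --version` output and decide whether the CVE-2017-7494
# mitigation (nt pipe support = no) is still needed on this build.

# samba_version_from_banner 'Version 4.11.6-Ubuntu'  ->  4.11.6
# Distribution builds append a suffix after the first "-" (-Ubuntu, -Debian,
# -20.el7); everything from that dash on is dropped.
samba_version_from_banner() {
    printf '%s\n' "$1" | sed -e 's/^Version //' -e 's/-.*//'
}

# version_component VERSION N -> the N-th dot-separated component as a plain
# integer (missing component -> 0, trailing non-digits such as "+dfsg" dropped)
version_component() {
    c=$(printf '%s' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//')
    printf '%s' "${c:-0}"
}

# version_ge A B -> exit status 0 when A >= B, comparing major.minor.patch numerically
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(version_component "$1" "$i")
        b=$(version_component "$2" "$i")
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# cve_2017_7494_patched VERSION -> exit status 0 when the upstream fix is included.
# Fixed upstream releases: 4.4.14, 4.5.10, 4.6.4; every later branch carries the fix.
# Caveat: this is a version-only check. A distribution that backports the patch
# without bumping the version (e.g. a 4.3.x package) is reported as unpatched here.
cve_2017_7494_patched() {
    case "$(version_component "$1" 1).$(version_component "$1" 2)" in
        4.4) version_ge "$1" 4.4.14 ;;
        4.5) version_ge "$1" 4.5.10 ;;
        4.6) version_ge "$1" 4.6.4 ;;
        *)   version_ge "$1" 4.7.0 ;;
    esac
}

# Demo over constructed banners (not captured from real hosts)
for banner in 'Version 4.11.6-Ubuntu' 'Version 4.9.5-Debian' 'Version 4.6.3' 'Version 4.4.14'; do
    v=$(samba_version_from_banner "$banner")
    if cve_2017_7494_patched "$v"; then
        echo "$banner -> $v: fix present, 'nt pipe support = no' can be skipped"
    else
        echo "$banner -> $v: apply the mitigation"
    fi
done
```

In the role this maps onto registering the normalised version once and gating the mitigation task on the check, rather than on the raw banner string; the comparison is numeric per component, so 4.11.6 sorts after 4.6.4, which a plain string comparison gets wrong.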
samba_load_homes: yes does not work, but samba_load_homes: 'yes' does.
Also, it's probably better if this becomes a boolean instead of a string...
In CentOS 8 (and almost certainly RHEL 8 as well), libsemanage-python is renamed to python3-libsemanage. As a result, the SELinux package installation fails when executed on a current CentOS system.
The issue could be fixed by updating the line in vars/os_RedHat.yml, no idea how to make it backwards compatible though.
Please use map to guest = never as default (which is the Samba default according to the man page).
If you use map to guest = bad user, one will be asked for credentials when browsing available samba shares from a Windows client. Windows will save those credentials, because they apparently worked (but were actually wrong). The Windows client will never be asked again for those credentials on browsing shares.
For me, it also somehow broke the authentication for a share (although the Windows GUI asked again for a password) because something seems to get messed up in the authentication process then.
Hi,
It would be good to see support for arbitrary configuration options added, OR, the ability to include other files.
As it stands there are lots of samba configuration options which might need a tweak which can't be used because the template overwrites them on every ansible run.
Is this role still maintained?
Maybe it should default to true, but it swallows every error
The service names for Arch Linux are incorrect in roles/samba/vars/os_Archlinux.yml
https://wiki.archlinux.org/title/Samba#Enabling_and_starting_services
TASK [bertvv.samba : Start Samba service(s)] ***********************************
failed: [test] (item=smbd) => {"ansible_loop_var": "item", "changed": false, "item": "smbd", "msg": "Could not find the requested service smbd: host"}
failed: [test] (item=nmbd) => {"ansible_loop_var": "item", "changed": false, "item": "nmbd", "msg": "Could not find the requested service nmbd: host"}
read_only is used in an example (Line 146 in 8126435).
read_only only appears in README: https://github.com/bertvv/ansible-role-samba/search?q=read_only. So does this role support the read_only share option?
Hi,
If I read your code correctly, you can't change the password of an existing Samba user.
Could you please change the role so that a changed password in the Ansible configuration also changes the password of the user?
Cheers,
Thomas
The permissions of samba_shares_root should be set separately. Now, it will take the permissions of the first share being created. If that happens to be a restricted one (e.g. with directory mode 0700), shares are not visible for other users.
As far as I can see, this role doesn't keep previous shares intact.
For example, if the role is called as a dependency of another, it'll wipe out any other shares previously defined.
It can be hard to find out if samba has been configured or shares defined, therefore to keep things clean maybe the onus should be on the user to define if it should do a config reset or just add share info. A flag perhaps?
templates/home-include.conf is copied to /etc/samba/ by using the following variable: samba_home_include: home-include.conf
The config file is not copied from the host to the virtual machine.
samba_homes_include
and change the documentation so that it matches the definition in tasks/main.yml
src: "{{ samba_homes_include }}"
so that this matches the documentation
When the Samba configuration is changed, only the smb
service is notified to be restarted. nmb
should also be restarted. E.g. when you change the netbios name, it is necessary to restart the WinBind service for the new name to be applied.
There is currently no way to restrict shares by host / subnet.
Basic functionality can be accomplished by adding the following to templates/smb.conf.j2. I recommend including it after "force directory mode = {{ share.force_directory_mode|default('0775') }}".
{% if share.allow_hosts is defined %}
allow hosts = {% for entry in share.allow_hosts %}{{ entry }}{% if not loop.last %}, {% endif %}{% endfor %}
{% endif %}
Example Configuration:
samba_shares:
  - name: /srv/shares/test
    write_list: +users
    setype: public_content_rw_t
    allow_hosts:
      - 192.168.1.0/24
      - 172.16.10.0/255.255.255.0
This code is not idempotent
- name: Create Samba users if they don't exist yet
  shell: >
    (pdbedit -L | grep {{ item.name }} 2>&1 > /dev/null) \
    || (echo {{ item.password }}; echo {{ item.password }}) \
    | smbpasswd -s -a {{ item.name }}
  with_items: samba_users
  when: samba_users is defined
  tags: samba
There should be some check if all users in the list exists
- name: Check if user exists
  shell: pdbedit -L | grep -c {{ samba_user }} || true
  register: shell_output
  changed_when: False
but with_items ...
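The substring match is the idempotency problem in the task quoted above: pdbedit -L | grep bob also matches an account named bobby, or a full-name field that happens to contain the string, so the create step is skipped for a user who does not exist (and grep -c has the same weakness). As an added example (not part of the role), these POSIX shell functions do an exact match on the account field of pdbedit -L output, whose name:uid:Full Name line format is assumed here and reproduced in a constructed listing, and compute the list of accounts that still need smbpasswd -a, which is the per-list check the last line asks for.

```shell
#!/bin/sh
# Added example, not part of the bertvv.samba role.
# Exact-match existence check for Samba accounts, so a "create if missing"
# task stays idempotent. `pdbedit -L` is assumed to print one account per
# line as  name:uid:Full Name  (the role's task greps this output).

# samba_user_exists NAME LISTING -> exit 0 when NAME is exactly the account
# field (first colon-separated field) of some line in LISTING
samba_user_exists() {
    printf '%s\n' "$2" | awk -F: -v user="$1" '$1 == user { found = 1 } END { exit !found }'
}

# naive_user_exists NAME LISTING -> the substring test the original task performs
naive_user_exists() {
    printf '%s\n' "$2" | grep -q -- "$1"
}

# users_to_create NAMES LISTING -> prints each name from NAMES (whitespace
# separated) that is absent from LISTING, one per line; only these need
# `smbpasswd -s -a`, which keeps the task's changed status honest
users_to_create() {
    for name in $1; do
        samba_user_exists "$name" "$2" || printf '%s\n' "$name"
    done
}

# Constructed stand-in for `pdbedit -L` output on a host that has no
# account "bob" and no account "alice"
SAMPLE_LISTING='root:0:root
bobby:1001:Bob Smith
carol:1002:Carol (alice@example.com)'

# Demo: the substring check wrongly reports bob and alice as present
for name in bob bobby alice carol; do
    if samba_user_exists "$name" "$SAMPLE_LISTING"; then exact=present; else exact=missing; fi
    if naive_user_exists "$name" "$SAMPLE_LISTING"; then naive=present; else naive=missing; fi
    echo "$name: exact=$exact grep=$naive"
done
echo "accounts still to create: $(users_to_create 'bob bobby alice carol' "$SAMPLE_LISTING" | tr '\n' ' ')"
```

In the role this corresponds to running pdbedit -L once, registering it, and comparing each item.name from samba_users against the first field of the registered lines, instead of grepping the whole listing per user; the password should keep going to smbpasswd on stdin, as the task already does, never as a command-line argument.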
Hi,
How do I get the global setting ntlm auth = yes to be added to the smb.conf file? I need this to deal with logins from some old machines on my LAN. Note that I'm aware that NTLMv1 is broken from a security standpoint but I need it nonetheless.
I tried the templates/global-include.conf trick but the samba role isn't finding the file:
fatal: [ansible-nas]: FAILED! => {"changed": false, "msg": "Could not find or access 'global-include.conf'\nSearched in:\n\t/home/skb/.ansible/roles/bertvv.samba/templates/global-include.conf\n\t/home/skb/.ansible/roles/bertvv.samba/global-include.conf\n\t/home/skb/.ansible/roles/bertvv.samba/tasks/templates/global-include.conf\n\t/home/skb/.ansible/roles/bertvv.samba/tasks/global-include.conf\n\t/home/skb/my-ansible-nas/ansible-nas/templates/global-include.conf\n\t/home/skb/my-ansible-nas/ansible-nas/global-include.conf"}
In my case I'm including a playbook that exists in a sub-directory beneath where I define the samba_global_include: global-include.conf in a master playbook. I include the playbook ansible-nas\nas.yml after defining the above symbol.
The role does engage in a search for the file so I believe it's seeing the symbol definition, but it won't look in the templates directory from the directory of the top-most playbook.
Any insights here?
-Dale
Request a feature that does not create directories or set permissions.
I use ZFS and my permissions and datasets are handled elsewhere.