
genebean-winbind's Introduction


winbind

Table of Contents

  1. Overview
  2. Setup requirements
  3. Beginning with winbind
  4. Limitations
  5. Troubleshooting
  6. License
  7. Contributing

Overview

This module will configure winbind for joining Active Directory and is designed with hiera in mind. It will also, optionally, allow you to configure SMB shares since smb.conf is used for both purposes.

Setup Requirements

The configuration used in this module requires Samba >= 3.6. Bolt is required if you want to use the included task to join machines to your domain.

Beginning with winbind

Usage

This module does not join your machine to AD but does provide you a Puppet task to do so. The reason it is not done during a Puppet run is that we have not found a secure way to do the joins since they require a privileged account and its password. Having said that, below is a recommended method of putting this module to use that limits your manual work to running a single Puppet task with Bolt. The task can join one or many nodes to the domain in a single run.

Recommended setup

  1. Include this module in a suitable default location such as a profile that includes your base settings. An example of this can be seen in examples/winbind.pp.
  2. Add the defaults for your domain to hiera. An example of this can be seen in examples/common.yaml.
  3. Apply the profile to desired nodes.
  4. Run bolt plan run winbind::join_domain domainuser=some-ad-user domainpassword=$ad_password nodes=node1,node2,node3 --user root
  5. Enjoy
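Step 4 passes the domain password as a `domainpassword=` argument, so it is visible in shell history and in the process list for as long as the plan runs. The shell wrapper below is an added example, not part of this module: it reads the password with echo off, stages the same `domainuser`, `domainpassword` and `nodes` parameters in a mode-0600 JSON file and hands that file to Bolt with its `--params @file` form (an assumption about Bolt's CLI, not something this README describes), so the `winbind::join_domain` plan runs unchanged without the password ever appearing in argv.

```shell
#!/bin/sh
# Added example (not part of the genebean-winbind module): stage the
# winbind::join_domain plan parameters in a mode-0600 JSON file so the AD
# password is never an argument of the bolt command. Assumes Bolt accepts
# the parameters file via "--params @file".

# json_escape STRING: escape backslashes and double quotes so the value can
# sit inside a JSON string (single-line values only, as read below).
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_join_params USER NODES [OUTFILE]
# Reads the domain password from stdin (one line), writes the plan
# parameters as JSON to OUTFILE (default: a fresh mktemp file), makes the
# file mode 0600 and prints its path. Fails on an empty password or an empty
# node list instead of staging a join that can only fail.
write_join_params() {
    user=$1
    nodes=$2
    out=${3:-$(mktemp)} || return 1
    IFS= read -r password || return 1
    [ -n "$password" ] && [ -n "$nodes" ] || return 1
    # Create (or truncate) the file under a restrictive umask, then pin the
    # mode explicitly in case OUTFILE already existed with wider permissions.
    ( umask 077 && : > "$out" ) && chmod 0600 "$out" || return 1
    printf '{"domainuser":"%s","domainpassword":"%s","nodes":"%s"}\n' \
        "$(json_escape "$user")" \
        "$(json_escape "$password")" \
        "$(json_escape "$nodes")" > "$out"
    printf '%s\n' "$out"
}

# run_join USER NODES: prompt for the password with echo off, stage the
# parameters, run the plan from the README with "--params @file" instead of
# key=value arguments, and remove the file afterwards whatever the outcome.
run_join() {
    printf 'AD password for %s: ' "$1" >&2
    stty -echo
    IFS= read -r pw
    stty echo
    printf '\n' >&2
    params=$(printf '%s\n' "$pw" | write_join_params "$1" "$2") || return 1
    bolt plan run winbind::join_domain --params "@$params" --user root
    status=$?
    rm -f "$params"
    return "$status"
}

# Usage (interactive, needs bolt on PATH):
#   run_join some-ad-user node1,node2,node3
```

The password only travels through a pipe and a file that is removed as soon as Bolt returns; `json_escape` covers the two characters that would break the JSON string, and anything more exotic in the password should be avoided rather than escaped.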

Alternate joinDomain.sh templates

This module contains scripts for joining machines in the Red Hat and SUSE families to a domain. If you would rather use your own scripts, be sure to add winbind::manage_joindomain_script: false to your common.yaml file. If, on the other hand, you simply find that the scripts here could be improved or expanded, please send us a pull request on GitHub.

Configuring SMB shares

The settings above will get you on a domain. If you want to supplement those with one or more SMB shares you will need the following additional configuration settings:

  1. Add winbind::enable_sharing : true to your node's file in hiera

  2. Create a share by either placing files with the needed settings in /etc/samba/smb.conf.d/ OR by using a hash. Using a hash is the recommended method.

    If you choose to use files, their names will need to be listed in an array as part of winbind::smb_includes_files.

    If you choose to use a hash, you can either put it in a manifest like so:

    $my_smb_settings_hash = {
      'share1' => {
        'path'      => '/tmp',
        'browsable' => 'yes',
        'read only' => 'yes'
      },
      'share2' => {
        'path'      => '/mnt',
        'browsable' => 'no',
        'read only' => 'yes'
      },
    }
    
    class { winbind:
      enable_sharing    => true,
      smb_settings_hash => $my_smb_settings_hash,
    }

    Or if you choose to use hiera the same hash would look like this:

    ---
    winbind::smb_settings_hash:
      share1:
        path      : '/tmp'
        browsable : 'yes'
        read only : 'yes'
      share2:
        path      : '/mnt'
        browsable : 'no'
        read only : 'yes'

Parameters

There is a parameter that corresponds directly to each setting in the four configuration files that get edited by this module. Each is prefixed so that you know which file it affects:

  • pam = /etc/security/pam_winbind.conf
  • smb = /etc/samba/smb.conf
  • krb5 = /etc/krb5.conf
  • oddjobd = /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf

The full list of parameters is at the top of the init.pp file. A fully functional setup should be attainable by providing values for the following three parameters:

pam_require_membership_of

If set, this limits who can log in via winbind.

smb_workgroup

This is the short name of your domain.

smb_realm

This is the long name of your domain. It is also used in krb5.conf for the realms and domain_realm settings.

Additional Parameters

manage_joindomain_script

Allows disabling the management of /root/joinDomain.sh. Defaults to true.

manage_messagebus_service

Allows disabling the management of the messagebus service. Defaults to true.

manage_oddjob_service

Allows disabling the management of the oddjobd service. Defaults to true.

package_ensure

Defines the ensure setting passed to all managed packages. Defaults to present.

Limitations

This module has only been tested on Red Hat 5, CentOS 6 & 7, and SLES 11 & 12.

Troubleshooting

On RHEL 5 we found that joining was difficult unless exactly the right entries were in /etc/hosts. In particular, I got errors saying that my DNS name had to match the domain I was joining. I resolved this by adding a host entry like this:

# this should all be on a single line
127.0.0.1 server.example.com server.ad.example.com server localhost
localhost.localdomain  localhost4 localhost4.localdomain4

This entry is maintained via a host resource defined elsewhere in my Puppet setup.
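As an added example that is not part of this module, the POSIX shell functions below check the two conditions the troubleshooting note turns on before a join is attempted: that the machine's FQDN sits inside the realm being joined, and that the FQDN appears as a name on a line of /etc/hosts-style content. The sample hosts text, hostname and realm are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the genebean-winbind module: sanity-check the
# name setup described in the Troubleshooting section before running the
# join. The realm, hostname and hosts-file text below are constructed data.

# fqdn_matches_realm FQDN REALM: succeed when the host's DNS domain is the
# realm (case-insensitive), e.g. server.ad.example.com vs AD.EXAMPLE.COM.
fqdn_matches_realm() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $fqdn in
        *."$realm") return 0 ;;
        *)          return 1 ;;
    esac
}

# hosts_has_name HOSTS_TEXT NAME: succeed when NAME appears as a hostname or
# alias on a non-comment line of /etc/hosts-style text. Whole-field match,
# so "server" does not match "server.example.com", and trailing "# ..."
# comments are stripped before the fields are examined.
hosts_has_name() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# check_join_prereqs FQDN REALM HOSTS_TEXT: run both checks and report each
# result on stdout. Returns 0 only when both pass.
check_join_prereqs() {
    ok=0
    if fqdn_matches_realm "$1" "$2"; then
        echo "ok: $1 is in realm $2"
    else
        echo "fail: $1 is not in realm $2"
        ok=1
    fi
    if hosts_has_name "$3" "$1"; then
        echo "ok: $1 is present in the hosts file"
    else
        echo "fail: $1 is missing from the hosts file"
        ok=1
    fi
    return "$ok"
}

# Constructed sample: the single-line entry from the Troubleshooting section.
SAMPLE_HOSTS='# constructed example, not a real hosts file
127.0.0.1 server.example.com server.ad.example.com server localhost localhost.localdomain localhost4 localhost4.localdomain4'

# Usage against the live system:
#   check_join_prereqs "$(hostname -f)" AD.EXAMPLE.COM "$(cat /etc/hosts)"
```

Running the check against the real machine means passing `hostname -f` and the contents of /etc/hosts as in the usage comment; a `fail:` line on the realm check is the symptom the troubleshooting note describes, and the hosts-file check confirms the Puppet-managed entry has actually landed.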

License

This is released under the New BSD / BSD-3-Clause license. A copy of the license can be found in the root of the module.

Contributing

Pull requests are welcome!

Contributors

  • Adam Stephens (@adamcstephens) - Added support for toggling service management and overriding the package ensure setting
  • Jake Spain (@thespain) - Added support for SLES 11 & 12


genebean-winbind's Issues

Remove comment 'server string'

genebean-winbind/templates/smb.conf.erb

syslog = <%= @smb_syslog %>
; server string = <%= @smb_server_string %>
security = <%= @smb_security %>

PULL : #20

Allow Users To Specify Packages by Configuration

First, thanks. This is a solid module.

I am making an extension wrapper for this module. One area I am having to override is the install.pp. There are two things I would like to see addressed.

We prefer to install well-versioned packages. This module has the packages hard-coded in install.pp, without version information. I would rather the install class take variables. We can then pass in versioned packages.

The difference in "yum speak" would be
yum install samba-winbind-clients-4.7.1-6.el7.x86_64
instead of
yum install samba-winbind-clients.

We also want to install some krb packages as part of this module. We can add our own install.pp. Or you could allow packages to be passed into the install class as an array parameter.

Default config definition in another yaml

If I have the following hiera structure:

---
# hiera.yaml

:backends:
  - yaml

:yaml:
  :datadir: /

:hierarchy:
  - vagrant/puppet/hiera/common
  - vagrant/puppet/hiera/another

Then, define the following another.yaml:

winbind::pam_require_membership_of :
  - 'mymembership'
winbind::smb_realm                 : 'AD.DIFFERENT.COM'
winbind::smb_workgroup             : 'AD2'

It appears the module will ignore the custom setting, and proceed with the following, since it was not set in the default common.yaml:

  • smb_realm to AD.EXAMPLE.COM
  • smb_workgroup to AD
  • pam_require_membership_of:
    • 'sysadmins'
    • 'iso-scans'

If I move the configuration from another.yaml to common.yaml, it will be properly configured.

Example how to implement 'genebean-winbind'

Can the README.md provide examples how to implement this module:

  • command line
    • does the usage section imply that everything the module offers can be run in the command line, or just the Joining to AD portion?
  • hiera
    • how does the hiera file get included into a manifest implementing this module?
  • manifest
    • how can a manifest implement this module (if not through hiera)?

Rework README

I'm not happy with the flow of the readme as it stands today. This issue is to track work related to refactoring it into something I'm happier with. Step 1 is likely going to be pulling some of the sample code out and creating sample manifests under examples and then just referencing them.

Change package_ensure Default

I think we should consider changing the default value for the package_ensure parameter from latest to present. We experienced an issue that broke AD authentication for all RedHat 7 servers last night.

Apparently, when Puppet ensured samba-winbind from version 4.4 to 4.6 it required some modules/libraries from the latest kerberos packages, which are not hard dependencies because Kerberos can be used in conjunction with samba-winbind, but is not necessarily required. If the packages had all updated at the same time, then there would have been no interruption. I think it would be best to change the default to prevent this from happening in the future.

Just FYI, the authentication broke without the winbind service being restarted, but this is the error message I receive after attempting to manually restart the service after just the samba-winbind package was updated:

/usr/sbin/winbindd: relocation error: /usr/lib64/samba/libgse-samba4.so: symbol krb5_get_init_creds_opt_set_pac_request, version krb5_3_MIT not defined in file libkrb5.so.3 with link time reference

Question: confirm and possibly update 'README.md'

I applied your module to a local vagrant instance for testing, using the following structure:

  • puppet
    • hiera
      • common.yaml
    • hiera.yaml
    • manifests
      • site.pp
    • modules
      • test_module
        • manifests
          • init.pp
        • templates
          • joindomainForRedHat.erb

# init.pp

# baseline stuff
class test {
  # Used on selected OS only
  case $::kernel {
    'Linux'   : {
      include ::winbind

      $joindomain = $::osfamily ? {
        'RedHat' => template('test_module/joindomain_rhel.erb'),
        'Suse'   => template('test_module/joindomain_rhel.erb'),
        default  => template('test_module/joindomain_rhel.erb'),
      }

      file { '/root/joinDomain.sh':
        ensure  => present,
        mode    => '0755',
        # template output is file content, not a source URI
        content => dos2unix($joindomain),
      }

    } # end Linux

    'Windows' : {
    }

    default : {
      fail("${::operatingsystem} is not supported.")
    }

  } # end case $::kernel
}

# joindomainForRedHat.erb

#!/bin/bash
### This file is auto generated by Puppet ###
### Manual changes will be overwritten    ###

username=$1

if [ "$#" -ne 1 ]; then
  echo "Usage: $0 username"
  echo "Replace username with an account that can join this machine to the domain"
  exit 1
fi

# join domain with the name provided
net ads join -U "$username"
authconfig --enablemkhomedir --enablewinbind --enablewinbindauth --update

## site.pp: install winbind
include test_module

---
# hiera.yaml

:backends:
  - yaml

:yaml:
  :datadir: /

:hierarchy:
  - vagrant/puppet/hiera/common

---
# common.yaml
...

winbind::pam_require_membership_of :
  - 'sysadmins'
  - 'iso-scans'
winbind::smb_realm                 : 'AD.EXAMPLE.COM'
winbind::smb_workgroup             : 'AD'

We get the following traceback upon a corresponding puppet apply:

[root@localhost manifests]# puppet apply --modulepath=/vagrant/puppet/modules --confdir=/vagrant/puppet site.pp
Warning: Setting configtimeout is deprecated.
   (at /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1142:in `issue_deprecation_warning')
Notice: Compiled catalog for localhost.localdomain in environment production in 0.80 seconds
Notice: /Stage[main]/Winbind::Install/Package[samba-winbind-clients]/ensure: created
Notice: /Stage[main]/Winbind::Install/Package[oddjob-mkhomedir]/ensure: created
Notice: /Stage[main]/Winbind::Config/File[/etc/krb5.conf]/content:
--- /etc/krb5.conf      2015-11-19 17:52:27.000000000 -0500
+++ /tmp/puppet-file20160920-17167-13p01w3      2016-09-20 12:55:07.036475022 -0400
@@ -1,23 +1,26 @@
-[logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
-
-[libdefaults]
- dns_lookup_realm = false
- ticket_lifetime = 24h
- renew_lifetime = 7d
- forwardable = true
- rdns = false
-# default_realm = EXAMPLE.COM
- default_ccache_name = KEYRING:persistent:%{uid}
-
-[realms]
-# EXAMPLE.COM = {
-#  kdc = kerberos.example.com
-#  admin_server = kerberos.example.com
-# }
-
-[domain_realm]
-# .example.com = EXAMPLE.COM
-# example.com = EXAMPLE.COM
+###################################
+#
+# This file is managed by Puppet
+#
+###################################
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = AD.EXAMPLE.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = true
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+[realms]
+AD.EXAMPLE.COM = {
+ }
+
+[domain_realm]
+ .ad.example.com = AD.EXAMPLE.COM
+ ad.example.com = AD.EXAMPLE.COM
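
Review bot: the generated `[realms]` block is `+AD.EXAMPLE.COM = {` / `+ }` with no `kdc` or `admin_server`, so KDC discovery rests entirely on `+ dns_lookup_kdc = true` and the domain's SRV records; that is a reasonable choice for an AD member but deserves a sentence in the README next to smb_realm. The rewrite also drops the distribution's `- rdns = false` from `[libdefaults]`, which falls back to the library default of canonicalising hostnames through reverse DNS when building service principal names; carrying that line over (or exposing it as a krb5_ parameter like the others) keeps the join from depending on correct PTR records.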

Notice: /Stage[main]/Winbind::Config/File[/etc/krb5.conf]/content: content changed '{md5}d7e5940125441e499a87525c60410b1b' to '{md5}af09dbbaa254bbde7f9d7c1fcab45f2f'
Notice: /Stage[main]/Winbind::Config/File[/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf]/content:
--- /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf  2013-07-30 17:22:23.000000000 -0400
+++ /tmp/puppet-file20160920-17167-14mk9ne      2016-09-20 12:55:07.095504522 -0400
@@ -1,46 +1,52 @@
-<?xml version="1.0"?>
-
-<!-- This configuration file snippet controls the oddjob daemon.  It
-     provides access to mkhomedir functionality via a service named
-     "com.redhat.oddjob_mkhomedir", which exposes a single object
-     ("/").
-     The object allows the root user to call any of the standard D-Bus
-     introspection interface's methods (these are implemented by
-     oddjobd itself), and also defines an interface named
-     "com.redhat.oddjob_mkhomedir", which provides two methods.  -->
-
-<oddjobconfig>
-
-  <service name="com.redhat.oddjob_mkhomedir">
-
-    <object name="/">
-
-      <interface name="org.freedesktop.DBus.Introspectable">
-
-        <allow min_uid="0" max_uid="0"/>
-        <!-- <method name="Introspect"/> -->
-
-      </interface>
-
-      <interface name="com.redhat.oddjob_mkhomedir">
-
-        <method name="mkmyhomedir">
-          <helper exec="/usr/libexec/oddjob/mkhomedir"
-                  arguments="0"
-                  prepend_user_name="yes"/>
-          <!-- no acl entries -> not allowed for anyone -->
-        </method>
-
-        <method name="mkhomedirfor">
-          <helper exec="/usr/libexec/oddjob/mkhomedir"
-                  arguments="1"/>
-          <allow user="root"/>
-        </method>
-
-      </interface>
-
-    </object>
-
-  </service>
-
-</oddjobconfig>
+<?xml version="1.0"?>
+
+<!-- ###################################
+     #
+     # This file is managed by Puppet
+     #
+     ###################################  -->
+
+<!-- This configuration file snippet controls the oddjob daemon.  It
+     provides access to mkhomedir functionality via a service named
+     "com.redhat.oddjob_mkhomedir", which exposes a single object
+     ("/").
+     The object allows the root user to call any of the standard D-Bus
+     introspection interface's methods (these are implemented by
+     oddjobd itself), and also defines an interface named
+     "com.redhat.oddjob_mkhomedir", which provides two methods.  -->
+
+<oddjobconfig>
+
+  <service name="com.redhat.oddjob_mkhomedir">
+
+    <object name="/">
+
+      <interface name="org.freedesktop.DBus.Introspectable">
+
+        <allow min_uid="0" max_uid="0"/>
+        <!-- <method name="Introspect"/> -->
+
+      </interface>
+
+      <interface name="com.redhat.oddjob_mkhomedir">
+
+        <method name="mkmyhomedir">
+          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0077"
+                  arguments="0"
+                  prepend_user_name="yes"/>
+          <!-- no acl entries -> not allowed for anyone -->
+        </method>
+
+        <method name="mkhomedirfor">
+          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0077"
+                  arguments="1"/>
+          <allow user="root"/>
+        </method>
+
+      </interface>
+
+    </object>
+
+  </service>
+
+</oddjobconfig>
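
Review bot: the only functional change in this hunk is `-u 0077` appended to both helper lines (`+          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0077"`), which creates new home directories under a 077 umask; the D-Bus ACL (`<allow user="root"/>` on `mkhomedirfor`, no entries on `mkmyhomedir`) is unchanged. The README lists oddjobd-mkhomedir.conf among the managed files but never mentions this umask, and it is worth documenting because it decides the permissions every AD user's fresh home directory gets.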

Notice: /Stage[main]/Winbind::Config/File[/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf]/content: content changed '{md5}6f9831bca6dbc861e070bf43fcf78f14' to '{md5}0cdd14d1427ce995c6b73d0f7947e499'
Notice: /Stage[main]/Winbind::Config/File[/etc/samba/smb.conf]/content:
--- /etc/samba/smb.conf 2016-07-26 06:37:47.000000000 -0400
+++ /tmp/puppet-file20160920-17167-60pfgu       2016-09-20 12:55:07.115514522 -0400
@@ -1,320 +1,30 @@
-# This is the main Samba configuration file. For detailed information about the
-# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
-# number of configurable options, most of which are not shown in this example.
-#
-# The Official Samba 3.2.x HOWTO and Reference Guide contains step-by-step
-# guides for installing, configuring, and using Samba:
-# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
-#
-# The Samba-3 by Example guide has working examples for smb.conf. This guide is
-# generated daily: http://www.samba.org/samba/docs/Samba-Guide.pdf
-#
-# In this file, lines starting with a semicolon (;) or a hash (#) are
-# comments and are ignored. This file uses hashes to denote commentary and
-# semicolons for parts of the file you may wish to configure.
-#
-# Note: Run the "testparm" command after modifying this file to check for basic
-# syntax errors.
-#
-#---------------
-# Security-Enhanced Linux (SELinux) Notes:
-#
-# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
-# and groupadd family of binaries. Run the following command as the root user to
-# turn this Boolean on:
-# setsebool -P samba_domain_controller on
-#
-# Turn the samba_enable_home_dirs Boolean on if you want to share home
-# directories via Samba. Run the following command as the root user to turn this
-# Boolean on:
-# setsebool -P samba_enable_home_dirs on
-#
-# If you create a new directory, such as a new top-level directory, label it
-# with samba_share_t so that SELinux allows Samba to read and write to it. Do
-# not label system directories, such as /etc/ and /home/, with samba_share_t, as
-# such directories should already have an SELinux label.
-#
-# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
-# label for a given directory.
-#
-# Set SELinux labels only on files and directories you have created. Use the
-# chcon command to temporarily change a label:
-# chcon -t samba_share_t /path/to/directory
-#
-# Changes made via chcon are lost when the file system is relabeled or commands
-# such as restorecon are run.
-#
-# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
-# directories. To share such directories and only allow read-only permissions:
-# setsebool -P samba_export_all_ro on
-# To share such directories and allow read and write permissions:
-# setsebool -P samba_export_all_rw on
-#
-# To run scripts (preexec/root prexec/print command/...), copy them to the
-# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
-# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
-# their existing SELinux labels, which may be labels that SELinux does not allow
-# smbd to run. Copying the scripts will result in the correct SELinux labels.
-# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
-# apply the correct SELinux labels to these files.
-#
-#--------------
-#
-#======================= Global Settings =====================================
-
-[global]
-
-# ----------------------- Network-Related Options -------------------------
-#
-# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
-#
-# server string = the equivalent of the Windows NT Description field.
-#
-# netbios name = used to specify a server name that is not tied to the hostname.
-#
-# interfaces = used to configure Samba to listen on multiple network interfaces.
-# If you have multiple interfaces, you can use the "interfaces =" option to
-# configure which of those interfaces Samba listens on. Never omit the localhost
-# interface (lo).
-#
-# hosts allow = the hosts allowed to connect. This option can also be used on a
-# per-share basis.
-#
-# hosts deny = the hosts not allowed to connect. This option can also be used on
-# a per-share basis.
-#
-# max protocol = used to define the supported protocol. The default is NT1. You
-# can set it to SMB2 if you want experimental SMB2 support.
-#
-       workgroup = MYGROUP
-       server string = Samba Server Version %v
-
-;      netbios name = MYSERVER
-
-;      interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
-;      hosts allow = 127. 192.168.12. 192.168.13.
-
-;      max protocol = SMB2
-
-# --------------------------- Logging Options -----------------------------
-#
-# log file = specify where log files are written to and how they are split.
-#
-# max log size = specify the maximum size log files are allowed to reach. Log
-# files are rotated when they reach the size specified with "max log size".
-#
-
-       # log files split per-machine:
-       log file = /var/log/samba/log.%m
-       # maximum size of 50KB per log file, then rotate:
-       max log size = 50
-
-# ----------------------- Standalone Server Options ------------------------
-#
-# security = the mode Samba runs in. This can be set to user, share
-# (deprecated), or server (deprecated).
-#
-# passdb backend = the backend used to store user information in. New
-# installations should use either tdbsam or ldapsam. No additional configuration
-# is required for tdbsam. The "smbpasswd" utility is available for backwards
-# compatibility.
-#
-
-       security = user
-       passdb backend = tdbsam
-
-
-# ----------------------- Domain Members Options ------------------------
-#
-# security = must be set to domain or ads.
-#
-# passdb backend = the backend used to store user information in. New
-# installations should use either tdbsam or ldapsam. No additional configuration
-# is required for tdbsam. The "smbpasswd" utility is available for backwards
-# compatibility.
-#
-# realm = only use the realm option when the "security = ads" option is set.
-# The realm option specifies the Active Directory realm the host is a part of.
-#
-# password server = only use this option when the "security = server"
-# option is set, or if you cannot use DNS to locate a Domain Controller. The
-# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
-#
-# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
-#
-# Use "password server = *" to automatically locate Domain Controllers.
-
-;      security = domain
-;      passdb backend = tdbsam
-;      realm = MY_REALM
-
-;      password server = <NT-Server-Name>
-
-# ----------------------- Domain Controller Options ------------------------
-#
-# security = must be set to user for domain controllers.
-#
-# passdb backend = the backend used to store user information in. New
-# installations should use either tdbsam or ldapsam. No additional configuration
-# is required for tdbsam. The "smbpasswd" utility is available for backwards
-# compatibility.
-#
-# domain master = specifies Samba to be the Domain Master Browser, allowing
-# Samba to collate browse lists between subnets. Do not use the "domain master"
-# option if you already have a Windows NT domain controller performing this task.
-#
-# domain logons = allows Samba to provide a network logon service for Windows
-# workstations.
-#
-# logon script = specifies a script to run at login time on the client. These
-# scripts must be provided in a share named NETLOGON.
-#
-# logon path = specifies (with a UNC path) where user profiles are stored.
-#
-#
-;      security = user
-;      passdb backend = tdbsam
-
-;      domain master = yes
-;      domain logons = yes
-
-       # the following login script name is determined by the machine name
-       # (%m):
-;      logon script = %m.bat
-       # the following login script name is determined by the UNIX user used:
-;      logon script = %u.bat
-;      logon path = \\%L\Profiles\%u
-       # use an empty path to disable profile support:
-;      logon path =
-
-       # various scripts can be used on a domain controller or a stand-alone
-       # machine to add or delete corresponding UNIX accounts:
-
-;      add user script = /usr/sbin/useradd "%u" -n -g users
-;      add group script = /usr/sbin/groupadd "%g"
-;      add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
-;      delete user script = /usr/sbin/userdel "%u"
-;      delete user from group script = /usr/sbin/userdel "%u" "%g"
-;      delete group script = /usr/sbin/groupdel "%g"
-
-
-# ----------------------- Browser Control Options ----------------------------
-#
-# local master = when set to no, Samba does not become the master browser on
-# your network. When set to yes, normal election rules apply.
-#
-# os level = determines the precedence the server has in master browser
-# elections. The default value should be reasonable.
-#
-# preferred master = when set to yes, Samba forces a local browser election at
-# start up (and gives itself a slightly higher chance of winning the election).
-#
-;      local master = no
-;      os level = 33
-;      preferred master = yes
-
-#----------------------------- Name Resolution -------------------------------
-#
-# This section details the support for the Windows Internet Name Service (WINS).
-#
-# Note: Samba can be either a WINS server or a WINS client, but not both.
-#
-# wins support = when set to yes, the NMBD component of Samba enables its WINS
-# server.
-#
-# wins server = tells the NMBD component of Samba to be a WINS client.
-#
-# wins proxy = when set to yes, Samba answers name resolution queries on behalf
-# of a non WINS capable client. For this to work, there must be at least one
-# WINS server on the network. The default is no.
-#
-# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
-# nslookups.
-
-;      wins support = yes
-;      wins server = w.x.y.z
-;      wins proxy = yes
-
-;      dns proxy = yes
-
-# --------------------------- Printing Options -----------------------------
-#
-# The options in this section allow you to configure a non-default printing
-# system.
-#
-# load printers = when set you yes, the list of printers is automatically
-# loaded, rather than setting them up individually.
-#
-# cups options = allows you to pass options to the CUPS library. Setting this
-# option to raw, for example, allows you to use drivers on your Windows clients.
-#
-# printcap name = used to specify an alternative printcap file.
-#
-
-       load printers = yes
-       cups options = raw
-
-;      printcap name = /etc/printcap
-       # obtain a list of printers automatically on UNIX System V systems:
-;      printcap name = lpstat
-;      printing = cups
-
-# --------------------------- File System Options ---------------------------
-#
-# The options in this section can be un-commented if the file system supports
-# extended attributes, and those attributes are enabled (usually via the
-# "user_xattr" mount option). These options allow the administrator to specify
-# that DOS attributes are stored in extended attributes and also make sure that
-# Samba does not change the permission bits.
-#
-# Note: These options can be used on a per-share basis. Setting them globally
-# (in the [global] section) makes them the default for all shares.
-
-;      map archive = no
-;      map hidden = no
-;      map read only = no
-;      map system = no
-;      store dos attributes = yes
-
-
-#============================ Share Definitions ==============================
-
-[homes]
-       comment = Home Directories
-       browseable = no
-       writable = yes
-;      valid users = %S
-;      valid users = MYDOMAIN\%S
-
-[printers]
-       comment = All Printers
-       path = /var/spool/samba
-       browseable = no
-       guest ok = no
-       writable = no
-       printable = yes
-
-# Un-comment the following and create the netlogon directory for Domain Logons:
-;      [netlogon]
-;      comment = Network Logon Service
-;      path = /var/lib/samba/netlogon
-;      guest ok = yes
-;      writable = no
-;      share modes = no
-
-# Un-comment the following to provide a specific roving profile share.
-# The default is to use the user's home directory:
-;      [Profiles]
-;      path = /var/lib/samba/profiles
-;      browseable = no
-;      guest ok = yes
-
-# A publicly accessible directory that is read only, except for users in the
-# "staff" group (which have write permissions):
-;      [public]
-;      comment = Public Stuff
-;      path = /home/samba
-;      public = yes
-;      writable = yes
-;      printable = no
-;      write list = +staff
+###################################
+#
+# This file is managed by Puppet
+#
+###################################
+
+[global]
+  workgroup                      = AD
+  realm                          = AD.EXAMPLE.COM
+  encrypt passwords              = yes
+  log level                      = 0
+  syslog                         = 0
+;  server string                 = localhost
+  security                       = ads
+  log file                       = /var/log/samba/%m
+  max log size                   = 0
+  printcap name                  = cups
+  printing                       = cups
+  winbind enum users             = no
+  winbind enum groups            = no
+  winbind use default domain     = true
+  winbind nss info               = rfc2307
+  winbind normalize names        = no
+  winbind offline logon          = true
+  winbind separator              = +
+  template homedir               = /home/%D/%U
+  template shell                 = /bin/bash
+  idmap config *:backend         = autorid
+  idmap config *:range           = 1000000-19999999
+  idmap config *:rangesize       = 1000000
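
Review bot: `+  log level                      = 0` together with `+  max log size                   = 0` leaves smbd and winbindd at minimum logging with no size-based rotation; when a join fails as in the run below, temporarily raising `log level` and reading the winbindd log under /var/log/samba/ is the usual way to see why the service refused to start, so the README's troubleshooting section could point there. The template also emits `+;  server string                 = localhost`, i.e. the commented-out line the 'Remove comment server string' issue above is about.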

Notice: /Stage[main]/Winbind::Config/File[/etc/samba/smb.conf]/content: content changed '{md5}992caf5c7536cadd27b0882f2360c039' to '{md5}d32ea16a677f73951771647b2a449a74'
Notice: /Stage[main]/Winbind::Config/File[/etc/security/pam_winbind.conf]/content:
--- /etc/security/pam_winbind.conf      2016-07-26 06:37:47.000000000 -0400
+++ /tmp/puppet-file20160920-17167-xxvor2       2016-09-20 12:55:07.140527022 -0400
@@ -1,38 +1,44 @@
-#
-# pam_winbind configuration file
-#
-# /etc/security/pam_winbind.conf
-#
-
-[global]
-
-# turn on debugging
-;debug = no
-
-# turn on extended PAM state debugging
-;debug_state = no
-
-# request a cached login if possible
-# (needs "winbind offline logon = yes" in smb.conf)
-;cached_login = no
-
-# authenticate using kerberos
-;krb5_auth = no
-
-# when using kerberos, request a "FILE" krb5 credential cache type
-# (leave empty to just do krb5 authentication but not have a ticket
-# afterwards)
-;krb5_ccache_type =
-
-# make successful authentication dependend on membership of one SID
-# (can also take a name)
-;require_membership_of =
-
-# password expiry warning period in days
-;warn_pwd_expire = 14
-
-# omit pam conversations
-;silent = no
-
-# create homedirectory on the fly
-;mkhomedir = no
+###################################
+#
+# This file is managed by Puppet
+#
+###################################
+#
+# pam_winbind configuration file
+#
+# /etc/security/pam_winbind.conf
+#
+
+[global]
+
+# turn on debugging
+debug = no
+
+# turn on extended PAM state debugging
+debug_state = no
+
+# request a cached login if possible
+# (needs "winbind offline logon = yes" in smb.conf)
+cached_login = yes
+
+# authenticate using kerberos
+krb5_auth = no
+
+# when using kerberos, request a "FILE" krb5 credential cache type
+# (leave empty to just do krb5 authentication but not have a ticket
+# afterwards)
+krb5_ccache_type =
+
+# make successful authentication dependend on membership of one SID
+# (can also take a name)
+# Find SID with wbinfo -n groupname
+require_membership_of = sysadmins,iso-scans
+
+# password expiry warning period in days
+warn_pwd_expire = 14
+
+# omit pam conversations
+silent = no
+
+# create homedirectory on the fly
+mkhomedir = no
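Review bot: `cached_login` changes from the commented default `;cached_login = no` to `cached_login = yes`, and the comment directly above it says this needs `winbind offline logon = yes` in smb.conf; the smb.conf lines visible at the top of this log do not show that setting, so confirm it is present before restarting winbind, otherwise the cached-login option is requested but cannot take effect. Also, the added comment `# Find SID with wbinfo -n groupname` sits above `require_membership_of = sysadmins,iso-scans`, which lists group names rather than SIDs; the original comment already says the setting "can also take a name", so the new comment reads as if a SID were required. Minor: the template carries over the upstream typo "dependend" in the `require_membership_of` comment.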

Notice: /Stage[main]/Winbind::Config/File[/etc/security/pam_winbind.conf]/content: content changed '{md5}f7526e3a2d6cbf8ee531cf8ae11bf294' to '{md5}6f30f9a2070b0f8bda7e6bdd7b6dc9e9'
Error: Could not start Service[winbind]: Execution of '/bin/systemctl start winbind.service' returned 1: Job for winbind.service failed because the control process exited with error code. See "systemctl status winbind.service" and "journalctl -xe" for details.
Error: /Stage[main]/Winbind::Service/Service[winbind]/ensure: change from stopped to running failed: Could not start Service[winbind]: Execution of '/bin/systemctl start winbind.service' returned 1: Job for winbind.service failed because the control process exited with error code. See "systemctl status winbind.service" and "journalctl -xe" for details.
Notice: /Stage[main]/Winbind::Service/Service[winbind]: Triggered 'refresh' from 4 events
Notice: /Stage[main]/Winbind::Service/Service[oddjobd]/ensure: ensure changed 'stopped' to 'running'
Notice: /Stage[main]/Winbind/Anchor[::winbind::end]: Dependency Service[winbind] has failures: true
Warning: /Stage[main]/Winbind/Anchor[::winbind::end]: Skipping because of failed dependencies
Notice: /Stage[main]/Nccoe_winbind/File[/root/joindomainForRedHat.sh]/ensure: defined content as '{md5}4dabbd469ec20afa1261813f7a9004b5'
Notice: Applied catalog in 8.68 seconds

Do I now perform the following suggested steps:

Join domain using script in root's home directory
Rerun puppet
Enjoy


Do the usage commands reflect the "Join domain using script in root's home directory" step:

net ads join -U yourADuserName
authconfig --enablemkhomedir --enablewinbind --enablewinbindauth --update

Once the above traceback is corrected, and I've joined the domain, should I reimplement puppet apply --modulepath=/vagrant/puppet/modules --confdir=/vagrant/puppet site.pp, for the Rerun puppet portion? Also, once my understanding of the above is cemented in, do you mind if I submit a pull request to update the README.md? I can tailor the language, and code snippet example(s) to your wish.
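The pam_winbind.conf diff in the log above flips cached_login to yes, and its own comment says that only works when smb.conf sets "winbind offline logon = yes". Below is an added shell example, not part of the winbind module, the project, or this issue thread, that reads both files and flags that mismatch (plus an empty require_membership_of) before you restart winbind or rerun puppet. The file paths under /tmp and the sample file contents are constructed for the example; on a real host the files are /etc/security/pam_winbind.conf and /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example: consistency check between pam_winbind.conf and smb.conf.
# Not code from the winbind module; paths and sample contents are constructed.

TMP="${TMPDIR:-/tmp}"
PAM_SAMPLE="$TMP/example_pam_winbind.conf"
SMB_OK="$TMP/example_smb_ok.conf"
SMB_MISSING="$TMP/example_smb_missing.conf"

# get_setting FILE KEY
# Prints the value of the first active "KEY = value" line in FILE.
# Lines starting with ';' or '#' are comments in both file formats and
# never match, so ";cached_login = no" is correctly ignored.
get_setting() {
    sed -n -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 \
        | sed -e 's/[[:space:]]*$//'
}

# check_winbind_conf PAM_CONF SMB_CONF
# Returns 0 when the two files agree, 1 when cached_login = yes is requested
# without the smb.conf setting it depends on.
check_winbind_conf() {
    pam="$1"
    smb="$2"
    rc=0

    cached=$(get_setting "$pam" cached_login)
    offline=$(get_setting "$smb" "winbind offline logon")
    if [ "$cached" = "yes" ] && [ "$offline" != "yes" ]; then
        echo "WARN: cached_login = yes in $pam but 'winbind offline logon = yes' is missing from $smb"
        rc=1
    fi

    # An empty require_membership_of means every domain account that can
    # authenticate is allowed through PAM; worth knowing before enabling logins.
    members=$(get_setting "$pam" require_membership_of)
    if [ -z "$members" ]; then
        echo "INFO: require_membership_of is empty in $pam (no group restriction)"
    else
        echo "INFO: logins restricted to: $members"
    fi

    return $rc
}

# write_samples
# Constructed sample files mirroring the shape of the diff in the log.
write_samples() {
    cat > "$PAM_SAMPLE" <<'EOF'
[global]
# request a cached login if possible
;cached_login = no
cached_login = yes
require_membership_of = sysadmins,iso-scans
EOF
    cat > "$SMB_MISSING" <<'EOF'
[global]
  security                       = ads
  idmap config *:backend         = autorid
EOF
    cat > "$SMB_OK" <<'EOF'
[global]
  security                       = ads
  winbind offline logon          = yes
  idmap config *:backend         = autorid
EOF
}

write_samples
check_winbind_conf "$PAM_SAMPLE" "$SMB_OK" && echo "OK: pam_winbind.conf and smb.conf agree"
check_winbind_conf "$PAM_SAMPLE" "$SMB_MISSING" || echo "FAIL: fix smb.conf before restarting winbind"
```

Run it as-is to see both outcomes on the constructed samples; to check a real host, call check_winbind_conf /etc/security/pam_winbind.conf /etc/samba/smb.conf instead of the sample paths.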
