update samba config

7 files changed, 64 insertions, 233 deletions

diff --git a/clarkzjw.ca/config/atlas/README.md b/clarkzjw.ca/config/atlas/README.md
index 37e39b3..55f8989 100644
--- a/clarkzjw.ca/config/atlas/README.md
+++ b/clarkzjw.ca/config/atlas/README.md
@@ -29,5 +29,6 @@ zpool export pool1
 
 ### Setup Samba
 ```bash
+source admin-rc
 ansible-playbook samba.yaml
-```
\ No newline at end of file
+```
diff --git a/clarkzjw.ca/config/atlas/roles/debian_init/tasks/main.yaml b/clarkzjw.ca/config/atlas/roles/debian_init/tasks/main.yaml
index 4cfc23d..e53d3eb 100644
--- a/clarkzjw.ca/config/atlas/roles/debian_init/tasks/main.yaml
+++ b/clarkzjw.ca/config/atlas/roles/debian_init/tasks/main.yaml
@@ -39,6 +39,7 @@
 - name: Install ZFS
   apt:
     name:
+      - linux-headers-amd64
       - linux-headers-{{ ansible_kernel }}
       - zfsutils-linux
       - zfs-dkms
diff --git a/clarkzjw.ca/config/atlas/roles/samba/defaults/main.yaml b/clarkzjw.ca/config/atlas/roles/samba/defaults/main.yaml
new file mode 100644
index 0000000..88c23b1
--- /dev/null
+++ b/clarkzjw.ca/config/atlas/roles/samba/defaults/main.yaml
@@ -0,0 +1,3 @@
+samba_users:
+- username: clarkzjw
+  password: "{{ lookup('env', 'SAMBA_PASSWORD') }}"
\ No newline at end of file
diff --git a/clarkzjw.ca/config/atlas/roles/samba/tasks/main.yaml b/clarkzjw.ca/config/atlas/roles/samba/tasks/main.yaml
index 7c1edec..0ada38a 100644
--- a/clarkzjw.ca/config/atlas/roles/samba/tasks/main.yaml
+++ b/clarkzjw.ca/config/atlas/roles/samba/tasks/main.yaml
@@ -6,9 +6,48 @@
       - cifs-utils
     update_cache: true
 
+- name: Disable Samba NetBIOS server nmbd
+  systemd:
+    name: nmbd
+    state: stopped
+    enabled: false
 
 - name: render samba config file
   template:
     src: smb.conf.j2
     dest: "/etc/samba/smb.conf"
-    mode: 0644
\ No newline at end of file
+    mode: 0644
+
+# https://stackoverflow.com/questions/44762488/non-interactive-samba-user-creation-via-ansible
+- name: shell - create samba users
+  shell: >
+    set -e -o pipefail
+    && (pdbedit --user={{ item.username }} 2>&1 > /dev/null)
+    || (echo '{{ item.password }}'; echo '{{ item.password }}')
+    | smbpasswd -s -a {{ item.username }}
+  args:
+    executable: /bin/bash
+  register: samba_create_users
+  changed_when: "'Added user' in samba_create_users.stdout"
+  loop: "{{ samba_users }}"
+#  no_log: true
+
+- name: shell - set samba passwords correctly
+  shell: >
+    set -e -o pipefail
+    && (smbclient -U {{ item.username }}%{{ item.password }} -L 127.0.0.1 2>&1 > /dev/null)
+    || (echo '{{ item.password }}'; echo '{{ item.password }}')
+    | smbpasswd {{ item.username }}
+  args:
+    executable: /bin/bash
+  register: samba_verify_users
+  changed_when: "'New SMB password' in samba_verify_users.stdout"
+  loop: "{{ samba_users }}"
+#  no_log: true
+
+- name: Restart SMB service
+  systemd:
+    name: smbd
+    state: restarted
+    enabled: true
+    daemon_reload: true
diff --git a/clarkzjw.ca/config/atlas/roles/samba/templates/smb.conf.j2 b/clarkzjw.ca/config/atlas/roles/samba/templates/smb.conf.j2
index 5b59497..06e2567 100644
--- a/clarkzjw.ca/config/atlas/roles/samba/templates/smb.conf.j2
+++ b/clarkzjw.ca/config/atlas/roles/samba/templates/smb.conf.j2
@@ -1,240 +1,27 @@
-#
-# Sample configuration file for the Samba suite for Debian GNU/Linux.
-#
-#
-# This is the main Samba configuration file. You should read the
-# smb.conf(5) manual page in order to understand the options listed
-# here. Samba has a huge number of configurable options most of which
-# are not shown in this example
-#
-# Some options that are often worth tuning have been included as
-# commented-out examples in this file.
-#  - When such options are commented with ";", the proposed setting
-#    differs from the default Samba behaviour
-#  - When commented with "#", the proposed setting is the default
-#    behaviour of Samba but the option is considered important
-#    enough to be mentioned here
-#
-# NOTE: Whenever you modify this file you should run the command
-# "testparm" to check that you have not made any basic syntactic
-# errors.
-
-#======================= Global Settings =======================
-
 [global]
-
-## Browsing/Identification ###
-
-# Change this to the workgroup/NT-domain name your Samba server will part of
-   workgroup = WORKGROUP
-
-#### Networking ####
-
-# The specific set of interfaces / networks to bind to
-# This can be either the interface name or an IP address/netmask;
-# interface names are normally preferred
-;   interfaces = 127.0.0.0/8 eth0
-
-# Only bind to the named interfaces and/or networks; you must use the
-# 'interfaces' option above to use this.
-# It is recommended that you enable this feature if your Samba machine is
-# not protected by a firewall or is a firewall itself.  However, this
-# option cannot handle dynamic or non-broadcast interfaces correctly.
-;   bind interfaces only = yes
-
-
-
-#### Debugging/Accounting ####
-
-# This tells Samba to use a separate log file for each machine
-# that connects
-   log file = /var/log/samba/log.%m
-
-# Cap the size of the individual log files (in KiB).
-   max log size = 1000
-
-# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
-# Append syslog@1 if you want important messages to be sent to syslog too.
-   logging = file
-
-# Do something sensible when Samba crashes: mail the admin a backtrace
-   panic action = /usr/share/samba/panic-action %d
-
-
-####### Authentication #######
-
-# Server role. Defines in which mode Samba will operate. Possible
-# values are "standalone server", "member server", "classic primary
-# domain controller", "classic backup domain controller", "active
-# directory domain controller".
-#
-# Most people will want "standalone server" or "member server".
-# Running as "active directory domain controller" will require first
-# running "samba-tool domain provision" to wipe databases and create a
-# new domain.
-   server role = standalone server
-
-   obey pam restrictions = yes
-
-# This boolean parameter controls whether Samba attempts to sync the Unix
-# password with the SMB password when the encrypted SMB password in the
-# passdb is changed.
-   unix password sync = yes
-
-# For Unix password sync to work on a Debian GNU/Linux system, the following
-# parameters must be set (thanks to Ian Kahan <<[email protected]> for
-# sending the correct chat script for the passwd program in Debian Sarge).
-   passwd program = /usr/bin/passwd %u
-   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
-
-# This boolean controls whether PAM will be used for password changes
-# when requested by an SMB client instead of the program listed in
-# 'passwd program'. The default is 'no'.
-   pam password change = yes
-
-# This option controls how unsuccessful authentication attempts are mapped
-# to anonymous connections
-   map to guest = bad user
-
-########## Domains ###########
-
-#
-# The following settings only takes effect if 'server role = classic
-# primary domain controller', 'server role = classic backup domain controller'
-# or 'domain logons' is set
-#
-
-# It specifies the location of the user's
-# profile directory from the client point of view) The following
-# required a [profiles] share to be setup on the samba server (see
-# below)
-;   logon path = \\%N\profiles\%U
-# Another common choice is storing the profile in the user's home directory
-# (this is Samba's default)
-#   logon path = \\%N\%U\profile
-
-# The following setting only takes effect if 'domain logons' is set
-# It specifies the location of a user's home directory (from the client
-# point of view)
-;   logon drive = H:
-#   logon home = \\%N\%U
-
-# The following setting only takes effect if 'domain logons' is set
-# It specifies the script to run during logon. The script must be stored
-# in the [netlogon] share
-# NOTE: Must be store in 'DOS' file format convention
-;   logon script = logon.cmd
-
-# This allows Unix users to be created on the domain controller via the SAMR
-# RPC pipe.  The example command creates a user account with a disabled Unix
-# password; please adapt to your needs
-; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
-
-# This allows machine accounts to be created on the domain controller via the
-# SAMR RPC pipe.
-# The following assumes a "machines" group exists on the system
-; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
-
-# This allows Unix groups to be created on the domain controller via the SAMR
-# RPC pipe.
-; add group script = /usr/sbin/addgroup --force-badname %g
-
-############ Misc ############
-
-# Using the following line enables you to customise your configuration
-# on a per machine basis. The %m gets replaced with the netbios name
-# of the machine that is connecting
-;   include = /home/samba/etc/smb.conf.%m
-
-# Some defaults for winbind (make sure you're not using the ranges
-# for something else.)
-;   idmap config * :              backend = tdb
-;   idmap config * :              range   = 3000-7999
-;   idmap config YOURDOMAINHERE : backend = tdb
-;   idmap config YOURDOMAINHERE : range   = 100000-999999
-;   template shell = /bin/bash
-
-# Setup usershare options to enable non-root users to share folders
-# with the net usershare command.
-
-# Maximum number of usershare. 0 means that usershare is disabled.
-#   usershare max shares = 100
-
-# Allow users who've been granted usershare privileges to create
-# public shares, not just authenticated ones
-   usershare allow guests = yes
-
-#======================= Share Definitions =======================
+    workgroup = WORKGROUP
+    interfaces = 192.168.1.0/24 tailscale0
+    bind interfaces only = yes
+    log file = /var/log/samba/log.%m
+    max log size = 1000
+    logging = file
+    panic action = /usr/share/samba/panic-action %d
+    server role = standalone server
+    obey pam restrictions = yes
+    unix password sync = yes
+    passwd program = /usr/bin/passwd %u
+    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+    pam password change = yes
+    map to guest = bad user
 
 [homes]
    comment = Home Directories
    browseable = no
-
-# By default, the home directories are exported read-only. Change the
-# next parameter to 'no' if you want to be able to write to them.
    read only = yes
-
-# File creation mask is set to 0700 for security reasons. If you want to
-# create files with group=rw permissions, set next parameter to 0775.
    create mask = 0700
-
-# Directory creation mask is set to 0700 for security reasons. If you want to
-# create dirs. with group=rw permissions, set next parameter to 0775.
    directory mask = 0700
-
-# By default, \\server\username shares can be connected to by anyone
-# with access to the samba server.
-# The following parameter makes sure that only "username" can connect
-# to \\server\username
-# This might need tweaking when using external authentication schemes
    valid users = %S
 
-# Un-comment the following and create the netlogon directory for Domain Logons
-# (you need to configure Samba to act as a domain controller too.)
-;[netlogon]
-;   comment = Network Logon Service
-;   path = /home/samba/netlogon
-;   guest ok = yes
-;   read only = yes
-
-# Un-comment the following and create the profiles directory to store
-# users profiles (see the "logon path" option above)
-# (you need to configure Samba to act as a domain controller too.)
-# The path below should be writable by all users so that their
-# profile directory may be created the first time they log on
-;[profiles]
-;   comment = Users profiles
-;   path = /home/samba/profiles
-;   guest ok = no
-;   browseable = no
-;   create mask = 0600
-;   directory mask = 0700
-
-#[printers]
-#   comment = All Printers
-#   browseable = no
-#   path = /var/spool/samba
-#   printable = yes
-#   guest ok = no
-#   read only = yes
-#   create mask = 0700
-
-# Windows clients look for this share name as a source of downloadable
-# printer drivers
-#[print$]
-#   comment = Printer Drivers
-#   path = /var/lib/samba/printers
-#   browseable = yes
-#   read only = yes
-#   guest ok = no
-# Uncomment to allow remote administration of Windows print drivers.
-# You may need to replace 'lpadmin' with the name of the group your
-# admin users are members of.
-# Please note that you also need to set appropriate Unix permissions
-# to the drivers directory for these users to have write rights in it
-;   write list = root, @lpadmin
-
-
 [pool1]
     comment = NAS Share
     path = /pool1/clarkzjw
@@ -243,4 +30,4 @@
     valid users = @clarkzjw
     force create mode = 770
     force directory mode = 770
-    inherit permissions = yes
\ No newline at end of file
+    inherit permissions = yes
diff --git a/clarkzjw.ca/config/atlas/samba.yaml b/clarkzjw.ca/config/atlas/samba.yaml
index 374943c..f363afc 100644
--- a/clarkzjw.ca/config/atlas/samba.yaml
+++ b/clarkzjw.ca/config/atlas/samba.yaml
@@ -1,5 +1,5 @@
 - name: Setup Samba
-  hosts: storinator
+  hosts: atlas
   remote_user: clarkzjw
   gather_facts: true
 
diff --git a/clarkzjw.ca/config/atlas/setup.yaml b/clarkzjw.ca/config/atlas/setup.yaml
index 08592d3..0dbbd4a 100644
--- a/clarkzjw.ca/config/atlas/setup.yaml
+++ b/clarkzjw.ca/config/atlas/setup.yaml
@@ -1,5 +1,5 @@
-- name: Setup Storinator
-  hosts: storinator
+- name: Install ZFS and setup Debian
+  hosts: atlas
   remote_user: clarkzjw
   gather_facts: true