From e2ce2145f40ec9a2ea92f74c5ce314d7d4110324 Mon Sep 17 00:00:00 2001 From: Kurt Gardiner Date: Wed, 8 Jan 2014 17:14:14 +1100 Subject: [PATCH 1/3] Add support for sles, use lense for speed increase --- README.md | 5 +- README.md~ | 89 +++++++++ manifests/init.pp | 4 +- manifests/init.pp~ | 7 + manifests/params.pp | 29 +++ manifests/server.pp | 48 +++-- manifests/server.pp~ | 46 +++++ manifests/server/config.pp | 10 +- manifests/server/config.pp~ | 19 ++ manifests/server/install.pp | 2 +- manifests/server/install.pp~ | 5 + manifests/server/service.pp | 23 +-- manifests/server/service.pp~ | 27 +++ manifests/server/share.pp | 108 +++++++++-- manifests/server/share.pp~ | 211 ++++++++++++++++++++++ manifests/server/winbind.pp | 1 + manifests/server/winbind.pp~ | 16 ++ templates/configure_active_directory.erb | 1 + templates/configure_active_directory.erb~ | 148 +++++++++++++++ templates/verify_active_directory.erb | 1 + templates/verify_active_directory.erb~ | 107 +++++++++++ 21 files changed, 849 insertions(+), 58 deletions(-) create mode 100644 README.md~ create mode 100644 manifests/init.pp~ create mode 100644 manifests/params.pp create mode 100644 manifests/server.pp~ create mode 100644 manifests/server/config.pp~ create mode 100644 manifests/server/install.pp~ create mode 100644 manifests/server/service.pp~ create mode 100644 manifests/server/share.pp~ create mode 100644 manifests/server/winbind.pp~ create mode 100644 templates/configure_active_directory.erb~ create mode 100644 templates/verify_active_directory.erb~ diff --git a/README.md b/README.md index 6bb9a79..fb7b834 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Module for provisioning Samba -Tested on Ubuntu 12.04, CentOS 6.3, patches to support other operating systems are welcome. +Tested on Ubuntu 12.04, CentOS 6.3, SLES 11 SP2 patches to support other operating systems are welcome. ## Installation 
@@ -34,7 +34,7 @@ Tweak and add the following to your site manifest: guest_account => "guest", browsable => false, create_mask => 0777, - force_create_mask => 0777, + force_create_mode => 0777, directory_mask => 0777, force_directory_mask => 0777, force_group => 'group', @@ -86,3 +86,4 @@ Most configuration options are optional. This module is released under the MIT license: * [http://www.opensource.org/licenses/MIT](http://www.opensource.org/licenses/MIT) + diff --git a/README.md~ b/README.md~ new file mode 100644 index 0000000..fb7b834 --- /dev/null +++ b/README.md~ 
@@ -0,0 +1,89 @@ +# Puppet Samba Module + +Module for provisioning Samba + +Tested on Ubuntu 12.04, CentOS 6.3, SLES 11 SP2 patches to support other operating systems are welcome. + +## Installation + +Clone this repo to your Puppet modules directory + + git clone git://github.com/ajjahn/puppet-samba.git samba + +or + + puppet module install ajjahn/samba + +## Usage + +Tweak and add the following to your site manifest: + + node 'server.example.com' { + class {'samba::server': + workgroup => 'example', + server_string => "Example Samba Server", + interfaces => "eth0 lo", + security => 'share' + } + + samba::server::share {'example-share': + comment => 'Example Share', + path => '/path/to/share', + guest_only => true, + guest_ok => true, + guest_account => "guest", + browsable => false, + create_mask => 0777, + force_create_mode => 0777, + directory_mask => 0777, + force_directory_mask => 0777, + force_group => 'group', + force_user => 'user', + copy => 'some-other-share', + } + } + +If you want join Samba server to Active Directory. Tested on Ubuntu 12.04. + + node 'server.example.com' { + class {'samba::server': + workgroup => 'example', + server_string => "Example Samba Server", + interfaces => "eth0 lo", + security => 'ads' + } + + samba::server::share {'ri-storage': + comment => 'RBTH User Storage', + path => "$smb_share", + browsable => true, + writable => true, + create_mask => 0770, + directory_mask => 0770, + } + + class { 'samba::server::ads': + winbind_acct => $::domain_admin, + winbind_pass => $::admin_password, + realm => 'EXAMPLE.COM', + nsswitch => true, + target_ou => "Nix_Mashine" + } + } + +Most configuration options are optional. + +## Contributing + +1. Fork it +2. Create your feature branch (`git checkout -b my-new-feature`) +3. Commit your changes (`git commit -am 'Added some feature'`) +4. Push to the branch (`git push origin my-new-feature`) +5. 
Create new Pull Request
+
+## License
+
+This module is released under the MIT license:
+
+* [http://www.opensource.org/licenses/MIT](http://www.opensource.org/licenses/MIT)
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 8a914a4..0de6d91 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,7 +1,7 @@
-class samba {
+class samba inherits samba::params {
 include samba::server
 
 if samba::server::security == 'ads' {
 include samba::server::ads
 }
-}
\ No newline at end of file
+}
diff --git a/manifests/init.pp~ b/manifests/init.pp~
new file mode 100644
index 0000000..8a914a4
--- /dev/null
+++ b/manifests/init.pp~
@@ -0,0 +1,7 @@
+class samba {
+ include samba::server
+
+ if samba::server::security == 'ads' {
+ include samba::server::ads
+ }
+}
\ No newline at end of file
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 0000000..ce5abf1
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,29 @@
+# Class: samba::params
+#
+# This class defines default parameters used by the main module class samba
+# Operating Systems differences in names and paths are addressed here
+#
+# == Variables
+#
+# Refer to samba class for the variables defined here.
+#
+# == Usage
+#
+# This class is not intended to be used directly.
+# It may be imported or inherited by other classes
+#
+class samba::params {
+ $services = $::osfamily ? {
+ /(?i:RedHat)/ => 'smb',
+ /(?i:Debian)/ => 'smbd',
+ /(?i:Gentoo)/ => 'samba',
+ /(?i:Suse)/ => ['smb','nmb'],
+ default => 'smbd',
+ }
+
+ $samba_config_dir = '/etc/samba'
+ $samba_config_file = '/etc/samba/smb.conf'
+ $lense = 'Samba.lns'
+}
+
+
diff --git a/manifests/server.pp b/manifests/server.pp
index bc1e3d7..e5ca0b6 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
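Review bot: The `default => 'smbd'` arm of the `$services` selector in params.pp replaces the `default: { fail("$::osfamily is not supported by this module.") }` branch that the service.pp hunk further down removes, so an unrecognised osfamily now silently gets a Debian-style service name and the run only fails later, at the `service` resource, with a less useful message. Keeping the explicit failure — for example a `case $::osfamily` with a `default:` branch that calls `fail()`, as the old service.pp did — preserves the previous behaviour. The Gentoo-under-`$::osfamily == 'Linux'` workaround the old service.pp carried is also dropped without replacement; worth confirming it is no longer needed on the Facter versions the module targets. Minor: `$lense` reads as a misspelling of `lens`, the augeas parameter it feeds.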
@@ -2,14 +2,21 @@
 $security = '',
 $server_string = '',
 $unix_password_sync = '',
- $workgroup = '') {
+ $workgroup = '',
+ $bind_interfaces_only = true,
+ $realm = '',
+ $machine_password_timeout = '',
+ $unix_extensions = '') inherits samba {
 
 include samba::server::install
 include samba::server::config
 include samba::server::service
 
- $context = '/files/etc/samba/smb.conf'
- $target = "target[. = 'global']"
+# $lense = $lense
+# $config_dir = $samba_config_dir
+# $config_file = $samba_config_file
+ $context = "/files${samba_config_file}"
+ $target = "target[. = 'global']"
 
 augeas { 'global-section':
 context => $context,
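Review bot: The `augeas { 'global-section': ... }` resource whose head closes this hunk is not given the `incl`/`lens` pair that the share.pp hunks add to every resource, so the global section (and each `set_samba_option` resource built on it) still loads the whole /files tree on every run and gets none of the speed-up the commit title promises. Adding `incl => $samba_config_file,` and `lens => $lense,` next to `context => $context,` brings it in line. The three commented-out `# $lense = $lense` lines are dead and should be dropped rather than committed. Having `samba::server` inherit `samba` while `samba` itself does `include samba::server` (init.pp hunk above) ties the two classes into a loop; inheriting `samba::params` directly, as init.pp now does, is the conventional way to pick up those variables, and the same applies to the config.pp and service.pp hunks below. The class header and the resource body lie outside this hunk.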
@@ -18,23 +25,34 @@ notify => Class['samba::server::service'] } - set_samba_option { - 'interfaces': value => $interfaces; - 'bind interfaces only': value => 'yes'; - 'security': value => $security; - 'server string': value => $server_string; - 'unix password sync': value => $unix_password_sync; - 'workgroup': value => $workgroup; + 'interfaces': value => $interfaces; + 'bind interfaces only': value => $bind_interfaces_only, bool => true; + 'security': value => $security; + 'server string': value => $server_string; + 'unix password sync': value => $unix_password_sync; + 'workgroup': value => $workgroup; + 'realm': value => $realm; + 'machine password timeout': value => $machine_password_timeout; + 'unix extensions': value => $unix_extensions, bool => true; } } -define set_samba_option ( $value = '', $signal = 'samba::server::service' ) { +define set_samba_option ( $value = '', $signal = 'samba::server::service', $bool = false ) { $context = $samba::server::context $target = $samba::server::target - $changes = $value ? { - default => "set \"${target}/$name\" \"$value\"", - '' => "rm ${target}/$name", + if ($bool) { + $changes = $value ? { + true => "set \"${target}/$name\" yes", + false => "set \"${target}/$name\" no", + default => "rm ${target}/$name" + } + } + else { + $changes = $value ? { + default => "set \"${target}/$name\" \"$value\"", + '' => "rm ${target}/$name", + } } augeas { "samba-$name": @@ -44,3 +62,5 @@ notify => Class[$signal] } } + + diff --git a/manifests/server.pp~ b/manifests/server.pp~ new file mode 100644 index 0000000..bc1e3d7 --- /dev/null +++ b/manifests/server.pp~ 
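Review bot: In the `bool => true` branch of `set_samba_option`, any value other than the booleans `true`/`false` — the string `'yes'`, for instance, or a typo — silently falls through to `default => "rm ${target}/$name"` and deletes the option from smb.conf instead of failing. A guard before the selector such as `if $bool and $value != '' and $value != true and $value != false { fail("${name}: expected a boolean, got '${value}'") }` surfaces the mistake at compile time; the same silent-removal shape appears in the new `wide-links` and `follow-symlinks` resources in share.pp. The `augeas { "samba-$name": ... }` resource this define emits, just below the hunk, also lacks the `incl`/`lens` parameters that share.pp adds everywhere else. `set_samba_option` starts inside this hunk but its body continues past it.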
@@ -0,0 +1,46 @@ +class samba::server($interfaces = '', + $security = '', + $server_string = '', + $unix_password_sync = '', + $workgroup = '') { + + include samba::server::install + include samba::server::config + include samba::server::service + + $context = '/files/etc/samba/smb.conf' + $target = "target[. = 'global']" + + augeas { 'global-section': + context => $context, + changes => "set ${target} global", + require => Class['samba::server::config'], + notify => Class['samba::server::service'] + } + + + set_samba_option { + 'interfaces': value => $interfaces; + 'bind interfaces only': value => 'yes'; + 'security': value => $security; + 'server string': value => $server_string; + 'unix password sync': value => $unix_password_sync; + 'workgroup': value => $workgroup; + } +} + +define set_samba_option ( $value = '', $signal = 'samba::server::service' ) { + $context = $samba::server::context + $target = $samba::server::target + $changes = $value ? { + default => "set \"${target}/$name\" \"$value\"", + '' => "rm ${target}/$name", + } + + augeas { "samba-$name": + context => $context, + changes => $changes, + require => Augeas['global-section'], + notify => Class[$signal] + } +} diff --git a/manifests/server/config.pp b/manifests/server/config.pp index d51e432..26b3399 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -1,19 +1,19 @@ -class samba::server::config { +class samba::server::config inherits samba { - file { '/etc/samba': + file { "${samba_config_dir}": ensure => directory, owner => 'root', group => 'root', mode => '0755', } - file { '/etc/samba/smb.conf': + file { "${samba_config_file}": ensure => present, owner => 'root', group => 'root', - mode => '0644', + mode => '0444', require => [File['/etc/samba'], Class['samba::server::install']], notify => Class['samba::server::service'] } - } + diff --git a/manifests/server/config.pp~ b/manifests/server/config.pp~ new file mode 100644 index 0000000..d51e432 --- /dev/null 
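Review bot: In the config.pp hunk, `require => [File['/etc/samba'], Class['samba::server::install']],` on the smb.conf resource still names the directory by its literal path while the directory resource is now titled `"${samba_config_dir}"`; the reference only resolves because the parameter still equals '/etc/samba', and the first override breaks the catalog with an unresolved dependency — use `require => [File[$samba_config_dir], Class['samba::server::install']],`. The quotes in `file { "${samba_config_dir}":` and `file { "${samba_config_file}":` are redundant; plain `$samba_config_dir` / `$samba_config_file` suffice. The hunk's tail (`} - } +`) is ambiguous in this rendering as to whether a blank line or the class's closing brace was removed; confirm the closing `}` survived. The new `mode => '0444'` on smb.conf deserves a one-line comment stating that the file is meant to be changed only through augeas, so the next maintainer does not loosen it by reflex.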
+++ b/manifests/server/config.pp~ @@ -0,0 +1,19 @@ +class samba::server::config { + + file { '/etc/samba': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + } + + file { '/etc/samba/smb.conf': + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + require => [File['/etc/samba'], Class['samba::server::install']], + notify => Class['samba::server::service'] + } + +} diff --git a/manifests/server/install.pp b/manifests/server/install.pp index 1454bfe..5e9fdb5 100644 --- a/manifests/server/install.pp +++ b/manifests/server/install.pp @@ -2,4 +2,4 @@ package { 'samba': ensure => installed } -} \ No newline at end of file +} diff --git a/manifests/server/install.pp~ b/manifests/server/install.pp~ new file mode 100644 index 0000000..1454bfe --- /dev/null +++ b/manifests/server/install.pp~ @@ -0,0 +1,5 @@ +class samba::server::install { + package { 'samba': + ensure => installed + } +} \ No newline at end of file diff --git a/manifests/server/service.pp b/manifests/server/service.pp index 4bbe47f..7a7b925 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp @@ -1,27 +1,10 @@ -class samba::server::service ($ensure = running, $enable = true) { - case $::osfamily { - Redhat: { $service_name = 'smb' } - Debian: { $service_name = 'smbd' } - Gentoo: { $service_name = 'samba' } - - # Currently Gentoo has $::osfamily = "Linux". This should change in - # Factor 1.7.0 , so - # adding workaround. - Linux: { - case $::operatingsystem { - Gentoo: { $service_name = 'samba' } - default: { fail("$::operatingsystem is not supported by this module.") } - } - } - default: { fail("$::osfamily is not supported by this module.") } - } - - service { "$service_name" : +class samba::server::service ($ensure = running, $enable = true) inherits samba { + service { $services: ensure => $ensure, hasstatus => true, hasrestart => true, enable => $enable, require => Class['samba::server::config'] } - } + 
diff --git a/manifests/server/service.pp~ b/manifests/server/service.pp~ new file mode 100644 index 0000000..4bbe47f --- /dev/null +++ b/manifests/server/service.pp~ @@ -0,0 +1,27 @@ +class samba::server::service ($ensure = running, $enable = true) { + case $::osfamily { + Redhat: { $service_name = 'smb' } + Debian: { $service_name = 'smbd' } + Gentoo: { $service_name = 'samba' } + + # Currently Gentoo has $::osfamily = "Linux". This should change in + # Factor 1.7.0 , so + # adding workaround. + Linux: { + case $::operatingsystem { + Gentoo: { $service_name = 'samba' } + default: { fail("$::operatingsystem is not supported by this module.") } + } + } + default: { fail("$::osfamily is not supported by this module.") } + } + + service { "$service_name" : + ensure => $ensure, + hasstatus => true, + hasrestart => true, + enable => $enable, + require => Class['samba::server::config'] + } + +} diff --git a/manifests/server/share.pp b/manifests/server/share.pp index b4eb02f..b1f4134 100644 --- a/manifests/server/share.pp +++ b/manifests/server/share.pp @@ -4,8 +4,8 @@ $copy = '', $create_mask = '', $directory_mask = '', - $force_create_mask = '', - $force_directory_mask = '', + $force_create_mode = '', + $force_directory_mode = '', $force_group = '', $force_user = '', $guest_account = '', @@ -15,10 +15,15 @@ $read_only = '', $public = '', $writable = '', - $printable = '') { + $printable = '', + $wide_links = '', + $follow_symlinks = '', + $valid_users = '') { - $context = $samba::server::context - $target = "target[. = '${name}']" + $context = $samba::server::context + $config_file = $samba::params::samba_config_file + $lense = $samba::params::lense + $target = "target[. = '${name}']" augeas { "${name}-section": context => $context, 
@@ -26,11 +31,13 @@ present => "set ${target} '${name}'", default => "rm ${target} '${name}'", }, + incl => "${config_file}", + lens => "${lense}", require => Class['samba::server::config'], notify => Class['samba::server::service'] } - if $ensure == 'present' { + if $ensure == present { augeas { "${name}-browsable": context => $context, changes => $browsable ? { @@ -38,6 +45,8 @@ false => "set ${target}/browsable no", default => "rm ${target}/browsable", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -48,6 +57,8 @@ default => "set ${target}/comment '${comment}'", '' => "rm ${target}/comment", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -58,6 +69,8 @@ default => "set ${target}/copy '${copy}'", '' => "rm ${target}/copy", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -68,6 +81,8 @@ default => "set \"${target}/create mask\" '${create_mask}'", '' => "rm \"${target}/create mask\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } 
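Review bot: The pair `incl => "${config_file}",` / `lens => "${lense}",` is pasted into every one of the roughly twenty `augeas` resources of this define (this hunk and all the following share.pp hunks through `valid-users`), alongside identical `require`/`notify` lines. A resource default at the top of the define, `Augeas { incl => $config_file, lens => $lense, require => Augeas["${name}-section"], notify => Class['samba::server::service'] }`, applies to every augeas resource declared in the define's scope and lets each resource shrink to its `context`/`changes`; the `${name}-section` resource would then keep its explicit `require => Class['samba::server::config']`. The interpolating quotes around the bare variables are unnecessary. The define's header lies outside this hunk.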
@@ -78,26 +93,32 @@ default => "set \"${target}/directory mask\" '${directory_mask}'", '' => "rm \"${target}/directory mask\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } - augeas { "${name}-force_create_mask": + augeas { "${name}-force_create_mode": context => $context, - changes => $force_create_mask ? { - default => "set \"${target}/force create mask\" '${force_create_mask}'", - '' => "rm \"${target}/force create mask\"", + changes => $force_create_mode ? { + default => "set \"${target}/force create mode\" '${force_create_mode}'", + '' => "rm \"${target}/force create mode\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } - augeas { "${name}-force_directory_mask": + augeas { "${name}-force_directory_mode": context => $context, - changes => $force_directory_mask ? { - default => "set \"${target}/force directory mask\" '${force_directory_mask}'", - '' => "rm \"${target}/force directory mask\"", + changes => $force_directory_mode ? { + default => "set \"${target}/force directory mode\" '${force_directory_mode}'", + '' => "rm \"${target}/force directory mode\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -108,6 +129,8 @@ default => "set \"${target}/force group\" '${force_group}'", '' => "rm \"${target}/force group\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -118,6 +141,8 @@ default => "set \"${target}/force user\" '${force_user}'", '' => "rm \"${target}/force user\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } 
@@ -128,6 +153,8 @@ default => "set \"${target}/guest account\" '${guest_account}'", '' => "rm \"${target}/guest account\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -139,6 +166,8 @@ false => "set \"${target}/guest ok\" no", default => "rm \"${target}/guest ok\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -150,6 +179,8 @@ false => "set \"${target}/guest only\" no", default => "rm \"${target}/guest only\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -160,6 +191,8 @@ default => "set ${target}/path '${path}'", '' => "rm ${target}/path", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -171,6 +204,8 @@ false => "set \"${target}/read only\" no", default => "rm \"${target}/read_only\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -182,6 +217,8 @@ false => "set \"${target}/public\" no", default => "rm \"${target}/public\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } @@ -193,6 +230,8 @@ false => "set \"${target}/writable\" no", default => "rm \"${target}/writable\"", }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } 
@@ -204,8 +243,49 @@ false => "set \"${target}/printable\" no", default => "rm \"${target}/printable\"", }, + incl => "${config_file}", + lens => "${lense}", + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-wide-links": + context => $context, + changes => $wide_links ? { + true => "set \"${target}/wide links\" yes", + false => "set \"${target}/wide links\" no", + default => "rm \"${target}/wide links\"", + }, + incl => "${config_file}", + lens => "${lense}", + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-follow-symlinks": + context => $context, + changes => $follow_symlinks ? { + true => "set \"${target}/follow symlinks\" yes", + false => "set \"${target}/follow symlinks\" no", + default => "rm \"${target}/follow symlinks\"", + }, + incl => "${config_file}", + lens => "${lense}", + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-valid-users": + context => $context, + changes => $valid_users ? { + default => "set \"${target}/valid users\" '${valid_users}'", + '' => "rm \"${target}/valid users\"", + }, + incl => "${config_file}", + lens => "${lense}", require => Augeas["${name}-section"], notify => Class['samba::server::service'] } } } + diff --git a/manifests/server/share.pp~ b/manifests/server/share.pp~ new file mode 100644 index 0000000..b4eb02f --- /dev/null +++ b/manifests/server/share.pp~ 
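Review bot: `wide_links` and `follow_symlinks` are security-sensitive share options and the new resources document neither: `wide links = yes` lets a symlink inside the share resolve to paths outside it, and Samba (since 3.4.6/3.5.2) forces it off whenever `unix extensions = yes`, which is the Samba default and a parameter this same commit adds to `samba::server`. A short comment above `"${name}-wide-links"` such as `# wide links = yes lets symlinks escape the share; Samba ignores it unless unix extensions = no in [global]` would save the next reader a surprise, and the README should list both parameters. `valid_users` is interpolated inside single quotes in `set "${target}/valid users" '${valid_users}'`, so a value containing `'` yields an invalid augeas command; a comment noting that restriction, or a `validate_re`-style check if puppetlabs-stdlib is available, is warranted. The define starts outside this hunk.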
@@ -0,0 +1,211 @@ +define samba::server::share($ensure = present, + $browsable = '', + $comment = '', + $copy = '', + $create_mask = '', + $directory_mask = '', + $force_create_mask = '', + $force_directory_mask = '', + $force_group = '', + $force_user = '', + $guest_account = '', + $guest_ok = '', + $guest_only = '', + $path = '', + $read_only = '', + $public = '', + $writable = '', + $printable = '') { + + $context = $samba::server::context + $target = "target[. = '${name}']" + + augeas { "${name}-section": + context => $context, + changes => $ensure ? { + present => "set ${target} '${name}'", + default => "rm ${target} '${name}'", + }, + require => Class['samba::server::config'], + notify => Class['samba::server::service'] + } + + if $ensure == 'present' { + augeas { "${name}-browsable": + context => $context, + changes => $browsable ? { + true => "set ${target}/browsable yes", + false => "set ${target}/browsable no", + default => "rm ${target}/browsable", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-comment": + context => $context, + changes => $comment ? { + default => "set ${target}/comment '${comment}'", + '' => "rm ${target}/comment", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-copy": + context => $context, + changes => $copy ? { + default => "set ${target}/copy '${copy}'", + '' => "rm ${target}/copy", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-create_mask": + context => $context, + changes => $create_mask ? { + default => "set \"${target}/create mask\" '${create_mask}'", + '' => "rm \"${target}/create mask\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-directory_mask": + context => $context, + changes => $directory_mask ? 
{ + default => "set \"${target}/directory mask\" '${directory_mask}'", + '' => "rm \"${target}/directory mask\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-force_create_mask": + context => $context, + changes => $force_create_mask ? { + default => "set \"${target}/force create mask\" '${force_create_mask}'", + '' => "rm \"${target}/force create mask\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-force_directory_mask": + context => $context, + changes => $force_directory_mask ? { + default => "set \"${target}/force directory mask\" '${force_directory_mask}'", + '' => "rm \"${target}/force directory mask\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-force_group": + context => $context, + changes => $force_group ? { + default => "set \"${target}/force group\" '${force_group}'", + '' => "rm \"${target}/force group\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-force_user": + context => $context, + changes => $force_user ? { + default => "set \"${target}/force user\" '${force_user}'", + '' => "rm \"${target}/force user\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-guest_account": + context => $context, + changes => $guest_account ? { + default => "set \"${target}/guest account\" '${guest_account}'", + '' => "rm \"${target}/guest account\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-guest_ok": + context => $context, + changes => $guest_ok ? 
{ + true => "set \"${target}/guest ok\" yes", + false => "set \"${target}/guest ok\" no", + default => "rm \"${target}/guest ok\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-guest_only": + context => $context, + changes => $guest_only ? { + true => "set \"${target}/guest only\" yes", + false => "set \"${target}/guest only\" no", + default => "rm \"${target}/guest only\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-path": + context => $context, + changes => $path ? { + default => "set ${target}/path '${path}'", + '' => "rm ${target}/path", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-read_only": + context => $context, + changes => $read_only ? { + true => "set \"${target}/read only\" yes", + false => "set \"${target}/read only\" no", + default => "rm \"${target}/read_only\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-public": + context => $context, + changes => $public ? { + true => "set \"${target}/public\" yes", + false => "set \"${target}/public\" no", + default => "rm \"${target}/public\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-writable": + context => $context, + changes => $writable ? { + true => "set \"${target}/writable\" yes", + false => "set \"${target}/writable\" no", + default => "rm \"${target}/writable\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + + augeas { "${name}-printable": + context => $context, + changes => $printable ? 
{ + true => "set \"${target}/printable\" yes", + false => "set \"${target}/printable\" no", + default => "rm \"${target}/printable\"", + }, + require => Augeas["${name}-section"], + notify => Class['samba::server::service'] + } + } +} diff --git a/manifests/server/winbind.pp b/manifests/server/winbind.pp index 76136b9..9210e91 100644 --- a/manifests/server/winbind.pp +++ b/manifests/server/winbind.pp @@ -14,3 +14,4 @@ } } + diff --git a/manifests/server/winbind.pp~ b/manifests/server/winbind.pp~ new file mode 100644 index 0000000..76136b9 --- /dev/null +++ b/manifests/server/winbind.pp~ @@ -0,0 +1,16 @@ +class samba::server::winbind ($ensure = running, $enable = true) { + $service_name = 'winbind' + + notify { 'winbind-service': + message => 'Check winbind service', + } + + service { $service_name: + ensure => $ensure, + hasstatus => true, + hasrestart => true, + enable => $enable, + require => Class['samba::server::config'] + } + +} diff --git a/templates/configure_active_directory.erb b/templates/configure_active_directory.erb index c860c78..4e80883 100644 --- a/templates/configure_active_directory.erb +++ b/templates/configure_active_directory.erb @@ -146,3 +146,4 @@ rm -f $KRB5CCNAME &> /dev/null || : fi [ "$success" = "true" ] && exit 0 || exit 1 + diff --git a/templates/configure_active_directory.erb~ b/templates/configure_active_directory.erb~ new file mode 100644 index 0000000..c860c78 --- /dev/null +++ b/templates/configure_active_directory.erb~ 
@@ -0,0 +1,148 @@ +#!/bin/bash + +# This script can cause a host to join or leave +# the Windows Active Directory domain + +# variables +# +# specify a timeout for domain operations +seconds=300 +# +# post_join_delay seems to be necessary after joing domain +post_join_delay=30 +# + +PROG=$(basename $0) + +function usage () { + cat >&2 <<- EOF + Usage: $PROG -[hjl] + -h help + -j join the domain + -l leave the domain + Return code indicates success (0) or failure. + EOF +} + +# kinit and klist path depend on krb5 release +export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/kerberos/bin + +NET=$(which net) +if ! [ -x "$NET" ]; then + echo "ERROR: net command is missing or not executable." >&2 + exit 1 +fi + +EXPECT=$(which expect) +if ! [ -x "$EXPECT" ]; then + echo "ERROR: cannot run expect" >&2 + exit 1 +fi + +if [ $# -eq 0 ]; then + usage + exit 2 +fi + +while getopts "hjlq" option +do + case $option in + h ) usage; exit 0;; + j ) action="join";; + l ) action="leave";; + * ) usage; exit 2;; + esac +done + +password='<%= scope.lookupvar('samba::server::ads::winbind_pass') -%>' + +# short hostname from facter +my_hostname="<%= hostname -%>" + +# what account do we use for net ads commands? +winbind_acct="<%= scope.lookupvar('samba::server::ads::winbind_acct') -%>" + +# which realm will we be joining? +my_realm="<%= scope.lookupvar('samba::server::ads::realm') -%>" + +# where should we create computer accounts? +target_ou="<%= scope.lookupvar('samba::server::ads::target_ou') -%>" + +echo "Please do not kill me; I may be slow" >&2 + +#TODO, need write time check check_kdc_time +#if ! 
/bin/check_kdc_time; then +# echo "ERROR: time offset too large to manipulate domain" >&2 +# exit 1 +#else +# echo "INFO: time offset seems ok" >&2 +#fi + +if [ "$action" = "leave" ]; then + logger -st $PROG "Leaving AD domain" + $NET ads $action -U "${winbind_acct}%${password}" | grep Deleted && success=true || success=false + kdestroy + rm -f /etc/krb5.keytab + if [ $success = "true" ]; then + logger -st $PROG "Left AD domain" + else + logger -st $PROG "Failed to leave AD domain" + fi +fi + +ad_settle() { + ( + echo -n "Waiting $post_join_delay seconds" + for x in $(seq 1 $post_join_delay); do + echo -n "." + sleep 1 + done + echo + ) >&2 +} + +# ldapmodify _does_ use the env var for sasl bind +export KRB5CCNAME=$(umask 0077; mktemp -q winbind_cache.XXXXXXXX) + +if [ "$action" = "join" ]; then + if [ "${target_ou}" != "" ]; then + ou_parameter="createcomputer=\"${target_ou}\"" + else + ou_parameter="" + fi + + logger -st $PROG "Joining AD domain" >&2 + $NET ads $action -U "${winbind_acct}%${password}" ${ou_parameter} \ + | grep Joined && success=true || success=false + +if [ $success = "false" ]; then + echo ERROR: failed to join domain >&2 + exit 2 +fi + +max_attempts=5 +for attempt in $(seq 1 $max_attempts); do + echo "$attempt of $max_attempts:" + ad_settle + echo "Getting TGT for ${winbind_acct}@${my_realm}" >&2 + $EXPECT -c spawn -noecho kinit -c $KRB5CCNAME '${winbind_acct}@${my_realm}; + expect :; + send ${password}\n; + expect eof' + klist -c $KRB5CCNAME &> /dev/null && break +done + +if [ $(wbinfo -u|wc -l) != 0 ]; then + success=true +else + echo "ERROR: return user list from AD is empty" >&2 + success=false +fi + +# get rid of cred cache +kdestroy -c $KRB5CCNAME &> /dev/null +rm -f $KRB5CCNAME &> /dev/null || : + +fi + +[ "$success" = "true" ] && exit 0 || exit 1 diff --git a/templates/verify_active_directory.erb b/templates/verify_active_directory.erb index 5a2a506..2284d27 100644 --- a/templates/verify_active_directory.erb 
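Review bot: This file is an editor backup (`~` suffix) of templates/configure_active_directory.erb — its blob id c860c78 is the pre-change id of the real template in the hunk above — and, unlike the manifests/*~ and README.md~ copies, it is not removed by patch 2/3 later on this page, so the stale duplicate stays in the module; the same holds for templates/verify_active_directory.erb~ below. Delete it rather than commit it, and add `*~` to .gitignore. Since the script it duplicates renders the winbind password into a shell script and passes it on the `$NET ads $action -U "${winbind_acct}%${password}"` command line, keeping a second copy of that logic only widens what a future hardening edit has to keep in sync.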
+++ b/templates/verify_active_directory.erb @@ -105,3 +105,4 @@ fi [[ $success == "false" ]] && exit 1 exit 0 + diff --git a/templates/verify_active_directory.erb~ b/templates/verify_active_directory.erb~ new file mode 100644 index 0000000..5a2a506 --- /dev/null +++ b/templates/verify_active_directory.erb~ 
@@ -0,0 +1,107 @@
+#!/bin/bash
+
+PROG=$(basename $0)
+export EXPIRATION=90
+
+# kinit and klist path depend on krb5 release
+export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/kerberos/bin
+
+EXPECT=$(which expect)
+if ! [ -x "$EXPECT" ]; then
+ echo "ERROR: cannot run expect" >&2
+ exit 1
+fi
+
+#TODO
+#if ! check_kdc_time; then
+# {
+# echo "===================================="
+# echo "WARNING: time offset seems too large"
+# echo "===================================="
+# } >&2
+#fi
+
+password="<%= scope.lookupvar('samba::server::ads::winbind_pass') -%>"
+
+# short hostname from facter
+my_hostname="<%= hostname -%>"
+
+winbind_acct="<%= scope.lookupvar('samba::server::ads::winbind_acct') -%>"
+
+default_realm=$(grep -i '^[[:space:]]*realm.*=' /etc/samba/smb.conf | sed 's/ //g' | sed 's/realm=//g')
+
+# if we're still here, let's try the testjoin
+do_testjoin() {
+ echo "Running net ads testjoin with EXPIRATION=$EXPIRATION" >&2
+ _cmd="net ads testjoin -P"
+ if [[ -n "$1" ]]; then
+ _cmd="${_cmd} $@"
+ fi
+ output=$(${_cmd} 2>&1)
+ grep -q 'Join is OK' <<< $output
+ _rc=$?
+ if [ ${_rc} -ne 0 ]; then
+ logger -st $PROG "Error: net ads testjoin -P failed: $output"
+ fi
+ return ${_rc}
+}
+do_testjoin
+if [ $? -ne 0 ]; then
+ # get verbose failure info
+ do_testjoin -d3
+fi
+
+
+# if we're still here, we need to:
+# - get a TGT that enables us to query the attribute 'useraccountcontrol'
+# - confirm that AD trusts us for GSSAPI delegation
+
+export KRB5CCNAME=$(umask 0077; mktemp -q winbind_cache.XXXXXXXX)
+
+get_tgt() {
+ (
+ $EXPECT -c "spawn -noecho kinit -c $KRB5CCNAME ${winbind_acct}@${default_realm};
+ expect :;
+ send ${password}\n;
+ expect eof"
+ ) &> /dev/null
+ klist -c $KRB5CCNAME &> /dev/null
+ return $?
+}
+
+# try this several times.
+max_attempts=5
+# assume non-zero for has_tgt
+has_tgt=1
+for attempt in $(seq 1 $max_attempts); do
+ # If we just joined the domain, it takes a small amount of time
+ # for AD to sort things out amongst the DC's, and it
+ # depends in part on DNS performance.
+ if get_tgt; then
+ has_tgt=0
+ break
+ fi
+ echo "." >&2
+ sleep 3
+done
+
+success=true
+
+if [ $has_tgt -ne 0 ]; then
+ logger -st $PROG "ERROR: failed to get TGT from AD"
+ success=false
+else
+ if [ $(wbinfo -u|wc -l) != 0 ]; then
+ success=true
+ else
+ echo "ERROR: return user list from AD is empty" >&2
+ success=false
+ fi
+
+ # get rid of cred cache
+ kdestroy -c $KRB5CCNAME &> /dev/null
+fi
+
+[[ $success == "false" ]] && exit 1
+
+exit 0
From 4204d19342658276c597b23860948f40527abc7a Mon Sep 17 00:00:00 2001 From: Kurt Gardiner Date: Thu, 9 Jan 2014 08:45:12 +1100 Subject: [PATCH 2/3] Remove temp files --- README.md~ | 89 --------------- manifests/init.pp~ | 7 -- manifests/server.pp~ | 46 -------- manifests/server/config.pp~ | 19 ---- manifests/server/install.pp~ | 5 - manifests/server/service.pp~ | 27 ----- manifests/server/share.pp~ | 211 ----------------------------------- manifests/server/winbind.pp~ | 16 --- 8 files changed, 420 deletions(-) delete mode 100644 README.md~ delete mode 100644 manifests/init.pp~ delete mode 100644 manifests/server.pp~ delete mode 100644 manifests/server/config.pp~ delete mode 100644 manifests/server/install.pp~ delete mode 100644 manifests/server/service.pp~ delete mode 100644 manifests/server/share.pp~ delete mode 100644 manifests/server/winbind.pp~
diff --git a/README.md~ b/README.md~
deleted file mode 100644
index fb7b834..0000000
--- a/README.md~
+++ /dev/null
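Review bot: The join-account password is placed inside the `expect -c` argument string (`send ${password}\n` in `get_tgt`), so for the lifetime of the `expect`/`kinit` run it sits in that process's argument list, which is typically readable from the process table by any local user; the same construct is visible in the `configure_active_directory.erb` material at the top of this chunk, whose hunk begins outside it. This `~` backup carries the same blob (`5a2a506`) as the pre-change `templates/verify_active_directory.erb`, so the live template has the same exposure; authenticating from a keytab (`kinit -k -t <keytab-path>`) or feeding the secret to kinit on stdin instead of interpolating it into the command line would keep it out of `ps` output. Two smaller points in the same hunk: `export KRB5CCNAME=$(umask 0077; mktemp -q winbind_cache.XXXXXXXX)` creates the credential cache relative to whatever the working directory happens to be, and `-q` means a failed `mktemp` silently leaves `KRB5CCNAME` empty — something like `KRB5CCNAME=$(umask 0077; mktemp --tmpdir winbind_cache.XXXXXXXX) || exit 1` pins the location and fails loudly. On the failed-TGT branch the cache file is neither destroyed nor removed, and even on success `kdestroy -c` is run but the file itself is not `rm`'d as it is in the configure script. The later patches in this series remove the backup file itself, so this note concerns the content that also lives in the real template.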
@@ -1,89 +0,0 @@ -# Puppet Samba Module - -Module for provisioning Samba - -Tested on Ubuntu 12.04, CentOS 6.3, SLES 11 SP2 patches to support other operating systems are welcome. - -## Installation - -Clone this repo to your Puppet modules directory - - git clone git://github.com/ajjahn/puppet-samba.git samba - -or - - puppet module install ajjahn/samba - -## Usage - -Tweak and add the following to your site manifest: - - node 'server.example.com' { - class {'samba::server': - workgroup => 'example', - server_string => "Example Samba Server", - interfaces => "eth0 lo", - security => 'share' - } - - samba::server::share {'example-share': - comment => 'Example Share', - path => '/path/to/share', - guest_only => true, - guest_ok => true, - guest_account => "guest", - browsable => false, - create_mask => 0777, - force_create_mode => 0777, - directory_mask => 0777, - force_directory_mask => 0777, - force_group => 'group', - force_user => 'user', - copy => 'some-other-share', - } - } - -If you want join Samba server to Active Directory. Tested on Ubuntu 12.04. - - node 'server.example.com' { - class {'samba::server': - workgroup => 'example', - server_string => "Example Samba Server", - interfaces => "eth0 lo", - security => 'ads' - } - - samba::server::share {'ri-storage': - comment => 'RBTH User Storage', - path => "$smb_share", - browsable => true, - writable => true, - create_mask => 0770, - directory_mask => 0770, - } - - class { 'samba::server::ads': - winbind_acct => $::domain_admin, - winbind_pass => $::admin_password, - realm => 'EXAMPLE.COM', - nsswitch => true, - target_ou => "Nix_Mashine" - } - } - -Most configuration options are optional. - -## Contributing - -1. Fork it -2. Create your feature branch (`git checkout -b my-new-feature`) -3. Commit your changes (`git commit -am 'Added some feature'`) -4. Push to the branch (`git push origin my-new-feature`) -5. 
Create new Pull Request - -## License - -This module is released under the MIT license: - -* [http://www.opensource.org/licenses/MIT](http://www.opensource.org/licenses/MIT) - diff --git a/manifests/init.pp~ b/manifests/init.pp~ deleted file mode 100644 index 8a914a4..0000000 --- a/manifests/init.pp~ +++ /dev/null @@ -1,7 +0,0 @@ -class samba { - include samba::server - - if samba::server::security == 'ads' { - include samba::server::ads - } -} \ No newline at end of file diff --git a/manifests/server.pp~ b/manifests/server.pp~ deleted file mode 100644 index bc1e3d7..0000000 --- a/manifests/server.pp~ +++ /dev/null @@ -1,46 +0,0 @@ -class samba::server($interfaces = '', - $security = '', - $server_string = '', - $unix_password_sync = '', - $workgroup = '') { - - include samba::server::install - include samba::server::config - include samba::server::service - - $context = '/files/etc/samba/smb.conf' - $target = "target[. = 'global']" - - augeas { 'global-section': - context => $context, - changes => "set ${target} global", - require => Class['samba::server::config'], - notify => Class['samba::server::service'] - } - - - set_samba_option { - 'interfaces': value => $interfaces; - 'bind interfaces only': value => 'yes'; - 'security': value => $security; - 'server string': value => $server_string; - 'unix password sync': value => $unix_password_sync; - 'workgroup': value => $workgroup; - } -} - -define set_samba_option ( $value = '', $signal = 'samba::server::service' ) { - $context = $samba::server::context - $target = $samba::server::target - $changes = $value ? { - default => "set \"${target}/$name\" \"$value\"", - '' => "rm ${target}/$name", - } - - augeas { "samba-$name": - context => $context, - changes => $changes, - require => Augeas['global-section'], - notify => Class[$signal] - } -} diff --git a/manifests/server/config.pp~ b/manifests/server/config.pp~ deleted file mode 100644 index d51e432..0000000 --- a/manifests/server/config.pp~ +++ /dev/null 
@@ -1,19 +0,0 @@ -class samba::server::config { - - file { '/etc/samba': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0755', - } - - file { '/etc/samba/smb.conf': - ensure => present, - owner => 'root', - group => 'root', - mode => '0644', - require => [File['/etc/samba'], Class['samba::server::install']], - notify => Class['samba::server::service'] - } - -} diff --git a/manifests/server/install.pp~ b/manifests/server/install.pp~ deleted file mode 100644 index 1454bfe..0000000 --- a/manifests/server/install.pp~ +++ /dev/null @@ -1,5 +0,0 @@ -class samba::server::install { - package { 'samba': - ensure => installed - } -} \ No newline at end of file diff --git a/manifests/server/service.pp~ b/manifests/server/service.pp~ deleted file mode 100644 index 4bbe47f..0000000 --- a/manifests/server/service.pp~ +++ /dev/null @@ -1,27 +0,0 @@ -class samba::server::service ($ensure = running, $enable = true) { - case $::osfamily { - Redhat: { $service_name = 'smb' } - Debian: { $service_name = 'smbd' } - Gentoo: { $service_name = 'samba' } - - # Currently Gentoo has $::osfamily = "Linux". This should change in - # Factor 1.7.0 , so - # adding workaround. - Linux: { - case $::operatingsystem { - Gentoo: { $service_name = 'samba' } - default: { fail("$::operatingsystem is not supported by this module.") } - } - } - default: { fail("$::osfamily is not supported by this module.") } - } - - service { "$service_name" : - ensure => $ensure, - hasstatus => true, - hasrestart => true, - enable => $enable, - require => Class['samba::server::config'] - } - -} diff --git a/manifests/server/share.pp~ b/manifests/server/share.pp~ deleted file mode 100644 index b4eb02f..0000000 --- a/manifests/server/share.pp~ +++ /dev/null 
@@ -1,211 +0,0 @@ -define samba::server::share($ensure = present, - $browsable = '', - $comment = '', - $copy = '', - $create_mask = '', - $directory_mask = '', - $force_create_mask = '', - $force_directory_mask = '', - $force_group = '', - $force_user = '', - $guest_account = '', - $guest_ok = '', - $guest_only = '', - $path = '', - $read_only = '', - $public = '', - $writable = '', - $printable = '') { - - $context = $samba::server::context - $target = "target[. = '${name}']" - - augeas { "${name}-section": - context => $context, - changes => $ensure ? { - present => "set ${target} '${name}'", - default => "rm ${target} '${name}'", - }, - require => Class['samba::server::config'], - notify => Class['samba::server::service'] - } - - if $ensure == 'present' { - augeas { "${name}-browsable": - context => $context, - changes => $browsable ? { - true => "set ${target}/browsable yes", - false => "set ${target}/browsable no", - default => "rm ${target}/browsable", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-comment": - context => $context, - changes => $comment ? { - default => "set ${target}/comment '${comment}'", - '' => "rm ${target}/comment", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-copy": - context => $context, - changes => $copy ? { - default => "set ${target}/copy '${copy}'", - '' => "rm ${target}/copy", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-create_mask": - context => $context, - changes => $create_mask ? { - default => "set \"${target}/create mask\" '${create_mask}'", - '' => "rm \"${target}/create mask\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-directory_mask": - context => $context, - changes => $directory_mask ? 
{ - default => "set \"${target}/directory mask\" '${directory_mask}'", - '' => "rm \"${target}/directory mask\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-force_create_mask": - context => $context, - changes => $force_create_mask ? { - default => "set \"${target}/force create mask\" '${force_create_mask}'", - '' => "rm \"${target}/force create mask\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-force_directory_mask": - context => $context, - changes => $force_directory_mask ? { - default => "set \"${target}/force directory mask\" '${force_directory_mask}'", - '' => "rm \"${target}/force directory mask\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-force_group": - context => $context, - changes => $force_group ? { - default => "set \"${target}/force group\" '${force_group}'", - '' => "rm \"${target}/force group\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-force_user": - context => $context, - changes => $force_user ? { - default => "set \"${target}/force user\" '${force_user}'", - '' => "rm \"${target}/force user\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-guest_account": - context => $context, - changes => $guest_account ? { - default => "set \"${target}/guest account\" '${guest_account}'", - '' => "rm \"${target}/guest account\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-guest_ok": - context => $context, - changes => $guest_ok ? 
{ - true => "set \"${target}/guest ok\" yes", - false => "set \"${target}/guest ok\" no", - default => "rm \"${target}/guest ok\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-guest_only": - context => $context, - changes => $guest_only ? { - true => "set \"${target}/guest only\" yes", - false => "set \"${target}/guest only\" no", - default => "rm \"${target}/guest only\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-path": - context => $context, - changes => $path ? { - default => "set ${target}/path '${path}'", - '' => "rm ${target}/path", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-read_only": - context => $context, - changes => $read_only ? { - true => "set \"${target}/read only\" yes", - false => "set \"${target}/read only\" no", - default => "rm \"${target}/read_only\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-public": - context => $context, - changes => $public ? { - true => "set \"${target}/public\" yes", - false => "set \"${target}/public\" no", - default => "rm \"${target}/public\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-writable": - context => $context, - changes => $writable ? { - true => "set \"${target}/writable\" yes", - false => "set \"${target}/writable\" no", - default => "rm \"${target}/writable\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - - augeas { "${name}-printable": - context => $context, - changes => $printable ? 
{ - true => "set \"${target}/printable\" yes", - false => "set \"${target}/printable\" no", - default => "rm \"${target}/printable\"", - }, - require => Augeas["${name}-section"], - notify => Class['samba::server::service'] - } - } -} diff --git a/manifests/server/winbind.pp~ b/manifests/server/winbind.pp~ deleted file mode 100644 index 76136b9..0000000 --- a/manifests/server/winbind.pp~ +++ /dev/null @@ -1,16 +0,0 @@ -class samba::server::winbind ($ensure = running, $enable = true) { - $service_name = 'winbind' - - notify { 'winbind-service': - message => 'Check winbind service', - } - - service { $service_name: - ensure => $ensure, - hasstatus => true, - hasrestart => true, - enable => $enable, - require => Class['samba::server::config'] - } - -} From ee69a198b3fa5b7a70c657b3777edd6ab22b91cc Mon Sep 17 00:00:00 2001 From: Kurt Gardiner Date: Thu, 9 Jan 2014 16:15:40 +1100 Subject: [PATCH 3/3] Remove temp files --- templates/configure_active_directory.erb~ | 148 ---------------------- templates/verify_active_directory.erb~ | 107 ---------------- 2 files changed, 255 deletions(-) delete mode 100644 templates/configure_active_directory.erb~ delete mode 100644 templates/verify_active_directory.erb~ diff --git a/templates/configure_active_directory.erb~ b/templates/configure_active_directory.erb~ deleted file mode 100644 index c860c78..0000000 --- a/templates/configure_active_directory.erb~ +++ /dev/null 
@@ -1,148 +0,0 @@ -#!/bin/bash - -# This script can cause a host to join or leave -# the Windows Active Directory domain - -# variables -# -# specify a timeout for domain operations -seconds=300 -# -# post_join_delay seems to be necessary after joing domain -post_join_delay=30 -# - -PROG=$(basename $0) - -function usage () { - cat >&2 <<- EOF - Usage: $PROG -[hjl] - -h help - -j join the domain - -l leave the domain - Return code indicates success (0) or failure. - EOF -} - -# kinit and klist path depend on krb5 release -export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/kerberos/bin - -NET=$(which net) -if ! [ -x "$NET" ]; then - echo "ERROR: net command is missing or not executable." >&2 - exit 1 -fi - -EXPECT=$(which expect) -if ! [ -x "$EXPECT" ]; then - echo "ERROR: cannot run expect" >&2 - exit 1 -fi - -if [ $# -eq 0 ]; then - usage - exit 2 -fi - -while getopts "hjlq" option -do - case $option in - h ) usage; exit 0;; - j ) action="join";; - l ) action="leave";; - * ) usage; exit 2;; - esac -done - -password='<%= scope.lookupvar('samba::server::ads::winbind_pass') -%>' - -# short hostname from facter -my_hostname="<%= hostname -%>" - -# what account do we use for net ads commands? -winbind_acct="<%= scope.lookupvar('samba::server::ads::winbind_acct') -%>" - -# which realm will we be joining? -my_realm="<%= scope.lookupvar('samba::server::ads::realm') -%>" - -# where should we create computer accounts? -target_ou="<%= scope.lookupvar('samba::server::ads::target_ou') -%>" - -echo "Please do not kill me; I may be slow" >&2 - -#TODO, need write time check check_kdc_time -#if ! 
/bin/check_kdc_time; then -# echo "ERROR: time offset too large to manipulate domain" >&2 -# exit 1 -#else -# echo "INFO: time offset seems ok" >&2 -#fi - -if [ "$action" = "leave" ]; then - logger -st $PROG "Leaving AD domain" - $NET ads $action -U "${winbind_acct}%${password}" | grep Deleted && success=true || success=false - kdestroy - rm -f /etc/krb5.keytab - if [ $success = "true" ]; then - logger -st $PROG "Left AD domain" - else - logger -st $PROG "Failed to leave AD domain" - fi -fi - -ad_settle() { - ( - echo -n "Waiting $post_join_delay seconds" - for x in $(seq 1 $post_join_delay); do - echo -n "." - sleep 1 - done - echo - ) >&2 -} - -# ldapmodify _does_ use the env var for sasl bind -export KRB5CCNAME=$(umask 0077; mktemp -q winbind_cache.XXXXXXXX) - -if [ "$action" = "join" ]; then - if [ "${target_ou}" != "" ]; then - ou_parameter="createcomputer=\"${target_ou}\"" - else - ou_parameter="" - fi - - logger -st $PROG "Joining AD domain" >&2 - $NET ads $action -U "${winbind_acct}%${password}" ${ou_parameter} \ - | grep Joined && success=true || success=false - -if [ $success = "false" ]; then - echo ERROR: failed to join domain >&2 - exit 2 -fi - -max_attempts=5 -for attempt in $(seq 1 $max_attempts); do - echo "$attempt of $max_attempts:" - ad_settle - echo "Getting TGT for ${winbind_acct}@${my_realm}" >&2 - $EXPECT -c spawn -noecho kinit -c $KRB5CCNAME '${winbind_acct}@${my_realm}; - expect :; - send ${password}\n; - expect eof' - klist -c $KRB5CCNAME &> /dev/null && break -done - -if [ $(wbinfo -u|wc -l) != 0 ]; then - success=true -else - echo "ERROR: return user list from AD is empty" >&2 - success=false -fi - -# get rid of cred cache -kdestroy -c $KRB5CCNAME &> /dev/null -rm -f $KRB5CCNAME &> /dev/null || : - -fi - -[ "$success" = "true" ] && exit 0 || exit 1 diff --git a/templates/verify_active_directory.erb~ b/templates/verify_active_directory.erb~ deleted file mode 100644 index 5a2a506..0000000 
--- a/templates/verify_active_directory.erb~ +++ /dev/null 
@@ -1,107 +0,0 @@ -#!/bin/bash - -PROG=$(basename $0) -export EXPIRATION=90 - -# kinit and klist path depend on krb5 release -export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/kerberos/bin - -EXPECT=$(which expect) -if ! [ -x "$EXPECT" ]; then - echo "ERROR: cannot run expect" >&2 - exit 1 -fi - -#TODO -#if ! check_kdc_time; then -# { -# echo "====================================" -# echo "WARNING: time offset seems too large" -# echo "====================================" -# } >&2 -#fi - -password="<%= scope.lookupvar('samba::server::ads::winbind_pass') -%>" - -# short hostname from facter -my_hostname="<%= hostname -%>" - -winbind_acct="<%= scope.lookupvar('samba::server::ads::winbind_acct') -%>" - -default_realm=$(grep -i '^[[:space:]]*realm.*=' /etc/samba/smb.conf | sed 's/ //g' | sed 's/realm=//g') - -# if we're still here, let's try the testjoin -do_testjoin() { - echo "Running net ads testjoin with EXPIRATION=$EXPIRATION" >&2 - _cmd="net ads testjoin -P" - if [[ -n "$1" ]]; then - _cmd="${_cmd} $@" - fi - output=$(${_cmd} 2>&1) - grep -q 'Join is OK' <<< $output - _rc=$? - if [ ${_rc} -ne 0 ]; then - logger -st $PROG "Error: net ads testjoin -P failed: $output" - fi - return ${_rc} -} -do_testjoin -if [ $? -ne 0 ]; then - # get verbose failure info - do_testjoin -d3 -fi - - -# if we're still here, we need to: -# - get a TGT that enables us to query the attribute 'useraccountcontrol' -# - confirm that AD trusts us for GSSAPI delegation - -export KRB5CCNAME=$(umask 0077; mktemp -q winbind_cache.XXXXXXXX) - -get_tgt() { - ( - $EXPECT -c "spawn -noecho kinit -c $KRB5CCNAME ${winbind_acct}@${default_realm}; - expect :; - send ${password}\n; - expect eof" - ) &> /dev/null - klist -c $KRB5CCNAME &> /dev/null - return $? -} - -# try this several times. 
-max_attempts=5 -# assume non-zero for has_tgt -has_tgt=1 -for attempt in $(seq 1 $max_attempts); do - # If we just joined the domain, it takes a small amount of time - # for AD to sort things out amongst the DC's, and it - # depends in part on DNS performance. - if get_tgt; then - has_tgt=0 - break - fi - echo "." >&2 - sleep 3 -done - -success=true - -if [ $has_tgt -ne 0 ]; then - logger -st $PROG "ERROR: failed to get TGT from AD" - success=false -else - if [ $(wbinfo -u|wc -l) != 0 ]; then - success=true - else - echo "ERROR: return user list from AD is empty" >&2 - success=false - fi - - # get rid of cred cache - kdestroy -c $KRB5CCNAME &> /dev/null -fi - -[[ $success == "false" ]] && exit 1 - -exit 0