From 5309521c18fdf61df52e53ebbd82d1d27c58adf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Fri, 14 Jun 2013 12:25:45 +0300 Subject: [PATCH] samba: Refactored samba module to use templates. --- .../files/{sync-netlogon.sh => sync-netlogon} | 8 +- samba/manifests/init.pp | 462 +++++++++++++----- samba/templates/domain.conf-bdc.erb | 11 + samba/templates/domain.conf-pdc.erb | 12 + samba/templates/share.conf.erb | 13 + samba/templates/smb.conf.erb | 47 ++ 6 files changed, 430 insertions(+), 123 deletions(-) rename samba/files/{sync-netlogon.sh => sync-netlogon} (92%) create mode 100644 samba/templates/domain.conf-bdc.erb create mode 100644 samba/templates/domain.conf-pdc.erb create mode 100644 samba/templates/share.conf.erb create mode 100644 samba/templates/smb.conf.erb diff --git a/samba/files/sync-netlogon.sh b/samba/files/sync-netlogon similarity index 92% rename from samba/files/sync-netlogon.sh rename to samba/files/sync-netlogon index f3c0327..8c5c104 100755 --- a/samba/files/sync-netlogon.sh +++ b/samba/files/sync-netlogon @@ -13,7 +13,7 @@ WINSSERVER=`echo '' | testparm -v --section-name global 2> /dev/null | \ if [ "${WINSSERVER}" = "" ]; then NMBLOOKUP="nmblookup" else - NMBLOOKUP="nmblookup -r ${WINSSERVER}" + NMBLOOKUP="nmblookup -R -U ${WINSSERVER}" fi PDC=`${NMBLOOKUP} "${WORKGROUP}#1B" | \ sed -n "s/^\([0-9\.]*\) ${WORKGROUP}<1b>/\1/p" | head -1` @@ -62,6 +62,10 @@ if [ $? -ne 0 ]; then echo "Error in netlogon sync, rsync failed" exit 1 fi -chcon -Rh -u system_u -t samba_share_t ${TARGETDIR}/ +which restorecon > /dev/null 2>&1 +if [ $# -eq 0 ]; then + restorecon -r ${TARGETDIR} +fi rm -rf ${TMPDIR} + diff --git a/samba/manifests/init.pp b/samba/manifests/init.pp index e1b42df..ab1b7b3 100644 --- a/samba/manifests/init.pp +++ b/samba/manifests/init.pp 
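Review bot: With `WINSSERVER` empty the new `nmblookup -R -U` branch is not taken and the `${WORKGROUP}#1B` query on the following lines still goes out as a broadcast, so whichever host on the segment answers for `<1b>` becomes the `${PDC}` that the script later rsyncs the netlogon share from; the patch changes only the WINS flags and leaves that unauthenticated source selection as it was. Because the synced files end up behind `logon script` on clients, consider accepting an explicit PDC address (e.g. a variable set by the manifest that already manages lmhosts) and using the lookup only as a fallback, and echo the resolved `${PDC}` so an unexpected answer is visible in the cron output. The rsync invocation itself is outside this hunk, so I cannot tell whether any transport-level pinning of the source host is already in place.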
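Review bot: The result of `which restorecon > /dev/null 2>&1` is never examined: the next line tests `$#`, the script's argument count, not `$?`, so `restorecon` runs (and fails) on hosts that lack it and is skipped whenever the script is invoked with an argument. The intended guard is `if command -v restorecon > /dev/null 2>&1; then` / `restorecon -r "${TARGETDIR}"` / `fi`, which also quotes the target. Unlike the removed `chcon -t samba_share_t`, `restorecon` only relabels when a matching file-context rule exists; this patch adds one for `/srv/netlogon` through `selinux::manage_fcontext` in init.pp, so the script now silently depends on that resource having been applied and on `TARGETDIR` being that path, which deserves a comment next to the call.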
@@ -1,169 +1,389 @@ -# Install samba server. + +# Install Samba client tools # -class samba::server { +class samba::client { + + package { "samba-client": + ensure => installed, + } + +} + + +# Add included samba configuration files +# +# This class is used internally by samba to override various configs. +# +class samba::server::configs { + + file { "/etc/samba/smb.conf.d/print.conf": + ensure => present, + content => "load printers = no\nprintcap name = /dev/null\n", + mode => "0644", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, + require => File["/etc/samba/smb.conf.d"], + notify => Service["smb"], + } + + file { "/etc/samba/smb.conf.d/domain.conf": + ensure => present, + content => "os level = 20\n", + mode => "0644", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, + require => File["/etc/samba/smb.conf.d"], + notify => Service["smb"], + } + + file { "/etc/samba/smb.conf.d/wins.conf": + ensure => present, + content => $samba_wins ? { + "" => "name resolve order = lmhosts host bcast\n", + default => "name resolve order = lmhosts host wins bcast\nwins server=${samba_wins}\n", + }, + mode => "0644", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, + require => File["/etc/samba/smb.conf.d"], + notify => Service["smb"], + } + +} + + +# Install Samba server +# +# === Parameters +# +# $auth: +# Server authentication type. Valid values are tdbsam, ldap and +# domain. Default is tdbsam. +# $description: +# Server description. Defaults to "Samba Server Version %v". +# $interfaces: +# Array of intefaces samba should listen to. See "interfaces" option +# from smb.conf manual page for syntax. Localhost interface is +# added automatically. Defaults to all active interfaces. +# $names: +# Array of NetBIOS names that host will be advertised. Defaults to +# [$::hostname]. 
+# $workgroup: +# Workgroup or domain name. +# +# === Global variables +# +# $samba_wins: +# WINS server address +# +# $ldap_server: +# LDAP server URI's to use. Only used when $auth is set to ldap. +# $ldap_basedn: +# LDAP basedn. Only used when $auth is set to ldap. +# +# $samba_join_user: +# Username to use when joining to domain. Only used when $auth is +# set to domain. +# $samba_join_pass: +# Password to use when joining to domain. Only used when $auth is +# set to domain. +# +class samba::server($names=[$::hostname], $auth="tdbsam", + $workgroup="WORKGROUP", + $description="Samba Server Version %v", + $interfaces=undef) { + + include samba::server::configs package { "samba": ensure => installed, } - case $::operatingsystem { - "openbsd": { - service { "nmbd": - ensure => running, - enable => true, - binary => "/usr/local/libexec/nmbd", - start => "/usr/local/libexec/nmbd -D", - require => File["/etc/samba/smb.conf"], - subscribe => File["/etc/samba/smb.conf"], - } - service { "smbd": - ensure => running, - enable => true, - binary => "/usr/local/libexec/smbd", - start => "/usr/local/libexec/smbd -D", - require => File["/etc/samba/smb.conf"], - subscribe => File["/etc/samba/smb.conf"], - } - } - "centos","redhat": { - case $::operatingsystemrelease { - /^[1-5]\./: { - service { "smb": - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - require => File["/etc/samba/smb.conf"], - subscribe => File["/etc/samba/smb.conf"], - } - } - default: { - service { [ "smb", "nmb" ]: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - require => File["/etc/samba/smb.conf"], - subscribe => File["/etc/samba/smb.conf"], - } - } - } - } - "fedora": { - service { [ "smb", "nmb" ]: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - require => File["/etc/samba/smb.conf"], - subscribe => File["/etc/samba/smb.conf"], - } - } - "ubuntu": { - service { [ "smbd", "nmbd" ]: - ensure => 
running, - enable => true, - hasstatus => true, - hasrestart => true, - require => File["/etc/samba/smb.conf"], - subscribe => File["/etc/samba/smb.conf"], - } - } - default: { - fail("samba::server not supported in '${::operatingsystem}'") - } - } - file { "/etc/samba/smb.conf": ensure => present, - source => [ "puppet:///files/samba/smb.conf.${fqdn}", - "puppet:///files/samba/smb.conf", ], + content => template("samba/smb.conf.erb"), mode => "0644", owner => "root", group => $::operatingsystem ? { - openbsd => "wheel", - default => "root", + "openbsd" => "wheel", + default => "root", }, require => Package["samba"], + notify => Service["smb"], + } + + file { "/etc/samba/smb.conf.d": + ensure => directory, + mode => "0755", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, + purge => true, + require => Package["samba"], + } + + exec { "generate-samba-shares-conf": + command => "find /etc/samba/smb.conf.d/share-*.conf -exec echo 'include = {}' \; > /etc/samba/smb.conf.d/shares.conf", + path => "/bin:/usr/bin:/sbin:/usr/sbin", + refreshonly => true, + notify => Service["smb"], + } + file { "/etc/samba/smb.conf.d/shares.conf": + ensure => present, + mode => "0644", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, } file { "/etc/samba/lmhosts": - ensure => present, - source => [ "puppet:///files/samba/lmhosts.${fqdn}", + ensure => present, + source => [ "puppet:///files/samba/lmhosts.${fqdn}", "puppet:///files/samba/lmhosts", "puppet:///modules/samba/lmhosts", ], mode => "0644", owner => "root", group => $::operatingsystem ? 
{ - openbsd => "wheel", - default => "root", + "openbsd" => "wheel", + default => "root", }, require => Package["samba"], } + case $auth { + "ldap": { + exec { "smbpasswd -w": + command => "smbpasswd -w \"\${SECRET}\"", + environment => "SECRET=${samba_ldap_pass}", + path => "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin", + unless => "fgrep SECRETS/LDAP_BIND_PW /var/lib/samba/private/secrets.tdb", + require => File["/etc/samba/smb.conf"], + notify => Service["smb"], + } + } + "domain": { + exec { "net join": + command => "net join -U ${samba_join_user}%\"\${SECRET}\"", + environment => "SECRET=${samba_join_pass}", + path => "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin", + unless => "net rpc testjoin -U ${samba_join_user}%\"\${SECRET}\"", + require => Service["smb"], + } + } + } + + service { "smb": + name => $::operatingsystem ? { + "openbsd" => "smbd", + "ubuntu" => "smbd", + default => "smb", + }, + ensure => running, + enable => true, + } + service { "nmb": + name => $::operatingsystem ? { + "openbsd" => "nmbd", + "ubuntu" => "nmbd", + default => "nmb", + }, + ensure => running, + enable => true, + subscribe => Service["smb"], + } + } -# Install support scripts for Backup Domain Controller +# Add WINS server role to Samba server # -class samba::bdc { +class samba::server::wins inherits samba::server::configs { - include samba::server + File["/etc/samba/smb.conf.d/wins.conf"] { + content => "name resolve order = lmhosts host wins bcast\nwins support = true\ndns proxy = true\n", + } - file { "/etc/cron.hourly/sync-netlogon.sh": +} + + +# Add Primary Domain Controller role to Samba server +# +class samba::server::pdc inherits samba::server::configs { + + file { "/srv/netlogon": + ensure => directory, + mode => "0755", + owner => "root", + group => $::operatingsystem ? 
{ + "openbsd" => "wheel", + default => "root", + }, + seltype => "samba_share_t", + before => Service["smb"], + } + selinux::manage_fcontext { "/srv/netlogon(/.*)?": + type => "samba_share_t", + before => File["/srv/netlogon"], + } + + samba::server::share { "netlogon": + path => "/srv/netlogon", + comment => "Network Logon Service", + readonly => true, + options => [ "locking = no", "guest ok = yes", ], + } + + File["/etc/samba/smb.conf.d/domain.conf"] { + content => template("samba/domain.conf-pdc.erb"), + } + +} + + +# Add Backup Domain Controller role to Samba server +# +class samba::server::bdc inherits samba::server::pdc { + + require samba::client + + file { "/usr/local/sbin/sync-netlogon": ensure => present, - source => "puppet:///modules/samba/sync-netlogon.sh", + source => "puppet:///modules/samba/sync-netlogon", mode => "0755", owner => "root", group => "root", } + cron { "sync-netlogon": + command => "/usr/local/sbin/sync-netlogon", + minute => "52", + user => "root", + require => File["/usr/local/sbin/sync-netlogon"], + } -} - - -# Join samba server into domain. -# -# === Global variables -# -# $samba_join_user: -# Username to use when joining domain. -# -# $samba_join_pass: -# Password to use when joining domain. -# -class samba::domainmember { - - include samba::server - - exec { "net join": - command => "net join -U ${samba_join_user}%\"\${SECRET}\"", - environment => "SECRET=${samba_join_pass}", - path => "/bin:/usr/bin:/sbin:/usr/sbin", - unless => "net rpc testjoin -U ${samba_join_user}%\"\${SECRET}\"", - require => Service["smb"], + File["/etc/samba/smb.conf.d/domain.conf"] { + content => template("samba/domain.conf-bdc.erb"), } } -# Set LDAP auth password to samba. +# Add Home directory server role to Samba server # -# === Global variables -# -# $samba_ldap_pass: -# Password to set in samba secrets. 
-# -class samba::ldap { +class samba::server::homes { - include samba::server + if !defined(Selinux::Boolean["samba_enable_home_dirs"]) { + selinux::boolean { "samba_enable_home_dirs": + value => "on", + before => Service["smb"], + } + } - exec { "smbpasswd -w": - command => "smbpasswd -w \"\${SECRET}\"", - environment => "SECRET=${samba_ldap_pass}", - path => "/bin:/usr/bin:/sbin:/usr/sbin", - unless => "tdbtool /etc/samba/secrets.tdb keys | fgrep 'SECRETS/LDAP_BIND_PW/'", - require => File["/etc/samba/smb.conf"], - notify => Service["smb"], + samba::server::share { "homes": + path => "%H", + comment => "Home Directories", + options => [ "veto files = /.windows/", "browseable = no", ], } } + + +# Add Profile server role to Samba server +# +class samba::server::profiles { + + if !defined(Selinux::Boolean["samba_enable_home_dirs"]) { + selinux::boolean { "samba_enable_home_dirs": + value => "on", + before => Service["smb"], + } + } + + selinux::boolean { "samba_create_home_dirs": + value => on, + before => Service["smb"], + } + + file { "/srv/profiles": + ensure => directory, + mode => "0755", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, + seltype => "samba_share_t", + before => Service["smb"], + } + selinux::manage_fcontext { "/srv/profiles(/.*)?": + type => "samba_share_t", + before => File["/srv/profiles"], + } + + samba::server::share { "profiles": + path => "/srv/profiles", + comment => "Roaming Profiles", + options => [ + "wide links = yes", + "profile acls = yes", + "root preexec = sh -c 'umask 022 ; ( [ -h /srv/profiles/%U ] || ln -s %H/.windows/profile /srv/profiles/%U ) ; ( [ -h /srv/profiles/%U.V2 ] || ln -s %H/.windows/vista /srv/profiles/%U.V2 )'", + "preexec = sh -c 'umask 077; mkdir -p %H/.windows/profile %H/.windows/vista'", + ], + } + +} + + +# Add new share to Samba server +# +# === Parameters +# +# $name: +# Share name +# $path: +# Directory to share +# $comment: +# Share description. 
Defaults to $name. +# $readonly: +# Set to true to make share read only. +# $options: +# Array of extra options to add for share. +# +# === Sample usage +# +# samba::server::share { "r-sysadm": +# comment => "Role: sysadm", +# path => "/roles/sysadm", +# options => [ "hide files = /desktop.ini/Desktop.ini/" ], +# } +# +define samba::server::share($path, $comment=undef, $readonly=undef, + $options=[]) { + + file { "/etc/samba/smb.conf.d/share-${name}.conf": + ensure => present, + content => template("samba/share.conf.erb"), + mode => "0644", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, + require => File["/etc/samba/smb.conf.d"], + notify => Exec["generate-samba-shares-conf"] + } + +} + diff --git a/samba/templates/domain.conf-bdc.erb b/samba/templates/domain.conf-bdc.erb new file mode 100644 index 0000000..ebca096 --- /dev/null +++ b/samba/templates/domain.conf-bdc.erb @@ -0,0 +1,11 @@ + +os level = 130 + +domain master = no +domain logons = yes +time server = yes + +logon script = logon.bat +logon drive = p: +logon path = \\%L\profiles\%U +logon home = \\%L\%U diff --git a/samba/templates/domain.conf-pdc.erb b/samba/templates/domain.conf-pdc.erb new file mode 100644 index 0000000..4ad801b --- /dev/null +++ b/samba/templates/domain.conf-pdc.erb @@ -0,0 +1,12 @@ + +os level = 140 + +domain master = yes +preferred master = yes +domain logons = yes +time server = yes + +logon script = logon.bat +logon drive = p: +logon path = \\%L\profiles\%U +logon home = \\%L\%U diff --git a/samba/templates/share.conf.erb b/samba/templates/share.conf.erb new file mode 100644 index 0000000..86b9df9 --- /dev/null +++ b/samba/templates/share.conf.erb 
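Review bot: In `samba::server` both `exec` resources still expose the secret in the process table: `environment => "SECRET=..."` keeps the password out of Puppet's command string, but the shell expands `\"\${SECRET}\"` before `net`/`smbpasswd` start, so `net join -U user%<password>` and `smbpasswd -w <password>` are visible in `ps` for their lifetime (the `unless` commands likewise). For `net`, pass the password through the `PASSWD` environment variable that Samba's command-line tools honor: `command => "net join -U ${samba_join_user}",` / `environment => "PASSWD=${samba_join_pass}",` with the same change to `unless`; `smbpasswd -w` has no equivalent I know of, so that exec deserves a comment recording the exposure. Separately, `file { "/etc/samba/smb.conf.d": purge => true }` has no effect without `recurse => true`, so a `share-*.conf` left behind by a removed `samba::server::share` keeps being collected by `generate-samba-shares-conf` and stays exported. The `unless => "fgrep SECRETS/LDAP_BIND_PW /var/lib/samba/private/secrets.tdb"` check hard-codes a path that differs across the systems this class branches on (`openbsd`, `ubuntu`, Red Hat family); where it does not match, the `smbpasswd -w` exec and its `Service["smb"]` restart fire on every agent run.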
@@ -0,0 +1,13 @@ +[<%= @name %>] + comment = <% if @comment %><%= @comment %><% else %><%= @name %><% end %> + path = <%= @path %> + inherit permissions = yes + invalid users = root +<% if @readonly -%> + read only = yes +<% else -%> + read only = no +<% end -%> +<% @options.each do |option| -%> + <%= option %> +<% end -%> diff --git a/samba/templates/smb.conf.erb b/samba/templates/smb.conf.erb new file mode 100644 index 0000000..c6cfba3 --- /dev/null +++ b/samba/templates/smb.conf.erb @@ -0,0 +1,47 @@ + +[global] + +# host naming +workgroup = <%= @workgroup %> +server string = <%= @description %> +netbios name = <%= @names[0] %> +<% if @names.length > 1 -%> +netbios aliases = <%= @names.drop(1).join(' ') %> +<% end -%> + +<% if @interfaces -%> +interfaces = lo <%= @interfaces.join(' ') %> +bind interfaces only = true + +<% end -%> +# authentication +<% if @auth == 'tdbsam' -%> +security = user +passdb backend = tdbsam +<% elsif @auth == 'ldap' -%> +security = user +passdb backend = ldapsam:"<%= @ldap_server.join(' ') -%>" +ldap passwd sync = Only +ldap admin dn = "uid=smbadmin,ou=System,<%= @ldap_basedn %> +ldap ssl = no +ldap suffix = <%= @ldap_basedn %> +<% elsif @auth == 'domain' -%> +security = domain +password server = * +<% else -%> +<% scope.function_fail(['Invalid value "%s" for auth.' % @auth]) -%> +<% end -%> + +# log per machine and rotate after 128MB +log file = /var/log/samba/%m.log +max log size = 131072 + +unix charset = iso-8859-1 +unix extensions = no +wide links = no + +include = /etc/samba/smb.conf.d/domain.conf +include = /etc/samba/smb.conf.d/print.conf +include = /etc/samba/smb.conf.d/wins.conf + +include = /etc/samba/smb.conf.d/shares.conf
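Review bot: `<% if @readonly -%>` treats any non-nil value as true, so a caller passing the string `"false"` (a common shape for stringified Puppet 2/3 parameters) gets `read only = yes`, while a define documented as taking `true` silently accepts anything; compare explicitly with `<% if @readonly.to_s == 'true' -%>` or validate the parameter in the define. A short comment at the top of the template saying that `invalid users = root` and `inherit permissions = yes` are applied to every share, and that `$options` is rendered last so it can override them, would save the next reader a trip to the define.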
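Review bot: The `ldap admin dn` line is missing its closing quote: `ldap admin dn = "uid=smbadmin,ou=System,<%= @ldap_basedn %>` should read `ldap admin dn = "uid=smbadmin,ou=System,<%= @ldap_basedn %>"`, otherwise the rendered value is unbalanced and may be read with a stray leading `"`. In the same `ldap` branch `ldap ssl = no` is emitted unconditionally, so the bind password stored by `smbpasswd -w` travels in the clear unless every entry in `$ldap_server` is an `ldaps://` URI; a comment stating that assumption, or `ldap ssl = start tls` when plain `ldap://` URIs are expected, would make the requirement explicit. `@ldap_server.join(' ')` also assumes the global is an array; `Array(@ldap_server).join(' ')` accepts a single URI string as well.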