This is an ansible role that join Linux machine to Active directory domain using realm, sssd and samba-winbind.
This role is tested only on Ubuntu 20.04
- Support both
sssdandwinbindviarealm - Can restrict login policy
- Add sudoers
- ansible > 2.1
-
Ubuntu 20.04
- Internet connection (currently under proxy environment does not supported)
-
RHEL/Centos 7
- Internet connection (currently under proxy environment does not supported)
- NOTE: Centos 7 only tested with SSSD. if you want to use join with winbind, it may not work as expected
-
basic domain information
variable description join_methodjoin domain method (default: sssd, possible value:sssdorwinbind)domain_nameActive directory domain name domain_netbios_nameActive directory NetBIOS name (winbind only) domain_admin_userUser that can join to domain (default: Administrator) domain_admin_passwordDomain admin password -
misc
variable description domain_sudoerslist of group name that want to give sudo permission. if you don't want to give sudo permission, than leave as blank
(default: administrators, domain admins, enterprise admins)user_home_creationif enabled, home directory created when new user login (default: yes) set_default_domainif enabled, set domain as system default (default: yes) -
sssd configuration
-
login policy
the below configuration is stands for restrict login policy when using
sssd. if you don't want to restrict login policy, than setsssd_permit_deny_alltonoand leave blank othersvariable description sssd_permit_deny_alldisable login for all users and groups. this should be yes if want to restrict login with below allow list (default: yes) sssd_permit_allow_groupsallow login specific groups
(default: administrators, domain admins, enterprise admins)sssd_permit_allow_usersgive permission to login in specific user (default: blank) sssd_permit_block_groupsblock login specific groups (default: blank) sssd_permit_block_usersblock login specific users (default: blank) -
dynamic dns update
variable description sssd_dyndns_updateenable/disable dyndns option (default: yes) sssd_dyndns_refresh_intervaldyndns_refresh_inverval(default: 43200)sssd_dyndns_update_ptrdyndns_update_ptr(default: true)sssd_dyndns_ttldyndns_ttl(default: 3600)
-
-
winbind configuration
-
idmap
note that current implementation on winbind idmap is
tdbonly. no other methods are supported.variable description winbind_idmap_default_rangeidmap range
(default: 10000-999999)winbind_idmap_current_domain_rangedefault domain id map range
(default: 2000000-2999999) -
login policy
if you don't want to restrict login policy, than leave as blank
variable description winbind_permit_allow_sidssids that allow login
(default: BUILTIN\administrator)winbind_permit_allow_namesgroup name that allow login
(default: domain admins, enterprise admins)
-
| variable | description |
|---|---|
sudoers_path |
sudoers config directory location (default: /etc/sudoers.d) |
sssd_config_path |
sssd config location (default: /etc/sssd/sssd.config) |
samba_config_path |
samba config location (default: /etc/samba/smb.conf) |
template_sudoers_sssd |
sudoers template for sssd (default: sudoers.sssd.j2) |
template_sudoers_winbind |
sudoers template for winbind (default: sudoers.winbind.j2) |
-
minimum setup (sssd)
The minimum setup for sssd. after join domain, you can login with following groups
- administrator
- domain admins
- enterprise admins
- hosts: servers roles: - lazyrichard.linux_join_ad_domain vars: join_method: sssd domain_name: contoso.com domain_admin_user: domain_admin domain_admin_password: really-strong-password
-
minimum setup (winbind)
The minimum setup for winbind. after join domain, you can login with following groups
- administrator
- domain admins
- enterprise admins
- hosts: servers roles: - lazyrichard.linux_join_ad_domain vars: join_method: winbind domain_name: contoso.com domain_netbios_name: CONTOSO domain_admin_user: domain_admin domain_admin_password: really-strong-password
BSD