This commit is contained in:
vincent 2021-07-10 21:13:53 +02:00
parent 812643507e
commit 1c0e2b003f
13 changed files with 35 additions and 750 deletions

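--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,19 @@
+---
+kind: pipeline
+type: docker
+name: lint
+steps:
+- name: ansible linting
+  image: cytopia/ansible-lint
+  commands:
+  - ansible-lint tasks/main.yml
+- name: markdown linting
+  image: 06kellyjac/markdownlint-cli
+  commands:
+  - markdownlint .
+  when:
+    status:
+    - success
+    - failure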
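Review bot: Both step images are referenced by bare name (`image: cytopia/ansible-lint` and `image: 06kellyjac/markdownlint-cli`), so each run pulls whatever `latest` currently resolves to from two third-party Docker Hub namespaces, which makes the toolchain unreproducible and lets a retagged or compromised upstream image run arbitrary code against the checked-out repository. Pin each image to an explicit version tag plus a content digest, e.g. `image: cytopia/ansible-lint:<tag>@sha256:<digest>`, and bump it deliberately. Separately, the new pipeline only lints `tasks/main.yml` and the markdown; nothing exercises the role against a real Samba install, so the share access-control behaviour the deleted BATS suite checked (other users unable to read the private share, guest read limited to guestshare) is no longer verified anywhere in CI. If dropping functional tests is intentional, a comment at the top of the pipeline saying so would help the next maintainer; otherwise a `molecule test` step should be reintroduced alongside the lint steps.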

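--- /dev/null
+++ b/.markdownlint.yaml
@@ -0,0 +1,9 @@
+---
+# Default state for all rules
+default: true
+MD009:
+  strict: false
+MD013: false
+MD033: false
+MD024: false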


@ -1,43 +0,0 @@
---
language: python
# Use the new container infrastructure
sudo: required
env:
global:
- ROLE_NAME: samba
matrix:
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: debian9
- MOLECULE_DISTRO: fedora29
- MOLECULE_DISTRO: ubuntu1804
#Enable docker support
services:
- docker
install:
- sudo apt-get update
- sudo apt-get install bats curl smbclient samba-testsuite
# Install dependencies for Molecule test
- python3 -m pip install molecule yamllint ansible-lint docker
# Check ansible, molecule and nmblookup version
- ansible --version
- molecule --version
- nmblookup --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
before_script:
#Renames ansible-role-bind to bertvv.bind to make it match with Ansible Galaxy
- cd ../
- mv ansible-role-$ROLE_NAME bertvv.$ROLE_NAME
- cd bertvv.$ROLE_NAME
script:
#Run molecule test
- molecule test
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -1,33 +1,11 @@
--- ---
# Based on ansible-lint config
extends: default extends: default
rules: rules:
braces: # 80 chars should be enough, but don't fail if a line is longer
max-spaces-inside: 1 line-length:
level: error max: 80
brackets: level: warning
max-spaces-inside: 1 allow-non-breakable-words: true
level: error comments:
colons: min-spaces-from-content: 1
max-spaces-after: -1
level: error
commas:
max-spaces-after: -1
level: error
comments: disable
comments-indentation: disable
document-start: disable
empty-lines:
max: 3
level: error
hyphens:
level: error
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines:
type: unix
trailing-spaces: disable
truthy: disable


@ -1,179 +0,0 @@
# Change log
This file contains al notable changes to the bertvv.samba Ansible role.
This file adheres to the guidelines of [http://keepachangelog.com/](http://keepachangelog.com/). Versioning follows [Semantic Versioning](http://semver.org/). "GH-X" refers to the X'th issue or pull request on the Github project.
## 2.7.1 - 2019-06-22
## Changed
- (GH-39) Have include_options use absolute paths (credit: [Bengt Giger](https://github.com/BenGig))
- (GH-41) Change default of "map to guest" to "never"
- (GH-42) Only apply mitigation of vulnerability CVE-2017-7494 to vulnerable Samba versions
- Fix deprecation warnings for Ansible 2.8.x
- Removed with_items loop from package tasks
## 2.7.0 - 2018-10-04
## Added
- (GH-36) Control the Samba log level (credit: [Karl Goetz](https://github.com/goetzk))
- (GH-35) Load arbitrary config files in every section (credit: [Karl Goetz](https://github.com/goetzk))
- (GH-34) Control if shares are browseable or not (credit: [Karl Goetz](https://github.com/goetzk))
- (GH-33) Support for enabling Apple SMB extensions (credit: [Karl Goetz](https://github.com/goetzk))
## 2.6.0 - 2018-08-16
### Added
- (GH-28) Enable a cups server to be used (credit: [Thiago Gomes Verissimo](https://github.com/thiagogomesverissimo))
### Changed
- (GH-30, GH-31) Improve handling of link to www_documentroot (credit: [Karl Goetz](https://github.com/goetzk))
- Update supported versions of Fedora to 27 and 28. Fedora 25 and 26 are EOL. This role will probably still work (for a while) on these platforms, but we do no effort to test them.
- (GH-29) Don't print passwords out to the log (credit: [George Hartzell](https://github.com/hartzell))
## 2.5.1 - 2018-05-20
### Added
- (GH-21) Add config flag to disable CVE-2017-7494 mitigation (credit: [Tiemo Kieft](https://github.com/blubber))
- (GH-23) Added username map configuration (credit: [Tomohiko Ozawa](https://github.com/kota65535))
- (GH-24) Add samba_server_max_protocol parameter (credit: [Jonathan Underwood](https://github.com/jonathanunderwood))
- (GH-25) Add Fedora 26 and 27 support explicitly in meta (credit: [Jonathan Underwood](https://github.com/jonathanunderwood))
- (GH-26) Name the include_vars task (credit: [Tobias Wolter](https://github.com/towo))
## 2.5.0 - 2017-11-21
## Added
- (GH-20) Added variable `ansible_realm`, which adds support for Realmd. This variable is only needed when the host is joined to an already existing domain by using realmd, and you want to configure this member server as a Samba file server. (credit: [Sven Eeckeman](https://github.com/SvenEeckeman))
## 2.4.0 - 2017-09-15
### Changed
- (GH-19) Made WINS support configurable (credit: [Ben Tomasik](https://github.com/tomislacker))
## 2.3.1 - 2017-05-29
### Changed
- Fix for remote code execution vulnerability CVE-2017-7494: <https://access.redhat.com/security/cve/cve-2017-7494>
## 2.3.0 - 2017-05-10
### Changed
- Fix service names for Ubuntu/Debian
- Start services in a single task
- Fix issue with NetBIOS name resolution not working on Ubuntu and Debian
- Updated list of supported platforms
- Added Fedora 25
- Removed Ubuntu 14.04 (the name of the `samba` service was changed to `smbd` in more recent versions, supporting both would become cumbersome)
- Removed older versions of EL. The role should still be working on EL6, but the test environment doesn't work.
### Added
- (GH-16) Added global option `guest_account`, share options `writable` and `guest_ok` (credit: [morbidick](https://github.com/morbidick))
- (GH-17) Added support for vfs options (credit: [Slavek Jurkowski](https://github.com/slavekjurkowski2))
## 2.2.2 - 2017-01-20
### Changed
- (GH-13) Updated documentation, added `setype:`
- (GH-14) Fixed an issue with creating users (credit: [Sven Eeckeman](https://github.com/SvenEeckeman))
- (GH-15) Fixed the check for SELinux status (credit: [Tomohiko Ozawa](https://github.com/kota65535))
## 2.2.1 - 2016-10-29
### Added
- (GH-12) Add the ability to set owner to the path (credit: [Paul Montero](https://github.com/lpaulmp))
### Changes
- Added tags to all tasks
## 2.2.0 - 2016-07-29
### Added
- (GH-11) Introduced variable `samba_interfaces` (credit: [Jonas Heinrich](https://github.com/onny))
- (GH-11) Added support for Arch Linux (credit: [Jonas Heinrich](https://github.com/onny))
## 2.1.1 - 2016-05-29
This is a bugfix release.
### Changed
- (GH-6) Made creation of Samba users idempotent. The task "Create Samba users [...]" will now only indicate it has changed when it actually created a user.
- (GH-9) Fixed forgotten `when: samba_create_varwww_symlinks` (credit: [DarkStar1973](https://github.com/DarkStar1973))
## 2.1.0 - 2016-05-12
### Added
- (GH-7) Support for Debian/Ubuntu (credit: [Ian Young](https://github.com/iangreenleaf)) and Fedora.
- Vagrant test environment for all supported platforms
### Changed
- Moved test code to a separate branch
- (GH-8) Fixed deprecation warnings in Ansible 2.0 (partial credit: [Ian Young](https://github.com/iangreenleaf))
- Use the generic `package:` module introduced in Ansible 2.0.
### Removed
- The `version:` field in `meta/main.yml` was removed because it is no longer accepted in Ansible 2.0. Unfortunately, this change breaks compatibility with `librarian-ansible`. For more info on this issue, see [ansible/ansible#](https://github.com/ansible/ansible/issues/13496).
## 2.0.2 - 2015-12-01
### Changed
- The directory `samba_shares_root` is now created befor creating the directories of the shares, with sane permissions set. This fixes GH-3. Contributed by @birgitcroux.
### Removed
- The role variables `create_mask` and `create_directory_mask` were removed. Samba settings `create mask` and `create directory mask` are synonyms for `create mode` and `create directory mode`, respectively. The former name is misleading, because it suggests they work like the Linux command `umask`.
## 2.0.1 - 2015-11-05
### Changed
- (GH-1) The variable type of `samba_create_varwww_symlinks` is now boolean instead of string
- The variable `samba_netbios_name` is no longer required and defaults to `ansible_hostname`.
## 2.0.0 - 2015-11-05
Bugfix release with changes that are not backwards compatible
### Changed
- (GH-1) The variable type of `samba_load_*` is now boolean instead of string, which makes more sense. However, this change is **not backwards compatible**.
- (GH-2) Restart WinBind when changing the configuration
- Updated the base box for the test environment to CentOS 7.1 ([bertvv/centos71](https://atlas.hashicorp.com/bertvv/boxes/centos71/))
- Cleaned up indentation and spaces in the configuration file template
### Removed
- The firewall configuration is no longer set by this role. This also removes the dependency on firewalld.
## 1.0.0 - 2015-03-14
First release
### Added
- Installation
- Create directories
- SELinux settings
- Configuration template with a.o. configurable print sharing, home directories, user access control
- Set user passwords


@ -1,28 +0,0 @@
---
galaxy_info:
author: Bert Van Vreckem
description: This role installs and configures Samba as a file server.
license: BSD
min_ansible_version: 2.8
platforms:
- name: EL
versions:
- 7
- name: Fedora
versions:
- 28
- name: Ubuntu
versions:
- xenial
- bionic
- name: Debian
versions:
- jessie
- stretch
- name: ArchLinux
versions:
- all
galaxy_tags:
- system
- networking
dependencies: []


@ -1,93 +0,0 @@
---
- name: Converge
hosts: all
pre_tasks:
- name: Ensure package database is up-to-date
apt:
update-cache: true
failed_when: false
changed_when: false
when: ansible_os_family == 'Debian'
- name: Create users
user:
name: "{{ item }}"
groups: users
append: true
with_items:
- usr1
- usr2
- timemachine
vars:
samba_netbios_name: SAMBA_TEST
samba_server_string: 'Welcome to the test file server'
samba_workgroup: TESTGROUP
samba_global_include: global-include.conf
samba_load_homes: true
samba_load_printers: false
samba_create_varwww_symlinks: true
samba_log: /var/log/samba.log
samba_log_size: 60000
samba_log_level: '3 passdb:5 auth:10 winbind:2 '
# The smbclient version of the Travis CI environment crashes when `min
# protocol' is set:
# protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
# Uncomment the following lines if you want to test this setting locally.
#
# samba_server_min_protocol: SMB2
# samba_server_max_protocol: SMB3
samba_map_to_guest: Never
samba_users:
- name: usr1
password: usr1
- name: usr2
password: usr2
- name: timemachine
password: timemachine
samba_username_map:
- from: 'User Two'
to: usr2
samba_shares_root: /srv/samba
samba_shares:
- name: restrictedshare
- name: privateshare
comment: 'Only readable/writeable by usr1'
valid_users: usr1
write_list: usr1
group: usr1
browseable: 'no'
- name: protectedshare
public: 'yes'
comment: 'Public, but only writeable by usr2'
write_list: usr2
group: users
browseable: 'yes'
include_file: protectedshare-include.conf
- name: publicshare
comment: 'Public share, writeable by all members of group users'
public: 'yes'
write_list: +users
group: users
setype: public_content_t
browseable: 'yes'
- name: guestshare
comment: 'Share accessible for guests'
guest_ok: 'yes'
writable: 'yes'
browseable: 'yes'
- name: TimeMachine
comment: 'Share useable as a TimeMachine backup target on MacOS'
vfs_objects:
- name: fruit
options:
- name: time machine
value: 'yes'
- name: streams_xattr
path: /srv/timemachine
write_list: timemachine
owner: timemachine
group: timemachine
public: 'no'
guest_ok: 'no'
browseable: 'no'
roles:
- role: bertvv.samba


@ -1,111 +0,0 @@
#! /usr/bin/env bash
#
# Author: Bert Van Vreckem <bert.vanvreckem@gmail.com>
#
# Run BATS test files in the current directory, and the ones in the subdirectory
# matching the host name.
#
# The script installs BATS if needed. It's best to put ${bats_install_dir} in
# your .gitignore.
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
#{{{ Variables
test_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
bats_archive="v1.1.0.tar.gz"
bats_url="https://github.com/bats-core/bats-core/archive/${bats_archive}"
bats_install_dir="/opt"
bats_default_location="${bats_install_dir}/bats/libexec/bats"
test_file_pattern="*.bats"
# Color definitions
readonly reset='\e[0m'
readonly yellow='\e[0;33m'
readonly cyan='\e[0;36m'
#}}}
main() {
bats=$(find_bats_executable)
if [ -z "${bats}" ]; then
install_bats
bats="${bats_default_location}"
fi
debug "Using BATS executable at: ${bats}"
# List all test cases (i.e. files in the test dir matching the test file
# pattern)
# Tests to be run on all hosts
global_tests=$(find_tests "${test_dir}" 1)
# Tests for individual hosts
host_tests=$(find_tests "${test_dir}/${HOSTNAME}")
# Loop over test files
for test_case in ${global_tests} ${host_tests}; do
info "Running test ${test_case}"
${bats} "${test_case}"
done
}
#{{{ Functions
# Tries to find BATS executable in the PATH or the place where this script
# installs it.
find_bats_executable() {
if which bats > /dev/null; then
which bats
elif [ -x "${bats_default_location}" ]; then
echo "${bats_default_location}"
else
echo ""
fi
}
# Usage: install_bats
install_bats() {
pushd "${bats_install_dir}" > /dev/null 2>&1
curl --location --remote-name "${bats_url}"
tar xzf "${bats_archive}"
mv bats-* bats
rm "${bats_archive}"
popd > /dev/null 2>&1
}
# Usage: find_tests DIR [MAX_DEPTH]
#
# Finds BATS test suites in the specified directory
find_tests() {
local max_depth=""
if [ "$#" -eq "2" ]; then
max_depth="-maxdepth $2"
fi
local tests
tests=$(find "$1" ${max_depth} -type f -name "${test_file_pattern}" -printf '%p\n' 2> /dev/null)
echo "${tests}"
}
# Usage: info [ARG]...
#
# Prints all arguments on the standard output stream
info() {
printf "${yellow}### %s${reset}\n" "${*}"
}
# Usage: debug [ARG]...
#
# Prints all arguments on the standard output stream
debug() {
printf "${cyan}### %s${reset}\n" "${*}"
}
#}}}
main


@ -1,208 +0,0 @@
#! /usr/bin/env bats
#
# Author: Bert Van Vreckem <bert.vanvreckem@gmail.com>
#
# Test a Samba server
sut_wins_name=SAMBA_TEST # NetBIOS name
workgroup=TESTGROUP # Workgroup
# The name of a directory and file that will be created to test for
# write access (= random string)
test_dir=peghawJaup
test_file=Nocideicye
# {{{Helper functions
# Checks if a user has shell access to the system
# Usage: assert_can_login USER PASSWD
assert_can_login() {
echo $2 | su -c 'ls ${HOME}' - $1
}
# Checks that a user has NO shell access to the system
# Usage: assert_cannot_login USER
assert_cannot_login() {
run sudo su -c 'ls' - $1
[ "0" -ne "${status}" ]
}
# Check that the guest account has read access
# Usage: assert_guest_read SHARE
assert_guest_read() {
local share="${1}"
run smbclient "//${SUT_IP}/${share}" \
--user=% \
--command='ls'
echo "${output}"
[ "${status}" -eq "0" ]
}
# Check that a user has read acces to a share
# Usage: read_access SHARE USER PASSWORD
assert_read_access() {
local share="${1}"
local user="${2}"
local password="${3}"
run smbclient "//${SUT_IP}/${share}" \
--user=${user}%${password} \
--command='ls'
echo "${output}"
[ "${status}" -eq "0" ]
}
# Check that a user has NO read access to a share
# Usage: no_read_access SHARE USER PASSWORD
assert_no_read_access() {
local share="${1}"
local user="${2}"
local password="${3}"
run smbclient "//${SUT_IP}/${share}" \
--user=${user}%${password} \
--command='ls'
echo "${output}"
[ "${status}" -eq "1" ]
}
# Check that a user has write access to a share
# Usage: write_access SHARE USER PASSWORD
assert_write_access() {
local share="${1}"
local user="${2}"
local password="${3}"
run smbclient "//${SUT_IP}/${share}" \
--user=${user}%${password} \
--command="mkdir ${test_dir};rmdir ${test_dir}"
echo "${output}"
# Output should NOT contain any error message. Checking on exit status is
# not reliable, it can be 0 when the command failed...
[ -z "$(echo ${output} | grep NT_STATUS_)" ]
}
# Check that a user has NO write access to a share
# Usage: no_write_access SHARE USER PASSWORD
assert_no_write_access() {
local share="${1}"
local user="${2}"
local password="${3}"
run smbclient "//${SUT_IP}/${share}" \
--user=${user}%${password} \
--command="mkdir ${test_dir};rmdir ${test_dir}"
echo "${output}"
# Output should contain an error message (beginning with NT_STATUS, usually
# NT_STATUS_MEDIA_WRITE_PROTECTED
[ -n "$(echo ${output} | grep NT_STATUS_)" ]
}
# Check that users from the same group can write to each others files
# Usage: assert_group_write_file SHARE USER1 PASSWD1 USER2 PASSWD2
assert_group_write_file() {
local share="${1}"
local user1="${2}"
local passwd1="${3}"
local user2="${4}"
local passwd2="${5}"
echo "Hello world!" > ${test_file}
smbclient "//${SUT_IP}/${share}" --user=${user1}%${passwd1} \
--command="put ${test_file}"
# In order to overwrite the file, write access is needed. This will fail
# if user2 doesnt have write access.
smbclient "//${SUT_IP}/${share}" --user=${user2}%${passwd2} \
--command="put ${test_file}"
}
# Check that users from the same group can write to each others directories
# Usage: assert_group_write_dir SHARE USER1 PASSWD1 USER2 PASSWD2
assert_group_write_dir() {
local share="${1}"
local user1="${2}"
local passwd1="${3}"
local user2="${4}"
local passwd2="${5}"
smbclient "//${SUT_IP}/${share}" --user=${user1}%${passwd1} \
--command="mkdir ${test_dir}; mkdir ${test_dir}/tst"
run smbclient "//${SUT_IP}/${share}" --user=${user2}%${passwd2} \
--command="rmdir ${test_dir}/tst"
[ -z $(echo "${output}" | grep NT_STATUS_ACCESS_DENIED) ]
}
#}}}
@test 'NetBIOS name resolution should work' {
#skip
# Look up the Samba servers NetBIOS name under the specified workgroup
# The result should contain the IP followed by NetBIOS name
nmblookup -U ${SUT_IP} --workgroup ${workgroup} ${sut_wins_name} | grep "^${SUT_IP} ${sut_wins_name}"
}
# Read / write access to shares
@test 'read access for share restrictedshare' {
# Share User Password
assert_read_access restrictedshare usr1 usr1
assert_read_access restrictedshare usr2 usr2
}
@test 'write access for share restrictedshare' {
# Share User Password
assert_no_write_access restrictedshare usr1 usr1
assert_no_write_access restrictedshare usr2 usr2
}
@test 'read access for share privateshare' {
# Share User Password
assert_read_access privateshare usr1 usr1
assert_no_read_access privateshare usr2 usr2
}
@test 'write access for share privateshare' {
# Share User Password
assert_write_access privateshare usr1 usr1
assert_no_write_access privateshare usr2 usr2
}
@test 'read access for share protectedshare' {
# Share User Password
assert_read_access protectedshare usr1 usr1
assert_read_access protectedshare usr2 usr2
}
@test 'write access for share protectedshare' {
# Share User Password
assert_no_write_access protectedshare usr1 usr1
assert_write_access protectedshare usr2 usr2
}
@test 'read access for share publicshare' {
# Share User Password
assert_read_access publicshare usr1 usr1
assert_read_access publicshare usr2 usr2
}
@test 'write access for share publicshare' {
# Share User Password
assert_write_access publicshare usr1 usr1
assert_write_access publicshare usr2 usr2
}
@test 'Guest access in share guestshare' {
assert_guest_read guestshare
}


@ -1,33 +0,0 @@
---
dependency:
name: galaxy
driver:
#Specifies the driver that should be used. Podman should also work
name: docker
lint: |
yamllint .
ansible-lint --exclude=molecule/default/verify.yml
platforms:
#Set name and hostname
- name: smb1
hostname: smb1
#Specify which image should be used. Geerlingguys images are Ansible compatible and have Systemd installed
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
#Command to execute when the container starts
command: ${MOLECULE_DOCKER_COMMAND:-""}
#Volumes to mount within the container. Important to enable systemd
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
#Give extended privileges to the container. Necessary for Systemd to operate within the container.
# DO NOT use extended privileges in a production environment!
privileged: true
#Allocate pseudo-TTY
tty: True
environment:
container: docker
provisioner:
name: ansible
#Runs the verify.yml playbook. Testinfra is also a supported method. Check the Molecule documention for more information.
verifier:
name: ansible


@ -1,11 +0,0 @@
# {{ ansible_managed }}
# These come from Debians 4.8.4 config file
panic action = /usr/share/samba/panic-action %d
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
# vim: ft=samba


@ -1,6 +0,0 @@
# Additional Samba options for protectedshare
# {{ ansible_managed }}
delete readonly = yes
# vim: ft=samba


@ -1,9 +0,0 @@
---
- name: Verify
hosts: all
tasks:
# We run the BATS tests from the localhost, since they are black box tests
- name: "Run BATS tests for {{ ansible_hostname }}"
shell: SUT_IP={{ ansible_default_ipv4.address }} bats {{ playbook_dir }}/files/samba.bats
delegate_to: localhost
changed_when: false