From 675baed46574090298c2217d83f4842ba36cfd33 Mon Sep 17 00:00:00 2001
From: Tomohiko
Date: Thu, 28 Dec 2017 16:40:28 +0900
Subject: [PATCH 1/3] Added username map configuration

---
 tasks/main.yml | 9 +++++++++
 templates/smb.conf.j2 | 3 +++
 templates/smbusers.j2 | 3 +++
 vars/os_Archlinux.yml | 1 +
 vars/os_Debian.yml | 1 +
 vars/os_RedHat.yml | 1 +
 6 files changed, 18 insertions(+)
 create mode 100644 templates/smbusers.j2

diff --git a/tasks/main.yml b/tasks/main.yml
index 5ee5518..98b1ab8 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -76,6 +76,15 @@
     - Restart Samba services
   tags: samba
 
+- name: Create username map file if needed
+  template:
+    dest: "{{ samba_username_map_file }}"
+    src: smbusers.j2
+  notify:
+    - Restart Samba services
+  tags: samba
+  when: samba_username_map is defined
+
 - name: Start Samba service(s)
   service:
     name: "{{ item }}"
diff --git a/templates/smb.conf.j2 b/templates/smb.conf.j2
index a0109f9..1104fb1 100755
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
@@ -29,6 +29,9 @@ server string = {{ samba_server_string }}
 {% if samba_guest_account is defined %}
   guest account = {{ samba_guest_account }}
 {% endif %}
+{% if samba_username_map is defined %}
+  username map = {{ samba_username_map_file }}
+{% endif %}
 
 {% if samba_interfaces|length > 0 %}
   interfaces = {{ samba_interfaces }}
diff --git a/templates/smbusers.j2 b/templates/smbusers.j2
new file mode 100644
index 0000000..5290421
--- /dev/null
+++ b/templates/smbusers.j2
@@ -0,0 +1,3 @@
+{% for entry in samba_username_map %}
+{{ entry.to }} = {{ entry.from }}
+{% endfor %}
diff --git a/vars/os_Archlinux.yml b/vars/os_Archlinux.yml
index 71f28c4..19fb13a 100644
--- a/vars/os_Archlinux.yml
+++ b/vars/os_Archlinux.yml
@@ -9,6 +9,7 @@ samba_selinux_packages: []
 samba_selinux_booleans: []
 
 samba_configuration: /etc/samba/smb.conf
+samba_username_map_file: /etc/samba/smbusers
 
 samba_services:
   - smbd
diff --git a/vars/os_Debian.yml b/vars/os_Debian.yml
index 76f9996..4e2df2e 100644
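Review bot: Neither `samba_username_map` nor `samba_username_map_file` is documented: the README Role Variables table (rewritten in patch 3/3 of this same series) still has no row for either, and nothing states the shape of the map entries the new `template` task feeds into smbusers.j2. Add a README row for each and spell out that the map is a list of dicts with a `to` key (the local account) and a `from` key (the client-supplied name). The task also sets no `mode`, so the rendered file's permissions depend on the remote umask; an explicit `mode: "0644"` pins them, in line with the other configuration files the role writes.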
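Review bot: The new guard `{% if samba_username_map is defined %}` accepts a defined-but-empty list, so `samba_username_map: []` still emits a `username map =` line pointing at an empty file, whereas the `samba_interfaces|length > 0` test a few lines down skips its setting for an empty value. Using `samba_username_map is defined and samba_username_map|length > 0` here and in the matching tasks/main.yml condition would make an empty list neither write nor reference the file. Harmless as written, but worth aligning with the template's existing convention.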
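Review bot: `{{ entry.to }} = {{ entry.from }}` assumes every entry's `from` is a single scalar; if a caller supplies a list of client names for one account (the natural way to express Samba's `unixname = name1 name2` map lines), Jinja renders the Python list literal into the file. `{{ entry.from | join(' ') if entry.from is not string else entry.from }}` would accept both forms, but the minimum is to state the expected shape at the top of the template, e.g. `{# samba_username_map: list of {to: <local account>, from: <client name>} #}`. That comment should also say that the left-hand side of a map line is the account a session is mapped *to*, since the `to`/`from` naming is correct but easy to misread.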
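Review bot: `samba_username_map_file: /etc/samba/smbusers` carries the same value in all three OS vars files (this hunk, vars/os_Debian.yml and vars/os_RedHat.yml), so nothing distro-specific justifies keeping it under `vars/`, where role vars outrank inventory, group and play vars and can only be overridden with extra-vars. Move the single line to defaults/main.yml, next to the role's other tunables, so a user can point the map at a different path like any other default; the three `vars/` copies then disappear.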
--- a/vars/os_Debian.yml
+++ b/vars/os_Debian.yml
@@ -10,6 +10,7 @@ samba_selinux_packages: []
 samba_selinux_booleans: []
 
 samba_configuration: /etc/samba/smb.conf
+samba_username_map_file: /etc/samba/smbusers
 
 # The name of the Samba service in older releases (Ubuntu 14.04,
 # Debian <8) is "samba".
diff --git a/vars/os_RedHat.yml b/vars/os_RedHat.yml
index b8fbf56..801e084 100644
--- a/vars/os_RedHat.yml
+++ b/vars/os_RedHat.yml
@@ -14,6 +14,7 @@ samba_selinux_booleans:
   - samba_export_all_rw
 
 samba_configuration: /etc/samba/smb.conf
+samba_username_map_file: /etc/samba/smbusers
 
 samba_services:
   - smb

From 277c308199e2abc8923434eea593d9154313d20e Mon Sep 17 00:00:00 2001
From: "Jonathan G. Underwood"
Date: Mon, 2 Apr 2018 22:28:15 +0100
Subject: [PATCH 2/3] Add Fedora 26 and 27 support explicitly in meta

---
 meta/main.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/main.yml b/meta/main.yml
index c2f4d5d..674dd36 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -12,6 +12,8 @@ galaxy_info:
     - name: Fedora
       versions:
         - 25
+        - 26
+        - 27
     - name: Ubuntu
       versions:
         - xenial

From b0066706154ca57af4739bba9324a581f3e5c08e Mon Sep 17 00:00:00 2001
From: Tiemo Kieft
Date: Mon, 25 Dec 2017 08:51:53 +0100
Subject: [PATCH 3/3] Add flag to disable CVE-2017-7494 mitigation

Setting "nt pipe support = no" seems to break macOS High Sierra clients.
---
 README.md | 47 ++++++++++++++++++++++---------------------
 defaults/main.yml | 1 +
 templates/smb.conf.j2 | 2 ++
 3 files changed, 27 insertions(+), 23 deletions(-)

diff --git a/README.md b/README.md
index e793048..26a1cb3 100644
--- a/README.md
+++ b/README.md
@@ -33,29 +33,30 @@ No specific requirements
 
 ## Role Variables
 
-| Variable | Default | Comments |
-| :--- | :--- | :--- |
-| `samba_create_varwww_symlinks` | false | When true, symlinks are created in `/var/www/html` to the shares. |
-| `samba_interfaces` | [] | List of network interfaces used for browsing, name registration, etc. |
-| `samba_load_homes` | false | When true, user home directories are accessible. |
-| `samba_load_printers` | false | When true, printers attached to the host are shared |
-| `samba_log` | - | Set the log file. If left undefined, logging is done through syslog. |
-| `samba_log_size` | 5000 | Set the maximum size of the log file. |
-| `samba_map_to_guest` | `bad user` | Behaviour when unregistered users access the shares. |
-| `samba_netbios_name` | `{{ ansible_hostname }}` | The NetBIOS name of this server. |
-| `samba_passdb_backend` | `tdbsam` | Password database backend. |
-| `samba_realm` | - | Realm domain name |
-| `samba_security` | `user` | Samba security setting |
-| `samba_server_string` | `fileserver %m` | Comment string for the server. |
-| `samba_shares` | [] | List of dicts containing share definitions. See below for details. |
-| `samba_shares_root` | `/srv/shares` | Directories for the shares are created under this directory. |
-| `samba_users` | [] | List of dicts defining users that can access shares. |
-| `samba_workgroup` | `WORKGROUP` | Name of the server workgroup. |
-| `samba_guest_account` | - | Guest account for unknown users |
-| `samba_wins_support` | true | When true, Samba will act as a WINS server |
-| `samba_local_master` | true | When true, nmbd will try & become local master of the subnet |
-| `samba_domain_master` | true | When true, smbd enables WAN-wide browse list collation |
-| `samba_preferred_master` | true | When true, indicates nmbd is a preferred master browser for workgroup |
+| Variable | Default | Comments |
+| :--- | :--- | :--- |
+| `samba_create_varwww_symlinks` | false | When true, symlinks are created in `/var/www/html` to the shares. |
+| `samba_interfaces` | [] | List of network interfaces used for browsing, name registration, etc. |
+| `samba_load_homes` | false | When true, user home directories are accessible. |
+| `samba_load_printers` | false | When true, printers attached to the host are shared |
+| `samba_log` | - | Set the log file. If left undefined, logging is done through syslog. |
+| `samba_log_size` | 5000 | Set the maximum size of the log file. |
+| `samba_map_to_guest` | `bad user` | Behaviour when unregistered users access the shares. |
+| `samba_mitigate_cve_2017_7494` | true | CVE-2017-7494 mitigation breaks some clients, such as macOS High Sierra. |
+| `samba_netbios_name` | `{{ ansible_hostname }}` | The NetBIOS name of this server. |
+| `samba_passdb_backend` | `tdbsam` | Password database backend. |
+| `samba_realm` | - | Realm domain name |
+| `samba_security` | `user` | Samba security setting |
+| `samba_server_string` | `fileserver %m` | Comment string for the server. |
+| `samba_shares` | [] | List of dicts containing share definitions. See below for details. |
+| `samba_shares_root` | `/srv/shares` | Directories for the shares are created under this directory. |
+| `samba_users` | [] | List of dicts defining users that can access shares. |
+| `samba_workgroup` | `WORKGROUP` | Name of the server workgroup. |
+| `samba_guest_account` | - | Guest account for unknown users |
+| `samba_wins_support` | true | When true, Samba will act as a WINS server |
+| `samba_local_master` | true | When true, nmbd will try & become local master of the subnet |
+| `samba_domain_master` | true | When true, smbd enables WAN-wide browse list collation |
+| `samba_preferred_master` | true | When true, indicates nmbd is a preferred master browser for workgroup |
 
 ### Defining users
 
diff --git a/defaults/main.yml b/defaults/main.yml
index 98b977b..c786d30 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -19,3 +19,4 @@ samba_wins_support: yes
 samba_local_master: yes
 samba_domain_master: yes
 samba_preferred_master: yes
+samba_mitigate_cve_2017_7494: true
diff --git a/templates/smb.conf.j2 b/templates/smb.conf.j2
index a0109f9..816386e 100755
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
@@ -48,9 +48,11 @@ server string = {{ samba_server_string }}
   disable spoolss = yes
 {% endif %}
 
+{% if samba_mitigate_cve_2017_7494 %}
   # Fix for CVE-2017-7494
   # https://access.redhat.com/security/cve/cve-2017-7494
   nt pipe support = no
+{% endif %}
 
 {% if samba_load_homes %}
 ## Make home directories accessible
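Review bot: `samba_mitigate_cve_2017_7494: true` is added with no comment, so the only explanation of what `false` gives up lives in the commit message, which an operator editing defaults never sees. A two-line comment above it, saying that `false` restores the named-pipe support the CVE-2017-7494 workaround disables and is only appropriate on Samba builds that already carry the upstream fix, keeps the trade-off next to the switch. The surrounding defaults also use `yes` while the new line uses `true`; both load as booleans under YAML 1.1 loaders, but the file should settle on one form, and `true`/`false` is the canonical one.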
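Review bot: When `samba_mitigate_cve_2017_7494` is false the rendered smb.conf carries no trace that the `nt pipe support = no` hardening was left out on purpose, so a later audit of the live config cannot tell a deliberate exception from a missing mitigation. An `{% else %}` branch that emits `  # CVE-2017-7494 mitigation disabled via samba_mitigate_cve_2017_7494` before the new `{% endif %}` records the decision in the file itself. The variable is only ever truth-tested, so a string such as `"false"` arriving from an INI inventory keeps the mitigation on, which fails safe; `{% if samba_mitigate_cve_2017_7494 | bool %}` would make the switch behave as documented in both directions.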