Go to file
2018-05-19 23:44:24 +02:00
defaults Add flag to disable CVE-2017-7494 mitigation 2018-04-04 08:56:26 +02:00
handlers Fix variable name typo in handlers 2017-05-10 12:31:56 +02:00
meta Add Fedora 26 and 27 support explicitly in meta 2018-04-02 22:28:15 +01:00
tasks Merge pull request #26 from towo/master 2018-05-19 23:43:50 +02:00
templates Merge branch 'master' into server_max_protocol 2018-05-19 23:41:58 +02:00
vars Added username map configuration 2017-12-28 16:49:12 +09:00
.gitignore Ignore *-test/ directories 2017-01-20 10:56:31 +01:00
.travis.yml Update Docker image versions 2018-05-19 23:44:24 +02:00
CHANGELOG.md Updated change log for v2.5.0 2017-11-21 09:05:00 +01:00
LICENSE.md Initial commit, basic install and template. Works without setting variables 2015-03-13 21:55:33 +01:00
README.md Add flag to disable CVE-2017-7494 mitigation 2018-04-04 08:56:26 +02:00

Ansible role bertvv.samba

Build Status

An Ansible role for setting up Samba as a file server. It is tested on CentOS, Debian, Ubuntu and Arch Linux. Specifically, the responsibilities of this role are to:

  • Install the necessary packages
  • Configure SELinux settings (when SELinux is active)
  • Create share directories
  • Manage Samba users and passwords
  • Manage access to shares

The following are not considered concerns of this role, and you should configure these using another role (e.g. bertvv.rh-base:

  • Managing firewall settings.
  • Creating system users. Samba users should already exist as system users.

If you like/use this role, please consider giving it a star! Thanks!

CVE-2017-7494

A recently discovered remote code execution vulnerability may affect your Samba server installation.

If SELinux is enabled on your system, it is NOT vulnerable.

Version 2.3.1 of this role has a fix for the vulnerability. Upgrade your system if necessary.

More info: https://access.redhat.com/security/cve/cve-2017-7494

Requirements

No specific requirements

Role Variables

Variable Default Comments
samba_create_varwww_symlinks false When true, symlinks are created in /var/www/html to the shares.
samba_interfaces [] List of network interfaces used for browsing, name registration, etc.
samba_load_homes false When true, user home directories are accessible.
samba_load_printers false When true, printers attached to the host are shared
samba_log - Set the log file. If left undefined, logging is done through syslog.
samba_log_size 5000 Set the maximum size of the log file.
samba_map_to_guest bad user Behaviour when unregistered users access the shares.
samba_netbios_name {{ ansible_hostname }} The NetBIOS name of this server.
samba_passdb_backend tdbsam Password database backend.
samba_realm - Realm domain name
samba_security user Samba security setting
samba_server_min_protocol - Specify a minimum protocol version offered by the server.
samba_server_max_protocol - Specify a maximum protocol version offered by the server.
samba_server_string fileserver %m Comment string for the server.
samba_shares [] List of dicts containing share definitions. See below for details.
samba_shares_root /srv/shares Directories for the shares are created under this directory.
samba_users [] List of dicts defining users that can access shares.
samba_workgroup WORKGROUP Name of the server workgroup.
samba_guest_account - Guest account for unknown users
samba_wins_support true When true, Samba will act as a WINS server
samba_local_master true When true, nmbd will try & become local master of the subnet
samba_domain_master true When true, smbd enables WAN-wide browse list collation
samba_preferred_master true When true, indicates nmbd is a preferred master browser for workgroup

Defining users

In order to allow users to access the shares, they need to get a password specifically for Samba:

samba_users:
  - name: alice
    password: ecila
  - name: bob
    password: bob
  - name: charlie
    password: eilrahc

Unfortunately, passwords have to be in plain text for now. Also, remark that this role will not change the password of an existing user.

These users should already have an account on the host! Creating system users is not a concern of this role, so you should do this separately. A possibility is my role bertvv.rh-base. An example:

rhbase_users:
  - name: alice
    comment: 'Alice'
    password: !!
    shell: /sbin/nologin
    groups:
      [...]

This user is not allowed to log in on the system (e.g. with SSH) and would only get access to the Samba shares.

Defining shares

Defining Samba shares and configuring access control can be challenging, since it involves not only getting the Samba configuration right, but also user and file permissions, and SELinux settings. This role attempts to simplify the process.

To specify a share, you should at least give it a name:

samba_shares:
  - name: readonlyshare

This will create a share with only read access for registered users. Guests will not be able to see the contents of the share.

A good way to configure write access for a share is to create a system user group, add users to that group, and make sure they have write access to the directory of the share. This role assumes groups are already set up and users are members of the groups that control write access. Let's assume you have two users jack and teach, members of the group pirates. This share definition will give both read and write access to the pirates:

samba_shares:
  - name: piratecove
    comment: 'A place for pirates to hang out'
    group: pirates
    write_list: +pirates

Guests have no access to this share, registered users can read. You can further tweak access control. Read access can be extended to guests (add public: yes) or restricted to specified users or groups (add valid_users: +pirates). Write access can be restricted to individual pirates (e.g. write_list: jack). Files added to the share will be added to the specified group and group write access will be granted by default.

This is an example of configuring multiple vfs object modules to share a glusterfs volume. VFS object options are optional. The necessary VFS object modules must be present/installed outside this role. In this case samba-glusterfs was installed on centos. See samba documentation for how to install or what the default VFS object modules are.

samba_shares:
  - name: gluster-app_deploys
    comment: 'For samba share of volume app_deploys'
    vfs_objects:
      - name: audit
        options:
          - name: facility
            value: LOCAL1
          - name: priority
            value: NOTICE
      - name: glusterfs
        options:
          - name: volume
            value: app_deploys
          - name: logfile
            value: /var/log/samba/glusterfs-app_deploys.%M.log
          - name: loglevel
            value: 7
    path: /
    read_only: no
    guest_ok: yes
    write_list: tomcat
    group: tomcat

A complete overview of share options follows below. Only name is required, the rest is optional.

Option Default Comment
comment - A comment string for the share
create_mode 0664 See the Samba documentation for details.
directory_mode 0775 See the Samba documentation for details.
force_create_mode 0664 See the Samba documentation for details.
force_directory_mode 0775 See the Samba documentation for details.
group users The user group files in the share will be added to.
guest_ok - Allow guest access.
name (required) - The name of the share.
owner root Set the owner of the path
path /{{samba_shares_root}}/{{name}} The path to the share directory.
public no Controls read access for guest users
setype samba_share_t The SELinux type of the share directory
valid_users - Controls read access for registered users. Use the syntax of the corresponding Samba setting.
vfs_objects - See the Samba documentation for details.
writable - Writable for guests.
write_list - Controls write access for registered users. Use the syntax of the corresponding Samba setting.

The values for valid_users and write_list should be a comma separated list of users. Names prepended with + or @ are interpreted as groups. The documentation for the Samba configuration has more details on these options.

Dependencies

No dependencies.

Example Playbook

See the test playbook

Testing

Setting up the test environment

Tests for this role are provided in the form of a Vagrant environment that is kept in a separate branch, tests. I use git-worktree(1) to include the test code into the working directory. Instructions for running the tests:

  1. Fetch the tests branch: git fetch origin tests
  2. Create a Git worktree for the test code: git worktree add tests tests (remark: this requires at least Git v2.5.0). This will create a directory tests/.
  3. cd tests/
  4. vagrant up will then create test VMs for all supported distros and apply a test playbook (test.yml) to each one.

Issues

On Ubuntu 16.04, setting up the VM may fail while running the test playbook because a background process is running the package manager. The output looks like:

...
TASK [samba : Install Samba packages] ******************************************
failed: [samba-ubuntu1604] (item=[u'samba-common', u'samba', u'samba-client']) => {"cache_update_time": 0, "cache_updated": false, "failed": true, "item": ["samba-common", "samba", "samba-client"], "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\"   install 'samba-common' 'samba' 'samba-client'' failed: E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)\nE: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?\n", "stderr": "E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)\nE: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?\n", "stdout": "", "stdout_lines": []}

The workaround is waiting a bit and running vagrant provision again.

Contributing

Issues, feature requests, ideas are appreciated and can be posted in the Issues section.

Pull requests are also very welcome. The best way to submit a PR is by first creating a fork of this Github project, then creating a topic branch for the suggested change and pushing that branch to your own fork. Github can then easily create a PR based on that branch. Don't forget to add yourself to the list of contributors below!

License

2-clause BSD license, see LICENSE.md

Contributors

Ben Tomasik Bert Van Vreckem (maintainer), Birgit Croux, DarkStar1973, Ian Young, Jonas Heinrich, morbidick, Paul Montero, Slavek Jurkowski, Sven Eeckeman, Tomohiko Ozawa, Jonathan Underwood.