106 lines
3.2 KiB
YAML
106 lines
3.2 KiB
YAML
---
|
|
|
|
# Can be dc, standalone, or member
|
|
samba_role: member
|
|
|
|
# Netbios name. Default is the hostname part of the dns name
|
|
# samba_netbios_name:
|
|
|
|
# The following settings are only needed when role is dc or member
|
|
#
|
|
# Default samba domain will be your domain name without the TLD
|
|
# samba_domain: EXAMPLE
|
|
# samba_realm: ad.example.org
|
|
# Must be defined manually
|
|
# samba_dc_admin_pass:
|
|
|
|
# log level directive in smb.conf
|
|
samba_log_level: >
|
|
1
|
|
auth_audit:3@/var/log/samba/auth.log
|
|
auth_json_audit:4@/var/log/samba/json/auth.log
|
|
dsdb_json_audit:5@/var/log/samba/json/dsdb.log
|
|
dsdb_password_json_audit:5@/var/log/samba/json/dsdb_password.log
|
|
dsdb_transaction_json_audit:5@/var/log/samba/json/dsdb_transaction.log
|
|
dns:3@/var/log/samba/dns.log
|
|
kerberos:2@/var/log/samba/kerberos.log
|
|
ldb:2@/var/log/samba/ldb.log
|
|
winbind:3@/var/log/samba/winbind.log
|
|
idmap:3@/var/log/samba/idmap.log
|
|
|
|
samba_serve_homes: False
|
|
|
|
# The following are only used when role is dc
|
|
|
|
# There's no real "primary" DC, but you should set this to the
|
|
# first DC. It'll be provisionned, get the FSMO roles and setup
|
|
# rsync share for the sysvol. Others DC will replicate its sysvol
|
|
# samba_primary_dc: dc1.domain.net
|
|
|
|
# Password used for rsyncd. Used to fetch sysvol from the primary DC
|
|
samba_sysvol_rsync_pass: "{{ samba_dc_admin_pass | password_hash('sha512', 65534 | random(seed=samba_realm) | string) }}"
|
|
|
|
# The following are for the password policy to apply to the domain
|
|
samba_base_pwd_policy:
|
|
complexity: 'off'
|
|
min-pwd-length: 6
|
|
max-pwd-age: 0
|
|
min-pwd-age: 0
|
|
history-length: 1
|
|
account-lockout-duration: 30
|
|
account-lockout-threshold: 0
|
|
reset-account-lockout-after: 30
|
|
samba_pwd_policy: {}
|
|
|
|
# Used to parse the output of samba-tool domain passwordsettings show. You shouldn't modify this
|
|
samba_pwd_policy_descriptions:
|
|
complexity: Password complexity
|
|
min-pwd-length: Minimum password length
|
|
max-pwd-age: Maximum password age \(days\)
|
|
min-pwd-age: Minimum password age \(days\)
|
|
history-length: Password history length
|
|
account-lockout-duration: Account lockout duration \(mins\)
|
|
account-lockout-threshold: Account lockout threshold \(attempts\)
|
|
reset-account-lockout-after: Reset account lockout after \(mins\)
|
|
|
|
# List of DNS servers to which requests for non local domains should be forwarded
|
|
# samba_dns_forwarder:
|
|
|
|
# Ports used by the internal DNS server, and the IP allowed to access this
|
|
# This port will be opened for both TCP and UDP
|
|
samba_dns_ports: [53]
|
|
# Empty list means nobody can access the service
|
|
samba_dns_src_ip: []
|
|
|
|
# Ports needed when acting as a DC
|
|
samba_dc_tcp_ports: [389,636,88,135,137,138,139,445,464,3268,3269,'49152:65535']
|
|
samba_dc_udp_ports: [389,88,464,123,137,138]
|
|
|
|
samba_dc_src_ip: []
|
|
|
|
# Ports needed when acting as a file server
|
|
samba_file_tcp_ports: [137,138,139,445]
|
|
samba_file_udp_ports: [137,138]
|
|
samba_file_src_ip: []
|
|
|
|
samba_trusted_domains: {}
|
|
# samba_trusted_domains:
|
|
# - name: ad.other-domain.org
|
|
# admin_user: administrator
|
|
# admin_pass: s3cret
|
|
|
|
# samba_tls_cert:
|
|
# samba_tls_key:
|
|
# samba_tls_ca:
|
|
#
|
|
# Or
|
|
#
|
|
# samba_tls_letsencrypt_cert:
|
|
|
|
|
|
# samba_min_protocol: NT1
|
|
# samba_max_protocol: SMB3
|
|
|
|
# Custom samba global parameters
|
|
samba_custom_conf: '# No custom configuration defined'
|