Jose/ansible_samba_ad_dc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6c75e2910baba27dada55b90574705f106817ccc
ansible_samba_ad_dc/tasks/verify.yml

166 lines
5.5 KiB
YAML
Raw Normal View History

First draft generated by LLM
2025-09-30 17:40:18 +02:00
---
patch undefined: Updated the DNS configuration in the `resolv.conf.j2` template to include both the local host and the Ansible-managed DNS server. Added a new line to the `resolv.conf.j2` template to specify the Ansible-managed DNS server (`{{ addc_ansible_host }}`). This ensures that the system uses both the local host and the managed DNS server for DNS resolution.
2025-10-19 22:25:19 +02:00
- name: Start the samba service
ansible.builtin.service:
name: samba
state: started
enabled: true
- name: Create the reverse DNS zone {{ addc_reverse_zone_name }}
community.general.expect:
# Note: The 'expect' module is in the 'community.general' collection
command: "samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator"
responses:
# Use the '(?i)' flag for case-insensitive matching of the prompt.
'(?i)password for.*:': "{{ addc_admin_password }}"
no_log: true # Highly recommended to prevent the password from appearing in logs
- name: Create the PTR (reverse) DNS record
community.general.expect:
# Command syntax: samba-tool dns add <server> <zone> <record_name> PTR <target_fqdn>
command: >
samba-tool dns add {{ addc_ansible_host }}
{{ addc_reverse_zone_name }}
{{ addc_ip_last_octet }} PTR
{{ addc_hostname | lower }}.{{ addc_tld }}
-U Administrator
responses:
# Expects the standard Samba password prompt
'(?i)password for.*:': "{{ addc_admin_password }}"
no_log: true # Hide sensitive data from logs
- name: Verify Samba file server by listing local shares
ansible.builtin.command: smbclient -L localhost -N
register: smbclient_output
changed_when: false # This is a verification step, it doesn't change the host state
- name: Report the results of the smbclient verification
ansible.builtin.debug:
msg: "Samba Shares found: {{ smbclient_output.stdout }}"
- name: Verify Samba AD authentication by accessing the netlogon share
community.general.expect:
# Command to run: smbclient //localhost/netlogon -UAdministrator -c 'ls'
# The -c 'ls' command lists files on the share.
command: smbclient //localhost/netlogon -UAdministrator -c 'ls'
responses:
# Use the (?i) flag for case-insensitive matching of the prompt.
'(?i)password:': "{{ addc_admin_password }}"
no_log: true # CRITICAL: Prevents the password from being logged
register: auth_verification
changed_when: false # This is a verification/check, not a change
- name: Verify LDAP Service Record (SRV _ldap._tcp)
ansible.builtin.command: host -t SRV _ldap._tcp.{{ addc_tld }}.
register: ldap_srv_check
changed_when: false
failed_when: "'has SRV record' not in ldap_srv_check.stdout"
- name: Debug - Show LDAP SRV check result
ansible.builtin.debug:
var: ldap_srv_check.stdout
- name: Verify Kerberos Service Record (SRV _kerberos._udp)
ansible.builtin.command: host -t SRV _kerberos._udp.{{ addc_tld }}.
register: kerberos_srv_check
changed_when: false
failed_when: "'has SRV record' not in kerberos_srv_check.stdout"
- name: Debug - Show Kerberos SRV check result
ansible.builtin.debug:
var: kerberos_srv_check.stdout
- name: Verify DC's A (Forward) Record
ansible.builtin.command: host -t A {{ addc_hostname | lower }}.{{ addc_tld }}.
register: a_record_check
changed_when: false
failed_when: "{{ addc_ansible_host }} not in a_record_check.stdout"
- name: Debug - Show A Record check result
ansible.builtin.debug:
var: a_record_check.stdout
- name: Verify DC's PTR (Reverse) Record
ansible.builtin.command: host -t PTR {{ addc_ansible_host }}
register: ptr_record_check
changed_when: false
# Assuming dc1.{{ addc_tld }} is the expected output for the reverse record
failed_when: "'domain name pointer {{ addc_hostname | lower }}.{{ addc_tld }}' not in ptr_record_check.stdout"
- name: Debug - Show PTR Record check result
ansible.builtin.debug:
var: ptr_record_check.stdout
- name: Verify Kerberos authentication using kinit
community.general.expect:
# Command to run: kinit administrator
command: kinit administrator
responses:
# Expects the standard Kerberos password prompt
# The (?i) flag ensures case-insensitive matching.
'(?i)password for administrator.*:': "{{ addc_admin_password }}"
no_log: true # CRITICAL: Prevents the password from being logged
register: kinit_check
changed_when: false # This is a verification/check, not a change
- name: Debug - Show kinit verification result (should be empty on success)
ansible.builtin.debug:
msg: "Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}"
- name: Optional: Show the cached Kerberos ticket
ansible.builtin.command: klist
register: klist_output
changed_when: false
when: kinit_check is succeeded
- name: Debug - Show klist output
ansible.builtin.debug:
var: klist_output.stdout
when: klist_check is defined
# - name: Run 'samba-tool domain info'
# command: samba-tool domain info 127.0.0.1
# register: domain_info
# changed_when: false
# - name: Assert that the domain is provisioned
# assert:
# that:
# - "'Netbios name' in domain_info.stdout"
# - "'Server Role: ACTIVE DIRECTORY DOMAIN CONTROLLER' in domain_info.stdout"
# - name: Attempt kinit with administrator
# command: echo "{{ samba_admin_password }}" | kinit administrator@{{ samba_realm }}
# register: kinit_result
# changed_when: false
# failed_when: kinit_result.rc != 0
# - name: Check Kerberos ticket
# command: klist
# register: klist_result
# changed_when: false
# - name: Assert Kerberos ticket exists
# assert:
# that:
# - "'krbtgt/{{ samba_realm }}@{{ samba_realm }}' in klist_result.stdout"
# - name: Check Samba AD DC service status
# service_facts:
# - name: Assert samba-ad-dc service is active
# assert:
# that:
# - "'samba-ad-dc' in ansible_facts.services"
# - ansible_facts.services['samba-ad-dc'].state == 'running'
Reference in New Issue Copy Permalink