First draft generated by LLM

tasks/dns_hosts.yml

@@ -0,0 +1,29 @@
+---
+- name: Backup original /etc/resolv.conf if not already backed up
+  copy:
+    src: /etc/resolv.conf
+    dest: "{{ samba_resolv_conf_backup_path }}"
+    remote_src: yes
+    force: no
+  when:
+    - samba_ad_dc_state == "present"
+    - ansible_virtualization_type != "docker"
+
+- name: Template /etc/resolv.conf with custom DNS nameservers
+  template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when:
+    - samba_ad_dc_state == "present"
+    - ansible_virtualization_type != "docker"
+
+- name: Set /etc/hosts entry for Samba AD DC
+  lineinfile:
+    path: /etc/hosts
+    line: "{{ ansible_default_ipv4.address }} {{ samba_hostname }}.{{ samba_realm | lower }} {{ samba_hostname }}"
+    state: present
+    create: yes
+

tasks/dns_hosts_restore.yml

@@ -0,0 +1,11 @@
+---
+- name: Restore original /etc/resolv.conf from backup
+  copy:
+    src: "{{ samba_resolv_conf_backup_path }}"
+    dest: /etc/resolv.conf
+    remote_src: yes
+    force: yes
+  when:
+    - samba_ad_dc_state == "absent"
+    - ansible_virtualization_type != "docker"
+    - samba_resolv_conf_backup_path is defined

tasks/install.yml

@@ -0,0 +1,47 @@
+---
+- name: Install required packages
+  apt:
+    name:
+      - samba
+      - krb5-config
+      - krb5-user
+      - winbind
+      - smbclient
+      - dnsutils
+    state: present
+    update_cache: yes
+
+- name: Stop samba-ad-dc before provisioning (if running)
+  service:
+    name: samba-ad-dc
+    state: stopped
+    enabled: no
+  ignore_errors: yes
+
+- name: Provision AD domain
+  include_tasks: provision.yml
+
+- name: Deploy smb.conf
+  template:
+    src: smb.conf.j2
+    dest: "{{ samba_conf_path }}"
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart Samba AD DC
+
+- name: Enable and start samba-ad-dc service
+  service:
+    name: samba-ad-dc
+    state: started
+    enabled: yes
+
+- name: Configure Kerberos
+  include_tasks: kerberos.yml
+
+- name: Set DNS resolver and hosts entry
+  include_tasks: dns_hosts.yml
+
+- name: Run verification checks
+  include_tasks: verify.yml
+  when: samba_verify | bool

tasks/kerberos.yml

@@ -0,0 +1,8 @@
+---
+- name: Configure Kerberos (krb5.conf)
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+    owner: root
+    group: root
+    mode: '0644'

tasks/main.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Install or remove Samba AD DC
+  include_tasks: install.yml
+  when: samba_ad_dc_state == 'present'
+
+- name: Remove Samba AD DC
+  include_tasks: remove.yml
+  when: samba_ad_dc_state == 'absent'

tasks/provision.yml

@@ -0,0 +1,37 @@
+---
+---
+- name: Ensure Samba log directory exists
+  file:
+    path: "{{ samba_log_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Provision the Samba AD DC (with logging)
+  command: >
+    samba-tool domain provision
+    --use-rfc2307
+    --realm={{ samba_realm }}
+    --domain={{ samba_domain }}
+    --server-role=dc
+    --dns-backend={{ samba_dns_backend }}
+    --adminpass={{ samba_admin_password }}
+  args:
+    creates: "{{ samba_samdb_path }}"
+  register: samba_provision_output
+  no_log: false  # You may toggle this if password should be hidden
+
+- name: Write provisioning output to log
+  copy:
+    content: "{{ samba_provision_output.stdout }}"
+    dest: "{{ samba_provision_log_file }}"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Redact passwords in provisioning log (optional)
+  replace:
+    path: "{{ samba_provision_log_file }}"
+    regexp: "--adminpass=.*"
+    replace: "--adminpass=********"

tasks/remove.yml

@@ -0,0 +1,39 @@
+---
+- name: Stop Samba AD DC
+  service:
+    name: samba-ad-dc
+    state: stopped
+    enabled: no
+  ignore_errors: true
+
+- name: Remove Samba configuration
+  file:
+    path: "{{ samba_conf_path }}"
+    state: absent
+
+- name: Remove Samba DB and related files
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /var/lib/samba
+    - /etc/krb5.conf
+    - /etc/samba
+    - /var/cache/samba
+    - /var/log/samba
+
+- name: Remove Samba-related packages
+  apt:
+    name:
+      - samba
+      - krb5-config
+      - krb5-user
+      - winbind
+      - smbclient
+      - dnsutils
+    state: absent
+    purge: yes
+    autoremove: yes
+
+- name: Restore DNS config
+  include_tasks: dns_hosts_restore.yml

tasks/verify.yml

@@ -0,0 +1,40 @@
+---
+- name: Verify Samba AD DC setup
+  when: samba_verify | bool
+  block:
+
+    - name: Run 'samba-tool domain info'
+      command: samba-tool domain info 127.0.0.1
+      register: domain_info
+      changed_when: false
+
+    - name: Assert that the domain is provisioned
+      assert:
+        that:
+          - "'Netbios name' in domain_info.stdout"
+          - "'Server Role: ACTIVE DIRECTORY DOMAIN CONTROLLER' in domain_info.stdout"
+
+    - name: Attempt kinit with administrator
+      command: echo "{{ samba_admin_password }}" | kinit administrator@{{ samba_realm }}
+      register: kinit_result
+      changed_when: false
+      failed_when: kinit_result.rc != 0
+
+    - name: Check Kerberos ticket
+      command: klist
+      register: klist_result
+      changed_when: false
+
+    - name: Assert Kerberos ticket exists
+      assert:
+        that:
+          - "'krbtgt/{{ samba_realm }}@{{ samba_realm }}' in klist_result.stdout"
+
+    - name: Check Samba AD DC service status
+      service_facts:
+
+    - name: Assert samba-ad-dc service is active
+      assert:
+        that:
+          - "'samba-ad-dc' in ansible_facts.services"
+          - ansible_facts.services['samba-ad-dc'].state == 'running'