style 💎: Update Samba configuration for reverse DNS zone creation and verification
This commit updates the Samba configuration to create and verify a reverse DNS zone, PTR record, and Kerberos authentication. The changes include updating debug messages and adding new tasks to verify the setup.
This commit is contained in:
@@ -1,26 +1,23 @@
|
||||
---
|
||||
- name: Start the samba service
|
||||
- name: "Start the samba service"
|
||||
ansible.builtin.service:
|
||||
name: samba
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- name: vars
|
||||
- name: "Show key variables"
|
||||
ansible.builtin.debug:
|
||||
msg:
|
||||
"{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_admin_password }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}"
|
||||
msg: "{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_admin_password }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}"
|
||||
|
||||
- name: Create the reverse DNS zone
|
||||
# {{ addc_reverse_zone_name }}
|
||||
- name: "Create the reverse DNS zone {{ addc_reverse_zone_name }}"
|
||||
community.general.expect:
|
||||
# Note: The 'expect' module is in the 'community.general' collection
|
||||
command: "samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator"
|
||||
responses:
|
||||
# Use the '(?i)' flag for case-insensitive matching of the prompt.
|
||||
'(?i)password for.*:': "{{ addc_admin_password }}"
|
||||
no_log: true # Highly recommended to prevent the password from appearing in logs
|
||||
|
||||
- name: Create the PTR (reverse) DNS record
|
||||
- name: "Create the PTR (reverse) DNS record"
|
||||
community.general.expect:
|
||||
# Command syntax: samba-tool dns add <server> <zone> <record_name> PTR <target_fqdn>
|
||||
command: >
|
||||
@@ -31,102 +28,102 @@
|
||||
-U Administrator
|
||||
responses:
|
||||
# Expects the standard Samba password prompt
|
||||
'(?i)password for.*:': '{{ addc_admin_password }}'
|
||||
'(?i)password for.*:': "{{ addc_admin_password }}"
|
||||
no_log: true # Hide sensitive data from logs
|
||||
|
||||
|
||||
- name: Verify Samba file server by listing local shares
|
||||
- name: "Verify Samba file server by listing local shares"
|
||||
ansible.builtin.command: smbclient -L localhost -N
|
||||
register: smbclient_output
|
||||
changed_when: false # This is a verification step, it doesn't change the host state
|
||||
|
||||
- name: Report the results of the smbclient verification
|
||||
- name: "Report the results of the smbclient verification"
|
||||
ansible.builtin.debug:
|
||||
msg: 'Samba Shares found: {{ smbclient_output.stdout }}'
|
||||
|
||||
- name: Verify Samba AD authentication by accessing the netlogon share
|
||||
- name: "Verify Samba AD authentication by accessing the netlogon share"
|
||||
community.general.expect:
|
||||
# Command to run: smbclient //localhost/netlogon -UAdministrator -c 'ls'
|
||||
# The -c 'ls' command lists files on the share.
|
||||
command: smbclient //localhost/netlogon -UAdministrator -c 'ls'
|
||||
responses:
|
||||
# Use the (?i) flag for case-insensitive matching of the prompt.
|
||||
'(?i)password:': '{{ addc_admin_password }}'
|
||||
'(?i)password for.*:': "{{ addc_admin_password }}"
|
||||
no_log: true # CRITICAL: Prevents the password from being logged
|
||||
register: auth_verification
|
||||
changed_when: false # This is a verification/check, not a change
|
||||
|
||||
|
||||
- name: Verify LDAP Service Record (SRV _ldap._tcp)
|
||||
- name: "Verify LDAP Service Record (SRV _ldap._tcp)"
|
||||
ansible.builtin.command: host -t SRV _ldap._tcp.{{ addc_auth_domain | lower }}.
|
||||
register: ldap_srv_check
|
||||
changed_when: false
|
||||
failed_when: "'has SRV record' not in ldap_srv_check.stdout"
|
||||
|
||||
- name: Debug - Show LDAP SRV check result
|
||||
- name: "Debug - Show LDAP SRV check result"
|
||||
ansible.builtin.debug:
|
||||
var: ldap_srv_check.stdout
|
||||
|
||||
|
||||
- name: Verify Kerberos Service Record (SRV _kerberos._udp)
|
||||
- name: "Verify Kerberos Service Record (SRV _kerberos._udp)"
|
||||
ansible.builtin.command: host -t SRV _kerberos._udp.{{ addc_auth_domain | lower }}.
|
||||
register: kerberos_srv_check
|
||||
changed_when: false
|
||||
failed_when: "'has SRV record' not in kerberos_srv_check.stdout"
|
||||
|
||||
- name: Debug - Show Kerberos SRV check result
|
||||
- name: "Debug - Show Kerberos SRV check result"
|
||||
ansible.builtin.debug:
|
||||
var: kerberos_srv_check.stdout
|
||||
|
||||
|
||||
- name: Verify DC's A (Forward) Record
|
||||
- name: "Verify DC's A (Forward) Record"
|
||||
ansible.builtin.command: host -t A {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}.
|
||||
register: a_record_check
|
||||
changed_when: false
|
||||
failed_when: '{{ addc_ansible_host }} not in a_record_check.stdout'
|
||||
|
||||
- name: Debug - Show A Record check result
|
||||
- name: "Debug - Show A Record check result"
|
||||
ansible.builtin.debug:
|
||||
var: a_record_check.stdout
|
||||
|
||||
|
||||
- name: Verify DC's PTR (Reverse) Record
|
||||
- name: "Verify DC's PTR (Reverse) Record"
|
||||
ansible.builtin.command: host -t PTR {{ addc_ansible_host }}
|
||||
register: ptr_record_check
|
||||
changed_when: false
|
||||
# Assuming dc1.{{ addc_auth_domain }} is the expected output for the reverse record
|
||||
failed_when: "'domain name pointer {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}' not in ptr_record_check.stdout"
|
||||
|
||||
- name: Debug - Show PTR Record check result
|
||||
- name: "Debug - Show PTR Record check result"
|
||||
ansible.builtin.debug:
|
||||
var: ptr_record_check.stdout
|
||||
|
||||
- name: Verify Kerberos authentication using kinit
|
||||
- name: "Verify Kerberos authentication using kinit"
|
||||
community.general.expect:
|
||||
# Command to run: kinit administrator
|
||||
command: kinit administrator
|
||||
responses:
|
||||
# Expects the standard Kerberos password prompt
|
||||
# The (?i) flag ensures case-insensitive matching.
|
||||
'(?i)password for administrator.*:': '{{ addc_admin_password }}'
|
||||
'(?i)password for administrator.*:': "{{ addc_admin_password }}"
|
||||
no_log: true # CRITICAL: Prevents the password from being logged
|
||||
register: kinit_check
|
||||
changed_when: false # This is a verification/check, not a change
|
||||
|
||||
- name: Debug - Show kinit verification result (should be empty on success)
|
||||
- name: "Debug - Show kinit verification result (should be empty on success)"
|
||||
ansible.builtin.debug:
|
||||
msg: 'Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}'
|
||||
|
||||
- name: Optional - Show the cached Kerberos ticket
|
||||
- name: "Optional - Show the cached Kerberos ticket"
|
||||
ansible.builtin.command: klist
|
||||
register: klist_output
|
||||
changed_when: false
|
||||
when: kinit_check is succeeded
|
||||
|
||||
- name: Debug - Show klist output
|
||||
- name: "Debug - Show klist output"
|
||||
ansible.builtin.debug:
|
||||
var: klist_output.stdout
|
||||
when: klist_check is defined
|
||||
when: klist_output is defined
|
||||
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user