From 8d740e77a6bc20dd8443763bfd25e683f14a2e04 Mon Sep 17 00:00:00 2001 From: Jose Date: Thu, 6 Nov 2025 18:52:58 +0100 Subject: [PATCH] =?UTF-8?q?style=20=F0=9F=92=8E:=20Update=20Samba=20config?= =?UTF-8?q?uration=20for=20reverse=20DNS=20zone=20creation=20and=20verific?= =?UTF-8?q?ation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit updates the Samba configuration to create and verify a reverse DNS zone, PTR record, and Kerberos authentication. The changes include updating debug messages and adding new tasks to verify the setup.
---
 tasks/verify.yml | 51 +++++++++++++++++++++++-------------------------
 1 file changed, 24 insertions(+), 27 deletions(-)
diff --git a/tasks/verify.yml b/tasks/verify.yml
index d81a74b..4d794f3 100644
--- a/tasks/verify.yml
+++ b/tasks/verify.yml
@@ -1,26 +1,23 @@ --- -- name: Start the samba service +- name: "Start the samba service" ansible.builtin.service: name: samba state: started enabled: true -- name: vars +- name: "Show key variables" ansible.builtin.debug: - msg: - "{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_admin_password }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}" + msg: "{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_admin_password }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}" -- name: Create the reverse DNS zone - # {{ addc_reverse_zone_name }} +- name: "Create the reverse DNS zone {{ addc_reverse_zone_name }}" community.general.expect: - # Note: The 'expect' module is in the 'community.general' collection command: "samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator" responses: # Use the '(?i)' flag for case-insensitive matching of the prompt. '(?i)password for.*:': "{{ addc_admin_password }}" no_log: true # Highly recommended to prevent the password from appearing in logs -- name: Create the PTR (reverse) DNS record +- name: "Create the PTR (reverse) DNS record" community.general.expect: # Command syntax: samba-tool dns add PTR command: 
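Review bot: The `Show key variables` debug task still interpolates `{{ addc_admin_password }}` into `msg` with no `no_log`, so the domain administrator password is printed in cleartext to the console and to any log or callback plugin, which undoes the `no_log: true` that the zonecreate and PTR tasks below set for exactly that value. Drop the password from the message, `msg: "{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}"`, and if the remaining values are considered sensitive in this deployment add `no_log: true` to this task as well. Separately, `samba-tool dns zonecreate` runs unconditionally; on a re-run with the zone already present the command presumably exits non-zero and fails the play, so a `failed_when` that tolerates an already-exists result, or a preceding `samba-tool dns zoneinfo` check, would make the task re-runnable. The PTR task's `command:` value continues past the end of this hunk.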
> @@ -31,102 +28,102 @@ -U Administrator responses: # Expects the standard Samba password prompt - '(?i)password for.*:': '{{ addc_admin_password }}' + '(?i)password for.*:': "{{ addc_admin_password }}" no_log: true # Hide sensitive data from logs -- name: Verify Samba file server by listing local shares +- name: "Verify Samba file server by listing local shares" ansible.builtin.command: smbclient -L localhost -N register: smbclient_output changed_when: false # This is a verification step, it doesn't change the host state -- name: Report the results of the smbclient verification +- name: "Report the results of the smbclient verification" ansible.builtin.debug: msg: 'Samba Shares found: {{ smbclient_output.stdout }}' -- name: Verify Samba AD authentication by accessing the netlogon share +- name: "Verify Samba AD authentication by accessing the netlogon share" community.general.expect: # Command to run: smbclient //localhost/netlogon -UAdministrator -c 'ls' # The -c 'ls' command lists files on the share. command: smbclient //localhost/netlogon -UAdministrator -c 'ls' responses: # Use the (?i) flag for case-insensitive matching of the prompt. - '(?i)password:': '{{ addc_admin_password }}' + '(?i)password for.*:': "{{ addc_admin_password }}" no_log: true # CRITICAL: Prevents the password from being logged register: auth_verification changed_when: false # This is a verification/check, not a change -- name: Verify LDAP Service Record (SRV _ldap._tcp) +- name: "Verify LDAP Service Record (SRV _ldap._tcp)" ansible.builtin.command: host -t SRV _ldap._tcp.{{ addc_auth_domain | lower }}. 
register: ldap_srv_check changed_when: false failed_when: "'has SRV record' not in ldap_srv_check.stdout" -- name: Debug - Show LDAP SRV check result +- name: "Debug - Show LDAP SRV check result" ansible.builtin.debug: var: ldap_srv_check.stdout -- name: Verify Kerberos Service Record (SRV _kerberos._udp) +- name: "Verify Kerberos Service Record (SRV _kerberos._udp)" ansible.builtin.command: host -t SRV _kerberos._udp.{{ addc_auth_domain | lower }}. register: kerberos_srv_check changed_when: false failed_when: "'has SRV record' not in kerberos_srv_check.stdout" -- name: Debug - Show Kerberos SRV check result +- name: "Debug - Show Kerberos SRV check result" ansible.builtin.debug: var: kerberos_srv_check.stdout -- name: Verify DC's A (Forward) Record +- name: "Verify DC's A (Forward) Record" ansible.builtin.command: host -t A {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}. register: a_record_check changed_when: false failed_when: '{{ addc_ansible_host }} not in a_record_check.stdout' -- name: Debug - Show A Record check result +- name: "Debug - Show A Record check result" ansible.builtin.debug: var: a_record_check.stdout -- name: Verify DC's PTR (Reverse) Record +- name: "Verify DC's PTR (Reverse) Record" ansible.builtin.command: host -t PTR {{ addc_ansible_host }} register: ptr_record_check changed_when: false # Assuming dc1.{{ addc_auth_domain }} is the expected output for the reverse record failed_when: "'domain name pointer {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}' not in ptr_record_check.stdout" -- name: Debug - Show PTR Record check result +- name: "Debug - Show PTR Record check result" ansible.builtin.debug: var: ptr_record_check.stdout -- name: Verify Kerberos authentication using kinit +- name: "Verify Kerberos authentication using kinit" community.general.expect: # Command to run: kinit administrator command: kinit administrator responses: # Expects the standard Kerberos password prompt # The (?i) flag ensures case-insensitive 
matching. - '(?i)password for administrator.*:': '{{ addc_admin_password }}' + '(?i)password for administrator.*:': "{{ addc_admin_password }}" no_log: true # CRITICAL: Prevents the password from being logged register: kinit_check changed_when: false # This is a verification/check, not a change -- name: Debug - Show kinit verification result (should be empty on success) +- name: "Debug - Show kinit verification result (should be empty on success)" ansible.builtin.debug: msg: 'Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}' -- name: Optional - Show the cached Kerberos ticket +- name: "Optional - Show the cached Kerberos ticket" ansible.builtin.command: klist register: klist_output changed_when: false when: kinit_check is succeeded -- name: Debug - Show klist output +- name: "Debug - Show klist output" ansible.builtin.debug: var: klist_output.stdout - when: klist_check is defined + when: klist_output is defined
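Review bot: In the `Verify DC's A (Forward) Record` task the conditional `failed_when: '{{ addc_ansible_host }} not in a_record_check.stdout'` embeds templating delimiters inside an expression, so after rendering the left operand is a bare IP literal rather than a string; Ansible warns about `{{ }}` in conditionals and the comparison is unlikely to evaluate as intended, leaving the forward-record check either erroring or verifying nothing. Reference the variable directly instead: `failed_when: addc_ansible_host not in a_record_check.stdout`. The templated `host -t A {{ ... }}` and `host -t PTR {{ addc_ansible_host }}` command strings in the neighbouring tasks are fine; only the conditional is affected. The netlogon check's prompt pattern now matches the other expect tasks (`'(?i)password for.*:'`); if the target's smbclient prints a differently worded prompt the expect call will sit until its timeout rather than fail clearly, so it is worth confirming the prompt text on the deployed Samba version.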