Jose/ansible_samba_ad_dc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

style 💎: Update Samba configuration for reverse DNS zone creation and verification

Browse Source 
This commit updates the Samba configuration to create and verify a reverse DNS zone, PTR record, and Kerberos authentication. The changes include updating debug messages and adding new tasks to verify the setup.
This commit is contained in:
Jose
2025-11-06 18:52:58 +01:00
parent 6a926da12a
commit 8d740e77a6
1 changed files with 24 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
tasks/verify.yml
View File

@@ -1,26 +1,23 @@
--- ---
- name: Start the samba service - name: "Start the samba service"
ansible.builtin.service: ansible.builtin.service:
name: samba name: samba
state: started state: started
enabled: true enabled: true
- name: vars - name: "Show key variables"
ansible.builtin.debug: ansible.builtin.debug:
msg: msg: "{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_admin_password }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}"
"{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_admin_password }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}"
- name: Create the reverse DNS zone - name: "Create the reverse DNS zone {{ addc_reverse_zone_name }}"
# {{ addc_reverse_zone_name }}
community.general.expect: community.general.expect:
# Note: The 'expect' module is in the 'community.general' collection
command: "samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator" command: "samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator"
responses: responses:
# Use the '(?i)' flag for case-insensitive matching of the prompt. # Use the '(?i)' flag for case-insensitive matching of the prompt.
'(?i)password for.*:': "{{ addc_admin_password }}" '(?i)password for.*:': "{{ addc_admin_password }}"
no_log: true # Highly recommended to prevent the password from appearing in logs no_log: true # Highly recommended to prevent the password from appearing in logs
- name: Create the PTR (reverse) DNS record - name: "Create the PTR (reverse) DNS record"
community.general.expect: community.general.expect:
# Command syntax: samba-tool dns add <server> <zone> <record_name> PTR <target_fqdn> # Command syntax: samba-tool dns add <server> <zone> <record_name> PTR <target_fqdn>
command: > command: >
@@ -31,102 +28,102 @@
-U Administrator -U Administrator
responses: responses:
# Expects the standard Samba password prompt # Expects the standard Samba password prompt
'(?i)password for.*:': '{{ addc_admin_password }}' '(?i)password for.*:': "{{ addc_admin_password }}"
no_log: true # Hide sensitive data from logs no_log: true # Hide sensitive data from logs
- name: Verify Samba file server by listing local shares - name: "Verify Samba file server by listing local shares"
ansible.builtin.command: smbclient -L localhost -N ansible.builtin.command: smbclient -L localhost -N
register: smbclient_output register: smbclient_output
changed_when: false # This is a verification step, it doesn't change the host state changed_when: false # This is a verification step, it doesn't change the host state
- name: Report the results of the smbclient verification - name: "Report the results of the smbclient verification"
ansible.builtin.debug: ansible.builtin.debug:
msg: 'Samba Shares found: {{ smbclient_output.stdout }}' msg: 'Samba Shares found: {{ smbclient_output.stdout }}'
- name: Verify Samba AD authentication by accessing the netlogon share - name: "Verify Samba AD authentication by accessing the netlogon share"
community.general.expect: community.general.expect:
# Command to run: smbclient //localhost/netlogon -UAdministrator -c 'ls' # Command to run: smbclient //localhost/netlogon -UAdministrator -c 'ls'
# The -c 'ls' command lists files on the share. # The -c 'ls' command lists files on the share.
command: smbclient //localhost/netlogon -UAdministrator -c 'ls' command: smbclient //localhost/netlogon -UAdministrator -c 'ls'
responses: responses:
# Use the (?i) flag for case-insensitive matching of the prompt. # Use the (?i) flag for case-insensitive matching of the prompt.
'(?i)password:': '{{ addc_admin_password }}' '(?i)password for.*:': "{{ addc_admin_password }}"
no_log: true # CRITICAL: Prevents the password from being logged no_log: true # CRITICAL: Prevents the password from being logged
register: auth_verification register: auth_verification
changed_when: false # This is a verification/check, not a change changed_when: false # This is a verification/check, not a change
- name: Verify LDAP Service Record (SRV _ldap._tcp) - name: "Verify LDAP Service Record (SRV _ldap._tcp)"
ansible.builtin.command: host -t SRV _ldap._tcp.{{ addc_auth_domain | lower }}. ansible.builtin.command: host -t SRV _ldap._tcp.{{ addc_auth_domain | lower }}.
register: ldap_srv_check register: ldap_srv_check
changed_when: false changed_when: false
failed_when: "'has SRV record' not in ldap_srv_check.stdout" failed_when: "'has SRV record' not in ldap_srv_check.stdout"
- name: Debug - Show LDAP SRV check result - name: "Debug - Show LDAP SRV check result"
ansible.builtin.debug: ansible.builtin.debug:
var: ldap_srv_check.stdout var: ldap_srv_check.stdout
- name: Verify Kerberos Service Record (SRV _kerberos._udp) - name: "Verify Kerberos Service Record (SRV _kerberos._udp)"
ansible.builtin.command: host -t SRV _kerberos._udp.{{ addc_auth_domain | lower }}. ansible.builtin.command: host -t SRV _kerberos._udp.{{ addc_auth_domain | lower }}.
register: kerberos_srv_check register: kerberos_srv_check
changed_when: false changed_when: false
failed_when: "'has SRV record' not in kerberos_srv_check.stdout" failed_when: "'has SRV record' not in kerberos_srv_check.stdout"
- name: Debug - Show Kerberos SRV check result - name: "Debug - Show Kerberos SRV check result"
ansible.builtin.debug: ansible.builtin.debug:
var: kerberos_srv_check.stdout var: kerberos_srv_check.stdout
- name: Verify DC's A (Forward) Record - name: "Verify DC's A (Forward) Record"
ansible.builtin.command: host -t A {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}. ansible.builtin.command: host -t A {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}.
register: a_record_check register: a_record_check
changed_when: false changed_when: false
failed_when: '{{ addc_ansible_host }} not in a_record_check.stdout' failed_when: '{{ addc_ansible_host }} not in a_record_check.stdout'
- name: Debug - Show A Record check result - name: "Debug - Show A Record check result"
ansible.builtin.debug: ansible.builtin.debug:
var: a_record_check.stdout var: a_record_check.stdout
- name: Verify DC's PTR (Reverse) Record - name: "Verify DC's PTR (Reverse) Record"
ansible.builtin.command: host -t PTR {{ addc_ansible_host }} ansible.builtin.command: host -t PTR {{ addc_ansible_host }}
register: ptr_record_check register: ptr_record_check
changed_when: false changed_when: false
# Assuming dc1.{{ addc_auth_domain }} is the expected output for the reverse record # Assuming dc1.{{ addc_auth_domain }} is the expected output for the reverse record
failed_when: "'domain name pointer {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}' not in ptr_record_check.stdout" failed_when: "'domain name pointer {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}' not in ptr_record_check.stdout"
- name: Debug - Show PTR Record check result - name: "Debug - Show PTR Record check result"
ansible.builtin.debug: ansible.builtin.debug:
var: ptr_record_check.stdout var: ptr_record_check.stdout
- name: Verify Kerberos authentication using kinit - name: "Verify Kerberos authentication using kinit"
community.general.expect: community.general.expect:
# Command to run: kinit administrator # Command to run: kinit administrator
command: kinit administrator command: kinit administrator
responses: responses:
# Expects the standard Kerberos password prompt # Expects the standard Kerberos password prompt
# The (?i) flag ensures case-insensitive matching. # The (?i) flag ensures case-insensitive matching.
'(?i)password for administrator.*:': '{{ addc_admin_password }}' '(?i)password for administrator.*:': "{{ addc_admin_password }}"
no_log: true # CRITICAL: Prevents the password from being logged no_log: true # CRITICAL: Prevents the password from being logged
register: kinit_check register: kinit_check
changed_when: false # This is a verification/check, not a change changed_when: false # This is a verification/check, not a change
- name: Debug - Show kinit verification result (should be empty on success) - name: "Debug - Show kinit verification result (should be empty on success)"
ansible.builtin.debug: ansible.builtin.debug:
msg: 'Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}' msg: 'Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}'
- name: Optional - Show the cached Kerberos ticket - name: "Optional - Show the cached Kerberos ticket"
ansible.builtin.command: klist ansible.builtin.command: klist
register: klist_output register: klist_output
changed_when: false changed_when: false
when: kinit_check is succeeded when: kinit_check is succeeded
- name: Debug - Show klist output - name: "Debug - Show klist output"
ansible.builtin.debug: ansible.builtin.debug:
var: klist_output.stdout var: klist_output.stdout
when: klist_check is defined when: klist_output is defined