style 💎: Update time synchronization configuration

Updated the 'Configure Time Synchronization' task to use the new 'ntp' service instead of 'ntpd'. This change simplifies the configuration and improves consistency with other services.

defaults/main.yml

@@ -45,6 +45,8 @@ samba_packages:
   - python3-setproctitle
   # - smbclient
   - samba-ad-dc
+  - smbclient  # Debian/Ubuntu
+  - samba-client  # RHEL family (it will skip if not available)
 
 # template for /etc/resolv.conf
 location_internal_dns: 192.168.1.1

tasks/install.yml

@@ -1,9 +1,14 @@
 ---
+# - name: Install pexpect # required for verify.yml
+#   ansible.builtin.apt:  
+#     pkg: pexpect
+#     state: latest
+
 - name: Install required packages
   ansible.builtin.apt:  
     pkg: '{{ samba_packages }}'
     state: latest
-    update_cache: yes
+    # update_cache: yes
     autoclean: yes
     autoremove: yes
     purge: true

tasks/kerberos.yml

@@ -2,23 +2,47 @@
 - name: Extract absolute krb5.conf path from provision output
   ansible.builtin.set_fact:
     krb5_conf_path: >-
-      {{ (
+      {{
+        (
           samba_provision_output.stdout
-          | regex_findall("(/[^\\s,'\"]+krb5\\.conf)")
+          | regex_findall('(/[^\\s,"'']*/private/krb5\\.conf)')
+          | list
           | default([])
+        )
         | first
-          | default('')
-        ) | replace(\"'\", '') | replace('\"', '') | replace(',', '') | trim }}
+        | default('/var/lib/samba/private/krb5.conf')
+        | trim
+      }}
   when: samba_provision_output.stdout is defined
+# the regex doesnt actually work
 
-- name: print krb5.conf path
+- name: Show extracted krb5.conf path
   ansible.builtin.debug:
-    msg: "Krb5.conf path: {{ krb5_conf_path }}"
+    msg: "Extracted krb5.conf path: {{ krb5_conf_path | default('N/A') }}"
+
+- name: Check if krb5.conf exists on disk
+  ansible.builtin.stat:
+    path: "{{ krb5_conf_path }}"
+  register: krb5_conf_stat
+  when: krb5_conf_path != ''
+
+- name: Validate krb5.conf presence
+  ansible.builtin.fail:
+    msg: "Kerberos configuration file was not found at {{ krb5_conf_path }}. Provision may have failed."
+  when:
+    - krb5_conf_path != ''
+    - not krb5_conf_stat.stat.exists | default(false)
+
+- name: Confirm Kerberos configuration found
+  ansible.builtin.debug:
+    msg: "Kerberos configuration verified: {{ krb5_conf_path }}"
+  when: krb5_conf_stat.stat.exists | default(false)
 
 - name: Copy krb5.conf to /etc/krb5.conf
   ansible.builtin.copy:
     src: '{{ krb5_conf_path }}'
     dest: /etc/krb5.conf
+    remote_src: true
     owner: root
     group: root
     mode: '0644'

tasks/main.yml

@@ -17,6 +17,6 @@
 - name: Testing Samba AD DC
   include_tasks: verify.yml
 
-- name: Configure Time Synchronization
-  include_tasks: ntpd.yml
+# - name: Configure Time Synchronization
+#   include_tasks: ntpd.yml
   

tasks/ntpd.yml

@@ -1,7 +1,7 @@
 ---
 - name: Ensure the ntp package is installed
-  ansible.builtin.package:
-    name: ntp
+  ansible.builtin.apt:
+    name: ntpsec
     state: present
 
 - name: Search common Samba locations for the 'ntp_signd' directory

tasks/verify.yml

@@ -1,21 +1,36 @@
 ---
-- name: Start the samba service
+- name: "Start the samba service"
   ansible.builtin.service:
     name: samba
     state: started
     enabled: true
 
-- name: Create the reverse DNS zone {{ addc_reverse_zone_name }}
-  community.general.expect:
-    # Note: The 'expect' module is in the 'community.general' collection
-    command: 'samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator'
+- name: "Show key variables"
+  ansible.builtin.debug:
+    msg: "{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_admin_password }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}"
+
+# - name: Ensure python3-pip is installed (optional)
+#   ansible.builtin.apt:
+#     name: python3-pip
+#     state: present
+#   become: true
+
+- name: Ensure pexpect is installed (via apt)
+  ansible.builtin.apt:
+    name: python3-pexpect
+    state: present
+  become: true
+
+- name: "Create the reverse DNS zone {{ addc_reverse_zone_name }}"
+  ansible.builtin.expect:
+    command: "samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator"
     responses:
       # Use the '(?i)' flag for case-insensitive matching of the prompt.
-      '(?i)password for.*:': '{{ addc_admin_password }}'
+      '(?i)password for.*:': "{{ addc_admin_password }}"
   no_log: true # Highly recommended to prevent the password from appearing in logs
 
-- name: Create the PTR (reverse) DNS record
-  community.general.expect:
+- name: "Create the PTR (reverse) DNS record"
+  ansible.builtin.expect:
     # Command syntax: samba-tool dns add <server> <zone> <record_name> PTR <target_fqdn>
     command: >
       samba-tool dns add {{ addc_ansible_host }} 
@@ -25,102 +40,102 @@
       -U Administrator
     responses:
       # Expects the standard Samba password prompt
-      '(?i)password for.*:': '{{ addc_admin_password }}'
+      '(?i)password for.*:': "{{ addc_admin_password }}"
   no_log: true # Hide sensitive data from logs
 
 
-- name: Verify Samba file server by listing local shares
+- name: "Verify Samba file server by listing local shares"
   ansible.builtin.command: smbclient -L localhost -N
   register: smbclient_output
   changed_when: false # This is a verification step, it doesn't change the host state
 
-- name: Report the results of the smbclient verification
+- name: "Report the results of the smbclient verification"
   ansible.builtin.debug:
     msg: 'Samba Shares found: {{ smbclient_output.stdout }}'
 
-- name: Verify Samba AD authentication by accessing the netlogon share
-  community.general.expect:
+- name: "Verify Samba AD authentication by accessing the netlogon share"
+  ansible.builtin.expect:
     # Command to run: smbclient //localhost/netlogon -UAdministrator -c 'ls'
     # The -c 'ls' command lists files on the share.
     command: smbclient //localhost/netlogon -UAdministrator -c 'ls'
     responses:
       # Use the (?i) flag for case-insensitive matching of the prompt.
-      '(?i)password:': '{{ addc_admin_password }}'
+      '(?i)password for.*:': "{{ addc_admin_password }}"
   no_log: true # CRITICAL: Prevents the password from being logged
   register: auth_verification
   changed_when: false # This is a verification/check, not a change
 
 
-- name: Verify LDAP Service Record (SRV _ldap._tcp)
+- name: "Verify LDAP Service Record (SRV _ldap._tcp)"
   ansible.builtin.command: host -t SRV _ldap._tcp.{{ addc_auth_domain | lower }}.
   register: ldap_srv_check
   changed_when: false
   failed_when: "'has SRV record' not in ldap_srv_check.stdout"
 
-- name: Debug - Show LDAP SRV check result
+- name: "Debug - Show LDAP SRV check result"
   ansible.builtin.debug:
     var: ldap_srv_check.stdout
 
 
-- name: Verify Kerberos Service Record (SRV _kerberos._udp)
+- name: "Verify Kerberos Service Record (SRV _kerberos._udp)"
   ansible.builtin.command: host -t SRV _kerberos._udp.{{ addc_auth_domain | lower }}.
   register: kerberos_srv_check
   changed_when: false
   failed_when: "'has SRV record' not in kerberos_srv_check.stdout"
 
-- name: Debug - Show Kerberos SRV check result
+- name: "Debug - Show Kerberos SRV check result"
   ansible.builtin.debug:
     var: kerberos_srv_check.stdout
 
 
-- name: Verify DC's A (Forward) Record
+- name: "Verify DC's A (Forward) Record"
   ansible.builtin.command: host -t A {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}.
   register: a_record_check
   changed_when: false
-  failed_when: '{{ addc_ansible_host }} not in a_record_check.stdout'
+  failed_when: "'{{ addc_ansible_host }}' not in a_record_check.stdout"
 
-- name: Debug - Show A Record check result
+- name: "Debug - Show A Record check result"
   ansible.builtin.debug:
     var: a_record_check.stdout
 
 
-- name: Verify DC's PTR (Reverse) Record
+- name: "Verify DC's PTR (Reverse) Record"
   ansible.builtin.command: host -t PTR {{ addc_ansible_host }}
   register: ptr_record_check
   changed_when: false
   # Assuming dc1.{{ addc_auth_domain }} is the expected output for the reverse record
   failed_when: "'domain name pointer {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}' not in ptr_record_check.stdout"
 
-- name: Debug - Show PTR Record check result
+- name: "Debug - Show PTR Record check result"
   ansible.builtin.debug:
     var: ptr_record_check.stdout
 
-- name: Verify Kerberos authentication using kinit
-  community.general.expect:
+- name: "Verify Kerberos authentication using kinit"
+  ansible.builtin.expect:
     # Command to run: kinit administrator
     command: kinit administrator
     responses:
       # Expects the standard Kerberos password prompt
       # The (?i) flag ensures case-insensitive matching.
-      '(?i)password for administrator.*:': '{{ addc_admin_password }}'
+      '(?i)password for administrator.*:': "{{ addc_admin_password }}"
   no_log: true # CRITICAL: Prevents the password from being logged
   register: kinit_check
   changed_when: false # This is a verification/check, not a change
 
-- name: Debug - Show kinit verification result (should be empty on success)
+- name: "Debug - Show kinit verification result (should be empty on success)"
   ansible.builtin.debug:
     msg: 'Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}'
 
-- name: Optional - Show the cached Kerberos ticket
+- name: "Optional - Show the cached Kerberos ticket"
   ansible.builtin.command: klist
   register: klist_output
   changed_when: false
   when: kinit_check is succeeded
 
-- name: Debug - Show klist output
+- name: "Debug - Show klist output"
   ansible.builtin.debug:
     var: klist_output.stdout
-  when: klist_check is defined
+  when: klist_output is defined