style 💎: Update time synchronization configuration

Updated the 'Configure Time Synchronization' task to use the new 'ntp' service instead of 'ntpd'. This change simplifies the configuration and improves consistency with other services.

defaults/main.yml

@@ -1,31 +1,31 @@
 # AD Provisioning details
 # Hostname = DC1
-addc_hostname: "DC1"
+addc_hostname: 'DC1'
 # DC local IP Address = 10.99.0.1
-addc_ansible_host: "10.99.0.1"
+addc_ansible_host: '10.99.0.1'
 # NetBIOS domain name (Workgroup).
-addc_netbios_domain: "SAMDOM"
+addc_netbios_domain: 'SAMDOM'
 # Top level Domain = EXAMPLE.COM
-addc_tld: "EXAMPLE.COM"
+addc_tld: 'EXAMPLE.COM'
 # Authentication Domain = SAMDOM.EXAMPLE.COM
-addc_auth_domain: "{{ addc_netbios_domain | upper }}.{{ addc_tld | upper }}"
+addc_auth_domain: '{{ addc_netbios_domain | upper }}.{{ addc_tld | upper }}'
 
-addc_admin_password: "Passw0rd"
-addc_dns_backend: "SAMBA_INTERNAL"
-addc_server_role: "dc"
+addc_admin_password: 'Passw0rd'
+addc_dns_backend: 'SAMBA_INTERNAL'
+addc_server_role: 'dc'
 
 addc_ip_network_prefix: "{{ addc_ansible_host.split('.')[:3] | join('.') }}"
 addc_ip_last_octet: "{{ addc_ansible_host.split('.')[-1] }}"
 addc_reverse_zone_name: "{{ addc_ip_network_prefix.split('.') | reverse | join('.') }}.in-addr.arpa"
 
 samba_domain_info:
-  realm: "{{ addc_auth_domain | upper }}"
-  domain: "{{ addc_netbios_domain | upper }}"
+  realm: '{{ addc_auth_domain | upper }}'
+  domain: '{{ addc_netbios_domain | upper }}'
   server_role: "{{ addc_server_role | default('dc') }}"
   dns_backend: "{{ addc_dns_backend | default('SAMBA_INTERNAL') }}"
-  adminpass: "{{ addc_admin_password }}"
+  adminpass: '{{ addc_admin_password }}'
   interfaces: "{{ samba_iface_list | join(' ') }}"
-  bind_interfaces_only: "yes"
+  bind_interfaces_only: 'yes'
 
 samba_iface_list:
   - lo
@@ -40,12 +40,16 @@ samba_packages:
   - libnss-winbind
   - krb5-config
   - krb5-user
-  - dnsutils
+  - bind9-dnsutils
+  # - dnsutils
   - python3-setproctitle
   # - smbclient
+  - samba-ad-dc
+  - smbclient  # Debian/Ubuntu
+  - samba-client  # RHEL family (it will skip if not available)
 
 # template for /etc/resolv.conf
 location_internal_dns: 192.168.1.1
 location_external_dns: 8.8.8.8
 
-backup_path: "/path/to/your/backup/directory"
+backup_path: '/path/to/your/backup/directory'

tasks/0backupcheck.yml

@@ -1,12 +1,12 @@
 ---
 - name: Check if backup directory exists
   stat:
-    path: "{{ backup_path }}"
+    path: '{{ backup_path }}'
   register: backup_dir_stat
 
 - name: Check if backup directory is not empty
   find:
-    paths: "{{ backup_path }}"
+    paths: '{{ backup_path }}'
     file_type: any
     recurse: false
   when: backup_dir_stat.stat.exists and backup_dir_stat.stat.isdir
@@ -15,8 +15,8 @@
 
 - name: Check if each required file exists
   stat:
-    path: "{{ dir_path }}/{{ item }}"
-  loop: "{{ backup_required_files }}"
+    path: '{{ dir_path }}/{{ item }}'
+  loop: '{{ backup_required_files }}'
   register: required_file_stats
 
 - name: Determine missing files
@@ -52,5 +52,5 @@
 
 - name: Debug - Show final result
   debug:
-    msg: "Backup directory exists and is not empty."
+    msg: 'Backup directory exists and is not empty.'
   when: backup_dir_valid | default(false)

tasks/install.yml

@@ -1,17 +1,128 @@
 ---
+# - name: Install pexpect # required for verify.yml
+#   ansible.builtin.apt:  
+#     pkg: pexpect
+#     state: latest
+
 - name: Install required packages
-  ansible.builtin.package:  
-    name: "{{ samba_packages }}"
+  ansible.builtin.apt:  
+    pkg: '{{ samba_packages }}'
     state: latest
+    # update_cache: yes
+    autoclean: yes
+    autoremove: yes
+    purge: true
 
-- name: Stop samba-ad-dc before provisioning (if running)
-  ansible.builtin.service:
-    name: samba-ad-dc
+# - name: Install required packages
+#   ansible.builtin.package:  
+#     name: '{{ samba_packages }}'
+#     state: latest
+
+# - name: Stop samba-ad-dc before provisioning (if running)
+#   ansible.builtin.service:
+#     name: samba-ad-dc
+#     state: stopped
+#     enabled: no
+#   ignore_errors: true
+
+# known regression in certain Samba 4.22.x builds
+
+# - name: Check installed Samba version
+#   ansible.builtin.command: samba --version
+#   register: samba_version
+#   changed_when: false
+#   failed_when: false
+
+# - name: Show installed Samba version
+#   ansible.builtin.debug:
+#     msg: "Samba version: {{ samba_version.stdout }}"
+
+# - name: Warn if Samba version is 4.22.4
+#   ansible.builtin.debug:
+#     msg: "⚠️ Detected buggy Samba version 4.22.4 — upgrade recommended!"
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Add Samba Team Debian GPG key (modern method)
+#   ansible.builtin.get_url:
+#     # url: https://pkg.samba.org/keys/samba-pubkey.asc
+#     url: https://download.samba.org/pub/samba/samba-pubkey.asc
+#     dest: /usr/share/keyrings/samba-team-archive-keyring.gpg
+#     mode: '0644'
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Add Samba Team Debian repository (modern method)
+#   ansible.builtin.apt_repository:
+#     # repo: "deb [signed-by=/usr/share/keyrings/samba-team-archive-keyring.gpg] http://pkg.samba.org/packages/debian {{ ansible_lsb.codename | default('bookworm') }} samba-422"
+#     repo: "deb [signed-by=/usr/share/keyrings/samba-team-archive-keyring.gpg] http://download.samba.org/pub/samba/packages/debian {{ ansible_distribution_release  }} samba-422"
+#     state: present
+#     filename: samba-team
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Add Samba Team Debian GPG key (only if upgrade is needed)
+#   ansible.builtin.apt_key:
+#     url: https://pkg.samba.org/keys/samba-pubkey.asc
+#     state: present
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Add Samba Team Debian repository (only if upgrade is needed)
+#   ansible.builtin.apt_repository:
+#     repo: "deb http://pkg.samba.org/packages/debian $(lsb_release -cs) samba-422"
+#     state: present
+#     filename: samba-team
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Update APT cache (only if upgrade is needed)
+#   ansible.builtin.apt:
+#     update_cache: yes
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Upgrade Samba packages if version is 4.22.4
+#   ansible.builtin.apt:
+#     name:
+#       - samba
+#       - samba-dsdb-modules
+#       - samba-common-bin
+#       - python3-samba
+#     state: latest
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Verify installed Samba version
+#   ansible.builtin.command: samba --version
+#   register: samba_version
+#   changed_when: false
+
+# - name: Display upgraded Samba version
+#   ansible.builtin.debug:
+#     msg: "✅ Samba version after upgrade: {{ samba_version.stdout }}"
+
+# - name: Stop Samba services before provisioning
+#   ansible.builtin.service:
+#     name: '{{ item }}'
+#     state: stopped
+#   ignore_errors: true
+#   loop:
+#     - samba-ad-dc
+#     - smbd
+#     - nmbd
+#     - winbind
+
+- name: Disable and stop regular Samba services
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    enabled: false
     state: stopped
-    enabled: no
-  ignore_errors: yes
-
+    masked: true
+  loop:
+    - smbd
+    - nmbd
+    - winbind
 
+- name: Unmask and enable Samba AD/DC service (but do not start it)
+  ansible.builtin.systemd:
+    name: samba-ad-dc
+    masked: false
+    enabled: true
+    state: stopped
 
 
 
@@ -27,7 +138,7 @@
 # - name: Deploy smb.conf
 #   ansible.builtin.template:
 #     src: smb.conf.j2
-#     dest: "{{ samba_conf_path }}"
+#     dest: '{{ samba_conf_path }}'
 #     owner: root
 #     group: root
 #     mode: '0644'

tasks/kerberos.yml

@@ -1,15 +1,48 @@
 ---
-- name: Extract krb5.conf path from provision output
-  # The samba-tool output usually contains the path on a specific line.
-  # We extract the path using regex and the 'search' filter.
+- name: Extract absolute krb5.conf path from provision output
   ansible.builtin.set_fact:
-    krb5_conf_path: "{{ samba_provision_output.stdout | regex_search('krb5.conf file is located at (.*)', '\\1') | first }}"
+    krb5_conf_path: >-
+      {{
+        (
+          samba_provision_output.stdout
+          | regex_findall('(/[^\\s,"'']*/private/krb5\\.conf)')
+          | list
+          | default([])
+        )
+        | first
+        | default('/var/lib/samba/private/krb5.conf')
+        | trim
+      }}
   when: samba_provision_output.stdout is defined
+# the regex doesnt actually work
+
+- name: Show extracted krb5.conf path
+  ansible.builtin.debug:
+    msg: "Extracted krb5.conf path: {{ krb5_conf_path | default('N/A') }}"
+
+- name: Check if krb5.conf exists on disk
+  ansible.builtin.stat:
+    path: "{{ krb5_conf_path }}"
+  register: krb5_conf_stat
+  when: krb5_conf_path != ''
+
+- name: Validate krb5.conf presence
+  ansible.builtin.fail:
+    msg: "Kerberos configuration file was not found at {{ krb5_conf_path }}. Provision may have failed."
+  when:
+    - krb5_conf_path != ''
+    - not krb5_conf_stat.stat.exists | default(false)
+
+- name: Confirm Kerberos configuration found
+  ansible.builtin.debug:
+    msg: "Kerberos configuration verified: {{ krb5_conf_path }}"
+  when: krb5_conf_stat.stat.exists | default(false)
 
 - name: Copy krb5.conf to /etc/krb5.conf
   ansible.builtin.copy:
-    src: "{{ krb5_conf_path }}"
+    src: '{{ krb5_conf_path }}'
     dest: /etc/krb5.conf
+    remote_src: true
     owner: root
     group: root
     mode: '0644'

tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Prepare for Samba AD DC
   include_tasks: preparing.yml
 
@@ -18,6 +17,6 @@
 - name: Testing Samba AD DC
   include_tasks: verify.yml
 
-- name: Configure Time Synchronization
-  include_tasks: ntpd.yml
+# - name: Configure Time Synchronization
+#   include_tasks: ntpd.yml
   

tasks/ntpd.yml

@@ -1,7 +1,7 @@
 ---
 - name: Ensure the ntp package is installed
-  ansible.builtin.package:
-    name: ntp
+  ansible.builtin.apt:
+    name: ntpsec
     state: present
 
 - name: Search common Samba locations for the 'ntp_signd' directory
@@ -17,7 +17,7 @@
 
 - name: Set the path variable, failing if not found
   ansible.builtin.set_fact:
-    ntp_signd_path: "{{ find_ntp_signd.files[0].path }}"
+    ntp_signd_path: '{{ find_ntp_signd.files[0].path }}'
   # This conditional logic ensures the playbook stops if the directory is missing,
   # or if more than one directory named 'ntp_signd' is found (which is unlikely/undesirable).
   when: find_ntp_signd.matched == 1
@@ -25,7 +25,7 @@
   
 - name: Verify permissions on the detected 'ntp_signd' directory
   ansible.builtin.stat:
-    path: "{{ ntp_signd_path }}"
+    path: '{{ ntp_signd_path }}'
   register: ntp_signd_stats
 
 - name: Assert that the permissions allow read access
@@ -34,8 +34,8 @@
       # Check if the directory exists and has permissions that grant read/execute to 'other' (r-x)
       - ntp_signd_stats.stat.exists
       - ntp_signd_stats.stat.mode is search('[rwx-]{2}[rwx-]{2}[4-7]')
-    fail_msg: "FATAL: The detected ntp_signd directory ({{ ntp_signd_path }}) does not have necessary read permissions (mode: {{ ntp_signd_stats.stat.mode }})."
-    success_msg: "SUCCESS: Permissions on {{ ntp_signd_path }} are correctly configured."
+    fail_msg: 'FATAL: The detected ntp_signd directory ({{ ntp_signd_path }}) does not have necessary read permissions (mode: {{ ntp_signd_stats.stat.mode }}).'
+    success_msg: 'SUCCESS: Permissions on {{ ntp_signd_path }} are correctly configured.'
 
 - name: Configure ntp.conf for Active Directory Domain Controller (AD DC)
   ansible.builtin.template:

tasks/preparing.yml

@@ -48,7 +48,7 @@
 - name: Set /etc/hosts entry for Samba AD DC
   ansible.builtin.lineinfile:
     path: /etc/hosts
-    line: "{{ addc_ansible_host }} {{ addc_hostname | upper }}.{{ addc_tld | lower }} {{ addc_hostname | upper }}"
+    line: '{{ addc_ansible_host }} {{ addc_hostname | upper }}.{{ addc_tld | lower }} {{ addc_hostname | upper }}'
     state: present
     create: yes
 
@@ -68,22 +68,22 @@
 
 - name: Remove smb.conf using discovered path
   ansible.builtin.file:
-    path: "{{ smb_conf_path.stdout }}"
+    path: '{{ smb_conf_path.stdout }}'
     state: absent
 
 # Remove all Samba database files, such as *.tdb and *.ldb files
 - name: Get Samba directories from smbd -b
-  ansible.builtin.shell: smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | awk '{print $2}'
+  ansible.builtin.shell: smbd -b | egrep 'LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR' | awk '{print $2}'
   register: samba_dirs
   changed_when: false
   failed_when: samba_dirs.rc != 0
 
 - name: Filter existing directories
   ansible.builtin.find:
-    paths: "{{ item }}"
+    paths: '{{ item }}'
     file_type: directory
     recurse: no
-  loop: "{{ samba_dirs.stdout_lines }}"
+  loop: '{{ samba_dirs.stdout_lines }}'
   register: existing_dirs
 
 - name: Collect existing directories
@@ -92,21 +92,21 @@
 
 - name: Find *.tdb and *.ldb files
   ansible.builtin.find:
-    paths: "{{ item }}"
-    patterns: "*.tdb,*.ldb"
+    paths: '{{ item }}'
+    patterns: '*.tdb,*.ldb'
     recurse: yes
     use_regex: false
-  loop: "{{ valid_dirs }}"
+  loop: '{{ valid_dirs }}'
   register: db_files
 
 - name: Remove found tdb/ldb files
   ansible.builtin.file:
-    path: "{{ item.path }}"
+    path: '{{ item.path }}'
     state: absent
   loop: "{{ db_files.results | map(attribute='files') | sum(start=[]) }}"
   when: item.path is defined
 
 - name: Report removed files
   ansible.builtin.debug:
-    msg: "Removed: {{ item.path }}"
+    msg: 'Removed: {{ item.path }}'
   loop: "{{ db_files.results | map(attribute='files') | sum(start=[]) }}"

tasks/provision.yml

@@ -4,6 +4,16 @@
     path: /var/lib/samba/private/adsync.conf
   register: samba_provisioned
 
+- name: Remove smb.conf if server role conflicts
+  ansible.builtin.shell: |
+    if grep -q 'server role = standalone server' /etc/samba/smb.conf 2>/dev/null; then
+      mv /etc/samba/smb.conf /etc/samba/smb.conf.bak.$(date +%s)
+    fi
+  args:
+    executable: /bin/bash
+  changed_when: false
+  when: not samba_provisioned.stat.exists
+
 - name: Provision the Samba AD DC
   ansible.builtin.command: >
     samba-tool domain provision
@@ -12,12 +22,15 @@
     --domain={{ samba_domain_info.domain }}
     --server-role={{ samba_domain_info.server_role }}
     --dns-backend={{ samba_domain_info.dns_backend }}
-    --adminpass={{ samba_domain_info.adminpass }}
-    --option="interfaces={{ samba_domain_info.interfaces }}"
-    --option="bind interfaces only={{ samba_domain_info.bind_interfaces_only }}"
+    --adminpass='{{ addc_admin_password }}'
+    --option='interfaces={{ samba_domain_info.interfaces }}'
+    --option='bind interfaces only={{ samba_domain_info.bind_interfaces_only }}'
   when: not samba_provisioned.stat.exists
   register: samba_provision_output
   changed_when: samba_provision_output.rc == 0
   no_log: false  # You may toggle this if password should be hidden
 
+- name: print provision output
+  ansible.builtin.debug:
+    msg: "Provisioning output: {{samba_provision_output}}"
 

tasks/verify.yml

@@ -1,21 +1,36 @@
 ---
-- name: Start the samba service
+- name: "Start the samba service"
   ansible.builtin.service:
     name: samba
     state: started
     enabled: true
 
-- name: Create the reverse DNS zone {{ addc_reverse_zone_name }}
-  community.general.expect:
-    # Note: The 'expect' module is in the 'community.general' collection
+- name: "Show key variables"
+  ansible.builtin.debug:
+    msg: "{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_admin_password }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}"
+
+# - name: Ensure python3-pip is installed (optional)
+#   ansible.builtin.apt:
+#     name: python3-pip
+#     state: present
+#   become: true
+
+- name: Ensure pexpect is installed (via apt)
+  ansible.builtin.apt:
+    name: python3-pexpect
+    state: present
+  become: true
+
+- name: "Create the reverse DNS zone {{ addc_reverse_zone_name }}"
+  ansible.builtin.expect:
     command: "samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator"
     responses:
       # Use the '(?i)' flag for case-insensitive matching of the prompt.
       '(?i)password for.*:': "{{ addc_admin_password }}"
   no_log: true # Highly recommended to prevent the password from appearing in logs
 
-- name: Create the PTR (reverse) DNS record
-  community.general.expect:
+- name: "Create the PTR (reverse) DNS record"
+  ansible.builtin.expect:
     # Command syntax: samba-tool dns add <server> <zone> <record_name> PTR <target_fqdn>
     command: >
       samba-tool dns add {{ addc_ansible_host }} 
@@ -29,74 +44,74 @@
   no_log: true # Hide sensitive data from logs
 
 
-- name: Verify Samba file server by listing local shares
+- name: "Verify Samba file server by listing local shares"
   ansible.builtin.command: smbclient -L localhost -N
   register: smbclient_output
   changed_when: false # This is a verification step, it doesn't change the host state
 
-- name: Report the results of the smbclient verification
+- name: "Report the results of the smbclient verification"
   ansible.builtin.debug:
-    msg: "Samba Shares found: {{ smbclient_output.stdout }}"
+    msg: 'Samba Shares found: {{ smbclient_output.stdout }}'
 
-- name: Verify Samba AD authentication by accessing the netlogon share
-  community.general.expect:
+- name: "Verify Samba AD authentication by accessing the netlogon share"
+  ansible.builtin.expect:
     # Command to run: smbclient //localhost/netlogon -UAdministrator -c 'ls'
     # The -c 'ls' command lists files on the share.
     command: smbclient //localhost/netlogon -UAdministrator -c 'ls'
     responses:
       # Use the (?i) flag for case-insensitive matching of the prompt.
-      '(?i)password:': "{{ addc_admin_password }}"
+      '(?i)password for.*:': "{{ addc_admin_password }}"
   no_log: true # CRITICAL: Prevents the password from being logged
   register: auth_verification
   changed_when: false # This is a verification/check, not a change
 
 
-- name: Verify LDAP Service Record (SRV _ldap._tcp)
+- name: "Verify LDAP Service Record (SRV _ldap._tcp)"
   ansible.builtin.command: host -t SRV _ldap._tcp.{{ addc_auth_domain | lower }}.
   register: ldap_srv_check
   changed_when: false
   failed_when: "'has SRV record' not in ldap_srv_check.stdout"
 
-- name: Debug - Show LDAP SRV check result
+- name: "Debug - Show LDAP SRV check result"
   ansible.builtin.debug:
     var: ldap_srv_check.stdout
 
 
-- name: Verify Kerberos Service Record (SRV _kerberos._udp)
+- name: "Verify Kerberos Service Record (SRV _kerberos._udp)"
   ansible.builtin.command: host -t SRV _kerberos._udp.{{ addc_auth_domain | lower }}.
   register: kerberos_srv_check
   changed_when: false
   failed_when: "'has SRV record' not in kerberos_srv_check.stdout"
 
-- name: Debug - Show Kerberos SRV check result
+- name: "Debug - Show Kerberos SRV check result"
   ansible.builtin.debug:
     var: kerberos_srv_check.stdout
 
 
-- name: Verify DC's A (Forward) Record
+- name: "Verify DC's A (Forward) Record"
   ansible.builtin.command: host -t A {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}.
   register: a_record_check
   changed_when: false
-  failed_when: "{{ addc_ansible_host }} not in a_record_check.stdout"
+  failed_when: "'{{ addc_ansible_host }}' not in a_record_check.stdout"
 
-- name: Debug - Show A Record check result
+- name: "Debug - Show A Record check result"
   ansible.builtin.debug:
     var: a_record_check.stdout
 
 
-- name: Verify DC's PTR (Reverse) Record
+- name: "Verify DC's PTR (Reverse) Record"
   ansible.builtin.command: host -t PTR {{ addc_ansible_host }}
   register: ptr_record_check
   changed_when: false
   # Assuming dc1.{{ addc_auth_domain }} is the expected output for the reverse record
   failed_when: "'domain name pointer {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}' not in ptr_record_check.stdout"
 
-- name: Debug - Show PTR Record check result
+- name: "Debug - Show PTR Record check result"
   ansible.builtin.debug:
     var: ptr_record_check.stdout
 
-- name: Verify Kerberos authentication using kinit
-  community.general.expect:
+- name: "Verify Kerberos authentication using kinit"
+  ansible.builtin.expect:
     # Command to run: kinit administrator
     command: kinit administrator
     responses:
@@ -107,20 +122,20 @@
   register: kinit_check
   changed_when: false # This is a verification/check, not a change
 
-- name: Debug - Show kinit verification result (should be empty on success)
+- name: "Debug - Show kinit verification result (should be empty on success)"
   ansible.builtin.debug:
-    msg: "Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}"
+    msg: 'Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}'
 
-- name: Optional - Show the cached Kerberos ticket
+- name: "Optional - Show the cached Kerberos ticket"
   ansible.builtin.command: klist
   register: klist_output
   changed_when: false
   when: kinit_check is succeeded
 
-- name: Debug - Show klist output
+- name: "Debug - Show klist output"
   ansible.builtin.debug:
     var: klist_output.stdout
-  when: klist_check is defined
+  when: klist_output is defined
 
 
 
@@ -136,11 +151,11 @@
 # - name: Assert that the domain is provisioned
 #   assert:
 #     that:
-#       - "'Netbios name' in domain_info.stdout"
-#       - "'Server Role: ACTIVE DIRECTORY DOMAIN CONTROLLER' in domain_info.stdout"
+#       - ''Netbios name' in domain_info.stdout'
+#       - ''Server Role: ACTIVE DIRECTORY DOMAIN CONTROLLER' in domain_info.stdout'
 
 # - name: Attempt kinit with administrator
-#   command: echo "{{ samba_admin_password }}" | kinit administrator@{{ samba_realm }}
+#   command: echo '{{ samba_admin_password }}' | kinit administrator@{{ samba_realm }}
 #   register: kinit_result
 #   changed_when: false
 #   failed_when: kinit_result.rc != 0
@@ -153,7 +168,7 @@
 # - name: Assert Kerberos ticket exists
 #   assert:
 #     that:
-#       - "'krbtgt/{{ samba_realm }}@{{ samba_realm }}' in klist_result.stdout"
+#       - ''krbtgt/{{ samba_realm }}@{{ samba_realm }}' in klist_result.stdout'
 
 # - name: Check Samba AD DC service status
 #   service_facts:
@@ -161,5 +176,5 @@
 # - name: Assert samba-ad-dc service is active
 #   assert:
 #     that:
-#       - "'samba-ad-dc' in ansible_facts.services"
+#       - ''samba-ad-dc' in ansible_facts.services'
 #       - ansible_facts.services['samba-ad-dc'].state == 'running'