style 💎: Improve regex pattern for extracting krb5 conf path

Updated the regular expression to correctly extract the absolute path of the krb5.conf file from the samba provision output. This change ensures that the extracted path is properly formatted and can be used in subsequent tasks.

defaults/main.yml

@@ -1,31 +1,31 @@
 # AD Provisioning details
 # Hostname = DC1
-addc_hostname: "DC1"
+addc_hostname: 'DC1'
 # DC local IP Address = 10.99.0.1
-addc_ansible_host: "10.99.0.1"
+addc_ansible_host: '10.99.0.1'
 # NetBIOS domain name (Workgroup).
-addc_netbios_domain: "SAMDOM"
+addc_netbios_domain: 'SAMDOM'
 # Top level Domain = EXAMPLE.COM
-addc_tld: "EXAMPLE.COM"
+addc_tld: 'EXAMPLE.COM'
 # Authentication Domain = SAMDOM.EXAMPLE.COM
-addc_auth_domain: "{{ addc_netbios_domain | upper }}.{{ addc_tld | upper }}"
+addc_auth_domain: '{{ addc_netbios_domain | upper }}.{{ addc_tld | upper }}'
 
-addc_admin_password: "Passw0rd"
-addc_dns_backend: "SAMBA_INTERNAL"
-addc_server_role: "dc"
+addc_admin_password: 'Passw0rd'
+addc_dns_backend: 'SAMBA_INTERNAL'
+addc_server_role: 'dc'
 
 addc_ip_network_prefix: "{{ addc_ansible_host.split('.')[:3] | join('.') }}"
 addc_ip_last_octet: "{{ addc_ansible_host.split('.')[-1] }}"
 addc_reverse_zone_name: "{{ addc_ip_network_prefix.split('.') | reverse | join('.') }}.in-addr.arpa"
 
 samba_domain_info:
-  realm: "{{ addc_auth_domain | upper }}"
-  domain: "{{ addc_netbios_domain | upper }}"
+  realm: '{{ addc_auth_domain | upper }}'
+  domain: '{{ addc_netbios_domain | upper }}'
   server_role: "{{ addc_server_role | default('dc') }}"
   dns_backend: "{{ addc_dns_backend | default('SAMBA_INTERNAL') }}"
-  adminpass: "{{ addc_admin_password }}"
+  adminpass: '{{ addc_admin_password }}'
   interfaces: "{{ samba_iface_list | join(' ') }}"
-  bind_interfaces_only: "yes"
+  bind_interfaces_only: 'yes'
 
 samba_iface_list:
   - lo
@@ -40,12 +40,14 @@ samba_packages:
   - libnss-winbind
   - krb5-config
   - krb5-user
-  - dnsutils
+  - bind9-dnsutils
+  # - dnsutils
   - python3-setproctitle
   # - smbclient
+  - samba-ad-dc
 
 # template for /etc/resolv.conf
 location_internal_dns: 192.168.1.1
 location_external_dns: 8.8.8.8
 
-backup_path: "/path/to/your/backup/directory"
+backup_path: '/path/to/your/backup/directory'

tasks/0backupcheck.yml

@@ -1,12 +1,12 @@
 ---
 - name: Check if backup directory exists
   stat:
-    path: "{{ backup_path }}"
+    path: '{{ backup_path }}'
   register: backup_dir_stat
 
 - name: Check if backup directory is not empty
   find:
-    paths: "{{ backup_path }}"
+    paths: '{{ backup_path }}'
     file_type: any
     recurse: false
   when: backup_dir_stat.stat.exists and backup_dir_stat.stat.isdir
@@ -15,8 +15,8 @@
 
 - name: Check if each required file exists
   stat:
-    path: "{{ dir_path }}/{{ item }}"
-  loop: "{{ backup_required_files }}"
+    path: '{{ dir_path }}/{{ item }}'
+  loop: '{{ backup_required_files }}'
   register: required_file_stats
 
 - name: Determine missing files
@@ -52,5 +52,5 @@
 
 - name: Debug - Show final result
   debug:
-    msg: "Backup directory exists and is not empty."
+    msg: 'Backup directory exists and is not empty.'
   when: backup_dir_valid | default(false)

tasks/install.yml

@@ -1,17 +1,123 @@
 ---
 - name: Install required packages
-  ansible.builtin.package:  
-    name: "{{ samba_packages }}"
+  ansible.builtin.apt:  
+    pkg: '{{ samba_packages }}'
     state: latest
+    update_cache: yes
+    autoclean: yes
+    autoremove: yes
+    purge: true
 
-- name: Stop samba-ad-dc before provisioning (if running)
-  ansible.builtin.service:
-    name: samba-ad-dc
+# - name: Install required packages
+#   ansible.builtin.package:  
+#     name: '{{ samba_packages }}'
+#     state: latest
+
+# - name: Stop samba-ad-dc before provisioning (if running)
+#   ansible.builtin.service:
+#     name: samba-ad-dc
+#     state: stopped
+#     enabled: no
+#   ignore_errors: true
+
+# known regression in certain Samba 4.22.x builds
+
+# - name: Check installed Samba version
+#   ansible.builtin.command: samba --version
+#   register: samba_version
+#   changed_when: false
+#   failed_when: false
+
+# - name: Show installed Samba version
+#   ansible.builtin.debug:
+#     msg: "Samba version: {{ samba_version.stdout }}"
+
+# - name: Warn if Samba version is 4.22.4
+#   ansible.builtin.debug:
+#     msg: "⚠️ Detected buggy Samba version 4.22.4 — upgrade recommended!"
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Add Samba Team Debian GPG key (modern method)
+#   ansible.builtin.get_url:
+#     # url: https://pkg.samba.org/keys/samba-pubkey.asc
+#     url: https://download.samba.org/pub/samba/samba-pubkey.asc
+#     dest: /usr/share/keyrings/samba-team-archive-keyring.gpg
+#     mode: '0644'
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Add Samba Team Debian repository (modern method)
+#   ansible.builtin.apt_repository:
+#     # repo: "deb [signed-by=/usr/share/keyrings/samba-team-archive-keyring.gpg] http://pkg.samba.org/packages/debian {{ ansible_lsb.codename | default('bookworm') }} samba-422"
+#     repo: "deb [signed-by=/usr/share/keyrings/samba-team-archive-keyring.gpg] http://download.samba.org/pub/samba/packages/debian {{ ansible_distribution_release  }} samba-422"
+#     state: present
+#     filename: samba-team
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Add Samba Team Debian GPG key (only if upgrade is needed)
+#   ansible.builtin.apt_key:
+#     url: https://pkg.samba.org/keys/samba-pubkey.asc
+#     state: present
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Add Samba Team Debian repository (only if upgrade is needed)
+#   ansible.builtin.apt_repository:
+#     repo: "deb http://pkg.samba.org/packages/debian $(lsb_release -cs) samba-422"
+#     state: present
+#     filename: samba-team
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Update APT cache (only if upgrade is needed)
+#   ansible.builtin.apt:
+#     update_cache: yes
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Upgrade Samba packages if version is 4.22.4
+#   ansible.builtin.apt:
+#     name:
+#       - samba
+#       - samba-dsdb-modules
+#       - samba-common-bin
+#       - python3-samba
+#     state: latest
+#   when: "'4.22.4' in samba_version.stdout"
+
+# - name: Verify installed Samba version
+#   ansible.builtin.command: samba --version
+#   register: samba_version
+#   changed_when: false
+
+# - name: Display upgraded Samba version
+#   ansible.builtin.debug:
+#     msg: "✅ Samba version after upgrade: {{ samba_version.stdout }}"
+
+# - name: Stop Samba services before provisioning
+#   ansible.builtin.service:
+#     name: '{{ item }}'
+#     state: stopped
+#   ignore_errors: true
+#   loop:
+#     - samba-ad-dc
+#     - smbd
+#     - nmbd
+#     - winbind
+
+- name: Disable and stop regular Samba services
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    enabled: false
     state: stopped
-    enabled: no
-  ignore_errors: yes
-
+    masked: true
+  loop:
+    - smbd
+    - nmbd
+    - winbind
 
+- name: Unmask and enable Samba AD/DC service (but do not start it)
+  ansible.builtin.systemd:
+    name: samba-ad-dc
+    masked: false
+    enabled: true
+    state: stopped
 
 
 
@@ -27,7 +133,7 @@
 # - name: Deploy smb.conf
 #   ansible.builtin.template:
 #     src: smb.conf.j2
-#     dest: "{{ samba_conf_path }}"
+#     dest: '{{ samba_conf_path }}'
 #     owner: root
 #     group: root
 #     mode: '0644'

tasks/kerberos.yml

@@ -1,14 +1,23 @@
 ---
-- name: Extract krb5.conf path from provision output
-  # The samba-tool output usually contains the path on a specific line.
-  # We extract the path using regex and the 'search' filter.
+- name: Extract absolute krb5.conf path from provision output
   ansible.builtin.set_fact:
-    krb5_conf_path: "{{ samba_provision_output.stdout | regex_search('krb5.conf file is located at (.*)', '\\1') | first }}"
+    krb5_conf_path: >-
+      {{ (
+          samba_provision_output.stdout
+          | regex_findall("(/[^\\s,'\"]+krb5\\.conf)")
+          | default([])
+          | first
+          | default('')
+        ) | replace(\"'\", '') | replace('\"', '') | replace(',', '') | trim }}
   when: samba_provision_output.stdout is defined
 
+- name: print krb5.conf path
+  ansible.builtin.debug:
+    msg: "Krb5.conf path: {{ krb5_conf_path }}"
+
 - name: Copy krb5.conf to /etc/krb5.conf
   ansible.builtin.copy:
-    src: "{{ krb5_conf_path }}"
+    src: '{{ krb5_conf_path }}'
     dest: /etc/krb5.conf
     owner: root
     group: root

tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Prepare for Samba AD DC
   include_tasks: preparing.yml
 

tasks/ntpd.yml

@@ -17,7 +17,7 @@
 
 - name: Set the path variable, failing if not found
   ansible.builtin.set_fact:
-    ntp_signd_path: "{{ find_ntp_signd.files[0].path }}"
+    ntp_signd_path: '{{ find_ntp_signd.files[0].path }}'
   # This conditional logic ensures the playbook stops if the directory is missing,
   # or if more than one directory named 'ntp_signd' is found (which is unlikely/undesirable).
   when: find_ntp_signd.matched == 1
@@ -25,7 +25,7 @@
   
 - name: Verify permissions on the detected 'ntp_signd' directory
   ansible.builtin.stat:
-    path: "{{ ntp_signd_path }}"
+    path: '{{ ntp_signd_path }}'
   register: ntp_signd_stats
 
 - name: Assert that the permissions allow read access
@@ -34,8 +34,8 @@
       # Check if the directory exists and has permissions that grant read/execute to 'other' (r-x)
       - ntp_signd_stats.stat.exists
       - ntp_signd_stats.stat.mode is search('[rwx-]{2}[rwx-]{2}[4-7]')
-    fail_msg: "FATAL: The detected ntp_signd directory ({{ ntp_signd_path }}) does not have necessary read permissions (mode: {{ ntp_signd_stats.stat.mode }})."
-    success_msg: "SUCCESS: Permissions on {{ ntp_signd_path }} are correctly configured."
+    fail_msg: 'FATAL: The detected ntp_signd directory ({{ ntp_signd_path }}) does not have necessary read permissions (mode: {{ ntp_signd_stats.stat.mode }}).'
+    success_msg: 'SUCCESS: Permissions on {{ ntp_signd_path }} are correctly configured.'
 
 - name: Configure ntp.conf for Active Directory Domain Controller (AD DC)
   ansible.builtin.template:

tasks/preparing.yml

@@ -48,7 +48,7 @@
 - name: Set /etc/hosts entry for Samba AD DC
   ansible.builtin.lineinfile:
     path: /etc/hosts
-    line: "{{ addc_ansible_host }} {{ addc_hostname | upper }}.{{ addc_tld | lower }} {{ addc_hostname | upper }}"
+    line: '{{ addc_ansible_host }} {{ addc_hostname | upper }}.{{ addc_tld | lower }} {{ addc_hostname | upper }}'
     state: present
     create: yes
 
@@ -68,22 +68,22 @@
 
 - name: Remove smb.conf using discovered path
   ansible.builtin.file:
-    path: "{{ smb_conf_path.stdout }}"
+    path: '{{ smb_conf_path.stdout }}'
     state: absent
 
 # Remove all Samba database files, such as *.tdb and *.ldb files
 - name: Get Samba directories from smbd -b
-  ansible.builtin.shell: smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | awk '{print $2}'
+  ansible.builtin.shell: smbd -b | egrep 'LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR' | awk '{print $2}'
   register: samba_dirs
   changed_when: false
   failed_when: samba_dirs.rc != 0
 
 - name: Filter existing directories
   ansible.builtin.find:
-    paths: "{{ item }}"
+    paths: '{{ item }}'
     file_type: directory
     recurse: no
-  loop: "{{ samba_dirs.stdout_lines }}"
+  loop: '{{ samba_dirs.stdout_lines }}'
   register: existing_dirs
 
 - name: Collect existing directories
@@ -92,21 +92,21 @@
 
 - name: Find *.tdb and *.ldb files
   ansible.builtin.find:
-    paths: "{{ item }}"
-    patterns: "*.tdb,*.ldb"
+    paths: '{{ item }}'
+    patterns: '*.tdb,*.ldb'
     recurse: yes
     use_regex: false
-  loop: "{{ valid_dirs }}"
+  loop: '{{ valid_dirs }}'
   register: db_files
 
 - name: Remove found tdb/ldb files
   ansible.builtin.file:
-    path: "{{ item.path }}"
+    path: '{{ item.path }}'
     state: absent
   loop: "{{ db_files.results | map(attribute='files') | sum(start=[]) }}"
   when: item.path is defined
 
 - name: Report removed files
   ansible.builtin.debug:
-    msg: "Removed: {{ item.path }}"
+    msg: 'Removed: {{ item.path }}'
   loop: "{{ db_files.results | map(attribute='files') | sum(start=[]) }}"

tasks/provision.yml

@@ -4,6 +4,16 @@
     path: /var/lib/samba/private/adsync.conf
   register: samba_provisioned
 
+- name: Remove smb.conf if server role conflicts
+  ansible.builtin.shell: |
+    if grep -q 'server role = standalone server' /etc/samba/smb.conf 2>/dev/null; then
+      mv /etc/samba/smb.conf /etc/samba/smb.conf.bak.$(date +%s)
+    fi
+  args:
+    executable: /bin/bash
+  changed_when: false
+  when: not samba_provisioned.stat.exists
+
 - name: Provision the Samba AD DC
   ansible.builtin.command: >
     samba-tool domain provision
@@ -12,12 +22,15 @@
     --domain={{ samba_domain_info.domain }}
     --server-role={{ samba_domain_info.server_role }}
     --dns-backend={{ samba_domain_info.dns_backend }}
-    --adminpass={{ samba_domain_info.adminpass }}
-    --option="interfaces={{ samba_domain_info.interfaces }}"
-    --option="bind interfaces only={{ samba_domain_info.bind_interfaces_only }}"
+    --adminpass='{{ addc_admin_password }}'
+    --option='interfaces={{ samba_domain_info.interfaces }}'
+    --option='bind interfaces only={{ samba_domain_info.bind_interfaces_only }}'
   when: not samba_provisioned.stat.exists
   register: samba_provision_output
   changed_when: samba_provision_output.rc == 0
   no_log: false  # You may toggle this if password should be hidden
 
+- name: print provision output
+  ansible.builtin.debug:
+    msg: "Provisioning output: {{samba_provision_output}}"
 

tasks/verify.yml

@@ -8,10 +8,10 @@
 - name: Create the reverse DNS zone {{ addc_reverse_zone_name }}
   community.general.expect:
     # Note: The 'expect' module is in the 'community.general' collection
-    command: "samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator"
+    command: 'samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator'
     responses:
       # Use the '(?i)' flag for case-insensitive matching of the prompt.
-      '(?i)password for.*:': "{{ addc_admin_password }}"
+      '(?i)password for.*:': '{{ addc_admin_password }}'
   no_log: true # Highly recommended to prevent the password from appearing in logs
 
 - name: Create the PTR (reverse) DNS record
@@ -25,7 +25,7 @@
       -U Administrator
     responses:
       # Expects the standard Samba password prompt
-      '(?i)password for.*:': "{{ addc_admin_password }}"
+      '(?i)password for.*:': '{{ addc_admin_password }}'
   no_log: true # Hide sensitive data from logs
 
 
@@ -36,7 +36,7 @@
 
 - name: Report the results of the smbclient verification
   ansible.builtin.debug:
-    msg: "Samba Shares found: {{ smbclient_output.stdout }}"
+    msg: 'Samba Shares found: {{ smbclient_output.stdout }}'
 
 - name: Verify Samba AD authentication by accessing the netlogon share
   community.general.expect:
@@ -45,7 +45,7 @@
     command: smbclient //localhost/netlogon -UAdministrator -c 'ls'
     responses:
       # Use the (?i) flag for case-insensitive matching of the prompt.
-      '(?i)password:': "{{ addc_admin_password }}"
+      '(?i)password:': '{{ addc_admin_password }}'
   no_log: true # CRITICAL: Prevents the password from being logged
   register: auth_verification
   changed_when: false # This is a verification/check, not a change
@@ -77,7 +77,7 @@
   ansible.builtin.command: host -t A {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}.
   register: a_record_check
   changed_when: false
-  failed_when: "{{ addc_ansible_host }} not in a_record_check.stdout"
+  failed_when: '{{ addc_ansible_host }} not in a_record_check.stdout'
 
 - name: Debug - Show A Record check result
   ansible.builtin.debug:
@@ -102,14 +102,14 @@
     responses:
       # Expects the standard Kerberos password prompt
       # The (?i) flag ensures case-insensitive matching.
-      '(?i)password for administrator.*:': "{{ addc_admin_password }}"
+      '(?i)password for administrator.*:': '{{ addc_admin_password }}'
   no_log: true # CRITICAL: Prevents the password from being logged
   register: kinit_check
   changed_when: false # This is a verification/check, not a change
 
 - name: Debug - Show kinit verification result (should be empty on success)
   ansible.builtin.debug:
-    msg: "Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}"
+    msg: 'Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}'
 
 - name: Optional - Show the cached Kerberos ticket
   ansible.builtin.command: klist
@@ -136,11 +136,11 @@
 # - name: Assert that the domain is provisioned
 #   assert:
 #     that:
-#       - "'Netbios name' in domain_info.stdout"
-#       - "'Server Role: ACTIVE DIRECTORY DOMAIN CONTROLLER' in domain_info.stdout"
+#       - ''Netbios name' in domain_info.stdout'
+#       - ''Server Role: ACTIVE DIRECTORY DOMAIN CONTROLLER' in domain_info.stdout'
 
 # - name: Attempt kinit with administrator
-#   command: echo "{{ samba_admin_password }}" | kinit administrator@{{ samba_realm }}
+#   command: echo '{{ samba_admin_password }}' | kinit administrator@{{ samba_realm }}
 #   register: kinit_result
 #   changed_when: false
 #   failed_when: kinit_result.rc != 0
@@ -153,7 +153,7 @@
 # - name: Assert Kerberos ticket exists
 #   assert:
 #     that:
-#       - "'krbtgt/{{ samba_realm }}@{{ samba_realm }}' in klist_result.stdout"
+#       - ''krbtgt/{{ samba_realm }}@{{ samba_realm }}' in klist_result.stdout'
 
 # - name: Check Samba AD DC service status
 #   service_facts:
@@ -161,5 +161,5 @@
 # - name: Assert samba-ad-dc service is active
 #   assert:
 #     that:
-#       - "'samba-ad-dc' in ansible_facts.services"
+#       - ''samba-ad-dc' in ansible_facts.services'
 #       - ansible_facts.services['samba-ad-dc'].state == 'running'