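---
# Post-provisioning tasks for a Samba AD DC: start the service, create the
# reverse DNS zone and the DC's PTR record, then verify shares, DNS records and
# Kerberos authentication.
#
# Variables consumed (all expected to be defined by the caller):
#   addc_reverse_zone_name, addc_ansible_host, addc_admin_password,
#   addc_ip_last_octet, addc_hostname, addc_auth_domain
#
# addc_admin_password is a secret: every task that templates it carries
# no_log: true, and it must never be passed through debug.

- name: "Start the samba service"
  # NOTE(review): on Debian/Ubuntu the AD DC unit is usually "samba-ad-dc"
  # (the commented-out checks at the end of this file also refer to it) --
  # confirm the unit name for the target distribution.
  ansible.builtin.service:
    name: samba
    state: started
    enabled: true

- name: "Show key variables"
  # The admin password is deliberately NOT part of this message: anything
  # printed by debug ends up on the console and in any log collector.
  ansible.builtin.debug:
    msg: "{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}"

- name: "Create the reverse DNS zone {{ addc_reverse_zone_name }}"
  community.general.expect:
    command: "samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator"
    responses:
      # '(?i)' makes the prompt match case-insensitive.
      '(?i)password for.*:': "{{ addc_admin_password }}"
  register: reverse_zone_create
  # samba-tool exits non-zero when the zone is already present; only treat
  # other failures as errors so the play can be re-run. The "ALREADY_EXISTS"
  # substring matches the WERR_DNS_ERROR_*_ALREADY_EXISTS code samba-tool
  # reports -- TODO confirm against the installed samba-tool version.
  failed_when:
    - reverse_zone_create.rc != 0
    - "'ALREADY_EXISTS' not in (reverse_zone_create.stdout | default(''))"
  changed_when: reverse_zone_create.rc == 0
  no_log: true  # the password is sent through 'responses'; keep it out of logs

- name: "Create the PTR (reverse) DNS record"
  community.general.expect:
    # Command syntax: samba-tool dns add <server> <zone> <name> PTR <data>
    command: >
      samba-tool dns add {{ addc_ansible_host }} {{ addc_reverse_zone_name }}
      {{ addc_ip_last_octet }} PTR
      {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}
      -U Administrator
    responses:
      # Standard Samba password prompt, matched case-insensitively.
      '(?i)password for.*:': "{{ addc_admin_password }}"
  register: ptr_record_create
  # Same re-run handling as the zone creation above (see the TODO there).
  failed_when:
    - ptr_record_create.rc != 0
    - "'ALREADY_EXISTS' not in (ptr_record_create.stdout | default(''))"
  changed_when: ptr_record_create.rc == 0
  no_log: true  # hide the password from logs

- name: "Verify Samba file server by listing local shares"
  # Anonymous (-N) listing; no credentials involved.
  ansible.builtin.command: smbclient -L localhost -N
  register: smbclient_output
  changed_when: false  # verification only, no host state change

- name: "Report the results of the smbclient verification"
  ansible.builtin.debug:
    msg: 'Samba Shares found: {{ smbclient_output.stdout }}'

- name: "Verify Samba AD authentication by accessing the netlogon share"
  community.general.expect:
    # -c 'ls' lists the files on the share after authenticating.
    command: smbclient //localhost/netlogon -UAdministrator -c 'ls'
    responses:
      # Case-insensitive match of the password prompt.
      '(?i)password for.*:': "{{ addc_admin_password }}"
  register: auth_verification
  changed_when: false  # verification only
  no_log: true  # CRITICAL: the password is sent through 'responses'

- name: "Verify LDAP Service Record (SRV _ldap._tcp)"
  ansible.builtin.command: host -t SRV _ldap._tcp.{{ addc_auth_domain | lower }}.
  register: ldap_srv_check
  changed_when: false
  failed_when: "'has SRV record' not in ldap_srv_check.stdout"

- name: "Debug - Show LDAP SRV check result"
  ansible.builtin.debug:
    var: ldap_srv_check.stdout

- name: "Verify Kerberos Service Record (SRV _kerberos._udp)"
  ansible.builtin.command: host -t SRV _kerberos._udp.{{ addc_auth_domain | lower }}.
  register: kerberos_srv_check
  changed_when: false
  failed_when: "'has SRV record' not in kerberos_srv_check.stdout"

- name: "Debug - Show Kerberos SRV check result"
  ansible.builtin.debug:
    var: kerberos_srv_check.stdout

- name: "Verify DC's A (Forward) Record"
  ansible.builtin.command: host -t A {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}.
  register: a_record_check
  changed_when: false
  # Conditionals are already Jinja expressions: reference the variable
  # directly. Templating the IP in with '{{ }}' produced a bare
  # "192.0.2.10 not in ..." expression, which is a syntax error.
  failed_when: addc_ansible_host not in a_record_check.stdout

- name: "Debug - Show A Record check result"
  ansible.builtin.debug:
    var: a_record_check.stdout

- name: "Verify DC's PTR (Reverse) Record"
  # 'host' performs the reverse lookup itself when given an IP address.
  ansible.builtin.command: host -t PTR {{ addc_ansible_host }}
  register: ptr_record_check
  changed_when: false
  # Expected output contains "domain name pointer <hostname>.<domain>".
  # Built with '~' rather than '{{ }}' to keep the conditional a plain
  # expression (avoids the "templating delimiters in conditional" warning).
  failed_when: "('domain name pointer ' ~ (addc_hostname | lower) ~ '.' ~ (addc_auth_domain | lower)) not in ptr_record_check.stdout"

- name: "Debug - Show PTR Record check result"
  ansible.builtin.debug:
    var: ptr_record_check.stdout

- name: "Verify Kerberos authentication using kinit"
  community.general.expect:
    command: kinit administrator
    responses:
      # Standard Kerberos prompt, matched case-insensitively.
      '(?i)password for administrator.*:': "{{ addc_admin_password }}"
  register: kinit_check
  changed_when: false  # verification only; the ticket is discarded below
  no_log: true  # CRITICAL: the password is sent through 'responses'

- name: "Debug - Show kinit verification result (should be empty on success)"
  ansible.builtin.debug:
    msg: 'Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}'

- name: "Optional - Show the cached Kerberos ticket"
  ansible.builtin.command: klist
  register: klist_output
  changed_when: false
  when: kinit_check is succeeded

- name: "Debug - Show klist output"
  ansible.builtin.debug:
    var: klist_output.stdout
  # A skipped task still registers a result (without 'stdout'), so test for
  # the key rather than for the variable.
  when: klist_output.stdout is defined

- name: "Discard the Administrator ticket obtained for verification"
  # Do not leave a domain-admin TGT in the credential cache of the Ansible
  # user on the DC after the check has served its purpose.
  ansible.builtin.command: kdestroy
  changed_when: false
  when: kinit_check is succeeded

# The checks below are retained from an earlier revision and are not run.
# Note the "echo '<password>' | kinit" form: it exposes the password in the
# process table (and in shell history when run by hand); prefer the expect-based
# kinit task above if these are ever re-enabled.
# - name: Run 'samba-tool domain info'
#   command: samba-tool domain info 127.0.0.1
#   register: domain_info
#   changed_when: false
# - name: Assert that the domain is provisioned
#   assert:
#     that:
#       - ''Netbios name' in domain_info.stdout'
#       - ''Server Role: ACTIVE DIRECTORY DOMAIN CONTROLLER' in domain_info.stdout'
# - name: Attempt kinit with administrator
#   command: echo '{{ samba_admin_password }}' | kinit administrator@{{ samba_realm }}
#   register: kinit_result
#   changed_when: false
#   failed_when: kinit_result.rc != 0
# - name: Check Kerberos ticket
#   command: klist
#   register: klist_result
#   changed_when: false
# - name: Assert Kerberos ticket exists
#   assert:
#     that:
#       - ''krbtgt/{{ samba_realm }}@{{ samba_realm }}' in klist_result.stdout'
# - name: Check Samba AD DC service status
#   service_facts:
# - name: Assert samba-ad-dc service is active
#   assert:
#     that:
#       - ''samba-ad-dc' in ansible_facts.services'
#       - ansible_facts.services['samba-ad-dc'].state == 'running'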