ansible_samba_ad_dc/tasks/verify.yml
Jose 51a15d5e04 refactor ♻️: Improve Ansible expect module usage for samba-tool commands
Updated the community.general.expect and ansible.builtin.expect modules to use the correct Ansible modules, improving code readability and maintainability. This change ensures that the expected output is properly handled and reduces the risk of errors.
2025-11-06 19:03:18 +01:00


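---
# Post-provisioning checks for the Samba AD DC: start the service, create the
# reverse zone and the DC's PTR record, then verify shares, DNS SRV/A/PTR
# records and Kerberos authentication. Every task that feeds the Administrator
# password to a prompt runs with `no_log: true` so the secret never reaches the
# play output, callbacks or log aggregation.

- name: "Start the samba service"
  ansible.builtin.service:
    name: samba
    state: started
    enabled: true

# The admin password is deliberately NOT part of this message: printing it with
# debug would write it to the play log (and any callback plugin) in clear text.
- name: "Show key variables"
  ansible.builtin.debug:
    msg: "{{ addc_reverse_zone_name }} {{ addc_ansible_host }} {{ addc_ip_last_octet }} {{ addc_hostname }} {{ addc_auth_domain }}"

# NOTE(review): samba-tool reports an error if the zone already exists, so this
# task is not idempotent on re-runs — confirm whether that is intended.
- name: "Create the reverse DNS zone {{ addc_reverse_zone_name }}"
  ansible.builtin.expect:
    command: "samba-tool dns zonecreate {{ addc_ansible_host }} {{ addc_reverse_zone_name }} -U Administrator"
    responses:
      # Use the '(?i)' flag for case-insensitive matching of the prompt.
      '(?i)password for.*:': "{{ addc_admin_password }}"
  no_log: true  # Prevents the password (and the prompt exchange) from appearing in logs

- name: "Create the PTR (reverse) DNS record"
  ansible.builtin.expect:
    # Command syntax: samba-tool dns add <server> <zone> <record_name> PTR <target_fqdn>
    # '>-' folds the lines into one command line and drops the trailing newline.
    command: >-
      samba-tool dns add {{ addc_ansible_host }}
      {{ addc_reverse_zone_name }}
      {{ addc_ip_last_octet }} PTR
      {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}
      -U Administrator
    responses:
      # Expects the standard Samba password prompt
      '(?i)password for.*:': "{{ addc_admin_password }}"
  no_log: true  # Hide sensitive data from logs

- name: "Verify Samba file server by listing local shares"
  ansible.builtin.command: "smbclient -L localhost -N"
  register: smbclient_output
  changed_when: false  # This is a verification step, it doesn't change the host state

- name: "Report the results of the smbclient verification"
  ansible.builtin.debug:
    msg: 'Samba Shares found: {{ smbclient_output.stdout }}'

- name: "Verify Samba AD authentication by accessing the netlogon share"
  ansible.builtin.expect:
    # The -c 'ls' command lists files on the share; it only succeeds if the
    # Administrator credentials are accepted by the AD DC.
    command: "smbclient //localhost/netlogon -UAdministrator -c 'ls'"
    responses:
      # Use the (?i) flag for case-insensitive matching of the prompt.
      '(?i)password for.*:': "{{ addc_admin_password }}"
  no_log: true  # CRITICAL: Prevents the password from being logged
  register: auth_verification
  changed_when: false  # This is a verification/check, not a change

- name: "Verify LDAP Service Record (SRV _ldap._tcp)"
  ansible.builtin.command: "host -t SRV _ldap._tcp.{{ addc_auth_domain | lower }}."
  register: ldap_srv_check
  changed_when: false
  failed_when: "'has SRV record' not in ldap_srv_check.stdout"

- name: "Debug - Show LDAP SRV check result"
  ansible.builtin.debug:
    var: ldap_srv_check.stdout

- name: "Verify Kerberos Service Record (SRV _kerberos._udp)"
  ansible.builtin.command: "host -t SRV _kerberos._udp.{{ addc_auth_domain | lower }}."
  register: kerberos_srv_check
  changed_when: false
  failed_when: "'has SRV record' not in kerberos_srv_check.stdout"

- name: "Debug - Show Kerberos SRV check result"
  ansible.builtin.debug:
    var: kerberos_srv_check.stdout

- name: "Verify DC's A (Forward) Record"
  ansible.builtin.command: "host -t A {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}."
  register: a_record_check
  changed_when: false
  # Reference the variable directly: expanding '{{ addc_ansible_host }}' inside
  # the conditional would splice a bare IP into the Jinja expression and either
  # fail to parse or compare the wrong thing.
  failed_when: "addc_ansible_host not in a_record_check.stdout"

- name: "Debug - Show A Record check result"
  ansible.builtin.debug:
    var: a_record_check.stdout

- name: "Verify DC's PTR (Reverse) Record"
  ansible.builtin.command: "host -t PTR {{ addc_ansible_host }}"
  register: ptr_record_check
  changed_when: false
  # Expected output contains "domain name pointer <hostname>.<domain>"; the
  # expected string is built with '~' instead of '{{ }}' because templating
  # delimiters inside a conditional are discouraged by Ansible.
  failed_when: "('domain name pointer ' ~ (addc_hostname | lower) ~ '.' ~ (addc_auth_domain | lower)) not in ptr_record_check.stdout"

- name: "Debug - Show PTR Record check result"
  ansible.builtin.debug:
    var: ptr_record_check.stdout

- name: "Verify Kerberos authentication using kinit"
  ansible.builtin.expect:
    command: "kinit administrator"
    responses:
      # Expects the standard Kerberos password prompt
      # The (?i) flag ensures case-insensitive matching.
      '(?i)password for administrator.*:': "{{ addc_admin_password }}"
  no_log: true  # CRITICAL: Prevents the password from being logged
  register: kinit_check
  changed_when: false  # This is a verification/check, not a change

# NOTE(review): because the kinit task runs with no_log, Ansible censors the
# registered result, so kinit_check.stdout will not be the real output — treat
# reaching this task as the success marker.
- name: "Debug - Show kinit verification result (should be empty on success)"
  ansible.builtin.debug:
    msg: 'Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}'

- name: "Optional - Show the cached Kerberos ticket"
  ansible.builtin.command: "klist"
  register: klist_output
  changed_when: false
  when: kinit_check is succeeded

- name: "Debug - Show klist output"
  ansible.builtin.debug:
    var: klist_output.stdout
  when: klist_output is defined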
# - name: Run 'samba-tool domain info'
# command: samba-tool domain info 127.0.0.1
# register: domain_info
# changed_when: false
# - name: Assert that the domain is provisioned
# assert:
# that:
# - ''Netbios name' in domain_info.stdout'
# - ''Server Role: ACTIVE DIRECTORY DOMAIN CONTROLLER' in domain_info.stdout'
# - name: Attempt kinit with administrator
# command: echo '{{ samba_admin_password }}' | kinit administrator@{{ samba_realm }}
# register: kinit_result
# changed_when: false
# failed_when: kinit_result.rc != 0
# - name: Check Kerberos ticket
# command: klist
# register: klist_result
# changed_when: false
# - name: Assert Kerberos ticket exists
# assert:
# that:
# - ''krbtgt/{{ samba_realm }}@{{ samba_realm }}' in klist_result.stdout'
# - name: Check Samba AD DC service status
# service_facts:
# - name: Assert samba-ad-dc service is active
# assert:
# that:
# - ''samba-ad-dc' in ansible_facts.services'
# - ansible_facts.services['samba-ad-dc'].state == 'running'