ansible_samba_ad_dc/tasks/verify.yml
Jose 8406e1eab6 feat : Added optional command to show cached Kerberos ticket
Updated verify.yml to include an optional command to display the cached Kerberos ticket, utilizing the 'klist' command and registering its output. This change enhances the flexibility of the verification process.
2025-11-02 19:50:44 +01:00


---
# Bring the AD DC daemon up now and make it persistent across reboots.
# NOTE(review): the unit is called `samba` here, while the commented-out
# checks at the bottom of this file refer to `samba-ad-dc` (the unit name on
# Debian/Ubuntu packages) — confirm which one the target host actually ships.
- name: Start the samba service
  ansible.builtin.service:
    enabled: true
    state: started
    name: samba
# Create the reverse (in-addr.arpa) zone on the DC with samba-tool. The
# Administrator password is not part of the command line; the expect module
# answers the interactive prompt instead, so it does not appear in process
# listings or shell history.
# NOTE(review): `samba-tool dns zonecreate` is not idempotent — a re-run
# against an already existing zone fails, and nothing here tolerates that.
- name: Create the reverse DNS zone {{ addc_reverse_zone_name }}
  community.general.expect:
    command: >-
      samba-tool dns zonecreate
      {{ addc_ansible_host }}
      {{ addc_reverse_zone_name }}
      -U Administrator
    responses:
      # (?i) makes the prompt match regardless of capitalisation.
      '(?i)password for.*:': "{{ addc_admin_password }}"
  # The task's captured transcript carries the password reply; keep it out
  # of the log at every verbosity level.
  no_log: true
# Register the DC's PTR record inside the reverse zone created above.
# Argument order: samba-tool dns add <server> <zone> <record_name> PTR <target_fqdn>
# The record name is the host octet; the target is the lower-cased DC FQDN,
# which is also what the forward/reverse checks further down expect.
- name: Create the PTR (reverse) DNS record
  community.general.expect:
    command: >
      samba-tool dns add
      {{ addc_ansible_host }} {{ addc_reverse_zone_name }}
      {{ addc_ip_last_octet }}
      PTR {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}
      -U Administrator
    responses:
      # Same Samba prompt as for zonecreate; (?i) = case-insensitive.
      '(?i)password for.*:': "{{ addc_admin_password }}"
  no_log: true  # transcript contains the password reply
# Anonymous (-N) share enumeration over the loopback: proves the file server
# answers and that the DC shares are published. The share list itself is not
# sensitive, so it is registered and echoed by the debug task below.
- name: Verify Samba file server by listing local shares
  ansible.builtin.command:
    cmd: smbclient -L localhost -N
  register: smbclient_output
  changed_when: false  # read-only probe, never reports a change
- name: Report the results of the smbclient verification
  ansible.builtin.debug:
    msg: "Samba Shares found: {{ smbclient_output.stdout }}"
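# Authenticated SMB access to the netlogon share as Administrator. Unlike the
# anonymous listing above, this exercises the DC's own authentication path.
- name: Verify Samba AD authentication by accessing the netlogon share
  community.general.expect:
    # -c 'ls' just lists the share contents and exits.
    command: smbclient //localhost/netlogon -UAdministrator -c 'ls'
    responses:
      # Current Samba builds prompt "Password for [DOMAIN\Administrator]:"
      # (the same "password for" form the samba-tool tasks above match);
      # older ones prompt "Enter DOMAIN\Administrator's password:". The
      # previous pattern '(?i)password:' only matched the older form, so on a
      # newer smbclient the task sat on the prompt until the expect timeout.
      # The optional group accepts both — confirm against the target version.
      '(?i)password( for .*)?:': "{{ addc_admin_password }}"
  # CRITICAL: the expect transcript includes the password reply.
  no_log: true
  register: auth_verification
  # Verification only; the expect module still fails the task on a non-zero
  # exit status, which is what signals a rejected login.
  changed_when: false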
# Domain-join clients locate the DC through _ldap._tcp.<domain>; a missing
# record means DNS provisioning is broken even if the service is running.
# NOTE(review): `host` queries whatever resolver this machine is configured
# with, not the DC explicitly; if they differ, pass the DC address as the
# second argument to `host` so the DC's own zone is what gets verified.
- name: Verify LDAP Service Record (SRV _ldap._tcp)
  ansible.builtin.command:
    cmd: host -t SRV _ldap._tcp.{{ addc_auth_domain | lower }}.
  register: ldap_srv_check
  changed_when: false
  # Once failed_when is set, the exit code alone no longer fails the task;
  # the phrase check still does, because a failing `host` never prints it.
  failed_when: ldap_srv_check.stdout is not search('has SRV record')
- name: Debug - Show LDAP SRV check result
  ansible.builtin.debug:
    var: ldap_srv_check.stdout
# Kerberos clients find the KDC through _kerberos._udp.<domain>.
# NOTE(review): as with the LDAP check, this asks the host's configured
# resolver rather than the DC directly.
- name: Verify Kerberos Service Record (SRV _kerberos._udp)
  ansible.builtin.command:
    cmd: host -t SRV _kerberos._udp.{{ addc_auth_domain | lower }}.
  register: kerberos_srv_check
  changed_when: false
  # Phrase check replaces the exit-code check; a failed lookup lacks it too.
  failed_when: kerberos_srv_check.stdout is not search('has SRV record')
- name: Debug - Show Kerberos SRV check result
  ansible.builtin.debug:
    var: kerberos_srv_check.stdout
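# The DC's FQDN must resolve forward to the DC's own address.
- name: Verify DC's A (Forward) Record
  ansible.builtin.command:
    cmd: host -t A {{ addc_hostname | lower }}.{{ addc_auth_domain | lower }}.
  register: a_record_check
  changed_when: false
  # A conditional is already a Jinja expression, so the variable is referenced
  # directly. The previous form "{{ addc_ansible_host }} not in ..." rendered
  # the raw address into the expression (e.g. `10.0.0.5 not in ...`), which is
  # not a valid comparison, and is the templating-in-conditional pattern that
  # ansible-core warns about. The match is anchored on "has address <ip>" at
  # end of line so that e.g. 10.0.0.5 does not accept 10.0.0.50.
  failed_when: >-
    a_record_check.stdout is not
    search('has address ' ~ (addc_ansible_host | regex_escape) ~ '$', multiline=True)
- name: Debug - Show A Record check result
  ansible.builtin.debug:
    var: a_record_check.stdout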
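# The DC's address must resolve back to the FQDN registered by the PTR task.
- name: Verify DC's PTR (Reverse) Record
  ansible.builtin.command:
    cmd: host -t PTR {{ addc_ansible_host }}
  register: ptr_record_check
  changed_when: false
  # Expected text is "domain name pointer <addc_hostname>.<addc_auth_domain>",
  # lower-cased exactly as the PTR task above wrote it. It is built with Jinja
  # concatenation instead of embedding {{ }} inside the conditional, which
  # ansible-core warns about and newer releases may reject outright.
  failed_when: >-
    ('domain name pointer ' ~ (addc_hostname | lower) ~ '.' ~ (addc_auth_domain | lower))
    not in ptr_record_check.stdout
- name: Debug - Show PTR Record check result
  ansible.builtin.debug:
    var: ptr_record_check.stdout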
# Obtain a TGT for Administrator by answering the interactive kinit prompt.
# No @REALM is given, so kinit relies on the default realm in krb5.conf.
# NOTE(review): a successful run leaves Administrator's TGT in the credential
# cache of the connecting user on the DC until it expires; run `kdestroy`
# afterwards if that is not wanted.
- name: Verify Kerberos authentication using kinit
  community.general.expect:
    command: kinit administrator
    responses:
      # Prompt is "Password for administrator@REALM:"; (?i) tolerates case.
      '(?i)password for administrator.*:': "{{ addc_admin_password }}"
  register: kinit_check
  no_log: true  # CRITICAL: the transcript carries the password reply
  changed_when: false  # verification only (though it does populate a ticket cache)
# kinit prints nothing on success, so an empty "Output:" is the good case.
# This is the pty transcript of the task above; kinit disables echo while
# reading the password, so it should not appear here — still treat it as
# sensitive rather than assuming.
- name: Debug - Show kinit verification result (should be empty on success)
  ansible.builtin.debug:
    msg: "Kerberos kinit verification successful. Output: {{ kinit_check.stdout }}"
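# Optional: list the credential cache left by the kinit check so the TGT
# (principal, realm, validity) can be inspected in the play output. klist
# prints ticket metadata only, not key material, so it is safe to display.
- name: Optional - Show the cached Kerberos ticket
  ansible.builtin.command:
    cmd: klist
  register: klist_output
  changed_when: false  # read-only
  when: kinit_check is succeeded
- name: Debug - Show klist output
  ansible.builtin.debug:
    var: klist_output.stdout
  # The task above registers `klist_output`, not `klist_check`; the previous
  # condition tested a name that never exists, so this debug was always
  # skipped. A registered-but-skipped result has no .stdout, hence the skip
  # test rather than `is defined`.
  when: klist_output is not skipped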
# - name: Run 'samba-tool domain info'
# command: samba-tool domain info 127.0.0.1
# register: domain_info
# changed_when: false
# - name: Assert that the domain is provisioned
# assert:
# that:
# - "'Netbios name' in domain_info.stdout"
# - "'Server Role: ACTIVE DIRECTORY DOMAIN CONTROLLER' in domain_info.stdout"
# - name: Attempt kinit with administrator
# NOTE: kept for reference only. Piping the password through echo puts it on a
# shell command line, where it is visible in process listings and the remote
# user's shell history; the live kinit task above answers the prompt via the
# expect module instead. These lines also use samba_admin_password/samba_realm,
# not the addc_* variables the active tasks use.
# command: echo "{{ samba_admin_password }}" | kinit administrator@{{ samba_realm }}
# register: kinit_result
# changed_when: false
# failed_when: kinit_result.rc != 0
# - name: Check Kerberos ticket
# command: klist
# register: klist_result
# changed_when: false
# - name: Assert Kerberos ticket exists
# assert:
# that:
# - "'krbtgt/{{ samba_realm }}@{{ samba_realm }}' in klist_result.stdout"
# - name: Check Samba AD DC service status
# service_facts:
# - name: Assert samba-ad-dc service is active
# assert:
# that:
# - "'samba-ad-dc' in ansible_facts.services"
# - ansible_facts.services['samba-ad-dc'].state == 'running'