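# Provisioning of a Samba Active Directory (AD) domain controller (DC).
#
# Setting up a Samba DC is a five-step process:
#   1. Install Samba and the associated packages.
#   2. Delete the pre-configured Samba and Kerberos placeholder configuration files.
#   3. Provision the domain with the automatic provisioning tool (samba-tool).
#   4. Edit smb.conf as needed (enable Group Policy and/or other features);
#      see the Group Policy documentation for details.
#   5. Apply any distribution-specific (Unix/Linux) environment configuration.
#
# References:
#   https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance
#   https://learn.microsoft.com/en-us/windows/win32/api/lmjoin/nf-lmjoin-netvalidatename
#
# Manual checks after provisioning:
#   smbclient -L //localhost -U Administrator   # local login works
#   apt install ldb-tools                       # ldbsearch/ldbedit for inspecting the SAM database
#
# Interactive equivalent of the provisioning task below:
#   samba-tool domain provision --use-rfc2307 --interactive
#
# Variables expected from the inventory/role (not defined in this file):
#   dcsamba_base_packages, samba_client_services, realm, domain, resolv_domain.
#   ip_serverad is optional and falls back to the host's default IPv4 address.
---
- name: Gather installed packages
  package_facts:

- name: Check whether the SAM database metadata exists and is not empty
  stat:
    path: /var/lib/samba/private/sam.ldb.d/metadata.tdb
  register: metadata_tdb

# The host counts as already provisioned only when an AD DC package is installed
# AND the SAM metadata database exists with content. The size check means an
# empty metadata.tdb is treated as "not provisioned" rather than as a live domain.
# (`and` short-circuits, so `.size` is only read when the file exists.)
- name: Register domain existence
  set_fact:
    domain_exists: >-
      {{ ('samba-ad-provision' in ansible_facts.packages or 'samba-ad-dc' in ansible_facts.packages)
      and (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0) }}

# Uncomment to install Samba 4.21 from Debian backports (and set `default_release`
# on the package task below).
# - name: Add Debian backports repository
#   apt_repository:
#     repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main"
#     state: present
# - name: Update apt cache
#   apt:
#     update_cache: true

# First-run provisioning. Every task below is skipped once the domain exists, so
# re-running this file against a live DC does not re-provision it.
- when: "not domain_exists"
  block:
    # `latest` is tolerable here because this block only runs on first
    # provisioning; switch to `present` if a pinned baseline is required.
    - name: Install Samba AD DC packages
      package:
        name: "{{ dcsamba_base_packages }}"
        # default_release: bookworm-backports  # needed for Samba 4.21 from backports
        state: latest

    # The DC must resolve its own FQDN and the realm name locally before its
    # internal DNS is serving. NOTE(review): this FQDN
    # ({{ hostname }}.{{ domain }}.{{ resolv_domain }}) is expected to be the same
    # name the parent-zone A/NS records are created for ({{ name_ad }}.{{ realm }});
    # confirm the variables agree, otherwise Kerberos/DNS will disagree on the DC's name.
    - name: Add this DC to /etc/hosts
      blockinfile:
        path: /etc/hosts
        marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY"
        block: |
          {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }}

    # Step 2 of the header: the packaged placeholder smb.conf is removed so the
    # provisioning tool writes its own.
    - name: Remove the packaged placeholder smb.conf
      file:
        path: /etc/samba/smb.conf
        state: absent
        force: true

    # samba_client_services is expected to hold the member-server daemons that
    # must not run alongside samba-ad-dc (which starts its own instances).
    # Masking prevents package upgrades from re-enabling them.
    - name: Stop, disable and mask the Samba client services
      systemd:
        name: "{{ item }}"
        state: stopped
        enabled: false
        masked: true
      loop: "{{ samba_client_services }}"

    # SECURITY: no --adminpass is given, so samba-tool generates a random
    # Administrator password and prints it on stderr. That password lands in this
    # task's registered result and, through the debug task below, in the playbook
    # output and any ansible.log / callback sink. Treat that output as secret:
    # store the password in the secret store (the rndc.key lookup further down
    # shows the pattern) and rotate it, or pass --adminpass from the store and
    # add `no_log: true` to this task. no_log is deliberately NOT set here so a
    # failed provision still reports why it failed.
    - name: Provision the Samba AD domain
      command:
        cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307
      register: domain_join

    # Intentional one-time disclosure of the generated Administrator password to
    # the operator running the play (see the note above).
    - name: Show the provisioning summary (includes the Administrator password)
      debug:
        msg: "{{ domain_join.stderr_lines[-6:] }}"

    # Make the krb5.conf written by samba-tool the system-wide one so Kerberos
    # tooling on the DC uses the new realm. NOTE: `command` always reports
    # changed when it runs, so `domain_join.changed` is true whenever this
    # block executes; the condition is kept as documentation of intent.
    - name: Install the provisioned Kerberos configuration system-wide
      copy:
        src: /var/lib/samba/private/krb5.conf
        dest: /etc/krb5.conf
        remote_src: true
        owner: root
        group: root
        mode: "0644"
      when: domain_join.changed

    - name: Enable and start the Samba AD DC service
      systemd:
        name: samba-ad-dc
        state: started
        enabled: true
      when: domain_join.changed

# Post-provisioning checklist (all marked done by the original author):
#   - An A record for the DC FQDN (the glue record) must exist in the parent DNS zone. Done.
#   - The realm sub-zone must then be delegated, e.g.
#       update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es.
#     Done. (Both records are automated by the nsupdate tasks below.)
#   - Domain initialisation block. Done.
#   - Review the domain_join condition. Done.
#   - Careful with the krb5.conf copy; check whether samba-tool already does it. Done.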
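# --- Parent-zone DNS registration ------------------------------------------
# The parent zone (resolv_domain) is served by main_dns_server and updated via
# TSIG-authenticated dynamic DNS (nsupdate). The DC needs two records there:
# a glue A record for its own FQDN and an NS record delegating the realm
# sub-zone to it.

# Reachability probe. It is a read-only query, so never report it as a change.
# NOTE: `command` fails the task (and aborts the play) on a non-zero dig exit
# status, so only the "reachable but empty answer" case reaches the gate below.
- name: Check that the main DNS server answers queries
  command: "dig @{{ main_dns_server }} google.es +short"
  register: dns_exists
  changed_when: false

- name: Show the result of the DNS query
  debug:
    var: dns_exists.stdout

# Gate on the actual answer. The registered result is a non-empty dict and is
# therefore always truthy, so testing `dns_exists` by itself never skips the
# block; require a non-empty answer instead.
- when: (dns_exists.stdout | trim | length) > 0
  block:
    # The TSIG secret is fetched from the secret store (`passbolt` is a variable
    # holding the lookup plugin name, defined elsewhere). no_log keeps the secret
    # out of the task result and the log. The fact is play-scoped and not marked
    # cacheable, so it is not written to a fact cache.
    - name: Fetch the TSIG key secret
      no_log: true
      set_fact:
        passwords: "{{ lookup(passbolt, 'rndc.key', folder_parent_id=passbolt_folder).password }}"

    # Glue record: the DC's own address in the parent zone. Uses the same
    # address fallback as the /etc/hosts entry written during provisioning so
    # both always agree. NOTE(review): the nsupdate module should declare
    # key_secret as no_log; confirm for the collection version in use.
    - name: Add the DC glue A record to the parent zone
      nsupdate:
        key_name: "{{ key_name }}"
        key_secret: "{{ passwords }}"
        key_algorithm: "{{ key_algorithm }}"
        server: "{{ main_dns_server }}"
        zone: "{{ resolv_domain }}"
        ttl: "{{ ttl }}"
        type: 'A'
        record: "{{ name_ad }}.{{ realm }}."
        value: "{{ ip_serverad | default(ansible_default_ipv4.address) }}"
        state: present

    # Delegation: hand the realm sub-zone to the DC (Samba's internal DNS).
    - name: Delegate the realm zone to the DC (NS record)
      nsupdate:
        key_name: "{{ key_name }}"
        key_secret: "{{ passwords }}"
        key_algorithm: "{{ key_algorithm }}"
        server: "{{ main_dns_server }}"
        zone: "{{ resolv_domain }}"
        ttl: "{{ ttl }}"
        type: 'NS'
        record: "{{ realm }}."
        value: "{{ name_ad }}.{{ realm }}."
        state: present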