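# python3-pexpect backs the `expect` module used by the interactive domain
# join further down; the remaining packages supply the join tooling
# (adcli, samba/winbind) and the sssd daemon this file configures.
- name: Install packages
  ansible.builtin.package:
    name:
      - adcli
      - python3-pexpect
      - samba
      - sssd
      - sssd-tools
      - winbind
    # `state` is documented as required for ansible.builtin.package; the
    # original task relied on the backend manager's implicit default.
    state: present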

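- name: Configure sssd
  ansible.builtin.template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    # Quoted so YAML does not read the leading-zero literal as the integer
    # 384 under YAML 1.1 implicit typing; Ansible documents octal modes as
    # quoted strings.
    mode: "0600"
  notify: restart sssd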

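- name: Configure samba
  ansible.builtin.template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
    # Quoted for the same reason as the sssd.conf mode: a bare 0600 is an
    # integer to the YAML parser, not the octal string Ansible expects.
    mode: "0600"
  notify: reload smbd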

# pam-auth-update does not add pam_mkhomedir to the noninteractive session
# stack, so the line is managed directly here.  No `regexp` is given:
# lineinfile then matches the exact line, which keeps the task idempotent.
- name: Enable pam_mkhomedir
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-session-noninteractive
    line: session optional pam_mkhomedir.so
    state: present

# `net ads testjoin` exits non-zero when the host is not joined (or the
# existing join no longer validates).  Only the return code is of interest:
# the probe is never a change and must not abort the play, since the
# following block keys off ad_join.rc to decide whether to join.  A
# transient lookup failure would also yield a non-zero rc and trigger a
# (re)join.
- name: Check domain membership
  ansible.builtin.command: net ads testjoin
  register: ad_join
  changed_when: false
  failed_when: false

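# Interactive join: credentials are prompted, never stored in vars files.
# Every task that touches ad_pass.user_input carries `no_log: true` so the
# password does not land in -vvv module-argument dumps, registered results
# or a configured log_path.  Drop no_log temporarily when debugging a
# failing join, as it also hides the module's stdout on failure.
- name: Join host to AD domain
  when: ad_join.rc != 0
  block:
    - name: Prompt for AD username
      ansible.builtin.pause:
        prompt: 'AD username'
      register: ad_user

    - name: Prompt for AD password
      ansible.builtin.pause:
        prompt: 'AD password'
        # Canonical boolean; `no` is only false under YAML 1.1 typing.
        echo: false
      register: ad_pass
      # The registered user_input is the secret itself.
      no_log: true

    # work around https://gitlab.freedesktop.org/realmd/adcli/-/merge_requests/52
    - name: Get and store domain SID
      ansible.builtin.expect:
        command: net -U {{ ad_user.user_input }} rpc getsid -S {{ domain }} -D {{ domain }}
        responses:
          'Password for': '{{ ad_pass.user_input }}'
      # responses carries the password as a module argument.
      no_log: true

    # work around https://bugzilla.redhat.com/show_bug.cgi?id=1665794
    # The key suffix is the NetBIOS domain name, derived here as the
    # upper-cased first label of `domain`.
    - name: Set missing keys in secrets.tdb
      ansible.builtin.command: tdbtool /var/lib/samba/private/secrets.tdb store {{ item }}/{{ domain | upper | split('.') | first }} '\0'
      loop:
        - SECRETS/MACHINE_LAST_CHANGE_TIME
        - SECRETS/MACHINE_PASSWORD
        - SECRETS/MACHINE_PASSWORD.PREV

    - name: Join AD with adcli
      ansible.builtin.expect:
        command: adcli join -v -U {{ ad_user.user_input | upper }} -D {{ domain | upper }} --add-samba-data
        responses:
          'Password for': '{{ ad_pass.user_input }}'
      # responses carries the password as a module argument.
      no_log: true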

# Start now, and enable at boot, the daemons configured above: smbd and
# winbind from the samba side, sssd for the identity lookups.
- name: Enable services
  ansible.builtin.service:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - smbd
    - sssd
    - winbind