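---
# Configure the system Kerberos keytab (/etc/krb5.keytab) on a Samba/AD-joined
# host: optionally flush it, reconcile SPNs, rebuild the keytab, restrict its
# permissions to a dedicated group, and register any extra principals.
# The whole block is tagged `always`, so it runs regardless of the tags
# selected on the command line.
- block:
    # Flushing is opt-in: the caller must set krb5_keytab_flush=true.
    - name: About krb5_keytab_flush
      debug:
        msg: "If you want to flush /etc/krb5.keytab, set krb5_keytab_flush=true to flush it"

    - name: Display krb5_keytab_flush
      debug:
        msg: "{{ krb5_keytab_flush|d(false) }}"

    - name: Stat /etc/krb5.keytab
      stat:
        path: /etc/krb5.keytab
      register: krb5_keytab_result_stat

    # Only flush when the keytab already exists and flushing was requested.
    - name: Flush /etc/krb5.keytab and all SPNs for host
      command: "net ads keytab flush"
      when: krb5_keytab_result_stat.stat.exists and krb5_keytab_flush|d(false)
      register: krb5_keytab_result_flush

    # A flush removes every SPN; a temporary host/ principal is added so the
    # setspn/keytab commands below have an object to operate on. It is removed
    # again by "Cleanup canary SPN" and replaced by the upper-case HOST/ form.
    - name: Add canary SPN/principal so that floowing commands succeed
      command: "net ads keytab add_update_ads host/{{ samba_netbios_name|lower }}"
      changed_when: false
      when: krb5_keytab_result_flush.changed

    # SPN entries come from krb5_keytab_var_spns as {spn: ..., state: present|absent}.
    # rc 255 is tolerated because `net ads setspn` exits non-zero when the SPN is
    # already in the requested state; the stdout checks decide change/failure.
    # Fix: failed_when previously tested krb5_keytab_result_setspn_add.rc, a
    # register that is only set by the *next* task (undefined here on first use
    # and the wrong command's result in any case).
    - name: Delete SPNs
      command: "net ads setspn delete {{ item.spn }}"
      changed_when: >-
        krb5_keytab_result_setspn_delete.rc == 0 and
        krb5_keytab_result_setspn_delete.stdout|regex_search('Unregistering SPN', multiline=True)
      failed_when: >-
        krb5_keytab_result_setspn_delete.rc not in [0, 255] and
        not krb5_keytab_result_setspn_delete.stdout|regex_search('Updated object', multiline=True)
      when: item.state|d('present') == 'absent'
      loop: "{{ krb5_keytab_var_spns | flatten }}"
      register: krb5_keytab_result_setspn_delete

    - name: Add extra SPNs
      command: "net ads setspn add {{ item.spn }}"
      changed_when: >-
        krb5_keytab_result_setspn_add.rc == 0 and
        krb5_keytab_result_setspn_add.stdout|regex_search('Registering SPN', multiline=True)
      failed_when: >-
        krb5_keytab_result_setspn_add.rc not in [0, 255] and
        not krb5_keytab_result_setspn_add.stdout|regex_search('Registering SPN', multiline=True) and
        not krb5_keytab_result_setspn_add.stdout|regex_search('Duplicate SPN', multiline=True)
      when: item.state|d('present') == 'present'
      loop: "{{ krb5_keytab_var_spns | flatten }}"
      register: krb5_keytab_result_setspn_add

    # Always reported as unchanged: the keytab is regenerated on every run.
    - name: Build machines keytab
      command: net ads keytab create -d 1
      changed_when: false

    - name: Cleanup canary SPN
      command: "net ads setspn delete host/{{ samba_netbios_name|lower }}"
      changed_when: false
      when: krb5_keytab_result_flush.changed

    - name: Replace canary SPN
      command: "net ads setspn add HOST/{{ samba_netbios_name|upper }}"
      changed_when: false
      when: krb5_keytab_result_flush.changed

    # Access to the keytab is granted via a dedicated system group rather than
    # by making the file world-readable.
    - name: Add system kerberos keytab group for accessing keytab
      group:
        name: "{{ krb5_keytab_group }}"
        system: true
        state: present

    # Mode is quoted so the YAML parser cannot reinterpret the leading zero;
    # 0640 keeps the keytab unreadable to users outside krb5_keytab_group.
    - name: Set up /etc/krb5.keytab group and permissions
      file:
        path: /etc/krb5.keytab
        owner: root
        group: "{{ krb5_keytab_group }}"
        mode: "0640"

    # append: true adds the group without removing the user's existing groups.
    - name: Add system users to kerberos group
      user:
        name: '{{ item }}'
        groups: "{{ krb5_keytab_group }}"
        append: true
      loop: "{{ krb5_keytab_group_members }}"

    - name: Add extra kerberos principals with SPN
      command: "net ads keytab add_update_ads {{ item }}"
      changed_when: false
      loop: "{{ krb5_keytab_principals_with_spn }}"

    - name: Add extra pure kerberos principals
      command: "net ads keytab add {{ item }}"
      changed_when: false
      loop: "{{ krb5_keytab_principals }}"
  tags:
    - always
...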