From 099317fe9cbcab4925dcce8c84fafb573550101d Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 25 Mar 2019 16:49:44 +0100
Subject: [PATCH] New ipaclient_setup_krb5: Use ipaclient_setup_krb5 instead of ipa-krb5 role
The advantage of this is that the krb5 configuration is created in the same way as in the normal installers. The same functionality as in the normal installers is used in ipaclient_setup_krb5. There is no need to adapt the ipa-krb5 role or the the ask file for changes in how the krb5 configuration is done.
Additionally ipaclient_force is now a supported parameter as it is in the normal installer.
New config option: ipaclient_force
The variable has been added to ipaclient/defaults/main.yml.
---
 roles/ipaclient/defaults/main.yml | 2 +-
 .../ipaclient/library/ipaclient_setup_krb5.py | 129 ++++++++++++++++++
 roles/ipaclient/tasks/install.yml | 37 ++---
 3 files changed, 142 insertions(+), 26 deletions(-)
 create mode 100644 roles/ipaclient/library/ipaclient_setup_krb5.py
diff --git a/roles/ipaclient/defaults/main.yml b/roles/ipaclient/defaults/main.yml
index 892fac42..90a34634 100644
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -14,7 +14,7 @@ ipaclient_no_ssh: no
 ipaclient_no_sshd: no
 ipaclient_no_sudo: no
 #ipaclient_no_dns_sshfp: no
-#ipaclient_force: no
+ipaclient_force: no
 ipaclient_force_ntpd: no
 ipaclient_no_nisdomain: no
 ipaclient_configure_firefox: no
diff --git a/roles/ipaclient/library/ipaclient_setup_krb5.py b/roles/ipaclient/library/ipaclient_setup_krb5.py
new file mode 100644
index 00000000..8ad5590f
--- /dev/null
+++ b/roles/ipaclient/library/ipaclient_setup_krb5.py
@@ -0,0 +1,129 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+# Thomas Woerner <twoerner@redhat.com>
+#
+# Based on ipa-client-install code
+#
+# Copyright (C) 2018 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+ANSIBLE_METADATA = {
+ 'metadata_version': '1.0',
+ 'supported_by': 'community',
+ 'status': ['preview'],
+}
+
+DOCUMENTATION = '''
+---
+module: ipaclient_setup_krb5
+short description: Setup krb5 for IPA client
+description:
+ Setup krb5 for IPA client
+options:
+ server:
+ domain:
+ realm:
+ hostname:
+ description: The hostname of the machine to join (FQDN).
+ required: true
+author:
+ - Thomas Woerner
+'''
+
+EXAMPLES = '''
+# Backup and set hostname
+- name: Backup and set hostname
+ ipaclient_setup_krb5:
+ server:
+ domain:
+ realm:
+ hostname: client1.example.com
+'''
+
+RETURN = '''
+'''
+
+import os
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ansible_ipa_client import *
+
+def main():
+ module = AnsibleModule(
+ argument_spec = dict(
+ domain=dict(required=False, default=None),
+ servers=dict(required=False, type='list', default=None),
+ realm=dict(required=False, default=None),
+ hostname=dict(required=False, default=None),
+ kdc=dict(required=False, default=None),
+ dnsok=dict(required=False, type='bool', default=False),
+ client_domain=dict(required=False, default=None),
+ sssd=dict(required=False, type='bool', default=False),
+ force=dict(required=False, type='bool', default=False),
+ #on_master=dict(required=False, type='bool', default=False),
+ ),
+ supports_check_mode = True,
+ )
+
+ module._ansible_debug = True
+ servers = module.params.get('servers')
+ domain = module.params.get('domain')
+ realm = module.params.get('realm')
+ hostname = module.params.get('hostname')
+ kdc = module.params.get('kdc')
+ dnsok = module.params.get('dnsok')
+ client_domain = module.params.get('client_domain')
+ sssd = module.params.get('sssd')
+ force = module.params.get('force')
+ #on_master = module.params.get('on_master')
+
+ fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+
+ #if options.on_master:
+ # # If on master assume kerberos is already configured properly.
+ # # Get the host TGT.
+ # try:
+ # kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE,
+ # attempts=options.kinit_attempts)
+ # os.environ['KRB5CCNAME'] = CCACHE_FILE
+ # except gssapi.exceptions.GSSError as e:
+ # logger.error("Failed to obtain host TGT: %s", e)
+ # raise ScriptError(rval=CLIENT_INSTALL_ERROR)
+ #else:
+
+ # Configure krb5.conf
+ fstore.backup_file(paths.KRB5_CONF)
+ configure_krb5_conf(
+ cli_realm=realm,
+ cli_domain=domain,
+ cli_server=servers,
+ cli_kdc=kdc,
+ dnsok=dnsok,
+ filename=paths.KRB5_CONF,
+ client_domain=client_domain,
+ client_hostname=hostname,
+ configure_sssd=sssd,
+ force=force)
+
+ logger.info(
+ "Configured /etc/krb5.conf for IPA realm %s", realm)
+
+ module.exit_json(changed=True)
+
+if __name__ == '__main__':
+ main()
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index d89646a6..03c39107 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
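Review bot: `main()` declares `supports_check_mode = True` but never reads `module.check_mode`, so `ansible-playbook --check` still runs `fstore.backup_file(paths.KRB5_CONF)` and `configure_krb5_conf(...)` and rewrites `/etc/krb5.conf`; add `if module.check_mode: module.exit_json(changed=True)` before the backup, or drop the flag. `module.exit_json(changed=True)` is also unconditional, so a rerun reports a change even when nothing differs, and an exception raised by `configure_krb5_conf` escapes as a traceback instead of a `module.fail_json(msg=...)`. `module._ansible_debug = True` looks like a development leftover that switches on verbose module logging for every run and should not ship. In DOCUMENTATION, `short description:` needs an underscore to be recognised, the listed `server` option does not match the `servers` list declared in `argument_spec`, and `kdc`, `dnsok`, `client_domain`, `sssd` and `force` are undocumented; `import os` is unused now that the `on_master` block is commented out.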
@@ -226,31 +226,18 @@
 preserve_sssd: "{{ ipassd_preserve_sssd }}"
 no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}"
- - name: Install - Configure krb5 for IPA realm "{{ result_ipaclient_test.realm }} <= 4.4"
- include_role:
- name: ipa-krb5
- vars:
- krb5_servers: "{{ result_ipaclient_test.servers if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else [ ] }}"
- krb5_realm: "{{ result_ipaclient_test.realm }}"
- krb5_dns_lookup_realm: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
- krb5_dns_lookup_kdc: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
- krb5_default_domain: "{{ 'true' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'false' }}"
- krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
- when: not ipaclient_on_master | bool and result_ipaclient_test.ipa_python_version <= 40400
- - name: Install - Configure krb5 for IPA realm "{{ result_ipaclient_test.realm }} > 4.4"
- include_role:
- name: ipa-krb5
- vars:
- krb5_servers: "{{ result_ipaclient_test.servers if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else [ ] }}"
- krb5_realm: "{{ result_ipaclient_test.realm }}"
- krb5_dns_lookup_realm: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
- krb5_dns_lookup_kdc: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
- krb5_default_domain: "{{ 'true' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'false' }}"
- krb5_dns_canonicalize_hostname: "false"
- krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
- krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
- when: not ipaclient_on_master | bool and result_ipaclient_test.ipa_python_version > 40400
+ - name: Install - Configure krb5 for IPA realm
+ ipaclient_setup_krb5:
+ realm: "{{ result_ipaclient_test.realm }}"
+ domain: "{{ result_ipaclient_test.domain }}"
+ servers: "{{ result_ipaclient_test.servers }}"
+ kdc: "{{ result_ipaclient_test.kdc }}"
+ dnsok: "{{ result_ipaclient_test.dnsok }}"
+ client_domain: "{{ result_ipaclient_test.client_domain }}"
+ hostname: "{{ result_ipaclient_test.hostname }}"
+ sssd: "{{ result_ipaclient_test.sssd }}"
+ force: "{{ ipaclient_force }}"
+ #on_master: "{{ ipaclient_on_master }}"
 - name: Install - IPA API calls for remaining enrollment parts
 ipaclient_api:
-- GitLab
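Review bot: The two replaced tasks were guarded by `when: not ipaclient_on_master | bool`, but the new `ipaclient_setup_krb5` task carries no `when` and its `on_master` argument is commented out, so the role now runs the module on hosts where `ipaclient_on_master` is true and would back up and overwrite that server's `/etc/krb5.conf`. Restore the guard on the new task, `when: not ipaclient_on_master | bool`, until the module handles the on-master case itself. The removed tasks also selected the pkinit anchor and pool files per IPA version; whether `configure_krb5_conf` reproduces that is not visible here, so it is worth confirming the generated krb5.conf still carries `pkinit_anchors`/`pkinit_pool` on >4.4 clients. The enclosing task list starts and ends outside the hunk.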