New ipaclient_setup_krb5: Use ipaclient_setup_krb5 instead of ipa-krb5 role

The advantage of this is that the krb5 configuration is created in the same way as in the normal installers. The same functionality as in the normal installers is used in ipaclient_setup_krb5. There is no need to adapt the ipa-krb5 role or the the ask file for changes in how the krb5 configuration is done. Additionally ipaclient_force is now a supported parameter as it is in the normal installer. New config option: ipaclient_force The variable has been added to ipaclient/defaults/main.yml.

New ipaclient_setup_krb5: Use ipaclient_setup_krb5 instead of ipa-krb5 role
099317fe · Thomas Woerner · b9426617 · 099317fe · 099317fe · 099317fe
Commit 099317fe authored Mar 25, 2019 by Thomas Woerner
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -14,7 +14,7 @@ ipaclient_no_ssh: no
 ipaclient_no_sshd: no
 ipaclient_no_sudo: no
 #ipaclient_no_dns_sshfp: no
-#ipaclient_force: no
+ipaclient_force: no
 ipaclient_force_ntpd: no
 ipaclient_no_nisdomain: no
 ipaclient_configure_firefox: no

--- a/roles/ipaclient/library/ipaclient_setup_krb5.py
+++ b/roles/ipaclient/library/ipaclient_setup_krb5.py
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Thomas Woerner <twoerner@redhat.com>
+#
+# Based on ipa-client-install code
+#
+# Copyright (C) 2018  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.0',
+    'supported_by': 'community',
+    'status': ['preview'],
+}
+
+DOCUMENTATION = '''
+---
+module: ipaclient_setup_krb5
+short description: Setup krb5 for IPA client
+description:
+  Setup krb5 for IPA client
+options:
+  server:
+  domain:
+  realm:
+  hostname:
+    description: The hostname of the machine to join (FQDN).
+    required: true
+author:
+    - Thomas Woerner
+'''
+
+EXAMPLES = '''
+# Backup and set hostname
+- name: Backup and set hostname
+  ipaclient_setup_krb5:
+    server:
+    domain:
+    realm:
+    hostname: client1.example.com
+'''
+
+RETURN = '''
+'''
+
+import os
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ansible_ipa_client import *
+
+def main():
+    module = AnsibleModule(
+        argument_spec = dict(
+            domain=dict(required=False, default=None),
+            servers=dict(required=False, type='list', default=None),
+            realm=dict(required=False, default=None),
+            hostname=dict(required=False, default=None),
+            kdc=dict(required=False, default=None),
+            dnsok=dict(required=False, type='bool', default=False),
+            client_domain=dict(required=False, default=None),
+            sssd=dict(required=False, type='bool', default=False),
+            force=dict(required=False, type='bool', default=False),
+            #on_master=dict(required=False, type='bool', default=False),
+        ),
+        supports_check_mode = True,
+    )
+
+    module._ansible_debug = True
+    servers = module.params.get('servers')
+    domain = module.params.get('domain')
+    realm = module.params.get('realm')
+    hostname = module.params.get('hostname')
+    kdc = module.params.get('kdc')
+    dnsok = module.params.get('dnsok')
+    client_domain = module.params.get('client_domain')
+    sssd = module.params.get('sssd')
+    force = module.params.get('force')
+    #on_master = module.params.get('on_master')
+
+    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+
+    #if options.on_master:
+    #    # If on master assume kerberos is already configured properly.
+    #    # Get the host TGT.
+    #    try:
+    #        kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE,
+    #                     attempts=options.kinit_attempts)
+    #        os.environ['KRB5CCNAME'] = CCACHE_FILE
+    #    except gssapi.exceptions.GSSError as e:
+    #        logger.error("Failed to obtain host TGT: %s", e)
+    #        raise ScriptError(rval=CLIENT_INSTALL_ERROR)
+    #else:
+
+    # Configure krb5.conf
+    fstore.backup_file(paths.KRB5_CONF)
+    configure_krb5_conf(
+        cli_realm=realm,
+        cli_domain=domain,
+        cli_server=servers,
+        cli_kdc=kdc,
+        dnsok=dnsok,
+        filename=paths.KRB5_CONF,
+        client_domain=client_domain,
+        client_hostname=hostname,
+        configure_sssd=sssd,
+        force=force)
+
+    logger.info(
+        "Configured /etc/krb5.conf for IPA realm %s", realm)
+
+    module.exit_json(changed=True)
+
+if __name__ == '__main__':
+    main()
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -226,31 +226,18 @@
      preserve_sssd: "{{ ipassd_preserve_sssd }}"
      no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}"

-  - name: Install - Configure krb5 for IPA realm "{{ result_ipaclient_test.realm }} <= 4.4"
-    include_role:
-      name: ipa-krb5
-    vars:
-      krb5_servers: "{{ result_ipaclient_test.servers if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else [ ] }}"
-      krb5_realm: "{{ result_ipaclient_test.realm }}"
-      krb5_dns_lookup_realm: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
-      krb5_dns_lookup_kdc: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
-      krb5_default_domain: "{{ 'true' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'false' }}"
-      krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
-    when: not ipaclient_on_master | bool and result_ipaclient_test.ipa_python_version <= 40400
-
-  - name: Install - Configure krb5 for IPA realm "{{ result_ipaclient_test.realm }} > 4.4"
-    include_role:
-      name: ipa-krb5
-    vars:
-      krb5_servers: "{{ result_ipaclient_test.servers if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else [ ] }}"
-      krb5_realm: "{{ result_ipaclient_test.realm }}"
-      krb5_dns_lookup_realm: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
-      krb5_dns_lookup_kdc: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
-      krb5_default_domain: "{{ 'true' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'false' }}"
-      krb5_dns_canonicalize_hostname: "false"
-      krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
-      krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
-    when: not ipaclient_on_master | bool and result_ipaclient_test.ipa_python_version > 40400
+  - name: Install - Configure krb5 for IPA realm
+    ipaclient_setup_krb5:
+      realm: "{{ result_ipaclient_test.realm }}"
+      domain: "{{ result_ipaclient_test.domain }}"
+      servers: "{{ result_ipaclient_test.servers }}"
+      kdc: "{{ result_ipaclient_test.kdc }}"
+      dnsok: "{{ result_ipaclient_test.dnsok }}"
+      client_domain: "{{ result_ipaclient_test.client_domain }}"
+      hostname: "{{ result_ipaclient_test.hostname }}"
+      sssd: "{{ result_ipaclient_test.sssd }}"
+      force: "{{ ipaclient_force }}"
+      #on_master: "{{ ipaclient_on_master }}"

  - name: Install - IPA API calls for remaining enrollment parts
    ipaclient_api: