From 09ab29b4e70649155d43e8fe8c0f511b7ff1f1fc Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 12 Aug 2019 19:12:33 +0200
Subject: [PATCH] ansible_freeipa_module: Add support for GSSAPI

The GSSAPI can be enabled in the management modules with either the
KRB5CCNAME or the KRB5_CLIENT_KTNAME environment variable.

For KRB5CCNAME it is needed to create a ccache file

  kinit admin@TEST.LOCAL -c /root/admin.ccache

that is transferred to the nodes (here into /root) and activated in the
playbook with

  environment:
    KRB5CCNAME: /root/admin.ccache

For KRB5_CLIENT_KTNAME an admin keytab has to be generated

  ipa-getkeytab -s ipaserver.test.local -p admin@TEST.LOCAL -k \
  /root/admin.keytab

that is transferred to the nodes (here into /root) and activated in the
playbook with

  environment:
    KRB5_CLIENT_KTNAME: /root/admin.keytab

It will be needed to set ipaadmin_principal if the admin principal is not
admin.

The management modules can be used without a password in this case.
---
 .../module_utils/ansible_freeipa_module.py    | 34 +++++++++++++++++--
 1 file changed, 31 insertions(+), 3 deletions(-)

diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py
index c54a1cc0..28f82e23 100644
--- a/plugins/module_utils/ansible_freeipa_module.py
+++ b/plugins/module_utils/ansible_freeipa_module.py
@@ -22,16 +22,18 @@
 
 
 import os
+import uuid
 import tempfile
 import shutil
+import gssapi
 from datetime import datetime
 from ipalib import api
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG, LDAP_GENERALIZED_TIME_FORMAT
 try:
-    from ipalib.install.kinit import kinit_password
+    from ipalib.install.kinit import kinit_password, kinit_keytab
 except ImportError:
-    from ipapython.ipautil import kinit_password
+    from ipapython.ipautil import kinit_password, kinit_keytab
 from ipapython.ipautil import run
 from ipaplatform.paths import paths
 from ipalib.krb_utils import get_credentials_if_valid
@@ -39,8 +41,34 @@ from ipalib.krb_utils import get_credentials_if_valid
 
 def valid_creds(module, principal):
     """
-    Get valid credintials matching the princial
+    Get valid credintials matching the princial, try GSSAPI first
     """
+    if "KRB5CCNAME" in os.environ:
+        module.debug('KRB5CCNAME set to %s' %
+                     os.environ.get('KRB5CCNAME', None))
+        try:
+            cred = gssapi.creds.Credentials()
+        except gssapi.raw.misc.GSSError as e:
+            module.fail_json(msg='Failed to find default ccache: %s' % e)
+        else:
+            module.debug("Using principal %s" % str(cred.name))
+            return True
+
+    elif "KRB5_CLIENT_KTNAME" in os.environ:
+        keytab = os.environ.get('KRB5_CLIENT_KTNAME', None)
+        module.debug('KRB5_CLIENT_KTNAME set to %s' % keytab)
+
+        ccache_name = "MEMORY:%s" % str(uuid.uuid4())
+        os.environ["KRB5CCNAME"] = ccache_name
+
+        try:
+            cred = kinit_keytab(principal, keytab, ccache_name)
+        except gssapi.raw.misc.GSSError as e:
+            module.fail_json(msg='Kerberos authentication failed : %s' % e)
+        else:
+            module.debug("Using principal %s" % str(cred.name))
+            return True
+
     creds = get_credentials_if_valid()
     if creds and \
        creds.lifetime > 0 and \
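Review bot: The KRB5CCNAME branch returns True as soon as `gssapi.creds.Credentials()` succeeds, without checking that the acquired credential belongs to `principal` or is still unexpired, so a ccache holding another or an expired principal satisfies a check whose docstring promises "matching the principal"; the `get_credentials_if_valid()` path that follows still applies its own lifetime test. Inside the existing try, before `return True`, I would add `if cred.lifetime <= 0:` followed by `module.fail_json(msg='Credentials in %s are expired' % os.environ['KRB5CCNAME'])`, keeping it inside the try since reading `lifetime` on expired credentials may itself raise a GSSError, and compare `str(cred.name)` with `principal` once the form the caller passes (with or without realm) is settled. The keytab branch has the same gap, although there the principal is the one the caller requested, and the `except gssapi.raw.misc.GSSError` around `kinit_keytab` should be confirmed against the `ipapython.ipautil` fallback, which may not raise that type. The body of valid_creds continues past the end of the hunk.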
-- 
GitLab