ansible_freeipa_module: Add support for GSSAPI

The GSSAPI can be enabled in the management modules with either the KRB5CCNAME or the KRB5_CLIENT_KTNAME environment variable. For KRB5CCNAME it is needed to create a ccache file kinit admin@TEST.LOCAL -c /root/admin.ccache that is transferred to the nodes (here into /root) and activated in the playbook with environment: KRB5CCNAME: /root/admin.ccache For KRB5_CLIENT_KTNAME a admin keytab has to be generated ipa-getkeytab -s ipaserver.test.local -p admin@TEST.LOCAL -k \ /root/admin.keytab that is transferred to the nodes (here into /root) and activated in the playbook with environment: KRB5_CLIENT_KTNAME: /root/admin.keytab It will be needed to set ipaadmin_principal if the admin principal is not admin. The management modules can be used without a password in this case.

ansible_freeipa_module: Add support for GSSAPI
09ab29b4 · Thomas Woerner · c69d0bc5 · 09ab29b4
Commit 09ab29b4 authored Aug 12, 2019 by Thomas Woerner
--- a/plugins/module_utils/ansible_freeipa_module.py
+++ b/plugins/module_utils/ansible_freeipa_module.py
@@ -22,16 +22,18 @@


 import os
+import uuid
 import tempfile
 import shutil
+import gssapi
 from datetime import datetime
 from ipalib import api
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG, LDAP_GENERALIZED_TIME_FORMAT
 try:
-    from ipalib.install.kinit import kinit_password
+    from ipalib.install.kinit import kinit_password, kinit_keytab
 except ImportError:
-    from ipapython.ipautil import kinit_password
+    from ipapython.ipautil import kinit_password, kinit_keytab
 from ipapython.ipautil import run
 from ipaplatform.paths import paths
 from ipalib.krb_utils import get_credentials_if_valid
@@ -39,8 +41,34 @@ from ipalib.krb_utils import get_credentials_if_valid

 def valid_creds(module, principal):
    """
-    Get valid credintials matching the princial
+    Get valid credintials matching the princial, try GSSAPI first
    """
+    if "KRB5CCNAME" in os.environ:
+        module.debug('KRB5CCNAME set to %s' %
+                     os.environ.get('KRB5CCNAME', None))
+        try:
+            cred = gssapi.creds.Credentials()
+        except gssapi.raw.misc.GSSError as e:
+            module.fail_json(msg='Failed to find default ccache: %s' % e)
+        else:
+            module.debug("Using principal %s" % str(cred.name))
+            return True
+
+    elif "KRB5_CLIENT_KTNAME" in os.environ:
+        keytab = os.environ.get('KRB5_CLIENT_KTNAME', None)
+        module.debug('KRB5_CLIENT_KTNAME set to %s' % keytab)
+
+        ccache_name = "MEMORY:%s" % str(uuid.uuid4())
+        os.environ["KRB5CCNAME"] = ccache_name
+
+        try:
+            cred = kinit_keytab(principal, keytab, ccache_name)
+        except gssapi.raw.misc.GSSError as e:
+            module.fail_json(msg='Kerberos authentication failed : %s' % e)
+        else:
+            module.debug("Using principal %s" % str(cred.name))
+            return True
+
    creds = get_credentials_if_valid()
    if creds and \
       creds.lifetime > 0 and \