diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 446c3efd26badcad22bc283666e78335ee6c6b25..b0a37d0c39dbe6df00a5e378ccbd7bdbf7e43287 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -81,7 +81,7 @@
 #dns_updates: no
 #all_ip_addresses: no
 
-- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }}"
+- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} <= 4.4"
 include_role:
 name: krb5
 vars:
@@ -90,6 +90,22 @@
 krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
 krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
 krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
+ krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
+ when: ipadiscovery.ipa_python_version <= 40400
+
+- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
+ include_role:
+ name: krb5
+ vars:
+ krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
+ krb5_realm: "{{ ipadiscovery.realm }}"
+ krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+ krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+ krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
+ krb5_dns_canonicalize_hostname: "false"
+ krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
+ krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/pki-ca-bundle.pem"
+ when: ipadiscovery.ipa_python_version > 40400
 
 - name: Install - IPA API calls for remaining enrollment parts
 ipaapi:
diff --git a/roles/krb5/defaults/main.yml b/roles/krb5/defaults/main.yml
index dfdec757427b57d9a66cd923f6369defe7f4e797..dfac2e909e4255f78d6498e7653c7c9f5151cace 100644
--- a/roles/krb5/defaults/main.yml
+++ b/roles/krb5/defaults/main.yml
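Review bot: The `> 4.4` task sets `krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/pki-ca-bundle.pem"`, but the default this same commit deletes from roles/krb5/defaults/main.yml named `kdc-ca-bundle.pem` in that directory, and nothing in the diff checks that either file exists, so a wrong name leaves the client without a PKINIT trust anchor for the KDC while krb5.conf is still written without error. Please confirm the name against what the client actually places in /var/lib/ipa-client/pki; if the old name was right the line should read `krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"`. The two new `when:` clauses compare `ipadiscovery.ipa_python_version` with the integer `40400`; if the discovery module returns that fact as a string the comparison is not numeric, so `when: ipadiscovery.ipa_python_version | int <= 40400` (and `| int > 40400`) would be safer. The `<= 4.4` task does not pass `krb5_dns_canonicalize_hostname`, so with the template change in this commit that directive disappears from krb5.conf for older clients instead of the `false` the role used to write unconditionally; if that is deliberate, a comment on the task such as `# <= 4.4: krb5_dns_canonicalize_hostname intentionally unset, libkrb5 default applies` would record it.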
@@ -1,8 +1,8 @@
 ---
-krb5_conf: /etc/krb5.conf
-krb5_conf_d: /etc/krb5.conf.d/ #paths.COMMON_KRB5_CONF_DIR
-krb5_include_d: /var/lib/sss/pubconf/krb5.include.d/ #paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
 krb5_packages: krb5-workstation
+krb5_conf: /etc/krb5.conf
+krb5_conf_d: /etc/krb5.conf.d/ # paths.COMMON_KRB5_CONF_DIR
+krb5_include_d: /var/lib/sss/pubconf/krb5.include.d/ # paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
 krb5_realm:
 krb5_servers:
@@ -10,6 +10,3 @@ krb5_dns_lookup_realm: "false"
 krb5_dns_lookup_kdc: "false"
 krb5_no_default_domain: "false"
 krb5_default_ccache_name: KEYRING:persistent:%{uid}
-
-krb5_pkinit_anchors: FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
-krb5_pkinit_pool: FILE:/var/lib/ipa-client/pki/ca-bundle.pem
diff --git a/roles/krb5/tasks/main.yml b/roles/krb5/tasks/main.yml
index 4fb7876fc535c09c73a8436060360d7b436e3f15..014ac93cd7f28b4ac9f872fe0b188c5e50b63380 100644
--- a/roles/krb5/tasks/main.yml
+++ b/roles/krb5/tasks/main.yml
@@ -15,4 +15,4 @@
 owner: root
 group: root
 mode: 0644
- force: yes
\ No newline at end of file
+ force: yes
diff --git a/roles/krb5/templates/krb5.conf.j2 b/roles/krb5/templates/krb5.conf.j2
index 55671e51989475a99a0a78ca4ea305c99ed0f311..a52e9548dfdbd02c32f8f8c3c7a60816c9634c51 100644
--- a/roles/krb5/templates/krb5.conf.j2
+++ b/roles/krb5/templates/krb5.conf.j2
@@ -6,7 +6,9 @@ includedir {{ krb5_include_d }}
 dns_lookup_realm = {{ krb5_dns_lookup_realm }}
 dns_lookup_kdc = {{ krb5_dns_lookup_kdc }}
 rdns = false
- dns_canonicalize_hostname = false
+{% if krb5_dns_canonicalize_hostname is defined %}
+ dns_canonicalize_hostname = {{ krb5_dns_canonicalize_hostname }}
+{% endif %}
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
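Review bot: The `{% if krb5_dns_canonicalize_hostname is defined %}` guard around the replaced `dns_canonicalize_hostname` line changes the rendered krb5.conf for every caller that does not set the variable: the template used to pin the directive to `false`, and now it is omitted entirely, so libkrb5 falls back to its built-in default (true on MIT krb5), under which service host names are canonicalized through DNS before a service principal is chosen. As far as this diff shows, only the `> 4.4` task in roles/ipaclient/tasks/install.yml supplies the value and the role's own defaults file gains no entry for it, so every other consumer of the role silently gets the library default. If omitting it for older clients is intentional, state that in the template with a line such as `{# no default: when unset the directive is omitted and libkrb5's own default applies; ipaclient sets "false" for IPA > 4.4 #}` above the guard; otherwise `dns_canonicalize_hostname = {{ krb5_dns_canonicalize_hostname | default('false') }}` without the guard keeps the previous behaviour for everyone.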
@@ -23,8 +25,12 @@ includedir {{ krb5_include_d }}
 {% if krb5_no_default_domain | bool %}
 default_domain = {{ krb5_realm | lower }}
 {% endif %}
+{% if krb5_pkinit_anchors is defined %}
 pkinit_anchors = {{ krb5_pkinit_anchors }}
+{% endif %}
+{% if krb5_pkinit_pool is defined %}
 pkinit_pool = {{ krb5_pkinit_pool }}
+{% endif %}
 }
 
 [domain_realm]
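Review bot: With `pkinit_anchors` and `pkinit_pool` now emitted only when their variables are defined, and the defaults for both deleted in this same commit, a krb5.conf rendered by a direct user of the krb5 role carries no PKINIT trust anchor at all, and nothing in the template says that the caller is expected to supply them. The only caller visible here, roles/ipaclient/tasks/install.yml, passes `krb5_pkinit_anchors` in both version branches but `krb5_pkinit_pool` only in the `> 4.4` one, so the contract is easy to get wrong. A Jinja comment above the first guard, e.g. `{# krb5_pkinit_anchors / krb5_pkinit_pool have no role default; the caller sets them per IPA version, otherwise the directives are omitted #}`, would make that explicit. The realm stanza closed by the `}` in this hunk opens outside it.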