From 0b4aec7b6aa93305b7f759e07349675b51cb8287 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 14 Sep 2017 14:02:16 +0200
Subject: [PATCH] roles/krb5: Compatibility for ipa 4.4 and later

New variables have been added (undefined by default):
  krb5_dns_canonicalize_hostname
  krb5_pkinit_anchors
  krb5_pkinit_pool

These are set according to the requirements of the ipa version in use; see
roles/ipaclient/tasks/install.yml
---
 roles/ipaclient/tasks/install.yml | 18 +++++++++++++++++-
 roles/krb5/defaults/main.yml      |  9 +++------
 roles/krb5/tasks/main.yml         |  2 +-
 roles/krb5/templates/krb5.conf.j2 |  8 +++++++-
 4 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 446c3efd..b0a37d0c 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -81,7 +81,7 @@
     #dns_updates: no
     #all_ip_addresses: no
 
-- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }}"
+- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} <= 4.4"
   include_role:
     name: krb5
   vars:
@@ -90,6 +90,22 @@
     krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
     krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
     krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
+    krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
+  when: ipadiscovery.ipa_python_version <= 40400
+
+- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
+  include_role:
+    name: krb5
+  vars:
+    krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
+    krb5_realm: "{{ ipadiscovery.realm }}"
+    krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+    krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+    krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
+    krb5_dns_canonicalize_hostname: "false"
+    krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
+    krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/pki-ca-bundle.pem"
+  when: ipadiscovery.ipa_python_version > 40400
 
 - name: Install - IPA API calls for remaining enrollment parts
   ipaapi:
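Review bot: The anchor path set in the new "> 4.4" task, `krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/pki-ca-bundle.pem"`, does not match the default this same commit removes from roles/krb5/defaults/main.yml, `FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem`; since this file is what the client trusts when validating the KDC's PKINIT certificate, the rename deserves a second look and, if it is not deliberate, the old `kdc-ca-bundle.pem` name should be restored. The boundary `ipadiscovery.ipa_python_version <= 40400` also looks narrower than the task names "<= 4.4" and "> 4.4" suggest: if the encoding is major*10000 + minor*100 + patch, 4.4.0 takes the old branch but 4.4.1 would take the new one, so either compare against the next minor (`< 40500` / `>= 40500`) or document the encoding in a comment above the first task. Finally, the five vars shared by both tasks (servers, realm, the two dns lookups, no_default_domain) are duplicated verbatim; a single include_role with only the version-dependent vars conditioned on the comparison would keep the two paths from drifting apart.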
diff --git a/roles/krb5/defaults/main.yml b/roles/krb5/defaults/main.yml
index dfdec757..dfac2e90 100644
--- a/roles/krb5/defaults/main.yml
+++ b/roles/krb5/defaults/main.yml
@@ -1,8 +1,8 @@
 ---
-krb5_conf: /etc/krb5.conf
-krb5_conf_d: /etc/krb5.conf.d/ #paths.COMMON_KRB5_CONF_DIR
-krb5_include_d: /var/lib/sss/pubconf/krb5.include.d/ #paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
 krb5_packages: krb5-workstation
+krb5_conf: /etc/krb5.conf
+krb5_conf_d: /etc/krb5.conf.d/ # paths.COMMON_KRB5_CONF_DIR
+krb5_include_d: /var/lib/sss/pubconf/krb5.include.d/ # paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
 
 krb5_realm:
 krb5_servers:
@@ -10,6 +10,3 @@ krb5_dns_lookup_realm: "false"
 krb5_dns_lookup_kdc: "false"
 krb5_no_default_domain: "false"
 krb5_default_ccache_name: KEYRING:persistent:%{uid}
-
-krb5_pkinit_anchors: FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
-krb5_pkinit_pool: FILE:/var/lib/ipa-client/pki/ca-bundle.pem
diff --git a/roles/krb5/tasks/main.yml b/roles/krb5/tasks/main.yml
index 4fb7876f..014ac93c 100644
--- a/roles/krb5/tasks/main.yml
+++ b/roles/krb5/tasks/main.yml
@@ -15,4 +15,4 @@
     owner: root
     group: root
     mode: 0644
-    force: yes
\ No newline at end of file
+    force: yes
diff --git a/roles/krb5/templates/krb5.conf.j2 b/roles/krb5/templates/krb5.conf.j2
index 55671e51..a52e9548 100644
--- a/roles/krb5/templates/krb5.conf.j2
+++ b/roles/krb5/templates/krb5.conf.j2
@@ -6,7 +6,9 @@ includedir {{ krb5_include_d }}
   dns_lookup_realm = {{ krb5_dns_lookup_realm }}
   dns_lookup_kdc = {{ krb5_dns_lookup_kdc }}
   rdns = false
-  dns_canonicalize_hostname = false
+{% if krb5_dns_canonicalize_hostname is defined %}
+  dns_canonicalize_hostname = {{ krb5_dns_canonicalize_hostname }}
+{% endif %}
   ticket_lifetime = 24h
   forwardable = true
   udp_preference_limit = 0
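Review bot: With the new `is defined` guard, a client on the "<= 4.4" path of roles/ipaclient/tasks/install.yml (which does not set krb5_dns_canonicalize_hostname) no longer gets `dns_canonicalize_hostname = false` in krb5.conf, whereas before this commit the line was always written; libkrb5 then falls back to its own default, which canonicalizes the hostname through DNS. If that is intended for older IPA versions, a template comment such as `{# dns_canonicalize_hostname is only pinned for IPA > 4.4; older clients use the libkrb5 default #}` would make it explicit, otherwise the "<= 4.4" task should also set `krb5_dns_canonicalize_hostname: "false"`. Note also that `is defined` accepts a variable that is set but empty (a bare `krb5_dns_canonicalize_hostname:` in a vars file is None in Ansible), which would render `dns_canonicalize_hostname = None`; the same applies to the pkinit_anchors and pkinit_pool guards added in the second hunk of this file, so a stricter test such as `is defined and krb5_dns_canonicalize_hostname is not none` is worth considering.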
@@ -23,8 +25,12 @@ includedir {{ krb5_include_d }}
 {% if krb5_no_default_domain | bool %}
     default_domain = {{ krb5_realm | lower }}
 {% endif %}
+{% if krb5_pkinit_anchors is defined %}
     pkinit_anchors = {{ krb5_pkinit_anchors }}
+{% endif %}
+{% if krb5_pkinit_pool is defined %}
     pkinit_pool = {{ krb5_pkinit_pool }}
+{% endif %}
   }
 
 [domain_realm]
-- 
GitLab