roles/krb5: Compatibility for ipa 4.4 and later

New variables have been added (undefined by default): krb5_dns_canonicalize_hostname krb5_pkinit_anchors krb5_pkinit_pool These are set according to the ipa version requirements. See roles/ipaclient/tasks/install.yml

roles/krb5: Compatibility for ipa 4.4 and later
0b4aec7b · Thomas Woerner · a5fb2956 · 0b4aec7b · 0b4aec7b · 0b4aec7b
Commit 0b4aec7b authored Sep 14, 2017 by Thomas Woerner
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -81,7 +81,7 @@
    #dns_updates: no
    #all_ip_addresses: no

- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }}"
+- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} <= 4.4"
  include_role:
    name: krb5
  vars:
@@ -90,6 +90,22 @@
    krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
    krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
    krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
+    krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
+  when: ipadiscovery.ipa_python_version <= 40400
+
+- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
+  include_role:
+    name: krb5
+  vars:
+    krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
+    krb5_realm: "{{ ipadiscovery.realm }}"
+    krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+    krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+    krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
+    krb5_dns_canonicalize_hostname: "false"
+    krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
+    krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/pki-ca-bundle.pem"
+  when: ipadiscovery.ipa_python_version > 40400

 - name: Install - IPA API calls for remaining enrollment parts
  ipaapi:

--- a/roles/krb5/defaults/main.yml
+++ b/roles/krb5/defaults/main.yml
 ---
+krb5_packages: krb5-workstation
 krb5_conf: /etc/krb5.conf
 krb5_conf_d: /etc/krb5.conf.d/ # paths.COMMON_KRB5_CONF_DIR
 krb5_include_d: /var/lib/sss/pubconf/krb5.include.d/ # paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
-krb5_packages: krb5-workstation

 krb5_realm:
 krb5_servers:
@@ -10,6 +10,3 @@ krb5_dns_lookup_realm: "false"
 krb5_dns_lookup_kdc: "false"
 krb5_no_default_domain: "false"
 krb5_default_ccache_name: KEYRING:persistent:%{uid}
-
-krb5_pkinit_anchors: FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
-krb5_pkinit_pool: FILE:/var/lib/ipa-client/pki/ca-bundle.pem
--- a/roles/krb5/tasks/main.yml
+++ b/roles/krb5/tasks/main.yml
--- a/roles/krb5/templates/krb5.conf.j2
+++ b/roles/krb5/templates/krb5.conf.j2
@@ -6,7 +6,9 @@ includedir {{ krb5_include_d }}
  dns_lookup_realm = {{ krb5_dns_lookup_realm }}
  dns_lookup_kdc = {{ krb5_dns_lookup_kdc }}
  rdns = false
-  dns_canonicalize_hostname = false
+{% if krb5_dns_canonicalize_hostname is defined %}
+  dns_canonicalize_hostname = {{ krb5_dns_canonicalize_hostname }}
+{% endif %}
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
@@ -23,8 +25,12 @@ includedir {{ krb5_include_d }}
 {% if krb5_no_default_domain | bool %}
    default_domain = {{ krb5_realm | lower }}
 {% endif %}
+{% if krb5_pkinit_anchors is defined %}
    pkinit_anchors = {{ krb5_pkinit_anchors }}
+{% endif %}
+{% if krb5_pkinit_pool is defined %}
    pkinit_pool = {{ krb5_pkinit_pool }}
+{% endif %}
  }

 [domain_realm]