From 10d072a8c42e6aa91485661d02b31f79bcc89fc0 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Fri, 24 Mar 2023 12:40:32 +0100
Subject: [PATCH] ipaclient: ipaclient_fix_ca also needs krb_name parameter

With the fix to defer creating the final krb5.conf on clients a bug has
been introduced with ipaclient_fix_ca: The krb_name parameter that
points to the temporary krb5 configuration was not added to the module

Without this the server affinity is broken for allow_repair and additionally
ipaclient_fix_ca could fail if krb5 configuration needs to be repraied
and also CA needs to be fixed.

The krb_name parameter has been added to ipaclient_fix_ca and is also
properly set in tasks/install.yml.
---
 roles/ipaclient/library/ipaclient_fix_ca.py | 8 ++++++++
 roles/ipaclient/tasks/install.yml           | 1 +
 2 files changed, 9 insertions(+)

diff --git a/roles/ipaclient/library/ipaclient_fix_ca.py b/roles/ipaclient/library/ipaclient_fix_ca.py
index 238b3163..ede8d56d 100644
--- a/roles/ipaclient/library/ipaclient_fix_ca.py
+++ b/roles/ipaclient/library/ipaclient_fix_ca.py
@@ -54,6 +54,10 @@ options:
       the host entry will not be changed on the server
     type: bool
     required: yes
+  krb_name:
+    description: The krb5 config file name
+    type: str
+    required: yes
 author:
     - Thomas Woerner (@t-woerner)
 '''
@@ -65,6 +69,7 @@ EXAMPLES = '''
     realm: EXAMPLE.COM
     basedn: dc=example,dc=com
     allow_repair: yes
+    krb_name: /tmp/tmpkrb5.conf
 '''
 
 RETURN = '''
@@ -87,6 +92,7 @@ def main():
             realm=dict(required=True, type='str'),
             basedn=dict(required=True, type='str'),
             allow_repair=dict(required=True, type='bool'),
+            krb_name=dict(required=True, type='str'),
         ),
     )
 
@@ -98,6 +104,8 @@ def main():
     realm = module.params.get('realm')
     basedn = module.params.get('basedn')
     allow_repair = module.params.get('allow_repair')
+    krb_name = module.params.get('krb_name')
+    os.environ['KRB5_CONFIG'] = krb_name
 
     env = {'PATH': SECURE_PATH}
     fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 1dc6fdf1..7ff2c39a 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -346,6 +346,7 @@
         realm: "{{ result_ipaclient_test.realm }}"
         basedn: "{{ result_ipaclient_test.basedn }}"
         allow_repair: "{{ ipaclient_allow_repair }}"
+        krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}"
       when: not ipaclient_on_master | bool and
             result_ipaclient_test_keytab.krb5_keytab_ok and
             not result_ipaclient_test_keytab.ca_crt_exists
-- 
GitLab