From 397acc01dba7314f37f5e1906ccfe7d05b8a3a6f Mon Sep 17 00:00:00 2001 From: Thomas Woerner <twoerner@redhat.com> Date: Fri, 18 May 2018 14:52:58 +0200 Subject: [PATCH] ipaclient: Make krb5 DNS lookup possible in cluster environments krb5 DNS discovery was not possible in cluster environments as the server list from groups.ipaserver was used all the time. DNS discovery is, however, only used if no servers are given. The new setting ipaclient_no_dns_lookup has been added to make sure that DNS lookup is used in the first place and can be disabled easily with this setting. There is also a new way to override servers per client in the inventory file with ipaclient_servers. Two new settings have been added: ipaclient_no_dns_lookup (bool, default: no) Set to 'yes' to use groups.ipaserver in cluster environments as servers for the clients. This deactivates DNS lookup in krb5. ipaclient_servers (list of strings, default: undefined) Manually override list of servers for example in a cluster environment on a per client basis. The list of servers is normally taken from groups.ipaserver in cluster environments. --- CLIENT.md | 9 +++++++++ roles/ipaclient/defaults/main.yml | 1 + roles/ipaclient/tasks/install.yml | 12 +++++++++++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/CLIENT.md b/CLIENT.md index a4b2779f..273ea891 100644 --- a/CLIENT.md +++ b/CLIENT.md 
@@ -109,6 +109,15 @@ Variables
 **ipaclient_mkhomedir** - Set to yes to configure PAM to create a users home directory if it does not exist. (string, optional)
+Cluster Specific Variables
+--------------------------
+
+**ipaclient_no_dns_lookup** - Set to 'yes' to use groups.ipaserver in cluster environments as servers for the clients. This deactivates DNS lookup in krb5.
+ (bool, optional, default: 'no')
+
+**ipaclient_servers** - Manually override list of servers for example in a cluster environment on a per client basis. The list of servers is normally taken from from groups.ipaserver in cluster environments.
+ (list of strings, optional)
+
 Requirements
 ------------
diff --git a/roles/ipaclient/defaults/main.yml b/roles/ipaclient/defaults/main.yml
index ddc54978..a7aedf97 100644
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -9,3 +9,4 @@ ipaclient_use_otp: no
 ipaclient_allow_repair: no
 ipaclient_on_master: no
 ipaclient_no_ntp: no
+ipaclient_no_dns_lookup: no
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index e846b2e7..78724c7c 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -11,10 +11,20 @@
 include: "{{role_path}}/tasks/python_2_3_test.yml"
 static: yes
+- name: Install - Set ipaclient_servers
+ set_fact:
+ ipaclient_servers: "{{ groups['ipaservers'] | list }}"
+ when: groups.ipaservers is defined and ipaclient_servers is not defined
+
+- name: Install - Set ipaclient_servers from cluster inventory
+ set_fact:
+ ipaclient_servers: "{{ groups['ipaserver'] | list }}"
+ when: ipaclient_no_dns_lookup | bool and groups.ipaserver is defined and ipaclient_servers is not defined
+
 - name: Install - IPA discovery
 ipadiscovery:
 domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}"
- servers: "{{ groups.ipaserver | default(groups.ipaservers) | default(omit) }}"
+ servers: "{{ ipaclient_servers | default(omit) }}"
 realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}"
 hostname: "{{ ipaclient_hostname | default(ansible_fqdn) }}"
 ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
-- GitLab
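Review bot: The `ipaclient_no_dns_lookup` gate on the second set_fact is ineffective whenever an `ipaservers` group is also defined: the first set_fact fills `ipaclient_servers` unconditionally, so the cluster task is skipped on `ipaclient_servers is not defined`, and the precedence of the replaced `groups.ipaserver | default(groups.ipaservers)` expression is silently reversed. If the opt-in cluster group is meant to win, swap the two tasks, or narrow the first one to `when: groups.ipaservers is defined and ipaclient_servers is not defined and not (ipaclient_no_dns_lookup | bool and groups.ipaserver is defined)`. Nothing in this hunk hands `ipaclient_no_dns_lookup` to ipadiscovery or to the krb5 configuration, so whether DNS SRV lookup is actually disabled in krb5.conf, as the CLIENT.md text claims, rests on how the installer treats an explicit server list; a comment on the task such as `# only changes the server list passed to discovery - krb5 dns_lookup_kdc is not set here` would keep that honest. An explicitly pinned server list is the safer setting regardless, since SRV answers are unauthenticated and a fixed list takes DNS out of the enrolment path.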