diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 3df5cff9e41cebde5c039162b31b95aa3a943c63..e846b2e744965a49c3f77bf18e9df9fc4f185c1e 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -168,10 +168,10 @@
include_role:
name: krb5
vars:
- krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
+ krb5_servers: "{{ ipadiscovery.servers if not ipadiscovery.dnsok or not ipadiscovery.kdc else [ ] }}"
krb5_realm: "{{ ipadiscovery.realm }}"
- krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
- krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+ krb5_dns_lookup_realm: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
+ krb5_dns_lookup_kdc: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version <= 40400
@@ -180,10 +180,10 @@
include_role:
name: krb5
vars:
- krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
+ krb5_servers: "{{ ipadiscovery.servers if not ipadiscovery.dnsok or not ipadiscovery.kdc else [ ] }}"
krb5_realm: "{{ ipadiscovery.realm }}"
- krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
- krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+ krb5_dns_lookup_realm: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
+ krb5_dns_lookup_kdc: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
krb5_dns_canonicalize_hostname: "false"
krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"