From 3e9568e39ed853fd3db0a949644185ce6e12bda7 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Fri, 18 May 2018 14:17:30 +0200
Subject: [PATCH] ipaclient: Fix krb5 DNS lookup and servers

The krb5 DNS lookup settings krb5_dns_lookup_realm and krb5_dns_lookup_kdc
and also the servers have not been set properly if no server has been
specified and discovery succeeded. This has been fixed.

This fixes issue #23.
---
 roles/ipaclient/tasks/install.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 3df5cff9..e846b2e7 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -168,10 +168,10 @@
     include_role:
       name: krb5
     vars:
-      krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
+      krb5_servers: "{{ ipadiscovery.servers if not ipadiscovery.dnsok or not ipadiscovery.kdc else [ ] }}"
       krb5_realm: "{{ ipadiscovery.realm }}"
-      krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
-      krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+      krb5_dns_lookup_realm: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
+      krb5_dns_lookup_kdc: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
       krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
       krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
     when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version <= 40400
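Review bot: The negated condition `not ipadiscovery.dnsok or not ipadiscovery.kdc` is now written out three times in this `vars:` block and three more times in the hunk at -180, so the server list and the two DNS-lookup flags can drift apart on a later edit. These values presumably decide whether krb5.conf pins the discovered KDCs or relies on DNS records to locate them, so the positive form would be easier to audit, e.g. `krb5_servers: "{{ [ ] if ipadiscovery.dnsok and ipadiscovery.kdc else ipadiscovery.servers }}"`. A one-line comment above `vars:` would also help, such as `# DNS lookups only when discovery resolved the KDC via DNS; otherwise pin ipadiscovery.servers`. It is not visible here whether `ipadiscovery.kdc` is returned on every discovery path; if it can be absent, these templates would fail on an undefined attribute, which is worth confirming in the module. The task these lines belong to starts above the hunk.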
@@ -180,10 +180,10 @@
     include_role:
       name: krb5
     vars:
-      krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
+      krb5_servers: "{{ ipadiscovery.servers if not ipadiscovery.dnsok or not ipadiscovery.kdc else [ ] }}"
       krb5_realm: "{{ ipadiscovery.realm }}"
-      krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
-      krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+      krb5_dns_lookup_realm: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
+      krb5_dns_lookup_kdc: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
       krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
       krb5_dns_canonicalize_hostname: "false"
       krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
-- 
GitLab