ipaclient: Fix krb5 DNS lookup and servers

The krb5 DNS lookup settings krb5_dns_lookup_realm and krb5_dns_lookup_kdc ans also the servers have not been set properly set if no server has been specified and discovery succeeded. This has been fixed. This fixes issue #23.

ipaclient: Fix krb5 DNS lookup and servers
3e9568e3 · Thomas Woerner · a4b2401e · 3e9568e3
Commit 3e9568e3 authored 7 years ago by Thomas Woerner
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -168,10 +168,10 @@
    include_role:
      name: krb5
    vars:
-      krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
+      krb5_servers: "{{ ipadiscovery.servers if not ipadiscovery.dnsok or not ipadiscovery.kdc else [ ] }}"
      krb5_realm: "{{ ipadiscovery.realm }}"
-      krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+      krb5_dns_lookup_realm: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
-      krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+      krb5_dns_lookup_kdc: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
      krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
      krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
    when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version <= 40400
@@ -180,10 +180,10 @@
    include_role:
      name: krb5
    vars:
-      krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
+      krb5_servers: "{{ ipadiscovery.servers if not ipadiscovery.dnsok or not ipadiscovery.kdc else [ ] }}"
      krb5_realm: "{{ ipadiscovery.realm }}"
-      krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+      krb5_dns_lookup_realm: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
-      krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+      krb5_dns_lookup_kdc: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
      krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
      krb5_dns_canonicalize_hostname: "false"
      krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"