diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
index a875d6d5b2a77101f3b5e994e869dc3c46621f50..d93b568696d42fa84cbde329c5aad0e0b628c917 100644
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -182,6 +182,9 @@ options:
skip_conncheck:
description: Skip connection check to remote master
required: yes
+ sid_generation_always:
+ description: Enable SID generation always
+ required: yes
author:
- Thomas Woerner
'''
@@ -275,6 +278,8 @@ def main():
# additional
server=dict(required=True),
skip_conncheck=dict(required=False, type='bool'),
+ sid_generation_always=dict(required=False, type='bool',
+ default=False),
),
supports_check_mode=True,
)
@@ -350,6 +355,7 @@ def main():
# '_hostname_overridden')
options.server = ansible_module.params.get('server')
options.skip_conncheck = ansible_module.params.get('skip_conncheck')
+ sid_generation_always = ansible_module.params.get('sid_generation_always')
# random serial numbers are master_only, therefore setting to False
options.random_serial_numbers = False
@@ -761,7 +767,7 @@ def main():
ansible_log.debug("-- CHECK ADTRUST --")
- if options.setup_adtrust:
+ if options.setup_adtrust or sid_generation_always:
adtrust.install_check(False, options, remote_api)
except errors.ACIError:
diff --git a/roles/ipareplica/library/ipareplica_setup_adtrust.py b/roles/ipareplica/library/ipareplica_setup_adtrust.py
index 0c99a28587648e844d1b50cb00589f04b19adcbf..3532bb1a12d12d6276e80393bfd74f5cd2423dbe 100644
--- a/roles/ipareplica/library/ipareplica_setup_adtrust.py
+++ b/roles/ipareplica/library/ipareplica_setup_adtrust.py
@@ -71,6 +71,9 @@ options:
setup_ca:
description: Configure a dogtag CA
required: no
+ setup_adtrust:
+ description: Configure AD trust capability
+ required: yes
config_master_host_name:
description: The config master_host_name setting
required: no
@@ -112,6 +115,7 @@ def main():
ccache=dict(required=True),
_top_dir=dict(required=True),
setup_ca=dict(required=True, type='bool'),
+ setup_adtrust=dict(required=True, type='bool'),
config_master_host_name=dict(required=True),
),
supports_check_mode=True,
@@ -140,6 +144,7 @@ def main():
os.environ['KRB5CCNAME'] = ccache
options._top_dir = ansible_module.params.get('_top_dir')
options.setup_ca = ansible_module.params.get('setup_ca')
+ options.setup_adtrust = ansible_module.params.get('setup_adtrust')
config_master_host_name = ansible_module.params.get(
'config_master_host_name')
adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name')
diff --git a/roles/ipareplica/library/ipareplica_test.py b/roles/ipareplica/library/ipareplica_test.py
index 7ec6fb1617703c88c81fe052c24f571024ee7c8a..f34f3ed7a04b6dfa4c2e7dd2fa76ca144345a6c2 100644
--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -143,7 +143,7 @@ from ansible.module_utils.ansible_ipa_replica import (
ansible_module_get_parsed_ip_addresses, service,
redirect_stdout, create_ipa_conf, ipautil,
x509, validate_domain_name, common_check,
- IPA_PYTHON_VERSION, getargspec
+ IPA_PYTHON_VERSION, getargspec, adtrustinstance
)
@@ -270,6 +270,14 @@ def main():
# # options.setup_adtrust = False
# # ansible_module.warn(msg="adtrust is not supported, disabling")
+ sid_generation_always = False
+ if not options.setup_adtrust:
+ # pylint: disable=deprecated-method
+ argspec = getargspec(adtrustinstance.ADTRUSTInstance.__init__)
+ # pylint: enable=deprecated-method
+ if "fulltrust" in argspec.args:
+ sid_generation_always = True
+
# if options.setup_kra and not kra_imported:
# # if "kra" not in options._allow_missing:
# ansible_module.fail_json(msg="kra can not be imported")
@@ -471,6 +479,7 @@ def main():
# additional
client_enrolled=client_enrolled,
change_master_for_certmonger=change_master_for_certmonger,
+ sid_generation_always=sid_generation_always
)
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
index 5b6872316c1d4240afc58dae683fa5acf711677e..0e4e7388ebd030de2659b2e8740d7fade374b8ef 100644
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -46,7 +46,8 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
"common_check", "current_domain_level",
"check_domain_level_is_supported", "promotion_check_ipa_domain",
"SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance",
- "dnsname", "kernel_keyring", "krbinstance", "getargspec"]
+ "dnsname", "kernel_keyring", "krbinstance", "getargspec",
+ "adtrustinstance"]
import sys
@@ -127,6 +128,7 @@ else:
adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance,
otpdinstance, custodiainstance, service, upgradeinstance)
+ from ipaserver.install import adtrustinstance
try:
from ipaserver.masters import (
find_providing_servers, find_providing_server)
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 0a9d7e9daf94353445be5a02e9b0e9ad2bfac71b..0e5f840ef2f0d17147566b73f2070090d671ad30 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -749,13 +749,15 @@
ccache: "{{ result_ipareplica_prepare.ccache }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
+ setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
config_master_host_name:
"{{ result_ipareplica_prepare.config_master_host_name }}"
adtrust_netbios_name:
"{{ result_ipareplica_prepare.adtrust_netbios_name }}"
adtrust_reset_netbios_name:
"{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"
- when: result_ipareplica_test.setup_adtrust
+ when: result_ipareplica_test.setup_adtrust or
+ result_ipareplica_test.sid_generation_always
- name: Install - Enable IPA
ipareplica_enable_ipa:
diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py
index e75b6858a5d08fab3fdf76552978806bd5438301..b3795005df72d6664773e9998559d82820326b4b 100644
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -141,6 +141,9 @@ options:
setup_ca:
description: Configure a dogtag CA
required: yes
+ sid_generation_always:
+ description: Enable SID generation always
+ required: yes
_hostname_overridden:
description: The installer _hostname_overridden setting
required: yes
@@ -215,6 +218,8 @@ def main():
setup_ca=dict(required=False, type='bool', default=False),
random_serial_numbers=dict(required=False, type='bool',
default=False),
+ sid_generation_always=dict(required=False, type='bool',
+ default=False),
_hostname_overridden=dict(required=False, type='bool',
default=False),
),
@@ -285,6 +290,7 @@ def main():
'random_serial_numbers')
options._host_name_overridden = ansible_module.params.get(
'_hostname_overridden')
+ sid_generation_always = ansible_module.params.get('sid_generation_always')
options.kasp_db_file = None
# init ##################################################################
@@ -377,7 +383,7 @@ def main():
logger.debug('Starting Directory Server')
services.knownservices.dirsrv.start(instance_name)
- if options.setup_adtrust:
+ if options.setup_adtrust or sid_generation_always:
with redirect_stdout(ansible_log):
adtrust.install_check(False, options, api)
diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
index d619add0ef5ae1e2e7620cc6ccbd9071c585f959..db108b7786cc45d617f0d795c326ba6d325adba8 100644
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -225,7 +225,7 @@ from ansible.module_utils.ansible_ipa_server import (
read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
- encode_certificate, check_available_memory, getargspec
+ encode_certificate, check_available_memory, getargspec, adtrustinstance
)
from ansible.module_utils import six
@@ -394,12 +394,16 @@ def main():
# version specific ######################################################
- if options.setup_adtrust and not adtrust_imported:
- # if "adtrust" not in options._allow_missing:
- ansible_module.fail_json(msg="adtrust can not be imported")
- # else:
- # options.setup_adtrust = False
- # ansible_module.warn(msg="adtrust is not supported, disabling")
+ sid_generation_always = False
+ if not options.setup_adtrust:
+ # pylint: disable=deprecated-method
+ argspec = getargspec(adtrustinstance.ADTRUSTInstance.__init__)
+ # pylint: enable=deprecated-method
+ if "fulltrust" in argspec.args:
+ sid_generation_always = True
+ else:
+ if not adtrust_imported:
+ ansible_module.fail_json(msg="adtrust can not be imported")
if options.setup_kra and not kra_imported:
# if "kra" not in options._allow_missing:
@@ -521,7 +525,8 @@ def main():
"You cannot specify an --enable-compat option without the "
"--setup-adtrust option")
- if self.netbios_name:
+ # Deactivate test for new IPA SID generation
+ if self.netbios_name and not sid_generation_always:
raise RuntimeError(
"You cannot specify a --netbios-name option without the "
"--setup-adtrust option")
@@ -1078,7 +1083,8 @@ def main():
ntp_pool=options.ntp_pool,
# additional
_installation_cleanup=_installation_cleanup,
- domainlevel=options.domainlevel)
+ domainlevel=options.domainlevel,
+ sid_generation_always=sid_generation_always)
if __name__ == '__main__':
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index 8bd808d4e6bc026dac2595ec713af4a8d25d8269..70ca4b6d68148468a83ef3e1adaad06d19654014 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -191,6 +191,7 @@
secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
### additional ###
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
+ sid_generation_always: "{{ result_ipaserver_test.sid_generation_always }}"
random_serial_numbers: no
_hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
register: result_ipaserver_prepare
@@ -394,7 +395,8 @@
adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"
adtrust_reset_netbios_name:
"{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"
- when: result_ipaserver_test.setup_adtrust
+ when: result_ipaserver_test.setup_adtrust or
+ result_ipaserver_test.sid_generation_always
- name: Install - Set DS password
ipaserver_set_ds_password: