From 703ee1c9cdba6fd20a81c7bd98196a497c65d84c Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Mon, 4 May 2020 15:35:15 -0300
Subject: [PATCH] Fixes usage of Kerberos credentials on Vault module.

Even after obtaining Kerberos TGT with temp_kinit(), when connecting to
the IPA API with context `ansible-freeipa`, the API commands complained
that Kerberos credentials were not available. This patch fixes this
behavior.
---
 plugins/modules/ipavault.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
index d102202e..f662a97c 100644
--- a/plugins/modules/ipavault.py
+++ b/plugins/modules/ipavault.py
@@ -463,6 +463,9 @@ def main():
         if not valid_creds(ansible_module, ipaadmin_principal):
             ccache_dir, ccache_name = temp_kinit(ipaadmin_principal,
                                                  ipaadmin_password)
+            # Need to set krb5 ccache name, due to context='ansible-freeipa'
+            if ccache_name is not None:
+                os.environ["KRB5CCNAME"] = ccache_name
 
         api_connect(context='ansible-freeipa')
 
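Review bot: The added `os.environ["KRB5CCNAME"] = ccache_name` changes the credential cache for the whole process and overwrites any value already set, and nothing visible in this hunk restores it. Because that cache holds a TGT obtained with `ipaadmin_password`, the setting should last only for the API session: save the old value first with `prev_ccname = os.environ.get("KRB5CCNAME")`, then restore or pop it in the same cleanup path that destroys the temporary ccache. Otherwise later code in the process may inherit the admin cache or resolve a path that has been removed. The patch adds no import, so `os` must already be imported in ipavault.py; that line is outside the hunk and worth confirming. main() starts and ends outside the hunk, so such a cleanup path may already exist there.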
-- 
GitLab