Commit 92b824d8 authored by Thomas Woerner's avatar Thomas Woerner

roles/ipaclient/tasks/install.yml: ccache cleanup, new always clause

A big block has been added that contains all steps where the ccache is
created and used. With the block it is possible to add an always clause to
remove the ccache also in the error case. The cleanup of the ccache is
also done at the beginning to make sure that no ccache leftover will be
used.
parent 895a8877
...@@ -21,6 +21,11 @@ ...@@ -21,6 +21,11 @@
ipaadmin_principal: admin ipaadmin_principal: admin
when: ipaadmin_principal is undefined and ipaclient_keytab is undefined when: ipaadmin_principal is undefined and ipaclient_keytab is undefined
- name: Install - Cleanup leftover ccache
file:
path: "/etc/ipa/.dns_ccache"
state: absent
- block: - block:
- name: Install - Test if IPA client has working krb5.keytab - name: Install - Test if IPA client has working krb5.keytab
ipatest: ipatest:
...@@ -38,163 +43,171 @@ ...@@ -38,163 +43,171 @@
ipaclient_use_otp: "no" ipaclient_use_otp: "no"
when: ipaclient_use_otp | bool and ipatest.krb5_keytab_ok when: ipaclient_use_otp | bool and ipatest.krb5_keytab_ok
# The following block is executed when using OTP to enroll IPA client
# ie when ipaclient_use_otp is set. # The following block is executed when using OTP to enroll IPA client
# It connects to ipaserver and add the host with --random option in order # ie when ipaclient_use_otp is set.
# to create a OneTime Password # It connects to ipaserver and add the host with --random option in order
# If a keytab is specified in the hostent, then the hostent will be disabled # to create a OneTime Password
# if ipaclient_use_otp is set. # If a keytab is specified in the hostent, then the hostent will be disabled
- block: # if ipaclient_use_otp is set.
- name: Install - Get a One-Time Password for client enrollment - block:
no_log: yes - name: Install - Get a One-Time Password for client enrollment
ipahost: no_log: yes
state: present ipahost:
principal: "{{ ipaadmin_principal | default('admin') }}" state: present
principal: "{{ ipaadmin_principal | default('admin') }}"
password: "{{ ipaadmin_password | default(omit) }}"
keytab: "{{ ipaadmin_keytab | default(omit) }}"
fqdn: "{{ ansible_fqdn }}"
lifetime: "{{ ipaclient_lifetime | default(omit) }}"
random: True
register: ipahost_output
# If the host is already enrolled, this command will exit on error
# The error can be ignored
failed_when: ipahost_output|failed and "Password cannot be set on enrolled host" not in ipahost_output.msg
delegate_to: "{{ ipadiscovery.servers[0] }}"
- name: Install - Store the previously obtained OTP
no_log: yes
set_fact:
ipaadmin_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"
when: ipaclient_use_otp | bool
- name: Install - Check if principal and keytab are set
fail: msg="Principal and keytab cannot be used together"
when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != ""
- name: Install - Check if one of password and keytab are set
fail: msg="At least one of password or keytab must be specified"
when: not ipatest.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")
- name: Install - Purge {{ ipadiscovery.realm }} from host keytab
command: /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r "{{ ipadiscovery.realm }}"
register: iparmkeytab
# Do not fail on error codes 3 and 5:
# 3 - Unable to open keytab
# 5 - Principal name or realm not found in keytab
failed_when: iparmkeytab.rc != 0 and iparmkeytab.rc != 3 and iparmkeytab.rc != 5
when: ipaclient_use_otp | bool or ipaclient_force_join | bool
- name: Install - Join IPA
ipajoin:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
kdc: "{{ ipadiscovery.kdc }}"
basedn: "{{ ipadiscovery.basedn }}"
hostname: "{{ ipadiscovery.hostname }}"
force_join: "{{ ipaclient_force_join | default(omit) }}"
principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and ipaclient_keytab is not defined else '' }}"
password: "{{ ipaadmin_password | default(omit) }}" password: "{{ ipaadmin_password | default(omit) }}"
keytab: "{{ ipaadmin_keytab | default(omit) }}" keytab: "{{ ipaclient_keytab | default(omit) }}"
fqdn: "{{ ansible_fqdn }}" #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
lifetime: "{{ ipaclient_lifetime | default(omit) }}" kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
random: True register: ipajoin
register: ipahost_output when: not ipatest.krb5_keytab_ok or ipaclient_force_join
# If the host is already enrolled, this command will exit on error
# The error can be ignored - block:
failed_when: ipahost_output|failed and "Password cannot be set on enrolled host" not in ipahost_output.msg - name: Install - End playbook processing
delegate_to: "{{ ipadiscovery.servers[0] }}" file:
path: "/etc/ipa/.dns_ccache"
- name: Install - Store the previously obtained OTP state: absent
no_log: yes - meta: end_play
set_fact: when: not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)
ipaadmin_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"
- name: Install - Configure IPA default.conf
when: ipaclient_use_otp | bool include_role:
name: ipaconf
- name: Install - Check if principal and keytab are set vars:
fail: msg="Principal and keytab cannot be used together" ipaconf_server: "{{ ipadiscovery.servers[0] }}"
when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != "" ipaconf_domain: "{{ ipadiscovery.domain }}"
ipaconf_realm: "{{ ipadiscovery.realm }}"
- name: Install - Check if one of password and keytab are set ipaconf_hostname: "{{ ipadiscovery.hostname }}"
fail: msg="At least one of password or keytab must be specified" ipaconf_basedn: "{{ ipadiscovery.basedn }}"
when: not ipatest.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")
- name: Install - Configure SSSD
- name: Install - Purge {{ ipadiscovery.realm }} from host keytab ipasssd:
command: /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r "{{ ipadiscovery.realm }}" servers: "{{ ipadiscovery.servers }}"
register: iparmkeytab domain: "{{ ipadiscovery.domain }}"
# Do not fail on error codes 3 and 5: realm: "{{ ipadiscovery.realm }}"
# 3 - Unable to open keytab hostname: "{{ ipadiscovery.hostname }}"
# 5 - Principal name or realm not found in keytab services: ["ssh", "sudo"]
failed_when: iparmkeytab.rc != 0 and iparmkeytab.rc != 3 and iparmkeytab.rc != 5 krb5_offline_passwords: yes
when: ipaclient_use_otp | bool or ipaclient_force_join | bool #on_master: no
#primary: no
- name: Install - Join IPA #permit: no
ipajoin: #dns_updates: no
servers: "{{ ipadiscovery.servers }}" #all_ip_addresses: no
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}" - name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} <= 4.4"
kdc: "{{ ipadiscovery.kdc }}" include_role:
basedn: "{{ ipadiscovery.basedn }}" name: krb5
hostname: "{{ ipadiscovery.hostname }}" vars:
force_join: "{{ ipaclient_force_join | default(omit) }}" krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and ipaclient_keytab is not defined else '' }}" krb5_realm: "{{ ipadiscovery.realm }}"
password: "{{ ipaadmin_password | default(omit) }}" krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
keytab: "{{ ipaclient_keytab | default(omit) }}" krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
#ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}" krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}" krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
register: ipajoin when: ipadiscovery.ipa_python_version <= 40400
when: not ipatest.krb5_keytab_ok or ipaclient_force_join
- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
include_role:
name: krb5
vars:
krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
krb5_realm: "{{ ipadiscovery.realm }}"
krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
krb5_dns_canonicalize_hostname: "false"
krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/pki-ca-bundle.pem"
when: ipadiscovery.ipa_python_version > 40400
- name: Install - IPA API calls for remaining enrollment parts
ipaapi:
servers: "{{ ipadiscovery.servers }}"
realm: "{{ ipadiscovery.realm }}"
hostname: "{{ ipadiscovery.hostname }}"
#debug: yes
register: ipaapi
- block: - name: Install - Create IPA NSS database
- name: Install - Cleanup ccache, end playbook processing ipanss:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
basedn: "{{ ipadiscovery.basedn }}"
hostname: "{{ ipadiscovery.hostname }}"
subject_base: "{{ ipaapi.subject_base }}"
principal: "{{ ipaadmin_principal | default(omit) }}"
mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
#on_master: no
- name: Install - IPA extras configuration
ipaextras:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
ntp_servers: "{{ ipadiscovery.ntp_servers }}"
ntp: "{{ ipaclient_ntp | default(omit) }}"
#force_ntpd: no
#sssd: yes
#ssh: yes
#trust_sshfp: yes
#sshd: yes
#automount_location:
#firefox: no
#firefox_dir:
#no_nisdomain: no
#nisdomain:
#on_master: no
always:
- name: Cleanup leftover ccache
file: file:
path: "/etc/ipa/.dns_ccache" path: "/etc/ipa/.dns_ccache"
state: absent state: absent
- meta: end_play
when: not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)
- name: Install - Configure IPA default.conf
include_role:
name: ipaconf
vars:
ipaconf_server: "{{ ipadiscovery.servers[0] }}"
ipaconf_domain: "{{ ipadiscovery.domain }}"
ipaconf_realm: "{{ ipadiscovery.realm }}"
ipaconf_hostname: "{{ ipadiscovery.hostname }}"
ipaconf_basedn: "{{ ipadiscovery.basedn }}"
- name: Install - Configure SSSD
ipasssd:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
hostname: "{{ ipadiscovery.hostname }}"
services: ["ssh", "sudo"]
krb5_offline_passwords: yes
#on_master: no
#primary: no
#permit: no
#dns_updates: no
#all_ip_addresses: no
- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} <= 4.4"
include_role:
name: krb5
vars:
krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
krb5_realm: "{{ ipadiscovery.realm }}"
krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
when: ipadiscovery.ipa_python_version <= 40400
- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
include_role:
name: krb5
vars:
krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
krb5_realm: "{{ ipadiscovery.realm }}"
krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
krb5_dns_canonicalize_hostname: "false"
krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/pki-ca-bundle.pem"
when: ipadiscovery.ipa_python_version > 40400
- name: Install - IPA API calls for remaining enrollment parts
ipaapi:
servers: "{{ ipadiscovery.servers }}"
realm: "{{ ipadiscovery.realm }}"
hostname: "{{ ipadiscovery.hostname }}"
#debug: yes
register: ipaapi
- name: Install - Create IPA NSS database
ipanss:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
basedn: "{{ ipadiscovery.basedn }}"
hostname: "{{ ipadiscovery.hostname }}"
subject_base: "{{ ipaapi.subject_base }}"
principal: "{{ ipaadmin_principal | default(omit) }}"
mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
#on_master: no
- name: Install - IPA extras configuration
ipaextras:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
ntp_servers: "{{ ipadiscovery.ntp_servers }}"
ntp: "{{ ipaclient_ntp | default(omit) }}"
#force_ntpd: no
#sssd: yes
#ssh: yes
#trust_sshfp: yes
#sshd: yes
#automount_location:
#firefox: no
#firefox_dir:
#no_nisdomain: no
#nisdomain:
#on_master: no
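Review bot: The explicit removal of `/etc/ipa/.dns_ccache` that still precedes `- meta: end_play` in the inner "End playbook processing" block now looks redundant next to the new `always:` cleanup, and a later maintainer may delete it; if it is kept deliberately because `always:` is not guaranteed to run when `meta: end_play` ends the play from inside a block (behaviour that appears to vary between Ansible versions — verify against the supported versions), that reason should be written down. A comment such as `# Keep this cleanup: the always clause below may be skipped when end_play stops the play here` above the inner `file:` task would make the intent clear. The `always:` task is also the only task in the file without the "Install - " name prefix; renaming it to `Install - Cleanup leftover ccache` keeps task naming consistent with the two other cleanup tasks. Since the same ccache path is now spelled out three times, a single role variable for it would reduce the chance that one copy drifts.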