These roles will most likely not work in the common case. Therefore the roles
have been renamed.

The ipa-krpb5 role is used by ipcalient, but the ipa-sssd role is currently
not used.

The paths.GETENT compat check was using "KDESTROY" instead of "GETENT".

The python3 bindings should be required and not the python2 bindings as a
default.

As the action plugin is used with the default python interpreter and
the change to python3 for FreeIPA, the use of OTP was not working anymore.

The ansible_python_interpreter is not automatically used for the module
part of the action plugin. Therefore ansible_python_interpreter needed to
be added to the action plugin call as a new var to make sure that the
module part is used with the proper python version.

Also a new import for the Python2/3 import test has been added to discover
of the server is supporting python2 or python3. The old
ansible_python_interpreter setting is saved before doing this and restored
after the one-time password has been generated on the server.

With IPA 4.7 bigger changes have been introduced

Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- A new option ntp_pool has been introduced.

With 4.6.90 pre versions have been introduced. The version parsing in
ipa_facts broke with this as it did not know about pre versions so far.

paths.KDESTROY instead of "kdestroy" and paths.GETENT instead of "getent"

Affected modules:
  roles/ipaclient/library/ipahost.py
  roles/ipaclient/library/ipajoin.py
  roles/ipaclient/library/ipanss.py

The directories library and action_plugins do only contain ipaclient specific
modules and plugins. Therefore these directories should be located in the
ipaclient role directory.

krb5 DNS discovery was not possible in cluster environments as the server
list from groups.ipaserver was used all the time. DNS discovery is though
only used if no servers are given.

The new setting ipaclient_no_dns_lookup has been added to make sure that
DNS lookup is used in the first place and can be disabled easily with this
setting. There is also a new way to override servers per client in the
inventory file with ipaclient_servers.

Two new settings have been added:

ipaclient_no_dns_lookup (bool, default: no)
  Set to 'yes' to use groups.ipaserver in cluster environments as servers
  for the clients. This deactivates DNS lookup in krb5.

ipaclient_servers (list of strings, default: undefined)
  Manually override list of servers for example in a cluster environment on
  a per client basis. The list of servers is normally taken from from
  groups.ipaserver in cluster environments.

The krb5 DNS lookup settings krb5_dns_lookup_realm and krb5_dns_lookup_kdc
ans also the servers have not been set properly set if no server has been
specified and discovery succeeded. This has been fixed.

This fixes issue #23.

- Do not register a change in the playbook run when registering the
  variable checking for whether or not Python 3 imports work

Signed-off-by: Kellin <kellin@retromud.org>

The client role is used also while installing the server. There has been an
issue where the server installation has not been complete because of a
playbook termination in the client.

This has been fixed and the client and also the server are fully configured
in the server installation.

The relative import of the distribution specific vars files requires to use
is not working. {{ role_path }} needs to be used to force the load of the
proper files.

The server role has different setting names:

- groups.ipaserver: groups.ipaservers
- ipaserver_domain: ipaclient_domain
- ipaserver_realm: ipaclient_realm

Both need to be supported to be able to sue the client role within the server
role, but also standalone.

Attempt to sync time if on_master is not set and no_ntp is not set: At
first with given or dicovered time servers. If no ntp servers have been
given or discovered, then with the ipa server.

New parameters:
  on_master:
    description: IPA client installation on IPA server
    required: false
    default: false
    type: bool
    default: no
  ntp_servers:
    description: List of NTP servers to use
    required: false
    type: list
    default: []
  no_ntp:
    description: Do not sync time and do not detect time servers
    required: false
    default: false
    type: bool
    default: no

The ntp_servers output parameter is now always an empty list if on_master
or no_ntp is set.

This is needed to be able to use ipaclient role in the server role

ipaclient_hostname needs to be specified in the inventory file for the hosts
where the name needs to get changed.

Example:
192.168.1.1 ipaclient_hostname=ipaclient1.mine.local

The option should not be specified in [ipaclients:vars] as all hosts would
get the same name.

With ansible 2.3.1 it is possible to have one place as an additional utils
module to do all the needed steps to be able to generate the environment for
new and older ipa versions.

The library modules are now a lot smaller.

The minimal ansible version has been increased to 2.3.1.

In the future it might now also be possible to have a special
ansible_ipa_client version for ipa < 4.4 in this utils module.

The failed test result in ipahost will not be seen because of the no_log
setting to hide the generated password.

The use of ansible_fqdn could result in a failure if DNS hostname and IP
do not match.

The additional client test is needed to make sure that the client is
installed for python3 usage. The ipalib test has not been sufficient.

Currently ipaclient role is using the module ipaclient only for uninstallation,
and this module contains a lot of unused code.
It is simpler to directly call the command-line
   ipa-client-install --uninstall -U
and remove the ipaclient module.

When the client already has a working keytab, use_otp is disabled. This creates
an issue when ipaclient_force_join is set, because the join module is called
with ipaadmin_principal and ipaadmin_password, but these variables may be
undefined if ipaadmin_keytab is used instead.
We should not disable OTP when force-join is specified.

With the test it is not needed to pin down the python interpreter for ansible
modules. It is therefore possible to use a Python2 version on Fedora-27 and
a Python3 version on Fedora-26.

In the client krb5.conf setup, a pkinit_anchors entry
was being added for pki-ca-bundle.  This should instead
be kdc-ca-bundle.

Signed-off-by: Scott Poore <spoore@redhat.com>

The principal is not used and needed in the module, therefore it got removed.

This is done right ipanss is used as this is failing without the ca.crt file.

The new results from ipatest (krb5_conf_ok and ipa_test_ok) are now used for
additional fails to suggest to enable allow_repair.

The playbook is not ended anymore if ipajoin changed something.

The rename was needed to be able to have more than one package in the list
of required packages.

For RHEL-7.3 it has been needed to add ipa-admintools to have /usr/bin/ipa
available. libselinux-python has been added for all.

Add big block has been added that contains all steps where the ccache is
created an used. With the block it is possible to add an always clause to
remove the ccachae also in the error case. The cleanup of the ccache is
also done in the beginning to make sure that no ccache leftover will be
used.