- Sep 19, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
- Sep 18, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
When allow_repair is enabled, then the playbook will continue for an already joined host. The remaining steps ipaconf, ipasssd, krb5, ipaapi, ipanss and ipaextras will be redone. If allow_repair is disabled, then the meta module will be used with the end_play option to stop the processing of the playbook without an error.
-
Thomas Woerner authored
If a working krb5.keytab has been detected on the host then use_otp will be disabled and join will not be called. This is done to preserve the keytab entry in the host entry on the server. Enforcing the creation of a one-time-password will result in a host-disable call for the host entry. This will remove an existing keytab and password from the entry.
-
Thomas Woerner authored
-
- Sep 15, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
The use of ipaclient_keytab for ipahost is not correct as the admin keytab needs to be used here.
-
Thomas Woerner authored
For force_join it is also needed to purge the realm information from the keytab, otherwise new entries will be added with every join.
-
Thomas Woerner authored
If an otp has been generated it is needed to purge the realm from an existing host keytab. If there is no host keytab or if the keytab is not containing information about the realm, ipa-rmkeytab will fail and these two errors are ignored.
-
Thomas Woerner authored
-
Thomas Woerner authored
With otp usage the user supplied principal may not be used for join.
-
Thomas Woerner authored
-
Thomas Woerner authored
If use_otp is not enabled, then the principal will be set to "admin" after the discovery has been done. If use_otp is enabled, then the principal will be set to "admin" after the join has been done - as admin will not match with the otp.
-
Thomas Woerner authored
-
Thomas Woerner authored
The use of otp can be forced to not transfer the admin password while setting up the ipa client. Only the one-time-password will be transferred to the client machine. ipaclient_password will be overwritten by the otp password.
-
Thomas Woerner authored
Also: Add ipaclient_kinit_attempts default value to roles/ipaclient/defaults/main.yml
-
Thomas Woerner authored
-
Thomas Woerner authored
New variables have been added (undefined by default): krb5_dns_canonicalize_hostname, krb5_pkinit_anchors, krb5_pkinit_pool. These are set according to the ipa version requirements. See roles/ipaclient/tasks/install.yml
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
- Aug 31, 2017
-
-
Thomas Woerner authored
- Backup ipa default conf - Backup krb5.conf
-
Thomas Woerner authored
This is needed to be able to use defined and undefined checks.
-
Thomas Woerner authored
-
- Aug 30, 2017
-
-
Thomas Woerner authored
The sssd role has been deactivated in favor of the new sssd module, because the module is able to adapt an existing configuration.
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
- Aug 24, 2017
-
-
Thomas Woerner authored
Documentation for domain, principal, keytab, ca_cert_file and kinit_attempts has been added. ca_certs_file has been renamed to ca_cert_file as it is used in ipa-client-install.
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
The module is doing the important part of the code in ipa-client-install to be able to use ipa-join on the client. get_ca_certs* from client.py are used as a temporary solution.
-
Thomas Woerner authored
IPA client imports are needed for discovery
-
Thomas Woerner authored
-
- Aug 23, 2017
-
-
Thomas Woerner authored
The module is doing the same discovery that ipa-client-install is doing internally. The results are saved into a structure named ipadiscovery for the ansible module. The discovery module is needed to be able to not depend on the definition of the ipaservers group for example to get otp passwords, to be able to join and to configure sssd and other services correctly.
-
Thomas Woerner authored
More than one server could be specified
-