- Oct 10, 2017
-
-
Thomas Woerner authored
With the test it is not needed to pin down the python interpreter for ansible modules. It is therefore possible to use a Python2 version on Fedora-27 and a Python3 version on Fedora-26.
-
- Oct 06, 2017
-
-
Thomas Woerner authored
change pkinit_anchors to kdc-ca-bundle
-
- Oct 05, 2017
-
-
Scott Poore authored
In the client krb5.conf setup, a pkinit_anchors entry was being added for pki-ca-bundle. This should instead be kdc-ca-bundle.
Signed-off-by: Scott Poore <spoore@redhat.com>
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
The principal is not used and needed in the module, therefore it got removed.
-
- Oct 04, 2017
-
-
Thomas Woerner authored
This is done right ipanss is used as this is failing without the ca.crt file.
-
Thomas Woerner authored
-
Thomas Woerner authored
The new results from ipatest (krb5_conf_ok and ipa_test_ok) are now used for additional fails to suggest to enable allow_repair. The playbook is not ended anymore if ipajoin changed something.
-
Thomas Woerner authored
-
Thomas Woerner authored
The rename was needed to be able to have more than one package in the list of required packages. For RHEL-7.3 it has been needed to add ipa-admintools to have /usr/bin/ipa available. libselinux-python has been added for all.
-
Thomas Woerner authored
The first validation test of the krb5.keytab is now done using the system krb5.conf file. If this test failed, then the validation will be done with the temporary krb5.conf file. An additional IPA test has been added. For now this is "ipa ping" as there seems not to be a more comprehensive validation test for proper IPA configuration.
-
Thomas Woerner authored
-
Thomas Woerner authored
create_db is requiring an additional argument for IPA version 4.4.4 still.
-
- Oct 02, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
This will provide information if the ca.crt file exists. This will be needed to be able to decide what needs to be fixed later on.
-
Thomas Woerner authored
-
Thomas Woerner authored
A big block has been added that contains all steps where the ccache is created and used. With the block it is possible to add an always clause to remove the ccache also in the error case. The cleanup of the ccache is also done in the beginning to make sure that no ccache leftover will be used.
-
Thomas Woerner authored
Add configuration for F-26, F-27 and RHEL-7 to be Python2 based
-
Thomas Woerner authored
-
Thomas Woerner authored
-
- Sep 25, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
ipajoin is not called always and therefore we cannot depend on the subject base gathered from the certificate output of the join call.
-
Thomas Woerner authored
The subject base generated in discovery is only a guess and might have been changed by the admin at installation process. Therefore it is needed to get this from the server - done in ipaapi as we are authenticated there already to use the api.
-
Thomas Woerner authored
The subject base generated in discovery is only a guess and might have been changed by the admin at installation process. Therefore it is needed to get this from the server. subject_base has been added as a new return value. Use subject base from ipaapi in roles/ipaclient/tasks/install.yml instead of guessed value from ipadiscovery.
-
- Sep 21, 2017
-
-
Thomas Woerner authored
It is not possible to restore a missing krb5.keytab using the admin credential. Therefore the only way is to fail in this case.
-
- Sep 19, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
This has been done to make clear that these are admin settings and to make these settings consistent to ipaadmin_keytab.
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
- Sep 18, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
When allow_repair is enabled, then the playbook will continue for an already joined host. The remaining steps ipaconf, ipasssd, krb5, ipaapi, ipanss and ipaextras will be redone. If allow_repair is disabled, then the meta module will be used with the end_play option to stop the processing of the playbook without an error.
-
Thomas Woerner authored
If a working krb5.keytab has been detected on the host then use_otp will be disabled and join will not be called. This is done to preserve the keytab entry in the host entry on the server. Enforcing the creation of a one-time-password will result in a host-disable call for the host entry. This will remove an existing keytab and password from the entry.
-
Thomas Woerner authored
The changed tag is only set if changes have been done with the join. already_joined is set if the ipa-join command is failing with error 13 (already joined). The module is not calling fail_json in this case anymore.
-
Thomas Woerner authored
-