- Sep 21, 2017
-
-
Thomas Woerner authored
It is not possible to restore a missing krb5.keytab using the admin credential. Therefore the only way is to fail in this case.
-
- Sep 19, 2017
-
-
Thomas Woerner authored
-
- Sep 18, 2017
-
-
Thomas Woerner authored
The changed tag is only set if changes have been done with the join. already_joined is set if the ipa-join command is failing with error 13 (already joined). The module is not calling fail_json in this case anymore.
-
Thomas Woerner authored
-
Thomas Woerner authored
mutually_exclusive and required_one_of are only able to check if the parameters are defined, but not if they are set to "".
-
Thomas Woerner authored
Test if the krb5.keytab on the machine is valid and can be used.
options:
  servers:
    description: The FQDN of the IPA servers to connect to.
    required: true
  domain:
    description: The primary DNS domain of an existing IPA deployment.
    required: true
  realm:
    description: The Kerberos realm of an existing IPA deployment.
    required: true
  hostname:
    description: The hostname of the machine to join (FQDN).
    required: true
  kdc:
    description: The name or address of the host running the KDC.
    required: true
  principal:
    description: The authorized kerberos principal used to join the IPA realm.
    required: false
  kinit_attempts:
    description: Repeat the request for host Kerberos ticket X times.
    required: false
    default: 5
returns:
  krb5_keytab_ok:
    description: The flag describes if krb5.keytab on the host is usable.
    returned: always
    type: bool
-
- Sep 15, 2017
-
-
Thomas Woerner authored
With otp usage the user supplied principal may not be used for join.
-
Florence Blanc-Renaud authored
When ipahost is run to generate an OTP and the host is already existing, the OTP is properly generated but ipa-join will fail if the host is already enrolled (i.e. when it has a keytab). Add a step calling ipa host-disable to erase OTP and keytab before requesting an OTP.
-
Thomas Woerner authored
Also: Add ipaclient_kinit_attempts default value to roles/ipaclient/defaults/main.yml
-
Thomas Woerner authored
The one_of check was using a tuple instead of a list, the check for principal or keytab has been removed, a new mutually exclusive check for password xor keytab has been added.
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
For ipa versions prior to 4.5 it is needed to use ipa-client-install script as a source for functions. But the script contains a global finally clause in which the generated ccache file gets removed. Therefore the script is temporarily copied to ipa_client_install.py and the global finally clause gets removed from the copy. All this is done in a temporary directory, which gets removed right after the import has been done.
-
Thomas Woerner authored
-
Thomas Woerner authored
For ipa versions prior to 4.5 it is needed to use ipa-client-install script as a source for functions. But the script contains a global finally clause in which the generated ccache file gets removed. Therefore the script is temporarily copied to ipa_client_install.py and the global finally clause gets removed from the copy. All this is done in a temporary directory, which gets removed right after the import has been done. An object called options is generated as ipa-client-install and also ipaclient/install/client.py functions are using this object. inspect.argspec is used on configure_krb5_conf to find out if the function requires configure_sssd as an optional argument or in the options object.
-
Thomas Woerner authored
-
Thomas Woerner authored
freeipa 4.4 is the first version that supports all needed functions. Therefore a check has been added to make sure that ipadiscovery fails for versions before 4.4. The python bindings of ipa versions before 4.6 are having a different structure.
-
Thomas Woerner authored
ipa_python_version is the version gathered from ipapython.version.NUM_VERSION. For ipa versions before 3.2.1, the version is generated from ipapython.version.VERSION because NUM_VERSION changed the format two times before 3.2.1.
-
Thomas Woerner authored
-
Thomas Woerner authored
The discovery was not working if a server has been specified. The domain has been needed additionally. The domain is now gathered from the server name if it is missing in this case.
-
Thomas Woerner authored
-
- Aug 31, 2017
-
-
Thomas Woerner authored
- Backup ipa default conf
- Backup krb5.conf
-
Thomas Woerner authored
-
Thomas Woerner authored
-
- Aug 30, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
The advantage of the use of SSSDConfig is that an existing configuration could be changed and not simply overwritten.
-
Thomas Woerner authored
-
Thomas Woerner authored
New documentation for incoming and outgoing arguments. Copied check from library/ipaclient.py to do conflict checks if the check argument is set.
-
- Aug 24, 2017
-
-
Thomas Woerner authored
Documentation for domain, principal, keytab, ca_cert_file and kinit_attempts has been added. ca_certs_file has been renamed to ca_cert_file as it is used in ipa-client-install.
-
Thomas Woerner authored
The module is doing the important part of the code in ipa-client-install to be able to use ipa-join on the client. get_ca_certs* from client.py are used as a temporary solution.
-
Thomas Woerner authored
-
- Aug 23, 2017
-
-
Thomas Woerner authored
The module is doing the same discovery that ipa-client-install is doing internally. The results are saved into a structure named ipadiscovery for the ansible module. The discovery module is needed to be able to not depend on the definition of the ipaservers group for example to get otp passwords, to be able to join and to configure sssd and other services correctly.
-
Thomas Woerner authored
More than one server could be specified
-
- Aug 18, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
-