Sep 18, 2017
Thomas Woerner authored
Thomas Woerner authored
mutually_exclusive and required_one_of are only able to check if the parameters are defined, but not if they are set to "".
Thomas Woerner authored
Test if the krb5.keytab on the machine is valid and can be used.

options:
  servers:
    description: The FQDN of the IPA servers to connect to.
    required: true
  domain:
    description: The primary DNS domain of an existing IPA deployment.
    required: true
  realm:
    description: The Kerberos realm of an existing IPA deployment.
    required: true
  hostname:
    description: The hostname of the machine to join (FQDN).
    required: true
  kdc:
    description: The name or address of the host running the KDC.
    required: true
  principal:
    description: The authorized kerberos principal used to join the IPA realm.
    required: false
  kinit_attempts:
    description: Repeat the request for host Kerberos ticket X times.
    required: false
    default: 5

returns:
  krb5_keytab_ok:
    description: The flag describes if krb5.keytab on the host is usable.
    returned: always
    type: bool
Sep 15, 2017
Thomas Woerner authored
Thomas Woerner authored
The use of ipaclient_keytab for ipahost is not correct as the admin keytab needs to be used here.
Thomas Woerner authored
For force_join it is also needed to purge the realm information from the keytab, otherwise new entries will be added with every join.
Thomas Woerner authored
If an otp has been generated it is needed to purge the realm from an existing host keytab. If there is no host keytab or if the keytab does not contain information about the realm, ipa-rmkeytab will fail and these two errors are ignored.
Thomas Woerner authored
Thomas Woerner authored
Thomas Woerner authored
With otp usage the user supplied principal may not be used for join.
Florence Blanc-Renaud authored
When ipahost is run to generate an OTP and the host already exists, the OTP is properly generated but ipa-join will fail if the host is already enrolled (i.e. when it has a keytab). Add a step calling ipa host-disable to erase OTP and keytab before requesting an OTP.
Thomas Woerner authored
Thomas Woerner authored
If use_otp is not enabled, then the principal will be set to "admin" after the discovery has been done. If use_otp is enabled, then the principal will be set to "admin" after the join has been done, as admin will not match with the otp.
Thomas Woerner authored
Thomas Woerner authored
The use of otp can be forced to not transfer the admin password while setting up the ipa client. Only the one-time password will be transferred to the client machine. ipaclient_password will be overwritten by the otp password.
Thomas Woerner authored
Also: Add ipaclient_kinit_attempts default value to roles/ipaclient/defaults/main.yml
Thomas Woerner authored
The one_of check was using a tuple instead of a list, the check for principal or keytab has been removed, a new mutually exclusive check for password xor keytab has been added.
Thomas Woerner authored
Thomas Woerner authored
Thomas Woerner authored
Thomas Woerner authored
Thomas Woerner authored
Thomas Woerner authored
Thomas Woerner authored
New variables have been added (undefined by default):
  krb5_dns_canonicalize_hostname
  krb5_pkinit_anchors
  krb5_pkinit_pool
These are set according to the ipa version requirements. See roles/ipaclient/tasks/install.yml
Thomas Woerner authored
For ipa versions prior to 4.5 it is needed to use the ipa-client-install script as a source for functions. But the script contains a global finally clause in which the generated ccache file gets removed. Therefore the script is temporarily copied to ipa_client_install.py and the global finally clause gets removed from the copy. All this is done in a temporary directory, which gets removed right after the import has been done.
Thomas Woerner authored
Thomas Woerner authored
For ipa versions prior to 4.5 it is needed to use the ipa-client-install script as a source for functions. But the script contains a global finally clause in which the generated ccache file gets removed. Therefore the script is temporarily copied to ipa_client_install.py and the global finally clause gets removed from the copy. All this is done in a temporary directory, which gets removed right after the import has been done. An object called options is generated, as ipa-client-install and also the ipaclient/install/client.py functions are using this object. inspect.argspec is used on configure_krb5_conf to find out if the function requires configure_sssd as an optional argument or in the options object.
Thomas Woerner authored
Thomas Woerner authored
freeipa 4.4 is the first version that supports all needed functions. Therefore a check has been added to make sure that ipadiscovery fails for versions before 4.4. The python bindings of ipa versions before 4.6 have a different structure.
Thomas Woerner authored
ipa_python_version is the version gathered from ipapython.version.NUM_VERSION. For ipa versions before 3.2.1, the version is generated from ipapython.version.VERSION because NUM_VERSION changed the format two times before 3.2.1.
Thomas Woerner authored
Thomas Woerner authored
The discovery was not working if a server has been specified. The domain was additionally needed. The domain is now gathered from the server name if it is missing in this case.
Thomas Woerner authored
Aug 31, 2017
Thomas Woerner authored
- Backup ipa default conf
- Backup krb5.conf
Thomas Woerner authored
This is needed to be able to use defined and undefined checks.
Thomas Woerner authored
Thomas Woerner authored
Thomas Woerner authored
Aug 30, 2017
Thomas Woerner authored
Thomas Woerner authored