- Feb 01, 2018
-
-
Thomas Woerner authored
-
- Dec 06, 2017
-
-
Thomas Woerner authored
Attempt to sync time if on_master is not set and no_ntp is not set: At first with given or discovered time servers. If no ntp servers have been given or discovered, then with the ipa server.

New parameters:

    on_master:
      description: IPA client installation on IPA server
      required: false
      default: false
      type: bool
      default: no
    ntp_servers:
      description: List of NTP servers to use
      required: false
      type: list
      default: []
    no_ntp:
      description: Do not sync time and do not detect time servers
      required: false
      default: false
      type: bool
      default: no

The ntp_servers output parameter is now always an empty list if on_master or no_ntp is set.
-
Thomas Woerner authored
-
- Nov 09, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
With ansible 2.3.1 it is possible to have one place as an additional utils module to do all the needed steps to be able to generate the environment for new and older ipa versions. The library modules are now a lot smaller. The minimal ansible version has been increased to 2.3.1. In the future it might now also be possible to have a special ansible_ipa_client version for ipa < 4.4 in this utils module.
-
- Oct 17, 2017
-
-
Florence Blanc-Renaud authored
The module had unused imports preventing execution with an IPA 4.4 server. The commit removes unneeded imports, and adds documentation details.
-
- Oct 13, 2017
-
-
Thomas Woerner authored
If the client name is not resolvable, the call of client_dns will internally result in a logger.error call for the failed update of the DNS records. The call to standard_logging_setup is fixing the behaviour to be more like a debug call.
-
- Oct 12, 2017
-
-
Florence Blanc-Renaud authored
Currently ipaclient role is using the module ipaclient only for uninstallation, and this module contains a lot of unused code. It is simpler to directly call the command-line ipa-client-install --uninstall -U and remove the ipaclient module.
-
- Oct 11, 2017
-
-
Florence Blanc-Renaud authored
-
- Oct 05, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
The principal is not used and needed in the module, therefore it got removed.
-
- Oct 04, 2017
-
-
Thomas Woerner authored
This is done right ipanss is used as this is failing without the ca.crt file.
-
Thomas Woerner authored
The first validation test of the krb5.keytab is now done using the system krb5.conf file. If this test failed, then the validation will be done with the temporary krb5.conf file. An additional IPA test has been added. For now this is "ipa ping" as there seems not to be a more comprehensive validation test for proper IPA configuration.
-
Thomas Woerner authored
-
Thomas Woerner authored
create_db is requiring an additional argument for IPA version 4.4.4 still.
-
- Oct 02, 2017
-
-
Thomas Woerner authored
-
Thomas Woerner authored
This will provide information if the ca.crt file exists. This will be needed to be able to decide what needs to be fixed later on.
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
- Sep 25, 2017
-
-
Thomas Woerner authored
ipajoin is not called always and therefore we can not depend on the subject base gathered from the certificate output of the join call.
-
Thomas Woerner authored
The subject base generated in discovery is only a guess and might have been changed by the admin at installation process. Therefore it is needed to get this from the server - done in ipaapi as we are authenticated there already to use the api.
-
Thomas Woerner authored
The subject base generated in discovery is only a guess and might have been changed by the admin at installation process. Therefore it is needed to get this from the server. subject_base has been added as a new return value. Use subject base from ipaapi in roles/ipaclient/tasks/install.yml instead of guessed value from ipadiscovery.
-
- Sep 21, 2017
-
-
Thomas Woerner authored
It is not possible to restore a missing krb5.keytab using the admin credential. Therefore the only way is to fail in this case.
-
- Sep 19, 2017
-
-
Thomas Woerner authored
-
- Sep 18, 2017
-
-
Thomas Woerner authored
The changed tag is only set if changes have been done with the join. already_joined is set if the ipa-join command is failing with error 13 (already joined). The module is not calling fail_json in this case anymore.
-
Thomas Woerner authored
-
Thomas Woerner authored
mutually_exclusive and required_one_of are only able to check if the parameters are defined, but not if they are set to "".
-
Thomas Woerner authored
Test if the krb5.keytab on the machine is valid and can be used.

    options:
      servers:
        description: The FQDN of the IPA servers to connect to.
        required: true
      domain:
        description: The primary DNS domain of an existing IPA deployment.
        required: true
      realm:
        description: The Kerberos realm of an existing IPA deployment.
        required: true
      hostname:
        description: The hostname of the machine to join (FQDN).
        required: true
      kdc:
        description: The name or address of the host running the KDC.
        required: true
      principal:
        description: The authorized kerberos principal used to join the IPA realm.
        required: false
      kinit_attempts:
        description: Repeat the request for host Kerberos ticket X times.
        required: false
        default: 5
    returns:
      krb5_keytab_ok:
        description: The flag describes if krb5.keytab on the host is usable.
        returned: always
        type: bool
-
- Sep 15, 2017
-
-
Thomas Woerner authored
With otp usage the user supplied principal may not be used for join.
-
Florence Blanc-Renaud authored
When ipahost is run to generate an OTP and the host is already existing, the OTP is properly generated but ipa-join will fail if the host is already enrolled (i.e. when it has a keytab). Add a step calling ipa host-disable to erase OTP and keytab before requesting an OTP.
-
Thomas Woerner authored
Also: Add ipaclient_kinit_attempts default value to roles/ipaclient/defaults/main.yml
-
Thomas Woerner authored
The one_of check was using a tuple instead of a list, the check for principal or keytab has been removed, a new mutually exclusive check for password xor keytab has been added.
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-
Thomas Woerner authored
-