roles/krb5: Compatibility for ipa 4.4 and later

New variables have been added (undefined by default): krb5_dns_canonicalize_hostname krb5_pkinit_anchors krb5_pkinit_pool These are set according to the ipa version requirements. See roles/ipaclient/tasks/install.yml
2026-05-14 21:42:17 +00:00 · 2017-09-14 14:02:16 +02:00
parent a5fb29566f
commit 0b4aec7b6a
4 changed files with 28 additions and 9 deletions
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -81,7 +81,7 @@
    #dns_updates: no
    #all_ip_addresses: no

- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }}"
+- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} <= 4.4"
  include_role:
    name: krb5
  vars:
@@ -90,6 +90,22 @@
    krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
    krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
    krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
+    krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
+  when: ipadiscovery.ipa_python_version <= 40400
+
+- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
+  include_role:
+    name: krb5
+  vars:
+    krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
+    krb5_realm: "{{ ipadiscovery.realm }}"
+    krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+    krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
+    krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
+    krb5_dns_canonicalize_hostname: "false"
+    krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
+    krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/pki-ca-bundle.pem"
+  when: ipadiscovery.ipa_python_version > 40400

 - name: Install - IPA API calls for remaining enrollment parts
  ipaapi: