ipaclient: ipaclient_fix_ca also needs krb_name parameter

With the fix to defer creating the final krb5.conf on clients a bug has been introduced with ipaclient_fix_ca: The krb_name parameter that points to the temporary krb5 configuration was not added to the module Without this the server affinity is broken for allow_repair and additionally ipaclient_fix_ca could fail if krb5 configuration needs to be repraied and also CA needs to be fixed. The krb_name parameter has been added to ipaclient_fix_ca and is also properly set in tasks/install.yml.
2026-05-06 13:23:14 +00:00 · 2023-03-24 12:40:32 +01:00
parent 0ec89eb53c
commit 10d072a8c4
2 changed files with 9 additions and 0 deletions
--- a/roles/ipaclient/library/ipaclient_fix_ca.py
+++ b/roles/ipaclient/library/ipaclient_fix_ca.py
@@ -54,6 +54,10 @@ options:
      the host entry will not be changed on the server
    type: bool
    required: yes
+  krb_name:
+    description: The krb5 config file name
+    type: str
+    required: yes
 author:
    - Thomas Woerner (@t-woerner)
 '''
@@ -65,6 +69,7 @@ EXAMPLES = '''
    realm: EXAMPLE.COM
    basedn: dc=example,dc=com
    allow_repair: yes
+    krb_name: /tmp/tmpkrb5.conf
 '''

 RETURN = '''
@@ -87,6 +92,7 @@ def main():
            realm=dict(required=True, type='str'),
            basedn=dict(required=True, type='str'),
            allow_repair=dict(required=True, type='bool'),
+            krb_name=dict(required=True, type='str'),
        ),
    )

@@ -98,6 +104,8 @@ def main():
    realm = module.params.get('realm')
    basedn = module.params.get('basedn')
    allow_repair = module.params.get('allow_repair')
+    krb_name = module.params.get('krb_name')
+    os.environ['KRB5_CONFIG'] = krb_name

    env = {'PATH': SECURE_PATH}
    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -346,6 +346,7 @@
        realm: "{{ result_ipaclient_test.realm }}"
        basedn: "{{ result_ipaclient_test.basedn }}"
        allow_repair: "{{ ipaclient_allow_repair }}"
+        krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}"
      when: not ipaclient_on_master | bool and
            result_ipaclient_test_keytab.krb5_keytab_ok and
            not result_ipaclient_test_keytab.ca_crt_exists