Merge branch 'master' of https://github.com/freeipa/ansible-freeipa

Change-Id: Id2a58b8ab918ecbc77a92f8ce8dd8d0531312947

roles/ipaclient/library/ipaclient_setup_nss.py

@@ -129,9 +129,6 @@ def main():
 
     fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
     statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
-    standard_logging_setup(
-        paths.IPACLIENT_INSTALL_LOG, verbose=True, debug=False,
-        filemode='a', console_format='%(message)s')
 
     os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE
     

roles/ipaclient/library/ipaclient_setup_ntp.py

@@ -115,11 +115,11 @@ def main():
     cli_domain = module.params.get('domain')
 
     options.conf_ntp = not options.no_ntp
+    options.debug = False
 
     fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
     statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
 
-    ntp_servers = [ ]
     synced_ntp = False
     if sync_time is not None:
         if options.conf_ntp:
@@ -133,40 +133,43 @@ def main():
         else:
             logger.info("Skipping chrony configuration")
 
-    elif not options.on_master and options.conf_ntp:
-        # Attempt to sync time with IPA server.
-        # If we're skipping NTP configuration, we also skip the time sync here.
-        # We assume that NTP servers are discoverable through SRV records
-        # in the DNS.
-        # If that fails, we try to sync directly with IPA server,
-        # assuming it runs NTP
-        if not options.ntp_servers:
-            # Detect NTP servers
+    else:
+        ntp_srv_servers = [ ]
+        if not options.on_master and options.conf_ntp:
+            # Attempt to sync time with IPA server.
+            # If we're skipping NTP configuration, we also skip the time sync here.
+            # We assume that NTP servers are discoverable through SRV records
+            # in the DNS.
+            # If that fails, we try to sync directly with IPA server,
+            # assuming it runs NTP
+            logger.info('Synchronizing time with KDC...')
             ds = ipadiscovery.IPADiscovery()
-            ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp',
-                                               None, break_on_first=False)
-        else:
-            ntp_servers = options.ntp_servers
+            ntp_srv_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp',
+                                                   None, break_on_first=False)
+            synced_ntp = False
+            ntp_servers = ntp_srv_servers
 
-        # Attempt to sync time:
-        # At first with given or dicovered time servers. If no ntp
-        # servers have been given or discovered, then with the ipa
-        # server.
-        module.log('Synchronizing time ...')
-        synced_ntp = False
-        # use user specified NTP servers if there are any
-        for s in ntp_servers:
-            synced_ntp = timeconf.synconce_ntp(s, False)
-            if synced_ntp:
-                break
-        if not synced_ntp and not ntp_servers:
-            synced_ntp = timeconf.synconce_ntp(cli_server[0], False)
-        if not synced_ntp:
-            module.warn("Unable to sync time with NTP server")
+            # use user specified NTP servers if there are any
+            if options.ntp_servers:
+                ntp_servers = options.ntp_servers
+
+            for s in ntp_servers:
+                synced_ntp = ntpconf.synconce_ntp(s, options.debug)
+                if synced_ntp:
+                    break
+
+            if not synced_ntp and not options.ntp_servers:
+                synced_ntp = timeconf.synconce_ntp(cli_server[0], options.debug)
+            if not synced_ntp:
+                module.warn(
+                    "Unable to sync time with NTP "
+                    "server, assuming the time is in sync. Please check "
+                    "that 123 UDP port is opened.")
+        else:
+            logger.info('Skipping synchronizing time with NTP server.')
 
     # Done
-    module.exit_json(changed=True,
-                     synced_ntp=synced_ntp)
+    module.exit_json(changed=synced_ntp)
 
 if __name__ == '__main__':
     main()

roles/ipaclient/module_utils/ansible_ipa_client.py

@@ -225,6 +225,9 @@ if NUM_VERSION >= 40400:
         sssd_enable_ifp = None
 
     logger = logging.getLogger("ipa-client-install")
+    standard_logging_setup(
+        paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=False,
+        filemode='a', console_format='%(message)s')
     root_logger = logger
 
 else:

roles/ipaclient/tasks/install.yml

@@ -35,7 +35,7 @@
     domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}"
     servers: "{{ ipaclient_servers | default(omit) }}"
     realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}"
-    hostname: "{{ ipaclient_hostname | default(ansible_fqdn) }}"
+    hostname: "{{ ipaclient_hostname | default(omit) }}"
     ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
     ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
     no_ntp: "{{ ipaclient_no_ntp }}"
@@ -53,20 +53,12 @@
     enable_dns_updates: "{{ ipassd_enable_dns_updates }}"
   register: result_ipaclient_test
 
-- meta: end_play
-  when: result_ipaclient_test.client_already_configured and not ipaclient_allow_repair | bool and not ipaclient_force_join | bool
-
-- name: Install - Set default principal if no keytab is given
-  set_fact:
-    ipaadmin_principal: admin
-  when: ipaadmin_principal is undefined and ipaclient_keytab is undefined
-
-- name: Install - Cleanup leftover ccache
-  file:
-    path: "/etc/ipa/.dns_ccache"
-    state: absent
-
 - block:
+  - name: Install - Cleanup leftover ccache
+    file:
+      path: "/etc/ipa/.dns_ccache"
+      state: absent
+
   - name: Install - Configure NTP
     ipaclient_setup_ntp:
       ### basic ###
@@ -143,6 +135,14 @@
     when: ipaclient_use_otp | bool
 
   - block:
+    # This block is executed only when
+    # not (not ipaclient_on_master | bool and
+    #      not result_ipaclient_join.changed and
+    #      not ipaclient_allow_repair | bool and
+    #      (result_ipaclient_test_keytab.krb5_keytab_ok or
+    #       (result_ipaclient_join.already_joined is defined and
+    #        result_ipaclient_join.already_joined)))
+
     - name: Install - Check if principal and keytab are set
       fail: msg="Principal and keytab cannot be used together"
       when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != ""
@@ -166,8 +166,8 @@
 
   - name: Install - Backup and set hostname
     ipaclient_set_hostname:
-      hostname: "{{ result_ipaclient_test.hostname }}"
-    when: not ipaclient_on_master | bool
+      hostname: "{{ ipaclient_hostname }}"
+    when: not ipaclient_on_master | bool and ipaclient_hostname is defined
 
   - name: Install - Join IPA
     ipaclient_join:
@@ -187,10 +187,6 @@
     when: not ipaclient_on_master | bool and (not result_ipaclient_test_keytab.krb5_keytab_ok or ipaclient_force_join)
 
   - block:
-    - name: Install - End playbook processing
-      file:
-        path: "/etc/ipa/.dns_ccache"
-        state: absent
     - fail:
         msg: "The krb5 configuration is not correct, please enable allow_repair to fix this."
       when: not result_ipaclient_test_keytab.krb5_conf_ok
@@ -200,104 +196,106 @@
     - fail:
         msg: "The ca.crt file is missing, please enable allow_repair to fix this."
       when: not result_ipaclient_test_keytab.ca_crt_exists
-    - meta: end_play
     when: not ipaclient_on_master | bool and not result_ipaclient_join.changed and not ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined))
 
-  - name: Install - Configure IPA default.conf
-    ipaclient_ipa_conf:
-      servers: "{{ result_ipaclient_test.servers }}"
-      domain: "{{ result_ipaclient_test.domain }}"
-      realm: "{{ result_ipaclient_test.realm }}"
-      hostname: "{{ result_ipaclient_test.hostname }}"
-      basedn: "{{ result_ipaclient_test.basedn }}"
-    when: not ipaclient_on_master | bool
+  - block:
+    - name: Install - Configure IPA default.conf
+      ipaclient_ipa_conf:
+        servers: "{{ result_ipaclient_test.servers }}"
+        domain: "{{ result_ipaclient_test.domain }}"
+        realm: "{{ result_ipaclient_test.realm }}"
+        hostname: "{{ result_ipaclient_test.hostname }}"
+        basedn: "{{ result_ipaclient_test.basedn }}"
+      when: not ipaclient_on_master | bool
 
-  - name: Install - Configure SSSD
-    ipaclient_setup_sssd:
-      servers: "{{ result_ipaclient_test.servers }}"
-      domain: "{{ result_ipaclient_test.domain }}"
-      realm: "{{ result_ipaclient_test.realm }}"
-      hostname: "{{ result_ipaclient_test.hostname }}"
-      on_master: "{{ ipaclient_on_master }}"
-      no_ssh: "{{ ipaclient_no_ssh }}"
-      no_sshd: "{{ ipaclient_no_sshd }}"
-      no_sudo: "{{ ipaclient_no_sudo }}"
-      all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
-      fixed_primary: "{{ ipassd_fixed_primary }}"
-      permit: "{{ ipassd_permit }}"
-      enable_dns_updates: "{{ ipassd_enable_dns_updates }}"
-      preserve_sssd: "{{ ipassd_preserve_sssd }}"
-      no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}"
+    - name: Install - Configure SSSD
+      ipaclient_setup_sssd:
+        servers: "{{ result_ipaclient_test.servers }}"
+        domain: "{{ result_ipaclient_test.domain }}"
+        realm: "{{ result_ipaclient_test.realm }}"
+        hostname: "{{ result_ipaclient_test.hostname }}"
+        on_master: "{{ ipaclient_on_master }}"
+        no_ssh: "{{ ipaclient_no_ssh }}"
+        no_sshd: "{{ ipaclient_no_sshd }}"
+        no_sudo: "{{ ipaclient_no_sudo }}"
+        all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
+        fixed_primary: "{{ ipassd_fixed_primary }}"
+        permit: "{{ ipassd_permit }}"
+        enable_dns_updates: "{{ ipassd_enable_dns_updates }}"
+        preserve_sssd: "{{ ipassd_preserve_sssd }}"
+        no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}"
 
-  - name: Install - Configure krb5 for IPA realm
-    ipaclient_setup_krb5:
-      realm: "{{ result_ipaclient_test.realm }}"
-      domain: "{{ result_ipaclient_test.domain }}"
-      servers: "{{ result_ipaclient_test.servers }}"
-      kdc: "{{ result_ipaclient_test.kdc }}"
-      dnsok: "{{ result_ipaclient_test.dnsok }}"
-      client_domain: "{{ result_ipaclient_test.client_domain }}"
-      hostname: "{{ result_ipaclient_test.hostname }}"
-      sssd: "{{ result_ipaclient_test.sssd }}"
-      force: "{{ ipaclient_force }}"
-      #on_master: "{{ ipaclient_on_master }}"
-    when: not ipaclient_on_master | bool
+    - name: Install - Configure krb5 for IPA realm
+      ipaclient_setup_krb5:
+        realm: "{{ result_ipaclient_test.realm }}"
+        domain: "{{ result_ipaclient_test.domain }}"
+        servers: "{{ result_ipaclient_test.servers }}"
+        kdc: "{{ result_ipaclient_test.kdc }}"
+        dnsok: "{{ result_ipaclient_test.dnsok }}"
+        client_domain: "{{ result_ipaclient_test.client_domain }}"
+        hostname: "{{ result_ipaclient_test.hostname }}"
+        sssd: "{{ result_ipaclient_test.sssd }}"
+        force: "{{ ipaclient_force }}"
+        #on_master: "{{ ipaclient_on_master }}"
+      when: not ipaclient_on_master | bool
 
-  - name: Install - IPA API calls for remaining enrollment parts
-    ipaclient_api:
-      servers: "{{ result_ipaclient_test.servers }}"
-      realm: "{{ result_ipaclient_test.realm }}"
-      hostname: "{{ result_ipaclient_test.hostname }}"
-      #debug: yes
-    register: result_ipaclient_api
+    - name: Install - IPA API calls for remaining enrollment parts
+      ipaclient_api:
+        servers: "{{ result_ipaclient_test.servers }}"
+        realm: "{{ result_ipaclient_test.realm }}"
+        hostname: "{{ result_ipaclient_test.hostname }}"
+        #debug: yes
+      register: result_ipaclient_api
 
-  - name: Install - Fix IPA ca
-    ipaclient_fix_ca:
-      servers: "{{ result_ipaclient_test.servers }}"
-      realm: "{{ result_ipaclient_test.realm }}"
-      basedn: "{{ result_ipaclient_test.basedn }}"
-      allow_repair: "{{ ipaclient_allow_repair }}"
-    when: not ipaclient_on_master | bool and result_ipaclient_test_keytab.krb5_keytab_ok and not result_ipaclient_test_keytab.ca_crt_exists
+    - name: Install - Fix IPA ca
+      ipaclient_fix_ca:
+        servers: "{{ result_ipaclient_test.servers }}"
+        realm: "{{ result_ipaclient_test.realm }}"
+        basedn: "{{ result_ipaclient_test.basedn }}"
+        allow_repair: "{{ ipaclient_allow_repair }}"
+      when: not ipaclient_on_master | bool and result_ipaclient_test_keytab.krb5_keytab_ok and not result_ipaclient_test_keytab.ca_crt_exists
 
-  - name: Install - Create IPA NSS database
-    ipaclient_setup_nss:
-      servers: "{{ result_ipaclient_test.servers }}"
-      domain: "{{ result_ipaclient_test.domain }}"
-      realm: "{{ result_ipaclient_test.realm }}"
-      basedn: "{{ result_ipaclient_test.basedn }}"
-      hostname: "{{ result_ipaclient_test.hostname }}"
-      subject_base: "{{ result_ipaclient_api.subject_base }}"
-      principal: "{{ ipaadmin_principal | default(omit) }}"
-      mkhomedir: "{{ ipaclient_mkhomedir }}"
-      ca_enabled: "{{ result_ipaclient_api.ca_enabled }}"
-      on_master: "{{ ipaclient_on_master }}"
+    - name: Install - Create IPA NSS database
+      ipaclient_setup_nss:
+        servers: "{{ result_ipaclient_test.servers }}"
+        domain: "{{ result_ipaclient_test.domain }}"
+        realm: "{{ result_ipaclient_test.realm }}"
+        basedn: "{{ result_ipaclient_test.basedn }}"
+        hostname: "{{ result_ipaclient_test.hostname }}"
+        subject_base: "{{ result_ipaclient_api.subject_base }}"
+        principal: "{{ ipaadmin_principal | default(omit) }}"
+        mkhomedir: "{{ ipaclient_mkhomedir }}"
+        ca_enabled: "{{ result_ipaclient_api.ca_enabled }}"
+        on_master: "{{ ipaclient_on_master }}"
 
-  - name: Install - Configure SSH and SSHD
-    ipaclient_setup_ssh:
-      servers: "{{ result_ipaclient_test.servers }}"
-      sssd: "{{ result_ipaclient_test.sssd }}"
-      no_ssh: "{{ ipaclient_no_ssh }}"
-      ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
-      no_sshd: "{{ ipaclient_no_sshd }}"
+    - name: Install - Configure SSH and SSHD
+      ipaclient_setup_ssh:
+        servers: "{{ result_ipaclient_test.servers }}"
+        sssd: "{{ result_ipaclient_test.sssd }}"
+        no_ssh: "{{ ipaclient_no_ssh }}"
+        ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
+        no_sshd: "{{ ipaclient_no_sshd }}"
 
-  - name: Install - Configure automount
-    ipaclient_setup_automount:
-      servers: "{{ result_ipaclient_test.servers }}"
-      sssd: "{{ result_ipaclient_test.sssd }}"
-      automount_location: "{{ ipaautomount_location | default(omit) }}"
+    - name: Install - Configure automount
+      ipaclient_setup_automount:
+        servers: "{{ result_ipaclient_test.servers }}"
+        sssd: "{{ result_ipaclient_test.sssd }}"
+        automount_location: "{{ ipaautomount_location | default(omit) }}"
 
-  - name: Install - Configure firefox
-    ipaclient_setup_firefox:
-      firefox_dir: "{{ ipaclient_firefox_dir | default(omit) }}"
-    when: ipaclient_configure_firefox | bool
+    - name: Install - Configure firefox
+      ipaclient_setup_firefox:
+        firefox_dir: "{{ ipaclient_firefox_dir | default(omit) }}"
+      when: ipaclient_configure_firefox | bool
 
-  - name: Install - Configure NIS
-    ipaclient_setup_nis:
-      domain: "{{ result_ipaclient_test.domain }}"
-      nisdomain: "{{ ipaclient_nisdomain | default(omit)}}"
-    when: not ipaclient_no_nisdomain | bool
+    - name: Install - Configure NIS
+      ipaclient_setup_nis:
+        domain: "{{ result_ipaclient_test.domain }}"
+        nisdomain: "{{ ipaclient_nisdomain | default(omit)}}"
+      when: not ipaclient_no_nisdomain | bool
 
-  when: not ansible_check_mode
+    when: not (not ipaclient_on_master | bool and not result_ipaclient_join.changed and not ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined)))
+
+  when: not ansible_check_mode and not (result_ipaclient_test.client_already_configured and not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
 
   always:
   - name: Cleanup leftover ccache

roles/ipareplica/defaults/main.yml

@@ -30,8 +30,6 @@ ipareplica_no_forwarders: no
 ipareplica_auto_forwarders: no
 ipareplica_no_dnssec_validation: no
 ### ad trust ###
-ipareplica_add_sids: no
-ipareplica_add_agents: no
 ipareplica_enable_compat: no
 ### uninstall ###
 ipareplica_ignore_topology_disconnect: no

roles/ipareplica/library/ipareplica_prepare.py

@@ -184,6 +184,11 @@ def main():
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
             ### ad trust ###
+            enable_compat=dict(required=False, type='bool', default=False),
+            netbios_name=dict(required=False),
+            rid_base=dict(required=False, type='int', default=1000),
+            secondary_rid_base=dict(required=False, type='int',
+                                    default=100000000),
             ### additional ###
             server=dict(required=True),
             skip_conncheck=dict(required=False, type='bool'),
@@ -243,6 +248,11 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validationdnssec_validation')
+    ### ad trust ###
+    options.enable_compat = ansible_module.params.get('enable_compat')
+    options.netbios_name = ansible_module.params.get('netbios_name')
+    options.rid_base = ansible_module.params.get('rid_base')
+    options.secondary_rid_base = ansible_module.params.get('secondary_rid_base')
 
     ### additional ###
     #options._host_name_overridden = ansible_module.params.get(
@@ -701,7 +711,12 @@ def main():
                              config_setup_ca=config.setup_ca,
                              config_master_host_name=config.master_host_name,
                              config_ca_host_name=config.ca_host_name,
-                             config_ips=[ str(ip) for ip in config.ips ])
+                             config_ips=[ str(ip) for ip in config.ips ],
+                             ### ad trust ###
+                             rid_base=options.rid_base,
+                             secondary_rid_base=options.secondary_rid_base,
+                             adtrust_netbios_name=adtrust.netbios_name,
+                             adtrust_reset_netbios_name=adtrust.reset_netbios_name)
 
 if __name__ == '__main__':
     main()

roles/ipareplica/library/ipareplica_setup_adtrust.py

@@ -37,9 +37,6 @@ short description: Setup adtrust
 description:
   Setup adtrust
 options:
-  setup_adtrust:
-    description: 
-    required: yes
   setup_kra:
     description: 
     required: yes
@@ -75,10 +72,16 @@ def main():
     ansible_module = AnsibleModule(
         argument_spec = dict(
             ### server ###
-            setup_adtrust=dict(required=False, type='bool'),
             setup_kra=dict(required=False, type='bool'),
             ### certificate system ###
             subject_base=dict(required=True),
+            ### ad trust ###
+            enable_compat=dict(required=False, type='bool', default=False),
+            rid_base=dict(required=False, type='int'),
+            secondary_rid_base=dict(required=False, type='int'),
+            ### additional ###
+            adtrust_netbios_name=dict(required=True),
+            adtrust_reset_netbios_name=dict(required=True, type='bool'),
             ### additional ###
             ccache=dict(required=True),
             _top_dir = dict(required=True),
@@ -95,18 +98,23 @@ def main():
 
     options = installer
     ### server ###
-    options.setup_adtrust = ansible_module.params.get('setup_adtrust')
     options.setup_kra = ansible_module.params.get('setup_kra')
     ### certificate system ###
     options.subject_base = ansible_module.params.get('subject_base')
     if options.subject_base is not None:
         options.subject_base = DN(options.subject_base)
-    ### additional ###
+    ### ad trust ###
+    options.enable_compat = ansible_module.params.get('enable_compat')
+    options.rid_base = ansible_module.params.get('rid_base')
+    options.secondary_rid_base = ansible_module.params.get('secondary_rid_base')    ### additional ###
     ccache = ansible_module.params.get('ccache')
     os.environ['KRB5CCNAME'] = ccache
     options._top_dir = ansible_module.params.get('_top_dir')
     options.setup_ca = ansible_module.params.get('setup_ca')
     config_master_host_name = ansible_module.params.get('config_master_host_name')
+    adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name')
+    adtrust.reset_netbios_name = \
+        ansible_module.params.get('adtrust_reset_netbios_name')
 
     # init #
 
@@ -133,7 +141,6 @@ def main():
     api.Backend.ldap2.connect()
 
     with redirect_stdout(ansible_log):
-        #if options.setup_adtrust:
         ansible_log.debug("-- INSTALL ADTRUST --")
 
         adtrust.install(False, options, fstore, api)

roles/ipareplica/module_utils/ansible_ipa_replica.py

@@ -65,6 +65,7 @@ if NUM_VERSION >= 40600:
     from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
     from ipapython.dn import DN
     from ipapython.admintool import ScriptError
+    from ipapython.ipa_log_manager import standard_logging_setup
     from ipaplatform import services
     from ipaplatform.tasks import tasks
     from ipaplatform.paths import paths
@@ -121,8 +122,10 @@ else:
 
 
 logger = logging.getLogger("ipa-server-install")
-logger.setLevel(logging.DEBUG)
-
+#logger.setLevel(logging.DEBUG)
+standard_logging_setup(
+    paths.IPAREPLICA_INSTALL_LOG, verbose=False, debug=False,
+    filemode='a', console_format='%(message)s')
 
 @contextlib_contextmanager
 def redirect_stdout(f):
@@ -227,6 +230,14 @@ options.disable_dnssec_master = False
 options.kasp_db_file = None
 options.force = False
 
+# ServerMasterInstall
+options.add_sids = True
+options.add_agents = False
+
+# ServerReplicaInstall
+options.subject_base = None
+options.ca_subject = None
+
 
 def api_Backend_ldap2(host_name, setup_ca, connect=False):
     # we are sure we have the configuration file ready.

roles/ipareplica/tasks/install.yml

@@ -42,7 +42,7 @@
     domain: "{{ ipareplica_domain | default(ipaserver_domain) | default(omit) }}"
     servers: "{{ groups.ipaservers | default(groups.ipaserver) | default(omit) }}"
     realm: "{{ ipareplica_realm | default(omit) }}"
-    hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}"
+    hostname: "{{ ipareplica_hostname | default(omit) }}"
     ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
     ### server ###
     setup_adtrust: "{{ ipareplica_setup_adtrust }}"
@@ -68,10 +68,11 @@
     no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
   register: result_ipareplica_test
 
-- meta: end_play
-  when: result_ipareplica_test.client_already_configured is defined or result_ipareplica_test.server_already_configured is defined
-
 - block:
+  # This block is executed only when
+  # not ansible_check_mode and
+  # not (result_ipareplica_test.client_already_configured is defined or
+  #      result_ipareplica_test.server_already_configured is defined)
 
   - name: Install - Setup client
     include_role:
@@ -158,6 +159,7 @@
       forward_policy: "{{ ipareplica_forward_policy | default(omit) }}"
       no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
       ### ad trust ###
+      enable_compat: "{{ ipareplica_enable_compat }}"
       netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"
       rid_base: "{{ ipareplica_rid_base | default(omit) }}"
       secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"
@@ -594,15 +596,20 @@
   - name: Install - Setup adtrust
     ipareplica_setup_adtrust:
       ### replica ###
-      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
       setup_kra: "{{ result_ipareplica_test.setup_kra }}"
       ### certificate system ###
       subject_base: "{{ result_ipareplica_prepare.subject_base }}"
+      ### ad trust ###
+      enable_compat: "{{ ipareplica_enable_compat }}"
+      rid_base: "{{ result_ipareplica_prepare.rid_base }}"
+      secondary_rid_base: "{{ result_ipareplica_prepare.secondary_rid_base }}"
       ### additional ###
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
       setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
       config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
+      adtrust_netbios_name: "{{ result_ipareplica_prepare.adtrust_netbios_name }}"
+      adtrust_reset_netbios_name: "{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"
     when: result_ipareplica_test.setup_adtrust
 
   #- name: Install - Disconnect backend
@@ -626,4 +633,4 @@
       state: absent
     when: result_ipareplica_enable_ipa.changed
 
-  when: not ansible_check_mode
+  when: not ansible_check_mode and not (result_ipareplica_test.client_already_configured is defined or result_ipareplica_test.server_already_configured is defined)

roles/ipaserver/library/ipaserver_prepare.py

@@ -167,6 +167,9 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validation')
+    ### ad trust ###
+    options.enable_compat = ansible_module.params.get('enable_compat')
+    options.netbios_name = ansible_module.params.get('netbios_name')
     ### additional ###
     options.setup_ca = ansible_module.params.get('setup_ca')
     options._host_name_overridden = ansible_module.params.get(

roles/ipaserver/library/ipaserver_setup_adtrust.py

@@ -54,8 +54,15 @@ def main():
         argument_spec = dict(
             # basic
             hostname=dict(required=False),
-            setup_ca=dict(required=True, type='bool', default=False),
-            setup_adtrust=dict(required=True, type='bool', default=False),
+            setup_ca=dict(required=False, type='bool', default=False),
+            setup_adtrust=dict(required=False, type='bool', default=False),
+            ### ad trust ###
+            enable_compat=dict(required=False, type='bool', default=False),
+            rid_base=dict(required=False, type='int'),
+            secondary_rid_base=dict(required=False, type='int'),
+            ### additional ###
+            adtrust_netbios_name=dict(required=True),
+            adtrust_reset_netbios_name=dict(required=True, type='bool')
         ),
     )
 
@@ -67,6 +74,14 @@ def main():
     options.host_name = ansible_module.params.get('hostname')
     options.setup_ca = ansible_module.params.get('setup_ca')
     options.setup_adtrust = ansible_module.params.get('setup_adtrust')
+    ### ad trust ###
+    options.enable_compat = ansible_module.params.get('enable_compat')
+    options.rid_base = ansible_module.params.get('rid_base')
+    options.secondary_rid_base = ansible_module.params.get('secondary_rid_base')
+    ### additional ###
+    adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name')
+    adtrust.reset_netbios_name = \
+        ansible_module.params.get('adtrust_reset_netbios_name')
 
     # init ##########################################################
 

roles/ipaserver/library/ipaserver_test.py

@@ -115,8 +115,9 @@ def main():
             ### ad trust ###
             enable_compat=dict(required=False, type='bool', default=False),
             netbios_name=dict(required=False),
-            rid_base=dict(required=False, type='int'),
-            secondary_rid_base=dict(required=False, type='int'),
+            rid_base=dict(required=False, type='int', default=1000),
+            secondary_rid_base=dict(required=False, type='int',
+                                    default=100000000),
 
             ### additional ###
         ),
@@ -730,7 +731,7 @@ def main():
             adtrust.install_check(False, options, api)
 
     except (RuntimeError, ValueError, ScriptError) as e:
-        module.fail_json(msg=str(e))
+        ansible_module.fail_json(msg=str(e))
 
     finally:
         try:
@@ -779,12 +780,17 @@ def main():
                              forward_policy=options.forward_policy,
                              forwarders=options.forwarders,
                              no_dnssec_validation=options.no_dnssec_validation,
+                             ### ad trust ###
+                             rid_base=options.rid_base,
+                             secondary_rid_base=options.secondary_rid_base,
                              ### additional ###
                              _installation_cleanup=_installation_cleanup,
                              domainlevel=options.domainlevel,
                              dns_ip_addresses=[ str(ip) for ip
                                                 in dns.ip_addresses ],
-                             dns_reverse_zones=dns.reverse_zones)
+                             dns_reverse_zones=dns.reverse_zones,
+                             adtrust_netbios_name=adtrust.netbios_name,
+                             adtrust_reset_netbios_name=adtrust.reset_netbios_name)
 
 if __name__ == '__main__':
     main()

roles/ipaserver/module_utils/ansible_ipa_server.py

@@ -56,6 +56,7 @@ if NUM_VERSION >= 40500:
         from ipaclient.install.ipachangeconf import IPAChangeConf
     from ipalib.install import certmonger, sysrestore
     from ipapython import ipautil
+    from ipapython.ipa_log_manager import standard_logging_setup
     if NUM_VERSION < 40600:
         from ipapython.ipa_log_manager import root_logger
     from ipapython.ipautil import (
@@ -132,7 +133,10 @@ else:
 
 
 logger = logging.getLogger("ipa-server-install")
-logger.setLevel(logging.DEBUG)
+#logger.setLevel(logging.DEBUG)
+standard_logging_setup(
+    paths.IPASERVER_INSTALL_LOG, verbose=False, debug=False,
+    filemode='a', console_format='%(message)s')
 
 
 @contextlib_contextmanager
@@ -195,6 +199,11 @@ class options_obj(object):
 options = options_obj()
 installer = options
 
+# ServerMasterInstall
+options.add_sids = True
+options.add_agents = False
+
+
 def api_Backend_ldap2(host_name, setup_ca, connect=False):
     # we are sure we have the configuration file ready.
     cfg = dict(context='installer', confdir=paths.ETC_IPA, in_server=True,

roles/ipaserver/tasks/install.yml

@@ -36,7 +36,7 @@
     ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"
     domain: "{{ ipaserver_domain | default(omit) }}"
     realm: "{{ ipaserver_realm | default(omit) }}"
-    hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}"
+    hostname: "{{ ipaserver_hostname | default(omit) }}"
     ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"
     no_host_dns: "{{ ipaserver_no_host_dns }}"
     ### server ###
@@ -93,10 +93,12 @@
     ### additional ###
   register: result_ipaserver_test
 
-- meta: end_play
-  when: not result_ipaserver_test.changed and (result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined)
-
 - block:
+  # This block is executed only when
+  # not ansible_check_mode and
+  # not (not result_ipaserver_test.changed and
+  #      (result_ipaserver_test.client_already_configured is defined or
+  #       result_ipaserver_test.server_already_configured is defined)
 
   - block:
     - name: Install - Master password creation
@@ -142,8 +144,8 @@
       auto_forwarders: "{{ ipaserver_auto_forwarders }}"
       no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}"
       ### ad trust ###
-      # enable_compat
-      # netbios_name
+      enable_compat: "{{ ipaserver_enable_compat }}"
+      netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
       # rid_base
       # secondary_rid_base
       ### additional ###
@@ -311,6 +313,13 @@
       hostname: "{{ result_ipaserver_test.hostname }}"
       setup_ca: "{{ result_ipaserver_test.setup_ca }}"
       setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
+      ### ad trust ###
+      enable_compat: "{{ ipaserver_enable_compat }}"
+      rid_base: "{{ result_ipaserver_test.rid_base }}"
+      secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}"
+      ### additional ###
+      adtrust_netbios_name: "{{ result_ipaserver_test.adtrust_netbios_name }}"
+      adtrust_reset_netbios_name: "{{ result_ipaserver_test.adtrust_reset_netbios_name }}"
     when: result_ipaserver_test.setup_adtrust
 
   - name: Install - Set DS password
@@ -390,4 +399,4 @@
       {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
     when: ipaserver_setup_firewalld | bool
 
-  when: not ansible_check_mode
+  when: not ansible_check_mode and not (not result_ipaserver_test.changed and (result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined))