diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py index 4c12ae1f..2778ce9e 100644 --- a/roles/ipaclient/library/ipaclient_setup_nss.py +++ b/roles/ipaclient/library/ipaclient_setup_nss.py @@ -129,9 +129,6 @@ def main(): fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) - standard_logging_setup( - paths.IPACLIENT_INSTALL_LOG, verbose=True, debug=False, - filemode='a', console_format='%(message)s') os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE diff --git a/roles/ipaclient/library/ipaclient_setup_ntp.py b/roles/ipaclient/library/ipaclient_setup_ntp.py index d7b4f3b7..9f941942 100644 --- a/roles/ipaclient/library/ipaclient_setup_ntp.py +++ b/roles/ipaclient/library/ipaclient_setup_ntp.py @@ -115,11 +115,11 @@ def main(): cli_domain = module.params.get('domain') options.conf_ntp = not options.no_ntp + options.debug = False fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) - ntp_servers = [ ] synced_ntp = False if sync_time is not None: if options.conf_ntp: 
@@ -133,40 +133,43 @@ def main(): else: logger.info("Skipping chrony configuration") - elif not options.on_master and options.conf_ntp: - # Attempt to sync time with IPA server. - # If we're skipping NTP configuration, we also skip the time sync here. - # We assume that NTP servers are discoverable through SRV records - # in the DNS. - # If that fails, we try to sync directly with IPA server, - # assuming it runs NTP - if not options.ntp_servers: - # Detect NTP servers + else: + ntp_srv_servers = [ ] + if not options.on_master and options.conf_ntp: + # Attempt to sync time with IPA server. + # If we're skipping NTP configuration, we also skip the time sync here. + # We assume that NTP servers are discoverable through SRV records + # in the DNS. + # If that fails, we try to sync directly with IPA server, + # assuming it runs NTP + logger.info('Synchronizing time with KDC...') ds = ipadiscovery.IPADiscovery() - ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', - None, break_on_first=False) - else: - ntp_servers = options.ntp_servers + ntp_srv_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', + None, break_on_first=False) + synced_ntp = False + ntp_servers = ntp_srv_servers - # Attempt to sync time: - # At first with given or dicovered time servers. If no ntp - # servers have been given or discovered, then with the ipa - # server. 
- module.log('Synchronizing time ...') - synced_ntp = False - # use user specified NTP servers if there are any - for s in ntp_servers: - synced_ntp = timeconf.synconce_ntp(s, False) - if synced_ntp: - break - if not synced_ntp and not ntp_servers: - synced_ntp = timeconf.synconce_ntp(cli_server[0], False) - if not synced_ntp: - module.warn("Unable to sync time with NTP server") + # use user specified NTP servers if there are any + if options.ntp_servers: + ntp_servers = options.ntp_servers + + for s in ntp_servers: + synced_ntp = ntpconf.synconce_ntp(s, options.debug) + if synced_ntp: + break + + if not synced_ntp and not options.ntp_servers: + synced_ntp = timeconf.synconce_ntp(cli_server[0], options.debug) + if not synced_ntp: + module.warn( + "Unable to sync time with NTP " + "server, assuming the time is in sync. Please check " + "that 123 UDP port is opened.") + else: + logger.info('Skipping synchronizing time with NTP server.') # Done - module.exit_json(changed=True, - synced_ntp=synced_ntp) + module.exit_json(changed=synced_ntp) if __name__ == '__main__': main() diff --git a/roles/ipaclient/module_utils/ansible_ipa_client.py b/roles/ipaclient/module_utils/ansible_ipa_client.py index c8870a35..345ad1d7 100644 --- a/roles/ipaclient/module_utils/ansible_ipa_client.py +++ b/roles/ipaclient/module_utils/ansible_ipa_client.py @@ -225,6 +225,9 @@ if NUM_VERSION >= 40400: sssd_enable_ifp = None logger = logging.getLogger("ipa-client-install") + standard_logging_setup( + paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=False, + filemode='a', console_format='%(message)s') root_logger = logger else: diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml index 606087e0..9a148f9d 100644 --- a/roles/ipaclient/tasks/install.yml +++ b/roles/ipaclient/tasks/install.yml 
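Review bot: The server loop in the new code calls `ntpconf.synconce_ntp(s, options.debug)` while the fallback a few lines below calls `timeconf.synconce_ntp(cli_server[0], options.debug)`, and the removed code used `timeconf` in both places; unless `ntpconf` is a separate binding in module_utils (not visible here), the first entry in `ntp_servers` raises NameError and the `cli_server[0]` fallback is never reached. Suggest `synced_ntp = timeconf.synconce_ntp(s, options.debug)`. The result also changes from `changed=True, synced_ntp=synced_ntp` to `changed=synced_ntp`, so any task that registered this module and reads `.synced_ntp` needs adjusting, and a run that configured chrony but did not sync will now report changed=false (the chrony branch starts before this hunk, so whether it sets `synced_ntp` is not visible). main() starts before this hunk.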
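Review bot: `standard_logging_setup(paths.IPACLIENT_INSTALL_LOG, ...)` now runs as an import-time side effect of the shared module_utils, so every module that imports it opens the install log for append before it has parsed its own arguments or looked at check mode. The same call is added to roles/ipareplica/module_utils/ansible_ipa_replica.py and roles/ipaserver/module_utils/ansible_ipa_server.py in this commit, where it sits after the version `if/else` while the `standard_logging_setup` import is only added inside the `NUM_VERSION >= 40600` / `>= 40500` branch; on an older IPA the name is unbound at that point unless the else branch binds it too (not visible here). Suggest moving the call into a small `setup_logging()` helper that each module's `main()` invokes, or at least guarding it with the same version check as the import, and deleting the commented-out `#logger.setLevel(logging.DEBUG)` lines instead of keeping them.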
@@ -35,7 +35,7 @@ domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}" servers: "{{ ipaclient_servers | default(omit) }}" realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}" - hostname: "{{ ipaclient_hostname | default(ansible_fqdn) }}" + hostname: "{{ ipaclient_hostname | default(omit) }}" ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}" ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}" no_ntp: "{{ ipaclient_no_ntp }}" @@ -53,20 +53,12 @@ enable_dns_updates: "{{ ipassd_enable_dns_updates }}" register: result_ipaclient_test -- meta: end_play - when: result_ipaclient_test.client_already_configured and not ipaclient_allow_repair | bool and not ipaclient_force_join | bool - -- name: Install - Set default principal if no keytab is given - set_fact: - ipaadmin_principal: admin - when: ipaadmin_principal is undefined and ipaclient_keytab is undefined - -- name: Install - Cleanup leftover ccache - file: - path: "/etc/ipa/.dns_ccache" - state: absent - - block: + - name: Install - Cleanup leftover ccache + file: + path: "/etc/ipa/.dns_ccache" + state: absent + - name: Install - Configure NTP ipaclient_setup_ntp: ### basic ### @@ -143,6 +135,14 @@ when: ipaclient_use_otp | bool - block: + # This block is executed only when + # not (not ipaclient_on_master | bool and + # not result_ipaclient_join.changed and + # not ipaclient_allow_repair | bool and + # (result_ipaclient_test_keytab.krb5_keytab_ok or + # (result_ipaclient_join.already_joined is defined and + # result_ipaclient_join.already_joined))) + - name: Install - Check if principal and keytab are set fail: msg="Principal and keytab cannot be used together" when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != "" 
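Review bot: The task that defaulted `ipaadmin_principal` to `admin` when neither a principal nor `ipaclient_keytab` is given is removed in this hunk, and no replacement is visible in the diff; the later tasks still pass `principal: "{{ ipaadmin_principal | default(omit) }}"`, so a play that sets neither now reaches the join with no principal at all unless the join module applies its own default. If that default is now handled elsewhere, a one-line comment at the new `- block:` saying where would stop the next reader from re-adding the task.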
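Review bot: The added comment restates, term for term, the `when:` that this commit attaches to the nested `- block:` about sixty lines later in the file (hunk @@ -200), and the same pattern is added in roles/ipareplica/tasks/install.yml (@@ -68) and roles/ipaserver/tasks/install.yml (@@ -93); two copies of a six-term condition will drift apart the next time it changes. Computing it once right after the join task, e.g. `- set_fact:` / `ipaclient_skip_enrollment: "{{ ... the same expression ... }}"`, and using `when: not ipaclient_skip_enrollment` on the block makes the comment unnecessary. The block condition also relies on `result_ipaclient_join.changed` being defined when the join task was skipped on a master, which holds because a skipped task still registers a result with `changed: false`; a short comment stating that assumption would help.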
@@ -166,8 +166,8 @@ - name: Install - Backup and set hostname ipaclient_set_hostname: - hostname: "{{ result_ipaclient_test.hostname }}" - when: not ipaclient_on_master | bool + hostname: "{{ ipaclient_hostname }}" + when: not ipaclient_on_master | bool and ipaclient_hostname is defined - name: Install - Join IPA ipaclient_join: @@ -187,10 +187,6 @@ when: not ipaclient_on_master | bool and (not result_ipaclient_test_keytab.krb5_keytab_ok or ipaclient_force_join) - block: - - name: Install - End playbook processing - file: - path: "/etc/ipa/.dns_ccache" - state: absent - fail: msg: "The krb5 configuration is not correct, please enable allow_repair to fix this." when: not result_ipaclient_test_keytab.krb5_conf_ok 
@@ -200,104 +196,106 @@ - fail: msg: "The ca.crt file is missing, please enable allow_repair to fix this." when: not result_ipaclient_test_keytab.ca_crt_exists - - meta: end_play when: not ipaclient_on_master | bool and not result_ipaclient_join.changed and not ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined)) - - name: Install - Configure IPA default.conf - ipaclient_ipa_conf: - servers: "{{ result_ipaclient_test.servers }}" - domain: "{{ result_ipaclient_test.domain }}" - realm: "{{ result_ipaclient_test.realm }}" - hostname: "{{ result_ipaclient_test.hostname }}" - basedn: "{{ result_ipaclient_test.basedn }}" - when: not ipaclient_on_master | bool + - block: + - name: Install - Configure IPA default.conf + ipaclient_ipa_conf: + servers: "{{ result_ipaclient_test.servers }}" + domain: "{{ result_ipaclient_test.domain }}" + realm: "{{ result_ipaclient_test.realm }}" + hostname: "{{ result_ipaclient_test.hostname }}" + basedn: "{{ result_ipaclient_test.basedn }}" + when: not ipaclient_on_master | bool - - name: Install - Configure SSSD - ipaclient_setup_sssd: - servers: "{{ result_ipaclient_test.servers }}" - domain: "{{ result_ipaclient_test.domain }}" - realm: "{{ result_ipaclient_test.realm }}" - hostname: "{{ result_ipaclient_test.hostname }}" - on_master: "{{ ipaclient_on_master }}" - no_ssh: "{{ ipaclient_no_ssh }}" - no_sshd: "{{ ipaclient_no_sshd }}" - no_sudo: "{{ ipaclient_no_sudo }}" - all_ip_addresses: "{{ ipaclient_all_ip_addresses }}" - fixed_primary: "{{ ipassd_fixed_primary }}" - permit: "{{ ipassd_permit }}" - enable_dns_updates: "{{ ipassd_enable_dns_updates }}" - preserve_sssd: "{{ ipassd_preserve_sssd }}" - no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}" + - name: Install - Configure SSSD + ipaclient_setup_sssd: + servers: "{{ result_ipaclient_test.servers }}" + domain: "{{ result_ipaclient_test.domain 
}}" + realm: "{{ result_ipaclient_test.realm }}" + hostname: "{{ result_ipaclient_test.hostname }}" + on_master: "{{ ipaclient_on_master }}" + no_ssh: "{{ ipaclient_no_ssh }}" + no_sshd: "{{ ipaclient_no_sshd }}" + no_sudo: "{{ ipaclient_no_sudo }}" + all_ip_addresses: "{{ ipaclient_all_ip_addresses }}" + fixed_primary: "{{ ipassd_fixed_primary }}" + permit: "{{ ipassd_permit }}" + enable_dns_updates: "{{ ipassd_enable_dns_updates }}" + preserve_sssd: "{{ ipassd_preserve_sssd }}" + no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}" - - name: Install - Configure krb5 for IPA realm - ipaclient_setup_krb5: - realm: "{{ result_ipaclient_test.realm }}" - domain: "{{ result_ipaclient_test.domain }}" - servers: "{{ result_ipaclient_test.servers }}" - kdc: "{{ result_ipaclient_test.kdc }}" - dnsok: "{{ result_ipaclient_test.dnsok }}" - client_domain: "{{ result_ipaclient_test.client_domain }}" - hostname: "{{ result_ipaclient_test.hostname }}" - sssd: "{{ result_ipaclient_test.sssd }}" - force: "{{ ipaclient_force }}" - #on_master: "{{ ipaclient_on_master }}" - when: not ipaclient_on_master | bool + - name: Install - Configure krb5 for IPA realm + ipaclient_setup_krb5: + realm: "{{ result_ipaclient_test.realm }}" + domain: "{{ result_ipaclient_test.domain }}" + servers: "{{ result_ipaclient_test.servers }}" + kdc: "{{ result_ipaclient_test.kdc }}" + dnsok: "{{ result_ipaclient_test.dnsok }}" + client_domain: "{{ result_ipaclient_test.client_domain }}" + hostname: "{{ result_ipaclient_test.hostname }}" + sssd: "{{ result_ipaclient_test.sssd }}" + force: "{{ ipaclient_force }}" + #on_master: "{{ ipaclient_on_master }}" + when: not ipaclient_on_master | bool - - name: Install - IPA API calls for remaining enrollment parts - ipaclient_api: - servers: "{{ result_ipaclient_test.servers }}" - realm: "{{ result_ipaclient_test.realm }}" - hostname: "{{ result_ipaclient_test.hostname }}" - #debug: yes - register: result_ipaclient_api + - name: Install - IPA API 
calls for remaining enrollment parts + ipaclient_api: + servers: "{{ result_ipaclient_test.servers }}" + realm: "{{ result_ipaclient_test.realm }}" + hostname: "{{ result_ipaclient_test.hostname }}" + #debug: yes + register: result_ipaclient_api - - name: Install - Fix IPA ca - ipaclient_fix_ca: - servers: "{{ result_ipaclient_test.servers }}" - realm: "{{ result_ipaclient_test.realm }}" - basedn: "{{ result_ipaclient_test.basedn }}" - allow_repair: "{{ ipaclient_allow_repair }}" - when: not ipaclient_on_master | bool and result_ipaclient_test_keytab.krb5_keytab_ok and not result_ipaclient_test_keytab.ca_crt_exists + - name: Install - Fix IPA ca + ipaclient_fix_ca: + servers: "{{ result_ipaclient_test.servers }}" + realm: "{{ result_ipaclient_test.realm }}" + basedn: "{{ result_ipaclient_test.basedn }}" + allow_repair: "{{ ipaclient_allow_repair }}" + when: not ipaclient_on_master | bool and result_ipaclient_test_keytab.krb5_keytab_ok and not result_ipaclient_test_keytab.ca_crt_exists - - name: Install - Create IPA NSS database - ipaclient_setup_nss: - servers: "{{ result_ipaclient_test.servers }}" - domain: "{{ result_ipaclient_test.domain }}" - realm: "{{ result_ipaclient_test.realm }}" - basedn: "{{ result_ipaclient_test.basedn }}" - hostname: "{{ result_ipaclient_test.hostname }}" - subject_base: "{{ result_ipaclient_api.subject_base }}" - principal: "{{ ipaadmin_principal | default(omit) }}" - mkhomedir: "{{ ipaclient_mkhomedir }}" - ca_enabled: "{{ result_ipaclient_api.ca_enabled }}" - on_master: "{{ ipaclient_on_master }}" + - name: Install - Create IPA NSS database + ipaclient_setup_nss: + servers: "{{ result_ipaclient_test.servers }}" + domain: "{{ result_ipaclient_test.domain }}" + realm: "{{ result_ipaclient_test.realm }}" + basedn: "{{ result_ipaclient_test.basedn }}" + hostname: "{{ result_ipaclient_test.hostname }}" + subject_base: "{{ result_ipaclient_api.subject_base }}" + principal: "{{ ipaadmin_principal | default(omit) }}" + mkhomedir: "{{ 
ipaclient_mkhomedir }}" + ca_enabled: "{{ result_ipaclient_api.ca_enabled }}" + on_master: "{{ ipaclient_on_master }}" - - name: Install - Configure SSH and SSHD - ipaclient_setup_ssh: - servers: "{{ result_ipaclient_test.servers }}" - sssd: "{{ result_ipaclient_test.sssd }}" - no_ssh: "{{ ipaclient_no_ssh }}" - ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}" - no_sshd: "{{ ipaclient_no_sshd }}" + - name: Install - Configure SSH and SSHD + ipaclient_setup_ssh: + servers: "{{ result_ipaclient_test.servers }}" + sssd: "{{ result_ipaclient_test.sssd }}" + no_ssh: "{{ ipaclient_no_ssh }}" + ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}" + no_sshd: "{{ ipaclient_no_sshd }}" - - name: Install - Configure automount - ipaclient_setup_automount: - servers: "{{ result_ipaclient_test.servers }}" - sssd: "{{ result_ipaclient_test.sssd }}" - automount_location: "{{ ipaautomount_location | default(omit) }}" + - name: Install - Configure automount + ipaclient_setup_automount: + servers: "{{ result_ipaclient_test.servers }}" + sssd: "{{ result_ipaclient_test.sssd }}" + automount_location: "{{ ipaautomount_location | default(omit) }}" - - name: Install - Configure firefox - ipaclient_setup_firefox: - firefox_dir: "{{ ipaclient_firefox_dir | default(omit) }}" - when: ipaclient_configure_firefox | bool + - name: Install - Configure firefox + ipaclient_setup_firefox: + firefox_dir: "{{ ipaclient_firefox_dir | default(omit) }}" + when: ipaclient_configure_firefox | bool - - name: Install - Configure NIS - ipaclient_setup_nis: - domain: "{{ result_ipaclient_test.domain }}" - nisdomain: "{{ ipaclient_nisdomain | default(omit)}}" - when: not ipaclient_no_nisdomain | bool + - name: Install - Configure NIS + ipaclient_setup_nis: + domain: "{{ result_ipaclient_test.domain }}" + nisdomain: "{{ ipaclient_nisdomain | default(omit)}}" + when: not ipaclient_no_nisdomain | bool - when: not ansible_check_mode + when: not (not ipaclient_on_master | bool and not result_ipaclient_join.changed and not 
ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined))) + + when: not ansible_check_mode and not (result_ipaclient_test.client_already_configured and not ipaclient_allow_repair | bool and not ipaclient_force_join | bool) always: - name: Cleanup leftover ccache diff --git a/roles/ipareplica/defaults/main.yml b/roles/ipareplica/defaults/main.yml index d60c68c9..5fe168fa 100644 --- a/roles/ipareplica/defaults/main.yml +++ b/roles/ipareplica/defaults/main.yml @@ -30,8 +30,6 @@ ipareplica_no_forwarders: no ipareplica_auto_forwarders: no ipareplica_no_dnssec_validation: no ### ad trust ### -ipareplica_add_sids: no -ipareplica_add_agents: no ipareplica_enable_compat: no ### uninstall ### ipareplica_ignore_topology_disconnect: no diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py index 0d965c3c..7e4d8911 100644 --- a/roles/ipareplica/library/ipareplica_prepare.py +++ b/roles/ipareplica/library/ipareplica_prepare.py @@ -184,6 +184,11 @@ def main(): no_dnssec_validation=dict(required=False, type='bool', default=False), ### ad trust ### + enable_compat=dict(required=False, type='bool', default=False), + netbios_name=dict(required=False), + rid_base=dict(required=False, type='int', default=1000), + secondary_rid_base=dict(required=False, type='int', + default=100000000), ### additional ### server=dict(required=True), skip_conncheck=dict(required=False, type='bool'), 
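Review bot: The literal defaults `1000` and `100000000` for `rid_base` / `secondary_rid_base` are now written here and again in roles/ipaserver/library/ipaserver_test.py (@@ -115), while ipareplica_setup_adtrust.py and ipaserver_setup_adtrust.py declare the same parameters with no default; one pair of constants in the shared module_utils (e.g. `DEFAULT_RID_BASE` / `DEFAULT_SECONDARY_RID_BASE`, constructed names) would keep the replica and server defaults from drifting. A comment on the two lines saying where the overlap check between the two ranges is performed (presumably `adtrust.install_check`, not visible in this hunk) would also help, since nothing in this module validates them. main() continues outside the hunk.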
@@ -243,6 +248,11 @@ def main(): options.forward_policy = ansible_module.params.get('forward_policy') options.no_dnssec_validation = ansible_module.params.get( 'no_dnssec_validationdnssec_validation') + ### ad trust ### + options.enable_compat = ansible_module.params.get('enable_compat') + options.netbios_name = ansible_module.params.get('netbios_name') + options.rid_base = ansible_module.params.get('rid_base') + options.secondary_rid_base = ansible_module.params.get('secondary_rid_base') ### additional ### #options._host_name_overridden = ansible_module.params.get( @@ -701,7 +711,12 @@ def main(): config_setup_ca=config.setup_ca, config_master_host_name=config.master_host_name, config_ca_host_name=config.ca_host_name, - config_ips=[ str(ip) for ip in config.ips ]) + config_ips=[ str(ip) for ip in config.ips ], + ### ad trust ### + rid_base=options.rid_base, + secondary_rid_base=options.secondary_rid_base, + adtrust_netbios_name=adtrust.netbios_name, + adtrust_reset_netbios_name=adtrust.reset_netbios_name) if __name__ == '__main__': main() diff --git a/roles/ipareplica/library/ipareplica_setup_adtrust.py b/roles/ipareplica/library/ipareplica_setup_adtrust.py index 34838daa..565aee11 100644 --- a/roles/ipareplica/library/ipareplica_setup_adtrust.py +++ b/roles/ipareplica/library/ipareplica_setup_adtrust.py @@ -37,9 +37,6 @@ short description: Setup adtrust description: Setup adtrust options: - setup_adtrust: - description: - required: yes setup_kra: description: required: yes 
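Review bot: The new `### ad trust ###` assignments are inserted directly under a context line that reads `ansible_module.params.get('no_dnssec_validationdnssec_validation')`, a key the argument_spec in the previous hunk does not declare, so `options.no_dnssec_validation` is always None on a replica regardless of what the playbook passes; the sibling roles/ipaserver/library/ipaserver_prepare.py spells it `'no_dnssec_validation'`. Not introduced by this commit, but it sits in the block being edited and silently ignores a DNSSEC-related option, so it is worth fixing here: `options.no_dnssec_validation = ansible_module.params.get('no_dnssec_validation')`. main() starts before and continues after this hunk.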
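Review bot: This hunk drops the `setup_adtrust` entry from the module's DOCUMENTATION `options:`, but the five parameters the next hunk adds to argument_spec (`enable_compat`, `rid_base`, `secondary_rid_base`, `adtrust_netbios_name`, `adtrust_reset_netbios_name`) get no entry, so the documented interface no longer matches what the module accepts. Each needs an `options:` entry with a one-line description and `required:`; the two `adtrust_*` entries should say they carry values produced by ipareplica_prepare rather than user input. The same gap presumably applies to ipaserver_setup_adtrust.py and ipareplica_prepare.py, whose DOCUMENTATION blocks are not part of this diff.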
@@ -75,10 +72,16 @@ def main(): ansible_module = AnsibleModule( argument_spec = dict( ### server ### - setup_adtrust=dict(required=False, type='bool'), setup_kra=dict(required=False, type='bool'), ### certificate system ### subject_base=dict(required=True), + ### ad trust ### + enable_compat=dict(required=False, type='bool', default=False), + rid_base=dict(required=False, type='int'), + secondary_rid_base=dict(required=False, type='int'), + ### additional ### + adtrust_netbios_name=dict(required=True), + adtrust_reset_netbios_name=dict(required=True, type='bool'), ### additional ### ccache=dict(required=True), _top_dir = dict(required=True), @@ -95,18 +98,23 @@ def main(): options = installer ### server ### - options.setup_adtrust = ansible_module.params.get('setup_adtrust') options.setup_kra = ansible_module.params.get('setup_kra') ### certificate system ### options.subject_base = ansible_module.params.get('subject_base') if options.subject_base is not None: options.subject_base = DN(options.subject_base) - ### additional ### + ### ad trust ### + options.enable_compat = ansible_module.params.get('enable_compat') + options.rid_base = ansible_module.params.get('rid_base') + options.secondary_rid_base = ansible_module.params.get('secondary_rid_base') ### additional ### ccache = ansible_module.params.get('ccache') os.environ['KRB5CCNAME'] = ccache options._top_dir = ansible_module.params.get('_top_dir') options.setup_ca = ansible_module.params.get('setup_ca') config_master_host_name = ansible_module.params.get('config_master_host_name') + adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name') + adtrust.reset_netbios_name = \ + ansible_module.params.get('adtrust_reset_netbios_name') # init # @@ -133,7 +141,6 @@ def main(): api.Backend.ldap2.connect() with redirect_stdout(ansible_log): - #if options.setup_adtrust: ansible_log.debug("-- INSTALL ADTRUST --") adtrust.install(False, options, fstore, api) 
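Review bot: The argument_spec now carries two `### additional ###` section comments, the new one above `adtrust_netbios_name` and the original one above `ccache`, and the same duplication is added in roles/ipaserver/library/ipaserver_setup_adtrust.py (@@ -54); a reader scanning the spec by section will miss half of it. Suggest renaming the new header to `### from ipareplica_prepare ###` (or folding the two `adtrust_*` entries under the existing header) so the grouping matches the `### ad trust ###` / `### additional ###` split used in the params.get block below.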
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py index 3b06da68..92bf1cda 100644 --- a/roles/ipareplica/module_utils/ansible_ipa_replica.py +++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py @@ -65,6 +65,7 @@ if NUM_VERSION >= 40600: from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS from ipapython.dn import DN from ipapython.admintool import ScriptError + from ipapython.ipa_log_manager import standard_logging_setup from ipaplatform import services from ipaplatform.tasks import tasks from ipaplatform.paths import paths @@ -121,8 +122,10 @@ else: logger = logging.getLogger("ipa-server-install") -logger.setLevel(logging.DEBUG) - +#logger.setLevel(logging.DEBUG) +standard_logging_setup( + paths.IPAREPLICA_INSTALL_LOG, verbose=False, debug=False, + filemode='a', console_format='%(message)s') @contextlib_contextmanager def redirect_stdout(f): @@ -227,6 +230,14 @@ options.disable_dnssec_master = False options.kasp_db_file = None options.force = False +# ServerMasterInstall +options.add_sids = True +options.add_agents = False + +# ServerReplicaInstall +options.subject_base = None +options.ca_subject = None + def api_Backend_ldap2(host_name, setup_ca, connect=False): # we are sure we have the configuration file ready. diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 47279a0c..dc4c0e79 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml @@ -42,7 +42,7 @@ domain: "{{ ipareplica_domain | default(ipaserver_domain) | default(omit) }}" servers: "{{ groups.ipaservers | default(groups.ipaserver) | default(omit) }}" realm: "{{ ipareplica_realm | default(omit) }}" - hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}" + hostname: "{{ ipareplica_hostname | default(omit) }}" ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}" ### server ### setup_adtrust: "{{ ipareplica_setup_adtrust }}" 
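Review bot: `options.add_sids = True` and `options.add_agents = False` are now fixed in module_utils while the same commit deletes `ipareplica_add_sids` / `ipareplica_add_agents` from roles/ipareplica/defaults/main.yml (the same two lines are added to roles/ipaserver/module_utils/ansible_ipa_server.py), so a playbook that still sets those variables silently gets the hard-coded values. If the options are intentionally not user-settable, say so where they are set, e.g. `# ServerMasterInstall: add_sids/add_agents are fixed here; the former ipareplica_add_sids/ipareplica_add_agents role variables are no longer read`, and mention the removal in the role README. The new `options.subject_base = None` / `options.ca_subject = None` lines likewise deserve one line saying which module later fills them in.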
@@ -68,10 +68,11 @@ no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}" register: result_ipareplica_test -- meta: end_play - when: result_ipareplica_test.client_already_configured is defined or result_ipareplica_test.server_already_configured is defined - - block: + # This block is executed only when + # not ansible_check_mode and + # not (result_ipareplica_test.client_already_configured is defined or + # result_ipareplica_test.server_already_configured is defined) - name: Install - Setup client include_role: @@ -158,6 +159,7 @@ forward_policy: "{{ ipareplica_forward_policy | default(omit) }}" no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}" ### ad trust ### + enable_compat: "{{ ipareplica_enable_compat }}" netbios_name: "{{ ipareplica_netbios_name | default(omit) }}" rid_base: "{{ ipareplica_rid_base | default(omit) }}" secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}" @@ -594,15 +596,20 @@ - name: Install - Setup adtrust ipareplica_setup_adtrust: ### replica ### - setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}" setup_kra: "{{ result_ipareplica_test.setup_kra }}" ### certificate system ### subject_base: "{{ result_ipareplica_prepare.subject_base }}" + ### ad trust ### + enable_compat: "{{ ipareplica_enable_compat }}" + rid_base: "{{ result_ipareplica_prepare.rid_base }}" + secondary_rid_base: "{{ result_ipareplica_prepare.secondary_rid_base }}" ### additional ### ccache: "{{ result_ipareplica_prepare.ccache }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}" + adtrust_netbios_name: "{{ result_ipareplica_prepare.adtrust_netbios_name }}" + adtrust_reset_netbios_name: "{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}" when: result_ipareplica_test.setup_adtrust #- name: Install - Disconnect backend 
@@ -626,4 +633,4 @@ state: absent when: result_ipareplica_enable_ipa.changed - when: not ansible_check_mode + when: not ansible_check_mode and not (result_ipareplica_test.client_already_configured is defined or result_ipareplica_test.server_already_configured is defined) diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py index 51ad8b86..8bf5738e 100644 --- a/roles/ipaserver/library/ipaserver_prepare.py +++ b/roles/ipaserver/library/ipaserver_prepare.py @@ -167,6 +167,9 @@ def main(): options.forward_policy = ansible_module.params.get('forward_policy') options.no_dnssec_validation = ansible_module.params.get( 'no_dnssec_validation') + ### ad trust ### + options.enable_compat = ansible_module.params.get('enable_compat') + options.netbios_name = ansible_module.params.get('netbios_name') ### additional ### options.setup_ca = ansible_module.params.get('setup_ca') options._host_name_overridden = ansible_module.params.get( diff --git a/roles/ipaserver/library/ipaserver_setup_adtrust.py b/roles/ipaserver/library/ipaserver_setup_adtrust.py index fdc559d3..29166e11 100644 --- a/roles/ipaserver/library/ipaserver_setup_adtrust.py +++ b/roles/ipaserver/library/ipaserver_setup_adtrust.py @@ -54,8 +54,15 @@ def main(): argument_spec = dict( # basic hostname=dict(required=False), - setup_ca=dict(required=True, type='bool', default=False), - setup_adtrust=dict(required=True, type='bool', default=False), + setup_ca=dict(required=False, type='bool', default=False), + setup_adtrust=dict(required=False, type='bool', default=False), + ### ad trust ### + enable_compat=dict(required=False, type='bool', default=False), + rid_base=dict(required=False, type='int'), + secondary_rid_base=dict(required=False, type='int'), + ### additional ### + adtrust_netbios_name=dict(required=True), + adtrust_reset_netbios_name=dict(required=True, type='bool') ), ) 
@@ -67,6 +74,14 @@ def main(): options.host_name = ansible_module.params.get('hostname') options.setup_ca = ansible_module.params.get('setup_ca') options.setup_adtrust = ansible_module.params.get('setup_adtrust') + ### ad trust ### + options.enable_compat = ansible_module.params.get('enable_compat') + options.rid_base = ansible_module.params.get('rid_base') + options.secondary_rid_base = ansible_module.params.get('secondary_rid_base') + ### additional ### + adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name') + adtrust.reset_netbios_name = \ + ansible_module.params.get('adtrust_reset_netbios_name') # init ########################################################## diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py index c9f7cce2..63856511 100644 --- a/roles/ipaserver/library/ipaserver_test.py +++ b/roles/ipaserver/library/ipaserver_test.py @@ -115,8 +115,9 @@ def main(): ### ad trust ### enable_compat=dict(required=False, type='bool', default=False), netbios_name=dict(required=False), - rid_base=dict(required=False, type='int'), - secondary_rid_base=dict(required=False, type='int'), + rid_base=dict(required=False, type='int', default=1000), + secondary_rid_base=dict(required=False, type='int', + default=100000000), ### additional ### ), @@ -730,7 +731,7 @@ def main(): adtrust.install_check(False, options, api) except (RuntimeError, ValueError, ScriptError) as e: - module.fail_json(msg=str(e)) + ansible_module.fail_json(msg=str(e)) finally: try: 
@@ -779,12 +780,17 @@ def main(): forward_policy=options.forward_policy, forwarders=options.forwarders, no_dnssec_validation=options.no_dnssec_validation, + ### ad trust ### + rid_base=options.rid_base, + secondary_rid_base=options.secondary_rid_base, ### additional ### _installation_cleanup=_installation_cleanup, domainlevel=options.domainlevel, dns_ip_addresses=[ str(ip) for ip in dns.ip_addresses ], - dns_reverse_zones=dns.reverse_zones) + dns_reverse_zones=dns.reverse_zones, + adtrust_netbios_name=adtrust.netbios_name, + adtrust_reset_netbios_name=adtrust.reset_netbios_name) if __name__ == '__main__': main() diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py index 6713ae8c..dfa26031 100644 --- a/roles/ipaserver/module_utils/ansible_ipa_server.py +++ b/roles/ipaserver/module_utils/ansible_ipa_server.py @@ -56,6 +56,7 @@ if NUM_VERSION >= 40500: from ipaclient.install.ipachangeconf import IPAChangeConf from ipalib.install import certmonger, sysrestore from ipapython import ipautil + from ipapython.ipa_log_manager import standard_logging_setup if NUM_VERSION < 40600: from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import ( @@ -132,7 +133,10 @@ else: logger = logging.getLogger("ipa-server-install") -logger.setLevel(logging.DEBUG) +#logger.setLevel(logging.DEBUG) +standard_logging_setup( + paths.IPASERVER_INSTALL_LOG, verbose=False, debug=False, + filemode='a', console_format='%(message)s') @contextlib_contextmanager @@ -195,6 +199,11 @@ class options_obj(object): options = options_obj() installer = options +# ServerMasterInstall +options.add_sids = True +options.add_agents = False + + def api_Backend_ldap2(host_name, setup_ca, connect=False): # we are sure we have the configuration file ready. cfg = dict(context='installer', confdir=paths.ETC_IPA, in_server=True, diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index 32374f32..f482bc08 100644 
--- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml @@ -36,7 +36,7 @@ ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}" domain: "{{ ipaserver_domain | default(omit) }}" realm: "{{ ipaserver_realm | default(omit) }}" - hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}" + hostname: "{{ ipaserver_hostname | default(omit) }}" ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}" no_host_dns: "{{ ipaserver_no_host_dns }}" ### server ### @@ -93,10 +93,12 @@ ### additional ### register: result_ipaserver_test -- meta: end_play - when: not result_ipaserver_test.changed and (result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined) - - block: + # This block is executed only when + # not ansible_check_mode and + # not (not result_ipaserver_test.changed and + # (result_ipaserver_test.client_already_configured is defined or + # result_ipaserver_test.server_already_configured is defined) - block: - name: Install - Master password creation @@ -142,8 +144,8 @@ auto_forwarders: "{{ ipaserver_auto_forwarders }}" no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}" ### ad trust ### - # enable_compat - # netbios_name + enable_compat: "{{ ipaserver_enable_compat }}" + netbios_name: "{{ ipaserver_netbios_name | default(omit) }}" # rid_base # secondary_rid_base ### additional ### 
@@ -311,6 +313,13 @@ hostname: "{{ result_ipaserver_test.hostname }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" + ### ad trust ### + enable_compat: "{{ ipaserver_enable_compat }}" + rid_base: "{{ result_ipaserver_test.rid_base }}" + secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}" + ### additional ### + adtrust_netbios_name: "{{ result_ipaserver_test.adtrust_netbios_name }}" + adtrust_reset_netbios_name: "{{ result_ipaserver_test.adtrust_reset_netbios_name }}" when: result_ipaserver_test.setup_adtrust - name: Install - Set DS password @@ -390,4 +399,4 @@ {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }} when: ipaserver_setup_firewalld | bool - when: not ansible_check_mode + when: not ansible_check_mode and not (not result_ipaserver_test.changed and (result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined))