From cdc431ff9209c42a44fc487aa433570026851cd4 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Tue, 16 Apr 2019 14:50:55 +0200 Subject: [PATCH 1/8] ipa[client,replica,server]: Make sure that installer logs are created The installer logs have not been created using the ansible ipaclient, ipareplica and ipaserver roles. This has been fixed and the installer logs are created now. This is a new and fixed version of 2113c79 where verbose mode is turned off. --- roles/ipaclient/library/ipaclient_setup_nss.py | 3 --- roles/ipaclient/module_utils/ansible_ipa_client.py | 3 +++ roles/ipareplica/module_utils/ansible_ipa_replica.py | 11 +++++++++-- roles/ipaserver/module_utils/ansible_ipa_server.py | 6 +++++- 4 files changed, 17 insertions(+), 6 deletions(-) diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py index 4c12ae1f..2778ce9e 100644 --- a/roles/ipaclient/library/ipaclient_setup_nss.py +++ b/roles/ipaclient/library/ipaclient_setup_nss.py @@ -129,9 +129,6 @@ def main(): fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) - standard_logging_setup( - paths.IPACLIENT_INSTALL_LOG, verbose=True, debug=False, - filemode='a', console_format='%(message)s') os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE diff --git a/roles/ipaclient/module_utils/ansible_ipa_client.py b/roles/ipaclient/module_utils/ansible_ipa_client.py index c8870a35..345ad1d7 100644 --- a/roles/ipaclient/module_utils/ansible_ipa_client.py +++ b/roles/ipaclient/module_utils/ansible_ipa_client.py @@ -225,6 +225,9 @@ if NUM_VERSION >= 40400: sssd_enable_ifp = None logger = logging.getLogger("ipa-client-install") + standard_logging_setup( + paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=False, + filemode='a', console_format='%(message)s') root_logger = logger else: 
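Review bot: The `standard_logging_setup(` call added after `logger = logging.getLogger("ipa-client-install")` sits inside the `NUM_VERSION >= 40400` branch, yet this commit adds no import of standard_logging_setup to this file, while the replica and server module_utils in the same patch add `from ipapython.ipa_log_manager import standard_logging_setup` explicitly; if the name is not already imported earlier in the file (outside this hunk), importing the module_utils fails with NameError. Because the call now runs at import time, every Ansible module that imports ansible_ipa_client appends to paths.IPACLIENT_INSTALL_LOG on each invocation, not only ipaclient_setup_nss as before; that looks intended but deserves a comment such as `# Installer log: configured once at import so every module using this module_utils appends to the same log file`. The enclosing `if NUM_VERSION >= 40400:` block starts outside the hunk.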
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py index 3b06da68..76df774f 100644 --- a/roles/ipareplica/module_utils/ansible_ipa_replica.py +++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py @@ -65,6 +65,7 @@ if NUM_VERSION >= 40600: from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS from ipapython.dn import DN from ipapython.admintool import ScriptError + from ipapython.ipa_log_manager import standard_logging_setup from ipaplatform import services from ipaplatform.tasks import tasks from ipaplatform.paths import paths @@ -121,8 +122,10 @@ else: logger = logging.getLogger("ipa-server-install") -logger.setLevel(logging.DEBUG) - +#logger.setLevel(logging.DEBUG) +standard_logging_setup( + paths.IPAREPLICA_INSTALL_LOG, verbose=False, debug=False, + filemode='a', console_format='%(message)s') @contextlib_contextmanager def redirect_stdout(f): @@ -227,6 +230,10 @@ options.disable_dnssec_master = False options.kasp_db_file = None options.force = False +# ServerReplicaInstall +options.subject_base = None +options.ca_subject = None + def api_Backend_ldap2(host_name, setup_ca, connect=False): # we are sure we have the configuration file ready. diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py index 6713ae8c..ae5d16af 100644 --- a/roles/ipaserver/module_utils/ansible_ipa_server.py +++ b/roles/ipaserver/module_utils/ansible_ipa_server.py @@ -56,6 +56,7 @@ if NUM_VERSION >= 40500: from ipaclient.install.ipachangeconf import IPAChangeConf from ipalib.install import certmonger, sysrestore from ipapython import ipautil + from ipapython.ipa_log_manager import standard_logging_setup if NUM_VERSION < 40600: from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import ( 
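Review bot: In ansible_ipa_replica.py the new module-level `standard_logging_setup(` call after `logger = logging.getLogger("ipa-server-install")` is unconditional, but the import added in the `@@ -65` hunk (`from ipapython.ipa_log_manager import standard_logging_setup`) is inside the `if NUM_VERSION >= 40600:` branch, so on an older NUM_VERSION the module raises NameError at import unless the `else:` branch (outside the hunk) already aborts. The same split is introduced in ansible_ipa_server.py, where the import goes under `if NUM_VERSION >= 40500:` in the `@@ -56` hunk and the call in the `@@ -132` hunk is unconditional. `#logger.setLevel(logging.DEBUG)` is commented-out code and should be deleted rather than kept; the setup call also leaves only one blank line before `@contextlib_contextmanager`, where the file's style (and PEP 8) uses two.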
@@ -132,7 +133,10 @@ else: logger = logging.getLogger("ipa-server-install") -logger.setLevel(logging.DEBUG) +#logger.setLevel(logging.DEBUG) +standard_logging_setup( + paths.IPASERVER_INSTALL_LOG, verbose=False, debug=False, + filemode='a', console_format='%(message)s') @contextlib_contextmanager From 2cffd6ebf9edd80b01f921141e181ec40c961148 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Wed, 17 Apr 2019 14:36:50 +0200 Subject: [PATCH 2/8] ipaclient_setup_ntp: Use time sync code from 4.6.4 if sync_time is not defined The FreeIPA versions since 4.7.0 are using chrony and also the new sync_time function for time synchronization which has been added to ipaclient/install/client.py. The old version in ipaclient_setup_ntp has been updated to the code that has been used in 4.6.4. --- .../ipaclient/library/ipaclient_setup_ntp.py | 65 ++++++++++--------- 1 file changed, 34 insertions(+), 31 deletions(-) diff --git a/roles/ipaclient/library/ipaclient_setup_ntp.py b/roles/ipaclient/library/ipaclient_setup_ntp.py index d7b4f3b7..9f941942 100644 --- a/roles/ipaclient/library/ipaclient_setup_ntp.py +++ b/roles/ipaclient/library/ipaclient_setup_ntp.py @@ -115,11 +115,11 @@ def main(): cli_domain = module.params.get('domain') options.conf_ntp = not options.no_ntp + options.debug = False fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) - ntp_servers = [ ] synced_ntp = False if sync_time is not None: if options.conf_ntp: 
@@ -133,40 +133,43 @@ def main(): else: logger.info("Skipping chrony configuration") - elif not options.on_master and options.conf_ntp: - # Attempt to sync time with IPA server. - # If we're skipping NTP configuration, we also skip the time sync here. - # We assume that NTP servers are discoverable through SRV records - # in the DNS. - # If that fails, we try to sync directly with IPA server, - # assuming it runs NTP - if not options.ntp_servers: - # Detect NTP servers + else: + ntp_srv_servers = [ ] + if not options.on_master and options.conf_ntp: + # Attempt to sync time with IPA server. + # If we're skipping NTP configuration, we also skip the time sync here. + # We assume that NTP servers are discoverable through SRV records + # in the DNS. + # If that fails, we try to sync directly with IPA server, + # assuming it runs NTP + logger.info('Synchronizing time with KDC...') ds = ipadiscovery.IPADiscovery() - ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', - None, break_on_first=False) - else: - ntp_servers = options.ntp_servers + ntp_srv_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', + None, break_on_first=False) + synced_ntp = False + ntp_servers = ntp_srv_servers - # Attempt to sync time: - # At first with given or dicovered time servers. If no ntp - # servers have been given or discovered, then with the ipa - # server. 
- module.log('Synchronizing time ...') - synced_ntp = False - # use user specified NTP servers if there are any - for s in ntp_servers: - synced_ntp = timeconf.synconce_ntp(s, False) - if synced_ntp: - break - if not synced_ntp and not ntp_servers: - synced_ntp = timeconf.synconce_ntp(cli_server[0], False) - if not synced_ntp: - module.warn("Unable to sync time with NTP server") + # use user specified NTP servers if there are any + if options.ntp_servers: + ntp_servers = options.ntp_servers + + for s in ntp_servers: + synced_ntp = ntpconf.synconce_ntp(s, options.debug) + if synced_ntp: + break + + if not synced_ntp and not options.ntp_servers: + synced_ntp = timeconf.synconce_ntp(cli_server[0], options.debug) + if not synced_ntp: + module.warn( + "Unable to sync time with NTP " + "server, assuming the time is in sync. Please check " + "that 123 UDP port is opened.") + else: + logger.info('Skipping synchronizing time with NTP server.') # Done - module.exit_json(changed=True, - synced_ntp=synced_ntp) + module.exit_json(changed=synced_ntp) if __name__ == '__main__': main() From bbaaf1f74c78cc461b41e900ce6d5e0ec1232a90 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Wed, 17 Apr 2019 14:43:59 +0200 Subject: [PATCH 3/8] ipa[server,replica,client]: Do not enforce ansible_fqdn as hostname The ansible_fqdn hostname has been enforced to be set and used in ipaserver, ipareplica and also ipaclient role. This has been removed as the hostname should only be set if specified explicitly with ipa[server,replica,client]_hostname. --- roles/ipaclient/tasks/install.yml | 6 +++--- roles/ipareplica/tasks/install.yml | 2 +- roles/ipaserver/tasks/install.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml index 606087e0..6434bd1d 100644 --- a/roles/ipaclient/tasks/install.yml +++ b/roles/ipaclient/tasks/install.yml 
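Review bot: The new loop calls `ntpconf.synconce_ntp(s, options.debug)` while the fallback a few lines later calls `timeconf.synconce_ntp(cli_server[0], options.debug)`; the removed code used timeconf in both places, so unless `ntpconf` is a name this module imports (not visible in the hunk), the first discovered or user-specified NTP server raises NameError instead of syncing. Both calls should use the same object: `synced_ntp = timeconf.synconce_ntp(s, options.debug)`. `module.exit_json(changed=synced_ntp)` also drops the `synced_ntp` result key and derives `changed` solely from the time-sync outcome; any playbook reading `result.synced_ntp`, and the chrony path in the `if sync_time is not None` branch above (which starts outside this hunk and may change the system without setting synced_ntp), should be checked against that.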
@@ -35,7 +35,7 @@ domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}" servers: "{{ ipaclient_servers | default(omit) }}" realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}" - hostname: "{{ ipaclient_hostname | default(ansible_fqdn) }}" + hostname: "{{ ipaclient_hostname | default(omit) }}" ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}" ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}" no_ntp: "{{ ipaclient_no_ntp }}" @@ -166,8 +166,8 @@ - name: Install - Backup and set hostname ipaclient_set_hostname: - hostname: "{{ result_ipaclient_test.hostname }}" - when: not ipaclient_on_master | bool + hostname: "{{ ipaclient_hostname }}" + when: not ipaclient_on_master | bool and ipaclient_hostname is defined - name: Install - Join IPA ipaclient_join: diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 47279a0c..334b745d 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml @@ -42,7 +42,7 @@ domain: "{{ ipareplica_domain | default(ipaserver_domain) | default(omit) }}" servers: "{{ groups.ipaservers | default(groups.ipaserver) | default(omit) }}" realm: "{{ ipareplica_realm | default(omit) }}" - hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}" + hostname: "{{ ipareplica_hostname | default(omit) }}" ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}" ### server ### setup_adtrust: "{{ ipareplica_setup_adtrust }}" diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index 32374f32..2e652847 100644 --- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml 
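Review bot: In the `@@ -166` hunk, `when: not ipaclient_on_master | bool and ipaclient_hostname is defined` guards `ipaclient_set_hostname` on definedness only, so a playbook that sets `ipaclient_hostname: ""` now runs the module with an empty hostname, and `ipaclient_hostname | default(omit)` in the `@@ -35` hunk passes that same empty value to ipaclient_test because `default` only fires for undefined variables. A stricter guard such as `when: not ipaclient_on_master | bool and ipaclient_hostname is defined and ipaclient_hostname | length > 0` avoids that. The later tasks still read `result_ipaclient_test.hostname`, so ipaclient_test presumably derives the hostname itself when the parameter is omitted — worth confirming, since that module is outside this diff.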
@@ -36,7 +36,7 @@ ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}" domain: "{{ ipaserver_domain | default(omit) }}" realm: "{{ ipaserver_realm | default(omit) }}" - hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}" + hostname: "{{ ipaserver_hostname | default(omit) }}" ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}" no_host_dns: "{{ ipaserver_no_host_dns }}" ### server ### From 0954f8457272eec6b0784bd7f4629a05e82cb7fd Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Wed, 17 Apr 2019 15:08:36 +0200 Subject: [PATCH 4/8] ipa[server,replica,client]: Do not use meta end_play Meta end_play has been used as a simple solution to end the playbook processing in special conditions, like for example when the deployment was already done before. meta end_play has been replaced with blocks and conditions for these blocks. Fixes: #70 (Avoid using meta end_play) --- roles/ipaclient/tasks/install.yml | 204 ++++++++++++++--------------- roles/ipareplica/tasks/install.yml | 9 +- roles/ipaserver/tasks/install.yml | 10 +- 3 files changed, 112 insertions(+), 111 deletions(-) diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml index 6434bd1d..9a148f9d 100644 --- a/roles/ipaclient/tasks/install.yml +++ b/roles/ipaclient/tasks/install.yml 
@@ -53,20 +53,12 @@ enable_dns_updates: "{{ ipassd_enable_dns_updates }}" register: result_ipaclient_test -- meta: end_play - when: result_ipaclient_test.client_already_configured and not ipaclient_allow_repair | bool and not ipaclient_force_join | bool - -- name: Install - Set default principal if no keytab is given - set_fact: - ipaadmin_principal: admin - when: ipaadmin_principal is undefined and ipaclient_keytab is undefined - -- name: Install - Cleanup leftover ccache - file: - path: "/etc/ipa/.dns_ccache" - state: absent - - block: + - name: Install - Cleanup leftover ccache + file: + path: "/etc/ipa/.dns_ccache" + state: absent + - name: Install - Configure NTP ipaclient_setup_ntp: ### basic ### @@ -143,6 +135,14 @@ when: ipaclient_use_otp | bool - block: + # This block is executed only when + # not (not ipaclient_on_master | bool and + # not result_ipaclient_join.changed and + # not ipaclient_allow_repair | bool and + # (result_ipaclient_test_keytab.krb5_keytab_ok or + # (result_ipaclient_join.already_joined is defined and + # result_ipaclient_join.already_joined))) + - name: Install - Check if principal and keytab are set fail: msg="Principal and keytab cannot be used together" when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != "" @@ -187,10 +187,6 @@ when: not ipaclient_on_master | bool and (not result_ipaclient_test_keytab.krb5_keytab_ok or ipaclient_force_join) - block: - - name: Install - End playbook processing - file: - path: "/etc/ipa/.dns_ccache" - state: absent - fail: msg: "The krb5 configuration is not correct, please enable allow_repair to fix this." when: not result_ipaclient_test_keytab.krb5_conf_ok 
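Review bot: The `@@ -53` hunk removes the task `Install - Set default principal if no keytab is given` (`set_fact: ipaadmin_principal: admin`) without adding it back anywhere in this patch, and the commit message only mentions replacing `meta: end_play`; if the join or API tasks later in the file rely on `ipaadmin_principal` when neither a principal nor a keytab is given, playbooks that depended on the implicit `admin` default now behave differently. Either restore the task inside the new block or state in the commit message that the default was dropped on purpose. The comment added in the `@@ -143` hunk copies the block's full `when:` expression; a one-line statement of intent such as `# Skipped when the client is already joined and neither allow_repair nor force_join is set` would age better than a second copy of the expression.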
@@ -200,104 +196,106 @@ - fail: msg: "The ca.crt file is missing, please enable allow_repair to fix this." when: not result_ipaclient_test_keytab.ca_crt_exists - - meta: end_play when: not ipaclient_on_master | bool and not result_ipaclient_join.changed and not ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined)) - - name: Install - Configure IPA default.conf - ipaclient_ipa_conf: - servers: "{{ result_ipaclient_test.servers }}" - domain: "{{ result_ipaclient_test.domain }}" - realm: "{{ result_ipaclient_test.realm }}" - hostname: "{{ result_ipaclient_test.hostname }}" - basedn: "{{ result_ipaclient_test.basedn }}" - when: not ipaclient_on_master | bool + - block: + - name: Install - Configure IPA default.conf + ipaclient_ipa_conf: + servers: "{{ result_ipaclient_test.servers }}" + domain: "{{ result_ipaclient_test.domain }}" + realm: "{{ result_ipaclient_test.realm }}" + hostname: "{{ result_ipaclient_test.hostname }}" + basedn: "{{ result_ipaclient_test.basedn }}" + when: not ipaclient_on_master | bool - - name: Install - Configure SSSD - ipaclient_setup_sssd: - servers: "{{ result_ipaclient_test.servers }}" - domain: "{{ result_ipaclient_test.domain }}" - realm: "{{ result_ipaclient_test.realm }}" - hostname: "{{ result_ipaclient_test.hostname }}" - on_master: "{{ ipaclient_on_master }}" - no_ssh: "{{ ipaclient_no_ssh }}" - no_sshd: "{{ ipaclient_no_sshd }}" - no_sudo: "{{ ipaclient_no_sudo }}" - all_ip_addresses: "{{ ipaclient_all_ip_addresses }}" - fixed_primary: "{{ ipassd_fixed_primary }}" - permit: "{{ ipassd_permit }}" - enable_dns_updates: "{{ ipassd_enable_dns_updates }}" - preserve_sssd: "{{ ipassd_preserve_sssd }}" - no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}" + - name: Install - Configure SSSD + ipaclient_setup_sssd: + servers: "{{ result_ipaclient_test.servers }}" + domain: "{{ result_ipaclient_test.domain 
}}" + realm: "{{ result_ipaclient_test.realm }}" + hostname: "{{ result_ipaclient_test.hostname }}" + on_master: "{{ ipaclient_on_master }}" + no_ssh: "{{ ipaclient_no_ssh }}" + no_sshd: "{{ ipaclient_no_sshd }}" + no_sudo: "{{ ipaclient_no_sudo }}" + all_ip_addresses: "{{ ipaclient_all_ip_addresses }}" + fixed_primary: "{{ ipassd_fixed_primary }}" + permit: "{{ ipassd_permit }}" + enable_dns_updates: "{{ ipassd_enable_dns_updates }}" + preserve_sssd: "{{ ipassd_preserve_sssd }}" + no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}" - - name: Install - Configure krb5 for IPA realm - ipaclient_setup_krb5: - realm: "{{ result_ipaclient_test.realm }}" - domain: "{{ result_ipaclient_test.domain }}" - servers: "{{ result_ipaclient_test.servers }}" - kdc: "{{ result_ipaclient_test.kdc }}" - dnsok: "{{ result_ipaclient_test.dnsok }}" - client_domain: "{{ result_ipaclient_test.client_domain }}" - hostname: "{{ result_ipaclient_test.hostname }}" - sssd: "{{ result_ipaclient_test.sssd }}" - force: "{{ ipaclient_force }}" - #on_master: "{{ ipaclient_on_master }}" - when: not ipaclient_on_master | bool + - name: Install - Configure krb5 for IPA realm + ipaclient_setup_krb5: + realm: "{{ result_ipaclient_test.realm }}" + domain: "{{ result_ipaclient_test.domain }}" + servers: "{{ result_ipaclient_test.servers }}" + kdc: "{{ result_ipaclient_test.kdc }}" + dnsok: "{{ result_ipaclient_test.dnsok }}" + client_domain: "{{ result_ipaclient_test.client_domain }}" + hostname: "{{ result_ipaclient_test.hostname }}" + sssd: "{{ result_ipaclient_test.sssd }}" + force: "{{ ipaclient_force }}" + #on_master: "{{ ipaclient_on_master }}" + when: not ipaclient_on_master | bool - - name: Install - IPA API calls for remaining enrollment parts - ipaclient_api: - servers: "{{ result_ipaclient_test.servers }}" - realm: "{{ result_ipaclient_test.realm }}" - hostname: "{{ result_ipaclient_test.hostname }}" - #debug: yes - register: result_ipaclient_api + - name: Install - IPA API 
calls for remaining enrollment parts + ipaclient_api: + servers: "{{ result_ipaclient_test.servers }}" + realm: "{{ result_ipaclient_test.realm }}" + hostname: "{{ result_ipaclient_test.hostname }}" + #debug: yes + register: result_ipaclient_api - - name: Install - Fix IPA ca - ipaclient_fix_ca: - servers: "{{ result_ipaclient_test.servers }}" - realm: "{{ result_ipaclient_test.realm }}" - basedn: "{{ result_ipaclient_test.basedn }}" - allow_repair: "{{ ipaclient_allow_repair }}" - when: not ipaclient_on_master | bool and result_ipaclient_test_keytab.krb5_keytab_ok and not result_ipaclient_test_keytab.ca_crt_exists + - name: Install - Fix IPA ca + ipaclient_fix_ca: + servers: "{{ result_ipaclient_test.servers }}" + realm: "{{ result_ipaclient_test.realm }}" + basedn: "{{ result_ipaclient_test.basedn }}" + allow_repair: "{{ ipaclient_allow_repair }}" + when: not ipaclient_on_master | bool and result_ipaclient_test_keytab.krb5_keytab_ok and not result_ipaclient_test_keytab.ca_crt_exists - - name: Install - Create IPA NSS database - ipaclient_setup_nss: - servers: "{{ result_ipaclient_test.servers }}" - domain: "{{ result_ipaclient_test.domain }}" - realm: "{{ result_ipaclient_test.realm }}" - basedn: "{{ result_ipaclient_test.basedn }}" - hostname: "{{ result_ipaclient_test.hostname }}" - subject_base: "{{ result_ipaclient_api.subject_base }}" - principal: "{{ ipaadmin_principal | default(omit) }}" - mkhomedir: "{{ ipaclient_mkhomedir }}" - ca_enabled: "{{ result_ipaclient_api.ca_enabled }}" - on_master: "{{ ipaclient_on_master }}" + - name: Install - Create IPA NSS database + ipaclient_setup_nss: + servers: "{{ result_ipaclient_test.servers }}" + domain: "{{ result_ipaclient_test.domain }}" + realm: "{{ result_ipaclient_test.realm }}" + basedn: "{{ result_ipaclient_test.basedn }}" + hostname: "{{ result_ipaclient_test.hostname }}" + subject_base: "{{ result_ipaclient_api.subject_base }}" + principal: "{{ ipaadmin_principal | default(omit) }}" + mkhomedir: "{{ 
ipaclient_mkhomedir }}" + ca_enabled: "{{ result_ipaclient_api.ca_enabled }}" + on_master: "{{ ipaclient_on_master }}" - - name: Install - Configure SSH and SSHD - ipaclient_setup_ssh: - servers: "{{ result_ipaclient_test.servers }}" - sssd: "{{ result_ipaclient_test.sssd }}" - no_ssh: "{{ ipaclient_no_ssh }}" - ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}" - no_sshd: "{{ ipaclient_no_sshd }}" + - name: Install - Configure SSH and SSHD + ipaclient_setup_ssh: + servers: "{{ result_ipaclient_test.servers }}" + sssd: "{{ result_ipaclient_test.sssd }}" + no_ssh: "{{ ipaclient_no_ssh }}" + ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}" + no_sshd: "{{ ipaclient_no_sshd }}" - - name: Install - Configure automount - ipaclient_setup_automount: - servers: "{{ result_ipaclient_test.servers }}" - sssd: "{{ result_ipaclient_test.sssd }}" - automount_location: "{{ ipaautomount_location | default(omit) }}" + - name: Install - Configure automount + ipaclient_setup_automount: + servers: "{{ result_ipaclient_test.servers }}" + sssd: "{{ result_ipaclient_test.sssd }}" + automount_location: "{{ ipaautomount_location | default(omit) }}" - - name: Install - Configure firefox - ipaclient_setup_firefox: - firefox_dir: "{{ ipaclient_firefox_dir | default(omit) }}" - when: ipaclient_configure_firefox | bool + - name: Install - Configure firefox + ipaclient_setup_firefox: + firefox_dir: "{{ ipaclient_firefox_dir | default(omit) }}" + when: ipaclient_configure_firefox | bool - - name: Install - Configure NIS - ipaclient_setup_nis: - domain: "{{ result_ipaclient_test.domain }}" - nisdomain: "{{ ipaclient_nisdomain | default(omit)}}" - when: not ipaclient_no_nisdomain | bool + - name: Install - Configure NIS + ipaclient_setup_nis: + domain: "{{ result_ipaclient_test.domain }}" + nisdomain: "{{ ipaclient_nisdomain | default(omit)}}" + when: not ipaclient_no_nisdomain | bool - when: not ansible_check_mode + when: not (not ipaclient_on_master | bool and not result_ipaclient_join.changed and not 
ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined))) + + when: not ansible_check_mode and not (result_ipaclient_test.client_already_configured and not ipaclient_allow_repair | bool and not ipaclient_force_join | bool) always: - name: Cleanup leftover ccache diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 334b745d..59dd0ded 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml @@ -68,10 +68,11 @@ no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}" register: result_ipareplica_test -- meta: end_play - when: result_ipareplica_test.client_already_configured is defined or result_ipareplica_test.server_already_configured is defined - - block: + # This block is executed only when + # not ansible_check_mode and + # not (result_ipareplica_test.client_already_configured is defined or + # result_ipareplica_test.server_already_configured is defined) - name: Install - Setup client include_role: @@ -626,4 +627,4 @@ state: absent when: result_ipareplica_enable_ipa.changed - when: not ansible_check_mode + when: not ansible_check_mode and not (result_ipareplica_test.client_already_configured is defined or result_ipareplica_test.server_already_configured is defined) diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index 2e652847..aaf07800 100644 --- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml 
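Review bot: The block's closing `when: not (not ipaclient_on_master | bool and not result_ipaclient_join.changed and not ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (...)))` is the third copy of the same seven-term expression in this file (it also appears in the comment at the top of the block and, un-negated, on the `fail` tasks above), and three copies will drift. Compute it once, e.g. a `set_fact` right after the join task (a name like `ipaclient_skip_config` is only a suggestion), and use `when: not ipaclient_skip_config` on the block and its negation on the fail tasks. The same comment-plus-`when:` duplication of the removed `meta: end_play` condition is introduced in roles/ipareplica/tasks/install.yml and roles/ipaserver/tasks/install.yml below.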
@@ -93,10 +93,12 @@ ### additional ### register: result_ipaserver_test -- meta: end_play - when: not result_ipaserver_test.changed and (result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined) - - block: + # This block is executed only when + # not ansible_check_mode and + # not (not result_ipaserver_test.changed and + # (result_ipaserver_test.client_already_configured is defined or + # result_ipaserver_test.server_already_configured is defined) - block: - name: Install - Master password creation @@ -390,4 +392,4 @@ {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }} when: ipaserver_setup_firewalld | bool - when: not ansible_check_mode + when: not ansible_check_mode and not (not result_ipaserver_test.changed and (result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined)) From 482e3e944fa00c21fdea0d13ba2f1cbca7b67875 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Wed, 17 Apr 2019 16:58:06 +0200 Subject: [PATCH 5/8] ipaserver_test: Fix traceback caused by an Error In case of an RuntimeError, ValueError or ScriptError the fail_json call was done on module instead of ansible_module. module simply does not exist. --- roles/ipaserver/library/ipaserver_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py index c9f7cce2..a451b9f5 100644 --- a/roles/ipaserver/library/ipaserver_test.py +++ b/roles/ipaserver/library/ipaserver_test.py @@ -730,7 +730,7 @@ def main(): adtrust.install_check(False, options, api) except (RuntimeError, ValueError, ScriptError) as e: - module.fail_json(msg=str(e)) + ansible_module.fail_json(msg=str(e)) finally: try: From 3967743a593509492a9359a2236caefa5cfd61f7 Mon Sep 17 00:00:00 2001 
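Review bot: The explanatory comment added at the top of the block in roles/ipaserver/tasks/install.yml is missing the closing parenthesis of `not (not result_ipaserver_test.changed and (...)`; the `when:` in the `@@ -390` hunk has it right, so the comment's last line should read `# result_ipaserver_test.server_already_configured is defined))`. Since the comment only repeats the condition already on the block's `when:`, a shorter statement of intent, e.g. `# Skipped in check mode, and when the test step changed nothing because server or client is already configured`, is less likely to drift from the expression it describes.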
From: Thomas Woerner
Date: Wed, 17 Apr 2019 17:02:12 +0200
Subject: [PATCH 6/8] roles/ipareplica/defaults/main.yml: Remove unused settings

The settings ipareplica_add_sids and ipareplica_add_agents are not used in the ipareplica role. Therefore they have been removed.
---
 roles/ipareplica/defaults/main.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/roles/ipareplica/defaults/main.yml b/roles/ipareplica/defaults/main.yml
index d60c68c9..5fe168fa 100644
--- a/roles/ipareplica/defaults/main.yml
+++ b/roles/ipareplica/defaults/main.yml
@@ -30,8 +30,6 @@ ipareplica_no_forwarders: no
 ipareplica_auto_forwarders: no
 ipareplica_no_dnssec_validation: no
 ### ad trust ###
-ipareplica_add_sids: no
-ipareplica_add_agents: no
 ipareplica_enable_compat: no
 ### uninstall ###
 ipareplica_ignore_topology_disconnect: no

From a980aec1f83bc4c3fb8679a8c67d180aec223f7e Mon Sep 17 00:00:00 2001
From: Thomas Woerner Date: Wed, 17 Apr 2019 17:05:44 +0200 Subject: [PATCH 7/8] ipaserver_setup_adtrust: Add missing settings for adtrust and module There have been missing settings that have not been provided to ipaserver_setup_adtrust. These are: enable_compat, rid_base and secondary_rid_base. The settings rid_base and secondary_rid_base are now initialized in ipaserver_test and propagated in the results. The two settings netbios_name and reset_netbios_name are placed in the adtrust binding in the adtrust.install_check call. These are now saved when ipaserver_test finishes and are written back in the fist steps of ipaserver_setup_adtrust to make adtrust.install working. The settings add_sids and add_agents are now initialized in ansible_ipa_server in the same way as in ServerMasterInstall. These settings are fixed in the server deployment. --- roles/ipaserver/library/ipaserver_prepare.py | 3 +++ .../library/ipaserver_setup_adtrust.py | 19 +++++++++++++++++-- roles/ipaserver/library/ipaserver_test.py | 12 +++++++++--- .../module_utils/ansible_ipa_server.py | 5 +++++ roles/ipaserver/tasks/install.yml | 11 +++++++++-- 5 files changed, 43 insertions(+), 7 deletions(-) diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py index 51ad8b86..8bf5738e 100644 --- a/roles/ipaserver/library/ipaserver_prepare.py +++ b/roles/ipaserver/library/ipaserver_prepare.py @@ -167,6 +167,9 @@ def main(): options.forward_policy = ansible_module.params.get('forward_policy') options.no_dnssec_validation = ansible_module.params.get( 'no_dnssec_validation') + ### ad trust ### + options.enable_compat = ansible_module.params.get('enable_compat') + options.netbios_name = ansible_module.params.get('netbios_name') ### additional ### options.setup_ca = ansible_module.params.get('setup_ca') options._host_name_overridden = ansible_module.params.get( 
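Review bot: `options.enable_compat = ansible_module.params.get('enable_compat')` and the `netbios_name` line below it read two parameters that this hunk does not add to the module's argument_spec (which lies outside the hunk); unless `enable_compat` and `netbios_name` are already declared there, Ansible rejects the new `enable_compat:` / `netbios_name:` arguments that roles/ipaserver/tasks/install.yml passes in this same patch before main() runs at all. The previously commented-out `# enable_compat` / `# netbios_name` lines in install.yml suggest they were declared, but the diff does not show it, so confirm. A short `### ad trust ###` header is added, matching the neighbouring sections — good.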
diff --git a/roles/ipaserver/library/ipaserver_setup_adtrust.py b/roles/ipaserver/library/ipaserver_setup_adtrust.py index fdc559d3..29166e11 100644 --- a/roles/ipaserver/library/ipaserver_setup_adtrust.py +++ b/roles/ipaserver/library/ipaserver_setup_adtrust.py @@ -54,8 +54,15 @@ def main(): argument_spec = dict( # basic hostname=dict(required=False), - setup_ca=dict(required=True, type='bool', default=False), - setup_adtrust=dict(required=True, type='bool', default=False), + setup_ca=dict(required=False, type='bool', default=False), + setup_adtrust=dict(required=False, type='bool', default=False), + ### ad trust ### + enable_compat=dict(required=False, type='bool', default=False), + rid_base=dict(required=False, type='int'), + secondary_rid_base=dict(required=False, type='int'), + ### additional ### + adtrust_netbios_name=dict(required=True), + adtrust_reset_netbios_name=dict(required=True, type='bool') ), ) @@ -67,6 +74,14 @@ def main(): options.host_name = ansible_module.params.get('hostname') options.setup_ca = ansible_module.params.get('setup_ca') options.setup_adtrust = ansible_module.params.get('setup_adtrust') + ### ad trust ### + options.enable_compat = ansible_module.params.get('enable_compat') + options.rid_base = ansible_module.params.get('rid_base') + options.secondary_rid_base = ansible_module.params.get('secondary_rid_base') + ### additional ### + adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name') + adtrust.reset_netbios_name = \ + ansible_module.params.get('adtrust_reset_netbios_name') # init ########################################################## diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py index a451b9f5..63856511 100644 --- a/roles/ipaserver/library/ipaserver_test.py +++ b/roles/ipaserver/library/ipaserver_test.py 
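Review bot: `adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name')` and the following `adtrust.reset_netbios_name = ...` write state into the imported `adtrust` module's globals; that is the mechanism the commit message describes (install_check sets them in ipaserver_test, install() reads them here in a separate process), but nothing in the code says so. Add a comment above the two lines such as `# adtrust.install() reads netbios_name/reset_netbios_name from module globals that adtrust.install_check() populated in ipaserver_test; restore them here because each Ansible module runs in its own process`. `adtrust_netbios_name=dict(required=True)` in the first hunk is fed from `result_ipaserver_test.adtrust_netbios_name`, which originates from `netbios_name=dict(required=False)` in ipaserver_test; if install_check can leave that value as None, this module may fail on a missing required argument — confirm that install_check always fills it in. The `required=True` + `default=False` contradiction on `setup_ca`/`setup_adtrust` is correctly resolved to `required=False`.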
@@ -115,8 +115,9 @@ def main(): ### ad trust ### enable_compat=dict(required=False, type='bool', default=False), netbios_name=dict(required=False), - rid_base=dict(required=False, type='int'), - secondary_rid_base=dict(required=False, type='int'), + rid_base=dict(required=False, type='int', default=1000), + secondary_rid_base=dict(required=False, type='int', + default=100000000), ### additional ### ), @@ -779,12 +780,17 @@ def main(): forward_policy=options.forward_policy, forwarders=options.forwarders, no_dnssec_validation=options.no_dnssec_validation, + ### ad trust ### + rid_base=options.rid_base, + secondary_rid_base=options.secondary_rid_base, ### additional ### _installation_cleanup=_installation_cleanup, domainlevel=options.domainlevel, dns_ip_addresses=[ str(ip) for ip in dns.ip_addresses ], - dns_reverse_zones=dns.reverse_zones) + dns_reverse_zones=dns.reverse_zones, + adtrust_netbios_name=adtrust.netbios_name, + adtrust_reset_netbios_name=adtrust.reset_netbios_name) if __name__ == '__main__': main() diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py index ae5d16af..dfa26031 100644 --- a/roles/ipaserver/module_utils/ansible_ipa_server.py +++ b/roles/ipaserver/module_utils/ansible_ipa_server.py @@ -199,6 +199,11 @@ class options_obj(object): options = options_obj() installer = options +# ServerMasterInstall +options.add_sids = True +options.add_agents = False + + def api_Backend_ldap2(host_name, setup_ca, connect=False): # we are sure we have the configuration file ready. cfg = dict(context='installer', confdir=paths.ETC_IPA, in_server=True, diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index aaf07800..f482bc08 100644 --- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml 
@@ -144,8 +144,8 @@ auto_forwarders: "{{ ipaserver_auto_forwarders }}" no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}" ### ad trust ### - # enable_compat - # netbios_name + enable_compat: "{{ ipaserver_enable_compat }}" + netbios_name: "{{ ipaserver_netbios_name | default(omit) }}" # rid_base # secondary_rid_base ### additional ### @@ -313,6 +313,13 @@ hostname: "{{ result_ipaserver_test.hostname }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" + ### ad trust ### + enable_compat: "{{ ipaserver_enable_compat }}" + rid_base: "{{ result_ipaserver_test.rid_base }}" + secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}" + ### additional ### + adtrust_netbios_name: "{{ result_ipaserver_test.adtrust_netbios_name }}" + adtrust_reset_netbios_name: "{{ result_ipaserver_test.adtrust_reset_netbios_name }}" when: result_ipaserver_test.setup_adtrust - name: Install - Set DS password From 832d2333801bcf7520a9c8a743dc2f45da137b4a Mon Sep 17 00:00:00 2001 
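Review bot: `# rid_base` and `# secondary_rid_base` remain commented out in the ipaserver_test call of install.yml, so a user-set `ipaserver_rid_base` never reaches the module and the hard-coded defaults always win, whereas the replica role does pass `ipareplica_rid_base | default(omit)`. If the server role should allow the same, the fix is `rid_base: "{{ ipaserver_rid_base | default(omit) }}"` plus the matching line for secondary_rid_base; if not, replace the two comment lines with a note saying the defaults are intentionally fixed. `enable_compat: "{{ ipaserver_enable_compat }}"` has no `default(...)` filter, unlike `netbios_name`, so the play fails on an undefined variable unless defaults/main.yml defines it; confirm.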
From: Thomas Woerner Date: Thu, 18 Apr 2019 11:52:43 +0200 Subject: [PATCH 8/8] ipareplica_setup_adtrust: Add missing settings for adtrust and module There have been missing settings that have not been provided to ipareplica_setup_adtrust. These are: enable_compat, rid_base and secondary_rid_base. The settings rid_base and secondary_rid_base are now initialized in ipareplica_prepare and propagated in the results. The two settings netbios_name and reset_netbios_name are placed in the adtrust binding in the adtrust.install_check call. These are now saved when ipareplica_prepare finishes and are written back in the fist steps of ipareplica_setup_adtrust to make adtrust.install working. The settings add_sids and add_agents are now initialized in ansible_ipa_replica in the same way as in ServerMasterInstall. These settings are fixed in the replica deployment. Related: #73 (ipaserver_setup_adtrust fails on default smb.conf) --- .../ipareplica/library/ipareplica_prepare.py | 17 ++++++++++++++- .../library/ipareplica_setup_adtrust.py | 21 ++++++++++++------- .../module_utils/ansible_ipa_replica.py | 4 ++++ roles/ipareplica/tasks/install.yml | 8 ++++++- 4 files changed, 41 insertions(+), 9 deletions(-) diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py index 0d965c3c..7e4d8911 100644 --- a/roles/ipareplica/library/ipareplica_prepare.py +++ b/roles/ipareplica/library/ipareplica_prepare.py @@ -184,6 +184,11 @@ def main(): no_dnssec_validation=dict(required=False, type='bool', default=False), ### ad trust ### + enable_compat=dict(required=False, type='bool', default=False), + netbios_name=dict(required=False), + rid_base=dict(required=False, type='int', default=1000), + secondary_rid_base=dict(required=False, type='int', + default=100000000), ### additional ### server=dict(required=True), skip_conncheck=dict(required=False, type='bool'), 
@@ -243,6 +248,11 @@ def main(): options.forward_policy = ansible_module.params.get('forward_policy') options.no_dnssec_validation = ansible_module.params.get( 'no_dnssec_validationdnssec_validation') + ### ad trust ### + options.enable_compat = ansible_module.params.get('enable_compat') + options.netbios_name = ansible_module.params.get('netbios_name') + options.rid_base = ansible_module.params.get('rid_base') + options.secondary_rid_base = ansible_module.params.get('secondary_rid_base') ### additional ### #options._host_name_overridden = ansible_module.params.get( @@ -701,7 +711,12 @@ def main(): config_setup_ca=config.setup_ca, config_master_host_name=config.master_host_name, config_ca_host_name=config.ca_host_name, - config_ips=[ str(ip) for ip in config.ips ]) + config_ips=[ str(ip) for ip in config.ips ], + ### ad trust ### + rid_base=options.rid_base, + secondary_rid_base=options.secondary_rid_base, + adtrust_netbios_name=adtrust.netbios_name, + adtrust_reset_netbios_name=adtrust.reset_netbios_name) if __name__ == '__main__': main() diff --git a/roles/ipareplica/library/ipareplica_setup_adtrust.py b/roles/ipareplica/library/ipareplica_setup_adtrust.py index 34838daa..565aee11 100644 --- a/roles/ipareplica/library/ipareplica_setup_adtrust.py +++ b/roles/ipareplica/library/ipareplica_setup_adtrust.py @@ -37,9 +37,6 @@ short description: Setup adtrust description: Setup adtrust options: - setup_adtrust: - description: - required: yes setup_kra: description: required: yes 
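Review bot: The context line directly above the new assignments in ipareplica_prepare.py reads `ansible_module.params.get('no_dnssec_validationdnssec_validation')`; if that is the real source and not an artifact of this listing, `get()` silently returns None on every run and the user's no_dnssec_validation setting is ignored, so it should be `'no_dnssec_validation'` (pre-existing, but it sits right next to the new code). `options.netbios_name` is taken raw from the parameters here while the commit description says the validated value is the one bound by `adtrust.install_check`; a comment such as `# raw input only; adtrust.install_check validates and binds the effective name` would stop someone from using the option directly. The `options.secondary_rid_base = ...` line exceeds 79 columns. main() continues outside the hunk.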
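Review bot: `adtrust_netbios_name=adtrust.netbios_name` in the `exit_json` call of ipareplica_prepare.py reads a module-global that is only assigned when `adtrust.install_check` ran, which presumably happens only for setup_adtrust; for every other replica the call relies on the `ipaserver.install.adtrust` module defining a default for that attribute and raises AttributeError on any IPA version that does not. `getattr(adtrust, 'netbios_name', None)` and the same for `reset_netbios_name` make the result robust regardless of which branch ran. The rest of main() is outside the hunk.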
@@ -75,10 +72,16 @@ def main(): ansible_module = AnsibleModule( argument_spec = dict( ### server ### - setup_adtrust=dict(required=False, type='bool'), setup_kra=dict(required=False, type='bool'), ### certificate system ### subject_base=dict(required=True), + ### ad trust ### + enable_compat=dict(required=False, type='bool', default=False), + rid_base=dict(required=False, type='int'), + secondary_rid_base=dict(required=False, type='int'), + ### additional ### + adtrust_netbios_name=dict(required=True), + adtrust_reset_netbios_name=dict(required=True, type='bool'), ### additional ### ccache=dict(required=True), _top_dir = dict(required=True), @@ -95,18 +98,23 @@ def main(): options = installer ### server ### - options.setup_adtrust = ansible_module.params.get('setup_adtrust') options.setup_kra = ansible_module.params.get('setup_kra') ### certificate system ### options.subject_base = ansible_module.params.get('subject_base') if options.subject_base is not None: options.subject_base = DN(options.subject_base) - ### additional ### + ### ad trust ### + options.enable_compat = ansible_module.params.get('enable_compat') + options.rid_base = ansible_module.params.get('rid_base') + options.secondary_rid_base = ansible_module.params.get('secondary_rid_base') ### additional ### ccache = ansible_module.params.get('ccache') os.environ['KRB5CCNAME'] = ccache options._top_dir = ansible_module.params.get('_top_dir') options.setup_ca = ansible_module.params.get('setup_ca') config_master_host_name = ansible_module.params.get('config_master_host_name') + adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name') + adtrust.reset_netbios_name = \ + ansible_module.params.get('adtrust_reset_netbios_name') # init # @@ -133,7 +141,6 @@ def main(): api.Backend.ldap2.connect() with redirect_stdout(ansible_log): - #if options.setup_adtrust: ansible_log.debug("-- INSTALL ADTRUST --") adtrust.install(False, options, fstore, api) 
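Review bot: The DOCUMENTATION block of ipareplica_setup_adtrust.py loses its `setup_adtrust` entry in the preceding hunk but gains no entries for the five options added to `argument_spec` here (enable_compat, rid_base, secondary_rid_base, adtrust_netbios_name, adtrust_reset_netbios_name), so `ansible-doc` now describes fewer of the module's inputs than before. Each needs a `description:`/`required:` entry, and the two `adtrust_*` ones should say they are produced by ipareplica_prepare rather than set by users. The new `### additional ###` header directly precedes the pre-existing one, leaving two identical section comments back to back; one should go.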
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py index 76df774f..92bf1cda 100644 --- a/roles/ipareplica/module_utils/ansible_ipa_replica.py +++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py @@ -230,6 +230,10 @@ options.disable_dnssec_master = False options.kasp_db_file = None options.force = False +# ServerMasterInstall +options.add_sids = True +options.add_agents = False + # ServerReplicaInstall options.subject_base = None options.ca_subject = None diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 59dd0ded..dc4c0e79 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml @@ -159,6 +159,7 @@ forward_policy: "{{ ipareplica_forward_policy | default(omit) }}" no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}" ### ad trust ### + enable_compat: "{{ ipareplica_enable_compat }}" netbios_name: "{{ ipareplica_netbios_name | default(omit) }}" rid_base: "{{ ipareplica_rid_base | default(omit) }}" secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}" 
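Review bot: The `# ServerMasterInstall` comment above `options.add_sids = True` in ansible_ipa_replica.py names the wrong installer class for a replica module and gives no reason for the fixed values; the commit description says they are deliberately set as in ServerMasterInstall, which is what the comment should say, e.g. `# add_sids/add_agents fixed as in ServerMasterInstall; not configurable via the role`. The same two lines exist in ansible_ipa_server.py, so a note that both copies must stay in sync helps too.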
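Review bot: `enable_compat: "{{ ipareplica_enable_compat }}"` in the ipareplica_prepare call is the only new line in that block without a `default(...)` filter, while the neighbouring netbios_name, rid_base and secondary_rid_base all use `default(omit)`; unless defaults/main.yml defines `ipareplica_enable_compat`, the play fails with an undefined variable. Either confirm the default exists or write `enable_compat: "{{ ipareplica_enable_compat | default(false) }}"`, which also matches the module's own `default=False`.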
@@ -595,15 +596,20 @@ - name: Install - Setup adtrust ipareplica_setup_adtrust: ### replica ### - setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}" setup_kra: "{{ result_ipareplica_test.setup_kra }}" ### certificate system ### subject_base: "{{ result_ipareplica_prepare.subject_base }}" + ### ad trust ### + enable_compat: "{{ ipareplica_enable_compat }}" + rid_base: "{{ result_ipareplica_prepare.rid_base }}" + secondary_rid_base: "{{ result_ipareplica_prepare.secondary_rid_base }}" ### additional ### ccache: "{{ result_ipareplica_prepare.ccache }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}" + adtrust_netbios_name: "{{ result_ipareplica_prepare.adtrust_netbios_name }}" + adtrust_reset_netbios_name: "{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}" when: result_ipareplica_test.setup_adtrust #- name: Install - Disconnect backend
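Review bot: With the module's own `setup_adtrust` parameter removed, the `when: result_ipareplica_test.setup_adtrust` guard is now the only thing keeping `adtrust.install` from running on every replica, and that deserves a comment on the task, e.g. `# sole gate: ipareplica_setup_adtrust no longer checks setup_adtrust itself`. `enable_compat` is the one value taken from the raw role variable `ipareplica_enable_compat`, whereas rid_base, secondary_rid_base and the adtrust_* values all come from `result_ipareplica_prepare`; returning enable_compat from prepare as well would keep a single source of truth between the two steps.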