Merge pull request #866 from t-woerner/sid_generation_always

ipaserver/ipareplica: Always generate SIDs
2026-05-16 06:22:12 +00:00 · 2022-07-28 17:35:23 +05:30
parent 809e423947 eba457d5ff
commit 452d20e28d
8 changed files with 53 additions and 15 deletions
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -182,6 +182,9 @@ options:
  skip_conncheck:
    description: Skip connection check to remote master
    required: yes
+  sid_generation_always:
+    description: Enable SID generation always
+    required: yes
 author:
    - Thomas Woerner
 '''
@@ -275,6 +278,8 @@ def main():
            # additional
            server=dict(required=True),
            skip_conncheck=dict(required=False, type='bool'),
+            sid_generation_always=dict(required=False, type='bool',
+                                       default=False),
        ),
        supports_check_mode=True,
    )
@@ -350,6 +355,7 @@ def main():
    #     '_hostname_overridden')
    options.server = ansible_module.params.get('server')
    options.skip_conncheck = ansible_module.params.get('skip_conncheck')
+    sid_generation_always = ansible_module.params.get('sid_generation_always')

    # random serial numbers are master_only, therefore setting to False
    options.random_serial_numbers = False
@@ -761,7 +767,7 @@ def main():

        ansible_log.debug("-- CHECK ADTRUST --")

-        if options.setup_adtrust:
+        if options.setup_adtrust or sid_generation_always:
            adtrust.install_check(False, options, remote_api)

    except errors.ACIError:
--- a/roles/ipareplica/library/ipareplica_setup_adtrust.py
+++ b/roles/ipareplica/library/ipareplica_setup_adtrust.py
@@ -71,6 +71,9 @@ options:
  setup_ca:
    description: Configure a dogtag CA
    required: no
+  setup_adtrust:
+    description: Configure AD trust capability
+    required: yes
  config_master_host_name:
    description: The config master_host_name setting
    required: no
@@ -112,6 +115,7 @@ def main():
            ccache=dict(required=True),
            _top_dir=dict(required=True),
            setup_ca=dict(required=True, type='bool'),
+            setup_adtrust=dict(required=True, type='bool'),
            config_master_host_name=dict(required=True),
        ),
        supports_check_mode=True,
@@ -140,6 +144,7 @@ def main():
    os.environ['KRB5CCNAME'] = ccache
    options._top_dir = ansible_module.params.get('_top_dir')
    options.setup_ca = ansible_module.params.get('setup_ca')
+    options.setup_adtrust = ansible_module.params.get('setup_adtrust')
    config_master_host_name = ansible_module.params.get(
        'config_master_host_name')
    adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name')
--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -143,7 +143,7 @@ from ansible.module_utils.ansible_ipa_replica import (
    ansible_module_get_parsed_ip_addresses, service,
    redirect_stdout, create_ipa_conf, ipautil,
    x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION, getargspec
+    IPA_PYTHON_VERSION, getargspec, adtrustinstance
 )


@@ -270,6 +270,14 @@ def main():
    #    #  options.setup_adtrust = False
    #    #  ansible_module.warn(msg="adtrust is not supported, disabling")

+    sid_generation_always = False
+    if not options.setup_adtrust:
+        # pylint: disable=deprecated-method
+        argspec = getargspec(adtrustinstance.ADTRUSTInstance.__init__)
+        # pylint: enable=deprecated-method
+        if "fulltrust" in argspec.args:
+            sid_generation_always = True
+
    # if options.setup_kra and not kra_imported:
    #    # if "kra" not in options._allow_missing:
    #    ansible_module.fail_json(msg="kra can not be imported")
@@ -471,6 +479,7 @@ def main():
        # additional
        client_enrolled=client_enrolled,
        change_master_for_certmonger=change_master_for_certmonger,
+        sid_generation_always=sid_generation_always
    )


--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -46,7 +46,8 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
           "common_check", "current_domain_level",
           "check_domain_level_is_supported", "promotion_check_ipa_domain",
           "SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance",
-           "dnsname", "kernel_keyring", "krbinstance", "getargspec"]
+           "dnsname", "kernel_keyring", "krbinstance", "getargspec",
+           "adtrustinstance"]

 import sys

@@ -127,6 +128,7 @@ else:
            adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance,
            installutils, kra, krbinstance,
            otpdinstance, custodiainstance, service, upgradeinstance)
+        from ipaserver.install import adtrustinstance
        try:
            from ipaserver.masters import (
                find_providing_servers, find_providing_server)
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -749,13 +749,15 @@
      ccache: "{{ result_ipareplica_prepare.ccache }}"
      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
      setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
+      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
      config_master_host_name:
        "{{ result_ipareplica_prepare.config_master_host_name }}"
      adtrust_netbios_name:
        "{{ result_ipareplica_prepare.adtrust_netbios_name }}"
      adtrust_reset_netbios_name:
        "{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"
-    when: result_ipareplica_test.setup_adtrust
+    when: result_ipareplica_test.setup_adtrust or
+          result_ipareplica_test.sid_generation_always

  - name: Install - Enable IPA
    ipareplica_enable_ipa: