Merge pull request #866 from t-woerner/sid_generation_always

ipaserver/ipareplica: Always generate SIDs
2026-05-14 13:32:10 +00:00 · 2022-07-28 17:35:23 +05:30
parent 809e423947 eba457d5ff
commit 452d20e28d
8 changed files with 53 additions and 15 deletions
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -141,6 +141,9 @@ options:
  setup_ca:
    description: Configure a dogtag CA
    required: yes
+  sid_generation_always:
+    description: Enable SID generation always
+    required: yes
  _hostname_overridden:
    description: The installer _hostname_overridden setting
    required: yes
@@ -215,6 +218,8 @@ def main():
            setup_ca=dict(required=False, type='bool', default=False),
            random_serial_numbers=dict(required=False, type='bool',
                                       default=False),
+            sid_generation_always=dict(required=False, type='bool',
+                                       default=False),
            _hostname_overridden=dict(required=False, type='bool',
                                      default=False),
        ),
@@ -285,6 +290,7 @@ def main():
        'random_serial_numbers')
    options._host_name_overridden = ansible_module.params.get(
        '_hostname_overridden')
+    sid_generation_always = ansible_module.params.get('sid_generation_always')
    options.kasp_db_file = None

    # init ##################################################################
@@ -377,7 +383,7 @@ def main():
            logger.debug('Starting Directory Server')
            services.knownservices.dirsrv.start(instance_name)

-        if options.setup_adtrust:
+        if options.setup_adtrust or sid_generation_always:
            with redirect_stdout(ansible_log):
                adtrust.install_check(False, options, api)

--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -225,7 +225,7 @@ from ansible.module_utils.ansible_ipa_server import (
    read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
    check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
    validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
-    encode_certificate, check_available_memory, getargspec
+    encode_certificate, check_available_memory, getargspec, adtrustinstance
 )
 from ansible.module_utils import six

@@ -394,12 +394,16 @@ def main():

    # version specific ######################################################

-    if options.setup_adtrust and not adtrust_imported:
-        # if "adtrust" not in options._allow_missing:
-        ansible_module.fail_json(msg="adtrust can not be imported")
-        # else:
-        #   options.setup_adtrust = False
-        #   ansible_module.warn(msg="adtrust is not supported, disabling")
+    sid_generation_always = False
+    if not options.setup_adtrust:
+        # pylint: disable=deprecated-method
+        argspec = getargspec(adtrustinstance.ADTRUSTInstance.__init__)
+        # pylint: enable=deprecated-method
+        if "fulltrust" in argspec.args:
+            sid_generation_always = True
+    else:
+        if not adtrust_imported:
+            ansible_module.fail_json(msg="adtrust can not be imported")

    if options.setup_kra and not kra_imported:
        # if "kra" not in options._allow_missing:
@@ -521,7 +525,8 @@ def main():
                    "You cannot specify an --enable-compat option without the "
                    "--setup-adtrust option")

-            if self.netbios_name:
+            # Deactivate test for new IPA SID generation
+            if self.netbios_name and not sid_generation_always:
                raise RuntimeError(
                    "You cannot specify a --netbios-name option without the "
                    "--setup-adtrust option")
@@ -1078,7 +1083,8 @@ def main():
                             ntp_pool=options.ntp_pool,
                             # additional
                             _installation_cleanup=_installation_cleanup,
-                             domainlevel=options.domainlevel)
+                             domainlevel=options.domainlevel,
+                             sid_generation_always=sid_generation_always)


 if __name__ == '__main__':
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -191,6 +191,7 @@
      secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
      ### additional ###
      setup_ca: "{{ result_ipaserver_test.setup_ca }}"
+      sid_generation_always: "{{ result_ipaserver_test.sid_generation_always }}"
      random_serial_numbers: no
      _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
    register: result_ipaserver_prepare
@@ -394,7 +395,8 @@
        adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"
        adtrust_reset_netbios_name:
          "{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"
-      when: result_ipaserver_test.setup_adtrust
+      when: result_ipaserver_test.setup_adtrust or
+            result_ipaserver_test.sid_generation_always

    - name: Install - Set DS password
      ipaserver_set_ds_password: