From 5bdaa9aa6f98c52f82e84fcc97b2df9a7fe730bc Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Fri, 31 May 2019 17:14:19 +0200 Subject: [PATCH] ipaclient/action_plugins/ipaclient_get_otp: Only require gssapi for keytab gssapi is only needed for OTP if keytab is used. The common case with password does not require gssapi. This change also fixes the new ansible 2.8 failure if gssapi is not installed on the controller. Ansible 2.8 seems to also transfer and load action plugins to the node if they are not used. --- README.md | 2 +- roles/ipaclient/action_plugins/ipaclient_get_otp.py | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index de0f764b..9004805b 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ Requirements **Controller** * Ansible version: 2.5+ -* python3-gssapi is required on the controller if a one time password (OTP) is used to install the client. +* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client. **Node** * Supported FreeIPA version (see above) diff --git a/roles/ipaclient/action_plugins/ipaclient_get_otp.py b/roles/ipaclient/action_plugins/ipaclient_get_otp.py index 3c480ecd..c0c5aec6 100644 --- a/roles/ipaclient/action_plugins/ipaclient_get_otp.py +++ b/roles/ipaclient/action_plugins/ipaclient_get_otp.py @@ -17,7 +17,10 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -import gssapi +try: + import gssapi +except ImportError: + gssapi = None import os import shutil import subprocess @@ -76,6 +79,9 @@ def kinit_keytab(principal, keytab, ccache_name, config): Perform kinit using principal/keytab, with the specified config file and store the TGT in ccache_name. """ + if gssapi is None: + raise ImportError("gssapi is not available") + old_config = os.environ.get('KRB5_CONFIG') os.environ['KRB5_CONFIG'] = config try: