If the client is already installed and the allow_repair and force_join
options are not set end the playbook processing. This is useful if an
inventory file contains existing and new machines.
The advantage of this is that the krb5 configuration is created in the same
way as in the normal installers. The same functionality as in the normal
installers is used in ipaclient_setup_krb5. There is no need to adapt the
ipa-krb5 role or the the ask file for changes in how the krb5 configuration
is done. Additionally ipaclient_force is now a supported parameter as
it is in the normal installer.
New config option:
ipaclient_force
The variable has been added to ipaclient/defaults/main.yml.
The advantage of this is that the ipa default configuration is created in
the same way as in the normal installers. The same functionality as in the
normal installers is used in ipaclient_ipa_conf.
The no_ prefix for the ssh and sshd settings has been added back. The
naming of the settings should be the same all over the ipcalient role.
The exception is sssd here as it has been deprected and is used from
ipaclient_test.
The name for the setting ssh_trust_dns has been fixed to the command line
option name and not the internl optinos name.
ipaclient_setup_sssd is now using configure_sssd_conf from
ipaclient/install/client.py instead. This simplified the module a lot
and also adds more configuratino options for sssd.
These are new config options supported by ipaclient_setup_sssd:
ipaclient_no_sudo
ipassd_fixed_primary
ipassd_permit
ipassd_enable_dns_updates
ipassd_no_krb5_offline_passwords
ipassd_preserve_sssd
These variables have been added to ipaclient/defaults/main.yml.
The ipaclient_test module was not doing all tests that should be done
with the provided settings. All tests from ipaclient installer parts
are now part of ipaclient_test. There are some minor changes though to
make sure that the repair mode could still be used.
ansible_ipa_client bindings have been updated to fullfill new needs.
The import line of ansible_ipa_client was not correct and used a test
version of the binding that is not possible anymore due to the move of
the module_utils directories into the specific role locations.
The new module ipaclient_setup_ntp to configure and sync time with the NTP
server has been added. The irregular setting ipaclient_ntp has been removed.
The ipaclient_setup_ntp module is using either the new sync_time call or
for compatibility with older FreeIPA versions synconce_ntp.
The reference for ipaclient_ntp in REPLICA.md has been removed also.
This also fixes#55.
ipaclient_extras could configure several things internally according to
provided settings. These have been ssh, sshd, automount, firefox an also
nis. The ssh and sshd configuration is now plocated in ipaclient_setup_ssh,
the automount configuration in ipaclient_setup_automount, the firefox
configuration in ipaclient_setup_firefox and the nis configuration in
ipaclient_setup_nis.
The following additional settings have been added to
roles/ipaclient/defaults/main.yml to provide the same configruation options
as ipa-client-install does:
ipaclient_no_ssh: no
ipaclient_no_sshd: no
ipaclient_no_nisdomain: no
ipaclient_configure_firefox: no
The naming in the ipaclient role has not been following the naming scheme
and conventions used in the ipaserver and ipareplica roles. Also registered
results of modules and commands have not been unsing the result_ prefix as
in the other roles. All this has been fixed and the naming is consistent
now.
These are the renames:
ipahost -> ipaclient_get_otp
ipaapi -> ipaclient_api
ipaextras -> ipaclient_extras
ipafixca -> ipaclient_fix_ca
ipafstore -> ipaclient_fstore
ipa_facts -> ipaclient_get_facts
ipahost -> ipaclient_get_otp
ipajoin -> ipaclient_join
ipanss -> ipaclient_setup_nss
ipasssd -> ipaclient_setup_sssd
ipadiscovery -> ipaclient_test
ipatest -> ipaclient_test_keytab
With these settings for server, replica and client it is possible to skip
package installation. This is for example useful if the packages are already
installed. The settings default to yes
The setting ipareplica_no_package_install has been removed.
As the old way to include tasks is deprecated, replace static include
statements with import_tasks and dynamic ones with include_tasks.
Increaded the required ansible version to 2.5.0 to make sure that
include_tasks and import_tasks is working as expected.
Fixes issue #38
The api command to get the server config is failing with more recent
freeipa versions. Therefore another way to gather the server config using
api.Backend.rpcclient.forward has been added in case the first version
fails.
The new code is from freeipa commit 8af6accfa5734a7e9a7c92fcf38d5440482413d4
(https://github.com/freeipa/freeipa/commit/8af6accf)
This is a partly pick of the changes done by pyguy for pull request #28.
The unrelated changed on inventory files have been removed and the change
to the README has been adapted to use the "Supported Distributions" section.
The original commits by pyguy in https://github.com/pyguy/ansible-freeipa
are:
commit 1ed1fa845eafd69432b1fd1fc8e5329e4991e84a
Author: pyguy <hr.josheghani@gmail.com>
Date: Mon Jun 25 17:17:31 2018 +0430
Ubuntu Support added
commit 9a4a7c84e4af20af27e814aba4fc2c6b8b35ec0f
Author: pyguy <hr.josheghani@gmail.com>
Date: Sun Jun 24 10:58:07 2018 +0430
Ubuntu support added
These roles will most likely not work in the common case. Therefore the roles
have been renamed.
The ipa-krpb5 role is used by ipcalient, but the ipa-sssd role is currently
not used.
As the action plugin is used with the default python interpreter and
the change to python3 for FreeIPA, the use of OTP was not working anymore.
The ansible_python_interpreter is not automatically used for the module
part of the action plugin. Therefore ansible_python_interpreter needed to
be added to the action plugin call as a new var to make sure that the
module part is used with the proper python version.
Also a new import for the Python2/3 import test has been added to discover
of the server is supporting python2 or python3. The old
ansible_python_interpreter setting is saved before doing this and restored
after the one-time password has been generated on the server.
With IPA 4.7 bigger changes have been introduced
Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- A new option ntp_pool has been introduced.
paths.KDESTROY instead of "kdestroy" and paths.GETENT instead of "getent"
Affected modules:
roles/ipaclient/library/ipahost.py
roles/ipaclient/library/ipajoin.py
roles/ipaclient/library/ipanss.py
The directories library and action_plugins do only contain ipaclient specific
modules and plugins. Therefore these directories should be located in the
ipaclient role directory.
krb5 DNS discovery was not possible in cluster environments as the server
list from groups.ipaserver was used all the time. DNS discovery is though
only used if no servers are given.
The new setting ipaclient_no_dns_lookup has been added to make sure that
DNS lookup is used in the first place and can be disabled easily with this
setting. There is also a new way to override servers per client in the
inventory file with ipaclient_servers.
Two new settings have been added:
ipaclient_no_dns_lookup (bool, default: no)
Set to 'yes' to use groups.ipaserver in cluster environments as servers
for the clients. This deactivates DNS lookup in krb5.
ipaclient_servers (list of strings, default: undefined)
Manually override list of servers for example in a cluster environment on
a per client basis. The list of servers is normally taken from from
groups.ipaserver in cluster environments.
The krb5 DNS lookup settings krb5_dns_lookup_realm and krb5_dns_lookup_kdc
ans also the servers have not been set properly set if no server has been
specified and discovery succeeded. This has been fixed.
This fixes issue #23.
- Do not register a change in the playbook run when registering the
variable checking for whether or not Python 3 imports work
Signed-off-by: Kellin <kellin@retromud.org>
The client role is used also while installing the server. There has been an
issue where the server installation has not been complete because of a
playbook termination in the client.
This has been fixed and the client and also the server are fully configured
in the server installation.
The relative import of the distribution specific vars files requires to use
is not working. {{ role_path }} needs to be used to force the load of the
proper files.
The server role has different setting names:
- groups.ipaserver: groups.ipaservers
- ipaserver_domain: ipaclient_domain
- ipaserver_realm: ipaclient_realm
Both need to be supported to be able to sue the client role within the server
role, but also standalone.
Attempt to sync time if on_master is not set and no_ntp is not set: At
first with given or dicovered time servers. If no ntp servers have been
given or discovered, then with the ipa server.
New parameters:
on_master:
description: IPA client installation on IPA server
required: false
default: false
type: bool
default: no
ntp_servers:
description: List of NTP servers to use
required: false
type: list
default: []
no_ntp:
description: Do not sync time and do not detect time servers
required: false
default: false
type: bool
default: no
The ntp_servers output parameter is now always an empty list if on_master
or no_ntp is set.
ipaclient_hostname needs to be specified in the inventory file for the hosts
where the name needs to get changed.
Example:
192.168.1.1 ipaclient_hostname=ipaclient1.mine.local
The option should not be specified in [ipaclients:vars] as all hosts would
get the same name.
With ansible 2.3.1 it is possible to have one place as an additional utils
module to do all the needed steps to be able to generate the environment for
new and older ipa versions.
The library modules are now a lot smaller.
The minimal ansible version has been increased to 2.3.1.
In the future it might now also be possible to have a special
ansible_ipa_client version for ipa < 4.4 in this utils module.
