krb5 DNS discovery was not possible in cluster environments as the server
list from groups.ipaserver was used all the time. DNS discovery is though
only used if no servers are given.
The new setting ipaclient_no_dns_lookup has been added to make sure that
DNS lookup is used in the first place and can be disabled easily with this
setting. There is also a new way to override servers per client in the
inventory file with ipaclient_servers.
Two new settings have been added:
ipaclient_no_dns_lookup (bool, default: no)
Set to 'yes' to use groups.ipaserver in cluster environments as servers
for the clients. This deactivates DNS lookup in krb5.
ipaclient_servers (list of strings, default: undefined)
Manually override list of servers for example in a cluster environment on
a per client basis. The list of servers is normally taken from from
groups.ipaserver in cluster environments.
Attempt to sync time if on_master is not set and no_ntp is not set: At
first with given or dicovered time servers. If no ntp servers have been
given or discovered, then with the ipa server.
New parameters:
on_master:
description: IPA client installation on IPA server
required: false
default: false
type: bool
default: no
ntp_servers:
description: List of NTP servers to use
required: false
type: list
default: []
no_ntp:
description: Do not sync time and do not detect time servers
required: false
default: false
type: bool
default: no
The ntp_servers output parameter is now always an empty list if on_master
or no_ntp is set.
When allow_repair is enabled, then the playbook will continue for an
already joined host. The remaining steps ipaconf, ipasssd, krb5, ipaapi,
ipanss and ipaextras will be redone.
If allow_repair is disabled, then the meta module will be
used with the end_play option to stop the processing of the playbook
without an error.
The use of otp can be forced to not transfer the admin password while setting
up the ipa client. Only the one-time-password will be transferred to the
client machine.
ipaclient_password will be overwritten by the otp password.
