The first validation test of the krb5.keytab is now done using the system
krb5.conf file. If this test failed, then the validation will be done with
the temporary krb5.conf file.
An additional IPA test has been added. For now this is "ipa ping" as there
seems not to be a more comprehensive validation test for proper IPA
configuration.
A big block has been added that contains all steps where the ccache is
created and used. With the block it is possible to add an always clause to
remove the ccache also in the error case. The cleanup of the ccache is
also done in the beginning to make sure that no ccache leftover will be
used.
The subject base generated in discovery is only a guess and might have been
changed by the admin at installation process. Therefore it is needed to
get this from the server - done in ipaapi as we are authenticated there already
to use the api.
The subject base generated in discovery is only a guess and might have been
changed by the admin at installation process. Therefore it is needed to
get this from the server.
subject_base has been added as a new return value.
Use subject base from ipaapi in roles/ipaclient/tasks/install.yml instead of
guessed value from ipadiscovery.
When allow_repair is enabled, then the playbook will continue for an
already joined host. The remaining steps ipaconf, ipasssd, krb5, ipaapi,
ipanss and ipaextras will be redone.
If allow_repair is disabled, then the meta module will be
used with the end_play option to stop the processing of the playbook
without an error.
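The ccache handling and the allow_repair flow described above, as an added example in plain Ansible tasks (not the ansible-freeipa role's own tasks). Assumed variables: ipaclient_allow_repair, ipaclient_hostname, ipaclient_realm, ipaclient_temp_krb5_conf (the temporary krb5.conf written earlier) and krb5_keytab_ok (the result of the earlier keytab validation); a fresh temporary file is used as ccache so no leftover ccache can ever be picked up.

```yaml
# Added example, not the role's own code. Variables above are assumptions.
- name: Stop without error when the host is already joined and repair is not allowed
  meta: end_play
  when: krb5_keytab_ok | bool and not ipaclient_allow_repair | bool

- name: Create a private, empty ccache file (mode 0600) for this run only
  tempfile:
    state: file
    prefix: ipaclient_ccache_
  register: ccache_file

- name: All steps that create or use the ccache
  block:
    - name: Validate the keytab with the system krb5.conf first
      command: kinit -kt /etc/krb5.keytab host/{{ ipaclient_hostname }}@{{ ipaclient_realm }}
      environment:
        KRB5CCNAME: "FILE:{{ ccache_file.path }}"
      register: kinit_system
      failed_when: false
      changed_when: false

    - name: Fall back to the temporary krb5.conf only if the system one failed
      command: kinit -kt /etc/krb5.keytab host/{{ ipaclient_hostname }}@{{ ipaclient_realm }}
      environment:
        KRB5CCNAME: "FILE:{{ ccache_file.path }}"
        KRB5_CONFIG: "{{ ipaclient_temp_krb5_conf }}"
      when: kinit_system.rc != 0
      changed_when: false

    - name: Check that the IPA API accepts the obtained host ticket
      command: ipa ping
      environment:
        KRB5CCNAME: "FILE:{{ ccache_file.path }}"
      changed_when: false
  always:
    # Runs on success and on failure, so no ticket cache is left on disk
    - name: Remove the ccache also in the error case
      file:
        path: "{{ ccache_file.path }}"
        state: absent
```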
If a working krb5.keytab has been detected on the host then use_otp will be
disabled and join will not be called. This is done to preserve the keytab
entry in the host entry on the server.
Enforcing the creation of a one-time-password will result in a host-disable
call for the host entry. This will remove an existing keytab and password from
the entry.
The changed tag is only set if changes have been done with the join.
already_joined is set if the ipa-join command is failing with error 13
(already joined). The module is not calling fail_json in this case anymore.
Test if the krb5.keytab on the machine is valid and can be used.

options:
  servers:
    description: The FQDN of the IPA servers to connect to.
    required: true
  domain:
    description: The primary DNS domain of an existing IPA deployment.
    required: true
  realm:
    description: The Kerberos realm of an existing IPA deployment.
    required: true
  hostname:
    description: The hostname of the machine to join (FQDN).
    required: true
  kdc:
    description: The name or address of the host running the KDC.
    required: true
  principal:
    description: The authorized kerberos principal used to join the IPA realm.
    required: false
  kinit_attempts:
    description: Repeat the request for host Kerberos ticket X times.
    required: false
    default: 5

returns:
  krb5_keytab_ok:
    description: The flag describes if krb5.keytab on the host is usable.
    returned: always
    type: bool
If an otp has been generated it is needed to purge the realm from an existing
host keytab. If there is no host keytab or if the keytab is not containing
information about the realm, ipa-rmkeytab will fail and these two errors are
ignored.
When ipahost is run to generate an OTP and the host is already existing,
the OTP is properly generated but ipa-join will fail if the host is
already enrolled (i.e. when it has a keytab).
Add a step calling ipa host-disable to erase OTP and keytab before
requesting an OTP.
If use_otp is not enabled, then the principal will be set to "admin" after
the discovery has been done. If use_otp is enabled, then the principal will
be set to "admin" after the join has been done - as admin will not match
with the otp.
The use of otp can be forced to not transfer the admin password while setting
up the ipa client. Only the one-time-password will be transferred to the
client machine.
ipaclient_password will be overwritten by the otp password.
The one_of check was using a tuple instead of a list, the check for principal
or keytab has been removed, a new mutually exclusive check for password
xor keytab has been added.