These two settings are not set using the krb.init_info method, but used in
krb.enable_ssl.
The configuration of PKINIT fails in IPA 4.7.0 because of the issue
https://pagure.io/freeipa/issue/7655 where auto detection of the
master is not properly working. With the missing setting of krb.master_fqdn
the not workint auto detection has been triggered, which resulted in
failed PKINIT enablement.
Some settings for kra have not been correct for kra with the change to
use single Custodia instance in the installer (freeipa 994f71ac8).
These modules have been adapted:
ipareplica_custodia_import_dm_password
ipareplica_enable_ipa
ipareplica_setup_ca
ipareplica_setup_custodia
ipareplica_setup_kra
This is related to freeipa#0f31564b35aac250456233f98730811560eda664
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always be replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.
The replication conflict later causes kerberos issues, preventing
from installing a new replica.
The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.
https://pagure.io/freeipa/issue/7041
The module ipareplica_master_password has been a copy from ipaserver role
and still contained code to read the cache file. This is not needed for
the replica. Therefore there is no need also to provide the dm password
to ipareplica_master_password any more.
The use of squash_actions to invoke a package module, such as “yum”, to
only invoke the module once is deprecated, and will be removed in
Ansible 2.11.
Instead of relying on implicit squashing, tasks should instead supply
the list directly to the name, pkg or package parameter of the module.
See [1] for a reference to the upstream documentation.
The ipa-krb5 and ipa-sssd modules include *_packages variables in both
defaults/ and vars/, additionally, the list of packages in ipa-sssd differs
from one to the other.
Unify list of packages into vars/
[1]: https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.7.html#using-a-loop-on-a-package-module-via-squash-actions
This test is not properly working with EL-8 nodes as the default system
python is not located in /usr/bin. Additionally Ansible 2.8 is able to
detect the default python version on the system. As the installation
base for IPA 4.5.90 where the Python 3 bindings have not been working
properly should be really small or not existing any more the deactivation
of this test should be fine.
The hidden replica support introduced some incompatible changes to replica
deployment. The methods find_providing_server and find_providing_serves
have been moved from ipaserver.install.service to ipaserver.masters.
Additionally the host_name argument for find_providing_server is a list
now. This breaks existing ipareplica Ansible modules ipareplica_prepare
and ipareplica_enable_ipa.
The freeipa-trust service has not been added if adtrust was enabled. For
ipareplica the addition of freeipa-replication has been removed as the
used port is not used anymore since some time.
Fixes: #83 (when installing with ipaserver_setup_adtrust: true the firewalld
service freeipa-trust is not added)
The dependency is either working with galaxy or with local role collection
but not with both because the role name is for the first t_woerner.ipaclient
but for the second it needs to be ipaclient only.
There have been missing settings that have not been provided to
ipareplica_setup_adtrust. These are: enable_compat, rid_base and
secondary_rid_base.
The settings rid_base and secondary_rid_base are now initialized in
ipareplica_prepare and propagated in the results.
The two settings netbios_name and reset_netbios_name are placed in the
adtrust binding in the adtrust.install_check call. These are now saved
when ipareplica_prepare finishes and are written back in the fist steps of
ipareplica_setup_adtrust to make adtrust.install working.
The settings add_sids and add_agents are now initialized in
ansible_ipa_replica in the same way as in ServerMasterInstall. These
settings are fixed in the replica deployment.
Related: #73 (ipaserver_setup_adtrust fails on default smb.conf)
Meta end_play has been used as a simple solution to end the playbook
processing in special conditions, like for example when the deployment
was already done before.
meta end_play has been replaced with blocks and conditions for these
blocks.
Fixes: #70 (Avoid using meta end_play)
The ansible_fqdn hostname has been enforced to be set and used in
ipaserver, ipareplica and also ipaclient role. This has been removed as
the hostname should only be set if specified explicitly with
ipa[server,replica,client]_hostname.
The installer logs have not been created using the ansible ipaclient,
ipareplica and ipaserver roles. This has been fixed and the installer
logs are created now. This is a new and fixed version of 2113c79 where
verbose mode is turned off.
The call of standard_logging_setup results in verbose and debug output in
the ansible modules. This needs to be done in an altenative way.
This reverts commit 2113c79111.
The configuration of DNS failed because of missing DNS settings in the
ipareplica_prepare and ipareplica_setup_dns.
Some fixed settings for use with DNSInstallInterface have been added
to ansible_ipa_replica:
options.dnssec_master = False
options.disable_dnssec_master = False
options.kasp_db_file = None
options.force = False
Fixes: #58 (install-replica fails: reverse_zones seems to be empty)
Fixes: #63 (ipareplica_setup_dns fails)
ipaserver_master_password and ipaserver_setup_ntp have been linked from
the ipaserver role before. With the move of the module_utils parts to the
specific role locations the use of ipaserver modules leads to the missing
dependency ansible_ipa_server, that is now only available in the server
role.
The ipaserver_master_password module has been replaced by the ipareplica
specific ipareplica_master_password module. The ipaserver_setup_ntp module
has been removed as the time related changes for replica are done in the
client install part.
Fixes: #59 (Module is missing interpreter line)
