Currently ipaclient role is using the module ipaclient only for uninstallation,
and this module contains a lot of unused code.
It is simpler to directly call the command-line
ipa-client-install --uninstall -U
and remove the ipaclient module.
When the client already has a working keytab, use_otp is disabled. This creates
an issue when ipaclient_force_join is set, because the join module is called
with ipaadmin_principal and ipaadmin_password, but these variables may be
undefined if ipaadmin_keytab is used instead.
We should not disable OTP when force-join is specified.
With the test it is not needed to pin down the python interpreter for ansible
modules. It is therefore possible to use a Python2 version on Fedora-27 and
a Python3 version on Fedora-26.
In the client krb5.conf setup, a pkinit_anchors entry
was being added for pki-ca-bundle. This should instead
be kdc-ca-bundle.
Signed-off-by: Scott Poore <spoore@redhat.com>
The new results from ipatest (krb5_conf_ok and ipa_test_ok) are now used for
additional fails to suggest to enable allow_repair.
The playbook is not ended anymore if ipajoin changed something.
The rename was needed to be able to have more than one package in the list
of required packages.
For RHEL-7.3 it has been needed to add ipa-admintools to have /usr/bin/ipa
available. libselinux-python has been added for all.
Add big block has been added that contains all steps where the ccache is
created an used. With the block it is possible to add an always clause to
remove the ccachae also in the error case. The cleanup of the ccache is
also done in the beginning to make sure that no ccache leftover will be
used.
The subject base generated in discovery is only a guess and might have been
changed by the admin at installation process. Therefore it is needed to
get this from the server.
subject_base has been added as a new return value.
Use subject base form ipaapi in roles/ipaclient/tasks/install.yml instead of
guessed value from ipadiscovery.
When allow_repair is enabled, then the playbook will continue for an
already joined host. The remaining steps ipaconf, ipasssd, krb5, ipaapi,
ipanss and ipaextras will be redone.
If allow_repair is disabled, then the meta module will be
used with the end_play option to stop the processing of the playbook
without an error.
If a working krb5.keytab has been detected on the host then use_otp will be
disabled and join will not be called. This is done to preserve the keytab
entry in the host entry on the server.
Enforcing the creation of a one-time-password will result in a host-disable
call for the host entry. This will remove an existing keytab and password from
the entry.
If a otp has bene generated it is needed to purge the realm from an exising
host keytab. If there is no host keytab or if the keytab is not containing
information about the realm, ipa-rmkeytab will fail and these two errors are
ignored.
If use_otp is not enabled, then the principal will be set to "admin" after
the discovery has been done. If use_otp is enabled, then the princial will
be set to "admin" after the join has been done - as admin will not match
with the otp.
The use of otp can be forced to not transfer the admin password while setting
up the ipa client. Only the one-time-password will be transferred to the
client machine.
ipaclient_password will be overwritten by the otp password.
New variables have been added (undefined by default):
krb5_dns_canonicalize_hostname
krb5_pkinit_anchors
krb5_pkinit_pool
These are set according to the ipa version requirements. See
roles/ipaclient/tasks/install.yml
Documentation for domain, principal, keytab, ca_cert_file and kinit_attempts
has been added.
ca_certs_file has been renamed to ca_cert_file as it is used in
ipa-client-install.
