|
 |
fca774 |
From 0ec89eb53cf8771b34528ec210b2614370d9b662 Mon Sep 17 00:00:00 2001
|
|
|
fca774 |
From: Thomas Woerner <twoerner@redhat.com>
|
|
|
fca774 |
Date: Thu, 23 Mar 2023 18:13:08 +0100
|
|
|
fca774 |
Subject: [PATCH] ipaclient: ipaclient_setup_nss also needs krb_name parameter
|
|
|
fca774 |
|
|
|
fca774 |
With the fix to defer creating the final krb5.conf on clients a bug has
|
|
|
fca774 |
been introduced with ipaclient_setup_nss: The krb_name parameter that
|
|
|
fca774 |
points to the temporary krb5 configuration was not added to the module.
|
|
|
fca774 |
|
|
|
fca774 |
With a properly configured DNS (like for example IPA DNS) the krb TXT
|
|
|
fca774 |
records have been present in the DNS configuration. These have been used
|
|
|
fca774 |
automatically as a fallback and broke server affinity for the client.
|
|
|
fca774 |
Without the TXT records creating the IPA NSS database failed with
|
|
|
fca774 |
"Cannot find KDC for realm ..".
|
|
|
fca774 |
|
|
|
fca774 |
The krb_name parameter has been added to ipaclient_setup_nss and is also
|
|
|
fca774 |
properly set in tasks/install.yml.
|
|
|
fca774 |
---
|
|
|
fca774 |
roles/ipaclient/library/ipaclient_setup_nss.py | 8 ++++++++
|
|
|
fca774 |
roles/ipaclient/tasks/install.yml | 1 +
|
|
|
fca774 |
2 files changed, 9 insertions(+)
|
|
|
fca774 |
|
|
|
fca774 |
diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py
|
|
|
fca774 |
index 74ca9d4..0e8c658 100644
|
|
|
fca774 |
--- a/roles/ipaclient/library/ipaclient_setup_nss.py
|
|
|
fca774 |
+++ b/roles/ipaclient/library/ipaclient_setup_nss.py
|
|
|
fca774 |
@@ -152,6 +152,10 @@ options:
|
|
|
fca774 |
The dist of nss_ldap or nss-pam-ldapd files if sssd is disabled
|
|
|
fca774 |
required: yes
|
|
|
fca774 |
type: dict
|
|
|
fca774 |
+ krb_name:
|
|
|
fca774 |
+ description: The krb5 config file name
|
|
|
fca774 |
+ type: str
|
|
|
fca774 |
+ required: yes
|
|
|
fca774 |
author:
|
|
|
fca774 |
- Thomas Woerner (@t-woerner)
|
|
|
fca774 |
'''
|
|
|
fca774 |
@@ -167,6 +171,7 @@ EXAMPLES = '''
|
|
|
fca774 |
subject_base: O=EXAMPLE.COM
|
|
|
fca774 |
principal: admin
|
|
|
fca774 |
ca_enabled: yes
|
|
|
fca774 |
+ krb_name: /tmp/tmpkrb5.conf
|
|
|
fca774 |
'''
|
|
|
fca774 |
|
|
|
fca774 |
RETURN = '''
|
|
|
fca774 |
@@ -218,6 +223,7 @@ def main():
|
|
|
fca774 |
no_krb5_offline_passwords=dict(required=False, type='bool'),
|
|
|
fca774 |
no_dns_sshfp=dict(required=False, type='bool', default=False),
|
|
|
fca774 |
nosssd_files=dict(required=True, type='dict'),
|
|
|
fca774 |
+ krb_name=dict(required=True, type='str'),
|
|
|
fca774 |
),
|
|
|
fca774 |
supports_check_mode=False,
|
|
|
fca774 |
)
|
|
|
fca774 |
@@ -268,6 +274,8 @@ def main():
|
|
|
fca774 |
options.sssd = not options.no_sssd
|
|
|
fca774 |
options.no_ac = False
|
|
|
fca774 |
nosssd_files = module.params.get('nosssd_files')
|
|
|
fca774 |
+ krb_name = module.params.get('krb_name')
|
|
|
fca774 |
+ os.environ['KRB5_CONFIG'] = krb_name
|
|
|
fca774 |
|
|
|
fca774 |
# pylint: disable=invalid-name
|
|
|
fca774 |
CCACHE_FILE = paths.IPA_DNS_CCACHE
|
|
|
fca774 |
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
|
|
|
fca774 |
index 662f09a..1dc6fdf 100644
|
|
|
fca774 |
--- a/roles/ipaclient/tasks/install.yml
|
|
|
fca774 |
+++ b/roles/ipaclient/tasks/install.yml
|
|
|
fca774 |
@@ -382,6 +382,7 @@
|
|
|
fca774 |
| default(ipasssd_no_krb5_offline_passwords) }}"
|
|
|
fca774 |
no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
|
|
|
fca774 |
nosssd_files: "{{ result_ipaclient_test.nosssd_files }}"
|
|
|
fca774 |
+ krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}"
|
|
|
fca774 |
|
|
|
fca774 |
- name: Install - Configure SSH and SSHD
|
|
|
fca774 |
ipaclient_setup_ssh:
|
|
|
fca774 |
--
|
|
|
fca774 |
2.39.2
|
|
|
fca774 |
|
|
|
fca774 |
From 10d072a8c42e6aa91485661d02b31f79bcc89fc0 Mon Sep 17 00:00:00 2001
|
|
|
fca774 |
From: Thomas Woerner <twoerner@redhat.com>
|
|
|
fca774 |
Date: Fri, 24 Mar 2023 12:40:32 +0100
|
|
|
fca774 |
Subject: [PATCH] ipaclient: ipaclient_fix_ca also needs krb_name parameter
|
|
|
fca774 |
|
|
|
fca774 |
With the fix to defer creating the final krb5.conf on clients a bug has
|
|
|
fca774 |
been introduced with ipaclient_fix_ca: The krb_name parameter that
|
|
|
fca774 |
points to the temporary krb5 configuration was not added to the module
|
|
|
fca774 |
|
|
|
fca774 |
Without this the server affinity is broken for allow_repair and additionally
|
|
|
fca774 |
ipaclient_fix_ca could fail if krb5 configuration needs to be repraied
|
|
|
fca774 |
and also CA needs to be fixed.
|
|
|
fca774 |
|
|
|
fca774 |
The krb_name parameter has been added to ipaclient_fix_ca and is also
|
|
|
fca774 |
properly set in tasks/install.yml.
|
|
|
fca774 |
---
|
|
|
fca774 |
roles/ipaclient/library/ipaclient_fix_ca.py | 8 ++++++++
|
|
|
fca774 |
roles/ipaclient/tasks/install.yml | 1 +
|
|
|
fca774 |
2 files changed, 9 insertions(+)
|
|
|
fca774 |
|
|
|
fca774 |
diff --git a/roles/ipaclient/library/ipaclient_fix_ca.py b/roles/ipaclient/library/ipaclient_fix_ca.py
|
|
|
fca774 |
index 238b316..ede8d56 100644
|
|
|
fca774 |
--- a/roles/ipaclient/library/ipaclient_fix_ca.py
|
|
|
fca774 |
+++ b/roles/ipaclient/library/ipaclient_fix_ca.py
|
|
|
fca774 |
@@ -54,6 +54,10 @@ options:
|
|
|
fca774 |
the host entry will not be changed on the server
|
|
|
fca774 |
type: bool
|
|
|
fca774 |
required: yes
|
|
|
fca774 |
+ krb_name:
|
|
|
fca774 |
+ description: The krb5 config file name
|
|
|
fca774 |
+ type: str
|
|
|
fca774 |
+ required: yes
|
|
|
fca774 |
author:
|
|
|
fca774 |
- Thomas Woerner (@t-woerner)
|
|
|
fca774 |
'''
|
|
|
fca774 |
@@ -65,6 +69,7 @@ EXAMPLES = '''
|
|
|
fca774 |
realm: EXAMPLE.COM
|
|
|
fca774 |
basedn: dc=example,dc=com
|
|
|
fca774 |
allow_repair: yes
|
|
|
fca774 |
+ krb_name: /tmp/tmpkrb5.conf
|
|
|
fca774 |
'''
|
|
|
fca774 |
|
|
|
fca774 |
RETURN = '''
|
|
|
fca774 |
@@ -87,6 +92,7 @@ def main():
|
|
|
fca774 |
realm=dict(required=True, type='str'),
|
|
|
fca774 |
basedn=dict(required=True, type='str'),
|
|
|
fca774 |
allow_repair=dict(required=True, type='bool'),
|
|
|
fca774 |
+ krb_name=dict(required=True, type='str'),
|
|
|
fca774 |
),
|
|
|
fca774 |
)
|
|
|
fca774 |
|
|
|
fca774 |
@@ -98,6 +104,8 @@ def main():
|
|
|
fca774 |
realm = module.params.get('realm')
|
|
|
fca774 |
basedn = module.params.get('basedn')
|
|
|
fca774 |
allow_repair = module.params.get('allow_repair')
|
|
|
fca774 |
+ krb_name = module.params.get('krb_name')
|
|
|
fca774 |
+ os.environ['KRB5_CONFIG'] = krb_name
|
|
|
fca774 |
|
|
|
fca774 |
env = {'PATH': SECURE_PATH}
|
|
|
fca774 |
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
|
|
|
fca774 |
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
|
|
|
fca774 |
index 1dc6fdf..7ff2c39 100644
|
|
|
fca774 |
--- a/roles/ipaclient/tasks/install.yml
|
|
|
fca774 |
+++ b/roles/ipaclient/tasks/install.yml
|
|
|
fca774 |
@@ -346,6 +346,7 @@
|
|
|
fca774 |
realm: "{{ result_ipaclient_test.realm }}"
|
|
|
fca774 |
basedn: "{{ result_ipaclient_test.basedn }}"
|
|
|
fca774 |
allow_repair: "{{ ipaclient_allow_repair }}"
|
|
|
fca774 |
+ krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}"
|
|
|
fca774 |
when: not ipaclient_on_master | bool and
|
|
|
fca774 |
result_ipaclient_test_keytab.krb5_keytab_ok and
|
|
|
fca774 |
not result_ipaclient_test_keytab.ca_crt_exists
|
|
|
fca774 |
--
|
|
|
fca774 |
2.39.2
|
|
|
fca774 |
|