diff --git a/.ansible-freeipa.metadata b/.ansible-freeipa.metadata index 035cfbf..a00700e 100644 --- a/.ansible-freeipa.metadata +++ b/.ansible-freeipa.metadata @@ -1 +1 @@ -c4d984a5760e18c642703728f847fd9a8e4d2d7a SOURCES/ansible-freeipa-1.8.3.tar.gz +03f590ebf93439a08c56f8b98e61f38619309556 SOURCES/ansible-freeipa-1.9.2.tar.gz diff --git a/.gitignore b/.gitignore index b89a6c4..b2787d0 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/ansible-freeipa-1.8.3.tar.gz +SOURCES/ansible-freeipa-1.9.2.tar.gz diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch deleted file mode 100644 index be0dbca..0000000 --- a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch +++ /dev/null 
@@ -1,435 +0,0 @@ -From 3c8d6c7c7aec408b3b68440982929e30e7d69130 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Mon, 5 Sep 2022 17:18:00 -0300 -Subject: [PATCH] ipaconfig: Add support for SID related attributes. - -Since FreeIPA 4.9.8 the 'config_mod' command has parameters to enable -and configure SIDs, and set the Netbios name. - -This patch adds the following parameters to ipaconfig plugin: - enable_sids: New users and groups automatically get a SID assigned - add_sids: Add SIDs for existing users and groups - netbios_name: NetBIOS name of the IPA domain - -Both add_sids and netbios_name requires 'enable_sid: yes'. - -'enable_sid' and 'netbios_name' are returned when querying IPA -configuration. - -'add_sids' always generate SIDs for users and groups, so, muiltiple -executions of the playbook with 'add_sids: yes' will return 'changed', -even if users and groups SIDs are not modified. - -A new test playbook is available: - - tests/config/test_config_sid.yml - -New examples playbooks are available: - - playbooks/config/change-ipa-domain-netbios-name.yml - playbooks/config/generate-users-groups-sids.yml - -Fixes: #781 -Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069174 -Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069184 ---- - README-config.md | 42 ++++++ - .../config/change-ipa-domain-netbios-name.yml | 12 ++ - .../config/generate-users-groups-sids.yml | 12 ++ - plugins/modules/ipaconfig.py | 120 +++++++++++++++++- - tests/azure/templates/variables_centos-7.yaml | 9 +- - tests/config/test_config_sid.yml | 70 ++++++++++ - 6 files changed, 256 insertions(+), 9 deletions(-) - create mode 100644 playbooks/config/change-ipa-domain-netbios-name.yml - create mode 100644 playbooks/config/generate-users-groups-sids.yml - create mode 100644 tests/config/test_config_sid.yml - -diff --git a/README-config.md b/README-config.md -index 17c85f1..13023ea 100644 ---- a/README-config.md -+++ b/README-config.md -@@ -65,6 +65,9 @@ Example playbook 
to read config options: - maxusername: 64 - ``` - -+ -+Example playbook to set global configuration options: -+ - ```yaml - --- - - name: Playbook to ensure some config options are set -@@ -79,6 +82,40 @@ Example playbook to read config options: - ``` - - -+Example playbook to enable SID and generate users and groups SIDs: -+ -+```yaml -+--- -+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs -+ hosts: ipaserver -+ become: no -+ gather_facts: no -+ -+ tasks: -+ - name: Enable SID and generate users and groups SIDS -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ add_sids: yes -+``` -+ -+Example playbook to change IPA domain NetBIOS name: -+ -+```yaml -+--- -+- name: Playbook to change IPA domain netbios name -+ hosts: ipaserver -+ become: no -+ gather_facts: no -+ -+ tasks: -+ - name: Set IPA domain netbios name -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ netbios_name: IPADOM -+``` -+ - Variables - ========= - -@@ -111,6 +148,9 @@ Variable | Description | Required - `user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no - `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no - `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no -+`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no -+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no -+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. 
(bool) | no - - - Return Values -@@ -140,6 +180,8 @@ Variable | Description | Returned When -   | `user_auth_type` |   -   | `domain_resolution_order` |   -   | `ca_renewal_master_server` |   -+  | `enable_sid` |   -+  | `netbios_name` |   - - All returned fields take the same form as their namesake input parameters - -diff --git a/playbooks/config/change-ipa-domain-netbios-name.yml b/playbooks/config/change-ipa-domain-netbios-name.yml -new file mode 100644 -index 0000000..04e56b3 ---- /dev/null -+++ b/playbooks/config/change-ipa-domain-netbios-name.yml -@@ -0,0 +1,12 @@ -+--- -+- name: Playbook to change IPA domain netbios name -+ hosts: ipaserver -+ become: no -+ gather_facts: no -+ -+ tasks: -+ - name: Set IPA domain netbios name -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ netbios_name: IPADOM -diff --git a/playbooks/config/generate-users-groups-sids.yml b/playbooks/config/generate-users-groups-sids.yml -new file mode 100644 -index 0000000..9df85ba ---- /dev/null -+++ b/playbooks/config/generate-users-groups-sids.yml -@@ -0,0 +1,12 @@ -+--- -+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs -+ hosts: ipaserver -+ become: no -+ gather_facts: no -+ -+ tasks: -+ - name: Enable SID and generate users and groups SIDS -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ add_sids: yes -diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py -index 6731e37..d1f1398 100644 ---- a/plugins/modules/ipaconfig.py -+++ b/plugins/modules/ipaconfig.py -@@ -148,6 +148,24 @@ options: - required: false - type: list - aliases: ["ipadomainresolutionorder"] -+ enable_sid: -+ description: > -+ New users and groups automatically get a SID assigned. -+ Requires IPA 4.9.8+. -+ required: false -+ type: bool -+ netbios_name: -+ description: > -+ NetBIOS name of the IPA domain. -+ Requires IPA 4.9.8+ and 'enable_sid: yes'. 
-+ required: false -+ type: string -+ add_sids: -+ description: > -+ Add SIDs for existing users and groups. -+ Requires IPA 4.9.8+ and 'enable_sid: yes'. -+ required: false -+ type: bool - ''' - - EXAMPLES = ''' -@@ -169,6 +187,24 @@ EXAMPLES = ''' - ipaadmin_password: SomeADMINpassword - defaultshell: /bin/bash - maxusername: 64 -+ -+- name: Playbook to enable SID and generate users and groups SIDs -+ hosts: ipaserver -+ tasks: -+ - name: Enable SID and generate users and groups SIDS -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ add_sids: yes -+ -+- name: Playbook to change IPA domain netbios name -+ hosts: ipaserver -+ tasks: -+ - name: Enable SID and generate users and groups SIDS -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ netbios_name: IPADOM - ''' - - RETURN = ''' -@@ -247,6 +283,14 @@ config: - domain_resolution_order: - description: list of domains used for short name qualification - returned: always -+ enable_sid: -+ description: > -+ new users and groups automatically get a SID assigned. -+ Requires IPA 4.9.8+. -+ returned: always -+ netbios_name: -+ description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+. 
-+ returned: if enable_sid is True - ''' - - -@@ -260,6 +304,28 @@ def config_show(module): - return _result["result"] - - -+def get_netbios_name(module): -+ try: -+ _result = module.ipa_command_no_name("trustconfig_show", {"all": True}) -+ except Exception: # pylint: disable=broad-except -+ return None -+ else: -+ return _result["result"]["ipantflatname"][0] -+ -+ -+def is_enable_sid(module): -+ """When 'enable-sid' is true admin user and admins group have SID set.""" -+ _result = module.ipa_command("user_show", "admin", {"all": True}) -+ sid = _result["result"].get("ipantsecurityidentifier", [""]) -+ if not sid[0].endswith("-500"): -+ return False -+ _result = module.ipa_command("group_show", "admins", {"all": True}) -+ sid = _result["result"].get("ipantsecurityidentifier", [""]) -+ if not sid[0].endswith("-512"): -+ return False -+ return True -+ -+ - def main(): - ansible_module = IPAAnsibleModule( - argument_spec=dict( -@@ -313,7 +379,10 @@ def main(): - aliases=["ipauserauthtype"]), - ca_renewal_master_server=dict(type="str", required=False), - domain_resolution_order=dict(type="list", required=False, -- aliases=["ipadomainresolutionorder"]) -+ aliases=["ipadomainresolutionorder"]), -+ enable_sid=dict(type="bool", required=False), -+ add_sids=dict(type="bool", required=False), -+ netbios_name=dict(type="str", required=False), - ), - supports_check_mode=True, - ) -@@ -344,7 +413,10 @@ def main(): - "pac_type": "ipakrbauthzdata", - "user_auth_type": "ipauserauthtype", - "ca_renewal_master_server": "ca_renewal_master_server", -- "domain_resolution_order": "ipadomainresolutionorder" -+ "domain_resolution_order": "ipadomainresolutionorder", -+ "enable_sid": "enable_sid", -+ "netbios_name": "netbios_name", -+ "add_sids": "add_sids", - } - allow_empty_string = ["pac_type", "user_auth_type", "configstring"] - reverse_field_map = {v: k for k, v in field_map.items()} -@@ -394,11 +466,47 @@ def main(): - changed = False - exit_args = {} - -- # Connect to IPA API -- with 
ansible_module.ipa_connect(): -+ # Connect to IPA API (enable-sid requires context == 'client') -+ with ansible_module.ipa_connect(context="client"): -+ has_enable_sid = ansible_module.ipa_command_param_exists( -+ "config_mod", "enable_sid") - - result = config_show(ansible_module) -+ - if params: -+ netbios_name = params.get("netbios_name") -+ if netbios_name: -+ netbios_name = netbios_name.upper() -+ add_sids = params.get("add_sids") -+ enable_sid = params.get("enable_sid") -+ required_sid = any([netbios_name, add_sids]) -+ if required_sid and not enable_sid: -+ ansible_module.fail_json( -+ "'enable-sid: yes' required for 'netbios_name' " -+ "and 'add-sids'." -+ ) -+ if enable_sid: -+ if not has_enable_sid: -+ ansible_module.fail_json( -+ "This version of IPA does not support 'enable-sid'.") -+ if ( -+ netbios_name -+ and netbios_name == get_netbios_name(ansible_module) -+ ): -+ del params["netbios_name"] -+ netbios_name = None -+ if not add_sids and "add_sids" in params: -+ del params["add_sids"] -+ if ( -+ not any([netbios_name, add_sids]) -+ and is_enable_sid(ansible_module) -+ ): -+ del params["enable_sid"] -+ else: -+ for param in ["enable_sid", "netbios_name", "add_sids"]: -+ if param in params: -+ del params[params] -+ - params = { - k: v for k, v in params.items() - if k not in result or result[k] != v -@@ -458,6 +566,10 @@ def main(): - # Add empty domain_resolution_order if it is not set - if "domain_resolution_order" not in exit_args: - exit_args["domain_resolution_order"] = [] -+ # Set enable_sid -+ if has_enable_sid: -+ exit_args["enable_sid"] = is_enable_sid(ansible_module) -+ exit_args["netbios_name"] = get_netbios_name(ansible_module) - - # Done - ansible_module.exit_json(changed=changed, config=exit_args) -#diff --git a/tests/azure/templates/variables_centos-7.yaml b/tests/azure/templates/variables_centos-7.yaml -#index 586d5ec..8628af2 100644 -#--- a/tests/azure/templates/variables_centos-7.yaml -#+++ 
b/tests/azure/templates/variables_centos-7.yaml -#@@ -12,8 +12,7 @@ -# # -# --- -# variables: -#- empty: true -#-# ipa_enabled_modules: >- -#-# ipa_enabled_tests: >- -#-# ipa_disabled_modules: >- -#-# ipa_disabled_tests: >- -#+ # ipa_enabled_modules: >- -#+ # ipa_enabled_tests: >- -#+ # ipa_disabled_modules: >- -#+ ipa_disabled_tests: test_config_sid -diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml -new file mode 100644 -index 0000000..1761795 ---- /dev/null -+++ b/tests/config/test_config_sid.yml -@@ -0,0 +1,70 @@ -+--- -+- name: Test config -+ hosts: "{{ ipa_test_host | default('ipaserver') }}" -+ become: no -+ gather_facts: no -+ -+ tasks: -+ -+ # GET CURRENT CONFIG -+ -+ - name: Return current values of the global configuration options -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ register: previous -+ -+ # TESTS -+ - block: -+ - name: Ensure SID is enabled. -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ register: result -+ failed_when: result.failed or previous.config.enable_sid == result.changed -+ -+ - name: Ensure SID is enabled, again. 
-+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ register: result -+ failed_when: result.failed or result.changed -+ -+ - name: Ensure netbios_name is "IPATESTPLAY" -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ netbios_name: IPATESTPLAY -+ register: result -+ failed_when: result.failed or not result.changed -+ -+ - name: Ensure netbios_name is "IPATESTPLAY", again -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ netbios_name: IPATESTPLAY -+ register: result -+ failed_when: result.failed or result.changed -+ -+ # add_sids is not idempotent as it always tries to generate the missing -+ # SIDs for users and groups. -+ - name: Add SIDs to users and groups. -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ add_sids: yes -+ -+ # REVERT TO PREVIOUS CONFIG -+ always: -+ # Once SID is enabled, it cannot be reverted. -+ - name: Revert netbios_name to original configuration -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ netbios_name: "{{ previous.config.netbios_name | default(omit) }}" -+ enable_sid: yes --- -2.37.3 - diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch deleted file mode 100644 index ed62b05..0000000 --- a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From 320168071ff56c00ff65870e781a261075fccc66 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Wed, 21 Sep 2022 18:28:55 -0300 -Subject: [PATCH] ipaconfig: Do not allow enable_sid set to False. - -Once enabled, SID cannot be disabled. This patch ensures that an error -is raised if one tries to disable SID. ---- - README-config.md | 2 +- - plugins/modules/ipaconfig.py | 15 ++++++++------- - tests/config/test_config_sid.yml | 13 +++++++++++++ - 3 files changed, 22 insertions(+), 8 deletions(-) - -diff --git a/README-config.md b/README-config.md -index 13023ea..d6fe40a 100644 ---- a/README-config.md -+++ b/README-config.md -@@ -148,7 +148,7 @@ Variable | Description | Required - `user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no - `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no - `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no --`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no -+`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no - `netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no - `add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no - -diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py -index 87810b2..9c19afb 100644 ---- a/plugins/modules/ipaconfig.py -+++ b/plugins/modules/ipaconfig.py -@@ -175,7 +175,7 @@ options: - enable_sid: - description: > - New users and groups automatically get a SID assigned. -- Requires IPA 4.9.8+. -+ Cannot be deactivated once activated. Requires IPA 4.9.8+. 
- required: false - type: bool - netbios_name: -@@ -525,11 +525,16 @@ def main(): - result = config_show(ansible_module) - - if params: -+ enable_sid = params.get("enable_sid") -+ sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module) -+ -+ if sid_is_enabled and enable_sid is False: -+ ansible_module.fail_json(msg="SID cannot be disabled.") -+ - netbios_name = params.get("netbios_name") - if netbios_name: - netbios_name = netbios_name.upper() - add_sids = params.get("add_sids") -- enable_sid = params.get("enable_sid") - required_sid = any([netbios_name, add_sids]) - if required_sid and not enable_sid: - ansible_module.fail_json( -@@ -551,13 +556,9 @@ def main(): - del params["add_sids"] - if ( - not any([netbios_name, add_sids]) -- and is_enable_sid(ansible_module) -+ and sid_is_enabled - ): - del params["enable_sid"] -- else: -- for param in ["enable_sid", "netbios_name", "add_sids"]: -- if param in params: -- del params[params] - - params = { - k: v for k, v in params.items() -diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml -index 1761795..bd550a5 100644 ---- a/tests/config/test_config_sid.yml -+++ b/tests/config/test_config_sid.yml -@@ -6,6 +6,9 @@ - - tasks: - -+ - name: Set FreeIPA facts. -+ include_tasks: ../env_freeipa_facts.yml -+ - # GET CURRENT CONFIG - - - name: Return current values of the global configuration options -@@ -32,6 +35,14 @@ - register: result - failed_when: result.failed or result.changed - -+ - name: Try to Ensure SID is disabled. -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: no -+ register: result -+ failed_when: not result.failed or "SID cannot be disabled." 
not in result.msg -+ - - name: Ensure netbios_name is "IPATESTPLAY" - ipaconfig: - ipaadmin_password: SomeADMINpassword -@@ -59,6 +70,8 @@ - enable_sid: yes - add_sids: yes - -+ # only run tests if version supports enable-sid -+ when: ipa_version is version("4.9.8", ">=") - # REVERT TO PREVIOUS CONFIG - always: - # Once SID is enabled, it cannot be reverted. --- -2.37.3 - diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch deleted file mode 100644 index 66cc686..0000000 --- a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch +++ /dev/null 
@@ -1,218 +0,0 @@ -Adapted version of - -From c808ad6e3408c2145ba660025c75531920f05d73 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Tue, 18 Oct 2022 10:26:01 -0300 -Subject: [PATCH] ipaconfig: Do not require enable_sid for add_sids or - netbios_name - -Current behavior of ipaconfig mimics FreeIPA CLI and requires that -'enable_sid' is set to True every time add_sids or netbios_name are -used. It is sufficient that SID generation is enabled to use add_sids -and netbios_name, but the IPA API requires 'enable_sid' so that the -operations are executed. - -This patch allows ansible-freeipa plugin ipaconfig to run 'add_sids' or -set 'netbios_name without requiring 'enable_sid' to be set on the -playbook. - -If SID generation is enabled, 'add_sids' and 'netbios_name' can be used -without 'enable_sid: yes'. If SID generation is not enabled, an error -message will be raised if 'enable_sid: yes' is not used. ---- - README-config.md | 4 +-- - plugins/modules/ipaconfig.py | 53 +++++++++++++++++--------------- - tests/config/test_config_sid.yml | 48 +++++++++++++++++++++++++++-- - 3 files changed, 76 insertions(+), 29 deletions(-) - -diff --git a/README-config.md b/README-config.md -index d6fe40a..a1d6117 100644 ---- a/README-config.md -+++ b/README-config.md -@@ -149,8 +149,8 @@ Variable | Description | Required - `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no - `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no - `enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no --`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no --`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no -+`netbios_name` | NetBIOS name of the IPA domain. 
Requires IPA 4.9.8+ and SID generation to be activated. | no -+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and SID generation to be activated. (bool) | no - - - Return Values -diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py -index 9c19afb..7e78492 100644 ---- a/plugins/modules/ipaconfig.py -+++ b/plugins/modules/ipaconfig.py -@@ -180,14 +180,14 @@ options: - type: bool - netbios_name: - description: > -- NetBIOS name of the IPA domain. -- Requires IPA 4.9.8+ and 'enable_sid: yes'. -+ NetBIOS name of the IPA domain. Requires IPA 4.9.8+ -+ and SID generation to be activated. - required: false - type: string - add_sids: - description: > -- Add SIDs for existing users and groups. -- Requires IPA 4.9.8+ and 'enable_sid: yes'. -+ Add SIDs for existing users and groups. Requires IPA 4.9.8+ -+ and SID generation to be activated. - required: false - type: bool - ''' -@@ -362,7 +362,7 @@ def get_netbios_name(module): - - - def is_enable_sid(module): -- """When 'enable-sid' is true admin user and admins group have SID set.""" -+ """When 'enable_sid' is true admin user and admins group have SID set.""" - _result = module.ipa_command("user_show", "admin", {"all": True}) - sid = _result["result"].get("ipantsecurityidentifier", [""]) - if not sid[0].endswith("-500"): -@@ -517,7 +517,7 @@ def main(): - changed = False - exit_args = {} - -- # Connect to IPA API (enable-sid requires context == 'client') -+ # Connect to IPA API (enable_sid requires context == 'client') - with ansible_module.ipa_connect(context="client"): - has_enable_sid = ansible_module.ipa_command_param_exists( - "config_mod", "enable_sid") -@@ -532,20 +532,8 @@ def main(): - ansible_module.fail_json(msg="SID cannot be disabled.") - - netbios_name = params.get("netbios_name") -- if netbios_name: -- netbios_name = netbios_name.upper() - add_sids = params.get("add_sids") -- required_sid = any([netbios_name, add_sids]) -- if required_sid and not enable_sid: -- 
ansible_module.fail_json( -- msg="'enable-sid: yes' required for 'netbios_name' " -- "and 'add-sids'." -- ) -- if enable_sid: -- if not has_enable_sid: -- ansible_module.fail_json( -- msg="This version of IPA does not support enable-sid." -- ) -+ if has_enable_sid: - if ( - netbios_name - and netbios_name == get_netbios_name(ansible_module) -@@ -554,12 +542,27 @@ def main(): - netbios_name = None - if not add_sids and "add_sids" in params: - del params["add_sids"] -- if ( -- not any([netbios_name, add_sids]) -- and sid_is_enabled -- ): -- del params["enable_sid"] -- -+ if any([netbios_name, add_sids]): -+ if sid_is_enabled: -+ params["enable_sid"] = True -+ else: -+ if not enable_sid: -+ ansible_module.fail_json( -+ msg="SID generation must be enabled for " -+ "'netbios_name' and 'add_sids'. Use " -+ "'enable_sid: yes'." -+ ) -+ else: -+ if sid_is_enabled and "enable_sid" in params: -+ del params["enable_sid"] -+ -+ else: -+ if any([enable_sid, netbios_name, add_sids is not None]): -+ ansible_module.fail_json( -+ msg="This version of IPA does not support enable_sid, " -+ "add_sids or netbios_name setting through the " -+ "config module" -+ ) - params = { - k: v for k, v in params.items() - if k not in result or result[k] != v -diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml -index bd550a5..d8d78f1 100644 ---- a/tests/config/test_config_sid.yml -+++ b/tests/config/test_config_sid.yml -@@ -19,6 +19,32 @@ - - # TESTS - - block: -+ - name: Check if SID is enabled. -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ check_mode: yes -+ register: sid_disabled -+ -+ - name: Ensure netbios_name can't be changed without SID enabled. 
-+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ netbios_name: IPATESTPLAY -+ register: result -+ failed_when: not result.failed and "SID generation must be enabled" in result.msg -+ when: sid_disabled.changed -+ -+ - name: Ensure SIDs can't be changed without SID enabled. -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ add_sids: yes -+ register: result -+ failed_when: not result.failed and "SID generation must be enabled" in result.msg -+ when: sid_disabled.changed -+ - - name: Ensure SID is enabled. - ipaconfig: - ipaadmin_password: SomeADMINpassword -@@ -56,18 +82,36 @@ - ipaconfig: - ipaadmin_password: SomeADMINpassword - ipaapi_context: "{{ ipa_context | default(omit) }}" -- enable_sid: yes - netbios_name: IPATESTPLAY - register: result - failed_when: result.failed or result.changed - -+ - name: Ensure netbios_name cannot be set with lowercase characters -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ netbios_name: IPATESTplay -+ register: result -+ failed_when: -+ (not result.failed -+ and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message) -+ -+ - name: Ensure netbios_name cannot be set different lowercase characters -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ netbios_name: otherPLAY -+ register: result -+ failed_when: -+ (not result.failed -+ and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message) -+ - # add_sids is not idempotent as it always tries to generate the missing - # SIDs for users and groups. - - name: Add SIDs to users and groups. 
- ipaconfig: - ipaadmin_password: SomeADMINpassword - ipaapi_context: "{{ ipa_context | default(omit) }}" -- enable_sid: yes - add_sids: yes - - # only run tests if version supports enable-sid --- -2.37.3 - diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch deleted file mode 100644 index ef3d7f2..0000000 --- a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 4da89de1d41a752e561d17f628dd6c2cbda3f326 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Wed, 21 Sep 2022 10:10:52 -0300 -Subject: [PATCH] ipaconfig: Fix fail_json calls. - -Ansible's fail_json() method required that the message paramater was -passed with a keyword parameter, rather than a positional one. Although -this seems to work with ansible-core 2.13+, it might not work with -previous versions of Ansible. - -This patch fixes the behaviour for all supported Ansible versions. ---- - plugins/modules/ipaconfig.py | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py -index b0b4062..87810b2 100644 ---- a/plugins/modules/ipaconfig.py -+++ b/plugins/modules/ipaconfig.py -@@ -533,13 +533,14 @@ def main(): - required_sid = any([netbios_name, add_sids]) - if required_sid and not enable_sid: - ansible_module.fail_json( -- "'enable-sid: yes' required for 'netbios_name' " -- "and 'add-sids'." -+ msg="'enable-sid: yes' required for 'netbios_name' " -+ "and 'add-sids'." - ) - if enable_sid: - if not has_enable_sid: - ansible_module.fail_json( -- "This version of IPA does not support 'enable-sid'.") -+ msg="This version of IPA does not support enable-sid." -+ ) - if ( - netbios_name - and netbios_name == get_netbios_name(ansible_module) --- -2.37.3 - 
diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch b/SOURCES/ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch deleted file mode 100644 index 0fcb881..0000000 --- a/SOURCES/ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From de8911af504c6b6f51c906e8cec7da12ff4eed09 Mon Sep 17 00:00:00 2001 -From: Thomas Woerner -Date: Tue, 30 Aug 2022 16:38:42 +0200 -Subject: [PATCH] ipaserver: Add missing idstart check - -The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs. -This is "Require idstart to be larger than UID_MAX" for freeipa. - -Fixes: #896 (Invalid RID/SID SSSD backtrace after deployment) ---- - roles/ipaserver/library/ipaserver_test.py | 13 ++++++++++++- - roles/ipaserver/module_utils/ansible_ipa_server.py | 7 ++++++- - 2 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py -index 2158150..f830f37 100644 ---- a/roles/ipaserver/library/ipaserver_test.py -+++ b/roles/ipaserver/library/ipaserver_test.py -@@ -225,7 +225,8 @@ from ansible.module_utils.ansible_ipa_server import ( - read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance, - check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError, - validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION, -- encode_certificate, check_available_memory, getargspec, adtrustinstance -+ encode_certificate, check_available_memory, getargspec, adtrustinstance, -+ get_min_idstart - ) - from ansible.module_utils import six - -@@ -579,6 +580,16 @@ def main(): - "'--ignore-topology-disconnect/--ignore-last-of-role' " - "options can be used only during uninstallation") - -+ if get_min_idstart is not None: -+ min_idstart = get_min_idstart() -+ if self.idstart < min_idstart: -+ raise RuntimeError( -+ "idstart (%i) must be larger than UID_MAX/GID_MAX " -+ "(%i) setting in /etc/login.defs." 
% ( -+ self.idstart, min_idstart -+ ) -+ ) -+ - if self.idmax < self.idstart: - raise RuntimeError( - "idmax (%s) cannot be smaller than idstart (%s)" % -diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py -index aba6b68..5b1c4e5 100644 ---- a/roles/ipaserver/module_utils/ansible_ipa_server.py -+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py -@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger", "sysrestore", "root_logger", - "adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader", - "default_subject_base", "default_ca_subject_dn", - "check_ldap_conf", "encode_certificate", "decode_certificate", -- "check_available_memory", "getargspec"] -+ "check_available_memory", "getargspec", "get_min_idstart"] - - import sys - -@@ -200,6 +200,11 @@ else: - from ipalib.x509 import load_certificate - load_pem_x509_certificate = None - -+ try: -+ from ipaserver.install.server.install import get_min_idstart -+ except ImportError: -+ get_min_idstart = None -+ - else: - # IPA version < 4.5 - --- -2.37.3 - diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch b/SOURCES/ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch deleted file mode 100644 index c951d94..0000000 --- a/SOURCES/ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 7077776de3432a321298df13076ea0cc59bc35b1 Mon Sep 17 00:00:00 2001 -From: Thomas Woerner -Date: Mon, 5 Sep 2022 13:16:26 +0200 -Subject: [PATCH] ipaserver/ipareplica: Add isatty method to AnsibleModuleLog - -In some cases ipa code is using sys.stdout.isatty. As stdout is mapped -to AnsibleModuleLog this call will lead in a traceback as it was not -defined. - -The staticmethod isatty has been added to AnsibleModuleLog in ipaserver -role module_utils/ansible_ipa_server.py and in ipareplica role -module_utils/ansible_ipa_repica.py. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415 - ansible-freeipa Replica Install Setup DNS fails -Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty' -Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty' ---- - roles/ipareplica/module_utils/ansible_ipa_replica.py | 4 ++++ - roles/ipaserver/module_utils/ansible_ipa_server.py | 4 ++++ - 2 files changed, 8 insertions(+) - -diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py -index 0e4e738..27ee13d 100644 ---- a/roles/ipareplica/module_utils/ansible_ipa_replica.py -+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py -@@ -222,6 +222,10 @@ else: - def info(self, msg): - self.module.debug(msg) - -+ @staticmethod -+ def isatty(): -+ return False -+ - def write(self, msg): - self.module.debug(msg) - # self.module.warn(msg) -diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py -index 5b1c4e5..8e7be0b 100644 ---- a/roles/ipaserver/module_utils/ansible_ipa_server.py -+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py -@@ -255,6 +255,10 @@ else: - def info(self, msg): - self.module.debug(msg) - -+ @staticmethod -+ def isatty(): -+ return False -+ - def write(self, msg): - self.module.debug(msg) - # self.module.warn(msg) --- -2.37.3 - 
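Review bot: no objection to dropping this patch file: its "Fixes:" line names RHBZ#2120415, and the 1.8.4 changelog entry added in this same commit lists "ansible-freeipa Replica Install Setup DNS fails Resolves: RHBZ#2120415", so the fix is carried by the upstream tarball rather than lost. On the removed change itself, a constant False from the `isatty()` staticmethod is the right answer for a logger that stands in for sys.stdout inside an Ansible module (its output never reaches a terminal), and it keeps IPA code from taking interactive or colour output paths. The commented-out `# self.module.warn(msg)` in the surrounding `write()` context is dead code that should be removed or explained upstream.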
diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec index 6c1a2fa..c55a23d 100644 --- a/SPECS/ansible-freeipa.spec +++ b/SPECS/ansible-freeipa.spec @@ -7,24 +7,17 @@ Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients Name: ansible-freeipa -Version: 1.8.3 -Release: 2%{?dist} +Version: 1.9.2 +Release: 1%{?dist} URL: https://github.com/freeipa/ansible-freeipa License: GPLv3+ Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -Patch1: ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch -Patch2: ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch -Patch3: ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch -Patch4: ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch -Patch5: ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch -Patch6: ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch - - BuildArch: noarch %description -Ansible roles and playbooks to install and uninstall FreeIPA servers, replicas -and clients. Also modules management. +Ansible roles to install and uninstall FreeIPA servers, replicas and clients, +roles for backups and SmartCard configuration, modules for management and also +playbooks for all roles and modules. Note: The Ansible playbooks and roles require a configured Ansible environment where the Ansible nodes are reachable and are properly set up to have an IP @@ -56,6 +49,7 @@ Features - Modules for hostgroup management - Modules for idrange management - Modules for location management +- Modules for netgroup management - Modules for permission management - Modules for privilege management - Modules for pwpolicy management 
@@ -73,7 +67,6 @@ Features - Modules for user management - Modules for vault management - Supported FreeIPA Versions FreeIPA versions 4.6 and up are supported by all roles. @@ -93,8 +86,6 @@ Requirements Controller - Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection) - - /usr/bin/kinit is required on the controller if a one time password (OTP) - is used Node - Supported FreeIPA version (see above) @@ -122,23 +113,17 @@ to get the needed requrements to run the tests. %prep %setup -q # Do not create backup files with patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 # Fix python modules and module utils: # - Remove shebang # - Remove execute flag -for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py; do +for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py; +do sed -i '1{/\/usr\/bin\/python*/d;}' $i chmod a-x $i done -for i in utils/*.py utils/ansible-ipa-*-install utils/new_module \ - utils/changelog utils/ansible-doc-test; +for i in utils/*.py utils/new_module utils/changelog utils/ansible-doc-test; do sed -i '{s@/usr/bin/python*@%{python}@}' $i done 
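Review bot: in the %prep hunk the comment `# Do not create backup files with patches` is now stale, since every `%patch1 -p1` .. `%patch6 -p1` line below it is removed and nothing applies patches any more; drop the comment or move it next to the `%setup -q` line it used to qualify. The shebang-fix loop also drops `utils/ansible-ipa-*-install` from its file list: if 1.9.2 still ships those scripts, they keep an unsubstituted `/usr/bin/python*` shebang because the `sed -i '{s@/usr/bin/python*@%{python}@}'` no longer touches them; if upstream removed them, a short note in the commit message saying so would make the intent clear. Moving `do` onto its own line in the first loop is a harmless style change. Unrelated context nit: "requrements" in that hunk's header line is a typo in the spec.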
@@ -191,19 +176,55 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/ %{_datadir}/ansible-freeipa/requirements-tests.txt %changelog -* Tue Oct 18 2022 Thomas Woerner - 1.8.3-2 -- ipaserver: Add missing idstart check - Resolves: RHBZ#2132974 -- Replica Install Setup DNS fails - Resolves: RHBZ#2132988 -- ipaconfig: Add support for SID related attributes - Resolves: RHBZ#2132994 -- paconfig: Fix fail_json calls - Resolves: RHBZ#2135753 +* Tue Jan 31 2023 Thomas Woerner - 1.9.2-1 +- Update to version 1.9.2 + https://github.com/freeipa/ansible-freeipa/releases/tag/v1.9.2 + Resolves: RHBZ#2125591 +- ipabackup: Use ipabackup_item again in copy_backup_to_server + Resolves: RHBZ#2165951 + +* Mon Jan 30 2023 Thomas Woerner - 1.9.1-1 +- Update to version 1.9.1 + https://github.com/freeipa/ansible-freeipa/releases/tag/v1.9.1 + Resolves: RHBZ#2125591 +- pwpolicy: Allow clearing policy values + Resolves: RHBZ#2150332 +- Use netgroup_find instead of netgroup_show to workaround IPA bug + Resolves: RHBZ#2144724 + +* Wed Dec 7 2022 Thomas Woerner - 1.9.0-1 +- Update to version 1.9.0 + https://github.com/freeipa/ansible-freeipa/releases/tag/v1.9.0 + Related: RHBZ#2125591 +- pwpolicy: Add support for password check and grace limit + Resolves: RHBZ#2015288 - ipaconfig: Do not allow enable_sid set to False - Resolves: RHBZ#2135754 + Resolves: RHBZ#2127447 +- ipaclient: No kinit on controller for deployment using OTP + Resolves: RHBZ#2127885 +- ipaclient: Configure DNS resolver + Resolves: RHBZ#2127894 +- New netgroup management module + Resolves: RHBZ#2127908 +- sudorule: Add support for 'hostmask' parameter + Resolves: RHBZ#2127912 +- ipaconfig: Fix fail_json calls + Resolves: RHBZ#2128460 - ipaconfig: Do not require enable_sid for add_sids or netbios_name - Resolves: RHBZ#2135775 + Resolves: RHBZ#2134530 +- ipaserver: Add missing idstart check + Resolves: RHBZ#2132729 + +* Mon Sep 12 2022 Thomas Woerner - 1.8.4-1 +- Update to version 1.8.4 + 
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.4 + Resolves: RHBZ#2125591 +- 'ansible-doc' -l lists most idm modules as 'UNDOCUMENTED' + Resolves: RHBZ#2121362 +- ansible-freeipa Replica Install Setup DNS fails + Resolves: RHBZ#2120415 +- ipaconfig does not support SID and netbios attributes + Resolves: RHBZ#2069174 * Tue Aug 16 2022 Thomas Woerner - 1.8.3-1 - Update to version 1.8.3
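Review bot: the %changelog hunk deletes the already-released `1.8.3-2` entry ("Tue Oct 18 2022 ... 1.8.3-2" with its four items) instead of adding the new entries above it; rewriting a shipped changelog entry breaks the audit trail for anyone who installed 1.8.3-2, and the items it and the surrounding context carried now reappear under 1.8.4 and 1.9.0 with different bug numbers (for example RHBZ#2132974 -> RHBZ#2132729 for the idstart check, RHBZ#2135753 -> RHBZ#2128460 for the fail_json fix, RHBZ#2135754 -> RHBZ#2127447 for enable_sid, RHBZ#2135775 -> RHBZ#2134530 for add_sids/netbios_name). Please confirm the renumbering is intentional (for instance tracking clones of those bugs for the 1.9.x stream) and keep the 1.8.3-2 entry intact, or state in the commit why it is dropped. Also, RHBZ#2125591 is marked "Resolves" in the 1.9.2, 1.9.1 and 1.8.4 entries and "Related" in 1.9.0; a bug is normally resolved by a single build, so the earlier entries should read "Related" and only the final one "Resolves".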