diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py --- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py.always_sids 2022-01-27 14:05:04.000000000 +0100 +++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py 2022-10-07 16:51:35.750411448 +0200 @@ -182,6 +182,9 @@ options: skip_conncheck: description: Skip connection check to remote master required: yes + sid_generation_always: + description: Enable SID generation always + required: yes author: - Thomas Woerner ''' @@ -275,6 +278,8 @@ def main(): # additional server=dict(required=True), skip_conncheck=dict(required=False, type='bool'), + sid_generation_always=dict(required=False, type='bool', + default=False), ), supports_check_mode=True, ) @@ -350,6 +355,7 @@ def main(): # '_hostname_overridden') options.server = ansible_module.params.get('server') options.skip_conncheck = ansible_module.params.get('skip_conncheck') + sid_generation_always = ansible_module.params.get('sid_generation_always') # init # @@ -755,7 +761,7 @@ def main(): ansible_log.debug("-- CHECK ADTRUST --") - if options.setup_adtrust: + if options.setup_adtrust or sid_generation_always: adtrust.install_check(False, options, remote_api) except errors.ACIError: diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py --- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py.always_sids 2022-01-27 14:05:04.000000000 +0100 +++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py 2022-10-07 16:44:59.008094369 +0200 
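Review bot: The documentation added for the new `sid_generation_always` option says `required: yes`, while the argspec added in the next hunk declares it `required=False, type='bool', default=False`, so the docs overstate the contract of ipareplica_prepare. I would write `required: no` and state the default and its effect, e.g. `description: Run the adtrust install check even when setup_adtrust is false (default: false)`, since that is what the fourth hunk (`if options.setup_adtrust or sid_generation_always:`) actually does with it. The `options:` block of the DOCUMENTATION string begins before this hunk.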
@@ -71,6 +71,9 @@ options: setup_ca: description: Configure a dogtag CA required: no + setup_adtrust: + description: Configure AD trust capability + required: yes config_master_host_name: description: The config master_host_name setting required: no @@ -112,6 +115,7 @@ def main(): ccache=dict(required=True), _top_dir=dict(required=True), setup_ca=dict(required=True, type='bool'), + setup_adtrust=dict(required=True, type='bool'), config_master_host_name=dict(required=True), ), supports_check_mode=True, @@ -140,6 +144,7 @@ def main(): os.environ['KRB5CCNAME'] = ccache options._top_dir = ansible_module.params.get('_top_dir') options.setup_ca = ansible_module.params.get('setup_ca') + options.setup_adtrust = ansible_module.params.get('setup_adtrust') config_master_host_name = ansible_module.params.get( 'config_master_host_name') adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name') diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py --- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py.always_sids 2022-01-27 14:05:04.000000000 +0100 +++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py 2022-10-07 16:50:45.621497736 +0200 @@ -144,7 +144,7 @@ from ansible.module_utils.ansible_ipa_re ansible_module_get_parsed_ip_addresses, service, redirect_stdout, create_ipa_conf, ipautil, x509, validate_domain_name, common_check, - IPA_PYTHON_VERSION + IPA_PYTHON_VERSION, adtrustinstance ) 
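Review bot: The new `setup_adtrust` option of ipareplica_setup_adtrust is documented only as `Configure AD trust capability`, but with this patch the module is also invoked when that flag is false (the replica install.yml task in this patch runs it on `sid_generation_always` alone), so the flag's real meaning is presumably "full trust versus SID-only generation" and the description should say so. I would use `description: Configure full AD trust capability; when false the module is expected to only generate SIDs`, hedged by whoever knows the module body, which lies outside this hunk. Declaring it `required=True` with no default is the right choice, because a caller that omitted it would otherwise silently land in one of the two modes.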
@@ -271,6 +271,14 @@ def main(): # # options.setup_adtrust = False # # ansible_module.warn(msg="adtrust is not supported, disabling") + sid_generation_always = False + if not options.setup_adtrust: + # pylint: disable=deprecated-method + argspec = inspect.getargspec(adtrustinstance.ADTRUSTInstance.__init__) + # pylint: enable=deprecated-method + if "fulltrust" in argspec.args: + sid_generation_always = True + # if options.setup_kra and not kra_imported: # # if "kra" not in options._allow_missing: # ansible_module.fail_json(msg="kra can not be imported") @@ -472,6 +480,7 @@ def main(): # additional client_enrolled=client_enrolled, change_master_for_certmonger=change_master_for_certmonger, + sid_generation_always=sid_generation_always ) diff -up ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py --- ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py.always_sids 2022-01-27 14:05:04.000000000 +0100 +++ ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py 2022-10-07 16:54:27.707115487 +0200 @@ -46,7 +46,8 @@ __all__ = ["contextlib", "dnsexception", "common_check", "current_domain_level", "check_domain_level_is_supported", "promotion_check_ipa_domain", "SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance", - "dnsname", "kernel_keyring", "krbinstance"] + "dnsname", "kernel_keyring", "krbinstance", + "adtrustinstance"] import sys 
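Review bot: `inspect.getargspec` is deprecated and removed in Python 3.11, and it raises ValueError for any signature with keyword-only parameters, so the feature probe added here will crash the whole replica test module on newer interpreters or newer IPA signatures instead of yielding a clean True/False. `inspect.signature` has neither problem: `sig = inspect.signature(adtrustinstance.ADTRUSTInstance.__init__)` / `if "fulltrust" in sig.parameters:` / `sid_generation_always = True`, and the pylint disable/enable pair can then go. The import hunk above adds `adtrustinstance` but not `inspect`; if `inspect` is not already imported at the top of ipareplica_test.py (outside this hunk), this raises NameError before the probe runs. The probe also assumes `adtrustinstance` is never None, which only holds if its import in module_utils is unconditional.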
@@ -105,6 +106,7 @@ else: adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance, installutils, kra, krbinstance, otpdinstance, custodiainstance, service, upgradeinstance) + from ipaserver.install import adtrustinstance try: from ipaserver.masters import ( find_providing_servers, find_providing_server) diff -up ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml.always_sids ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml --- ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml.always_sids 2022-01-27 14:05:04.000000000 +0100 +++ ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml 2022-10-07 16:44:59.008094369 +0200 @@ -748,13 +748,15 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" + setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}" config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}" adtrust_netbios_name: "{{ result_ipareplica_prepare.adtrust_netbios_name }}" adtrust_reset_netbios_name: "{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}" - when: result_ipareplica_test.setup_adtrust + when: result_ipareplica_test.setup_adtrust or + result_ipareplica_test.sid_generation_always - name: Install - Enable IPA ipareplica_enable_ipa: diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py.always_sids ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py --- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py.always_sids 2022-01-27 14:05:04.000000000 +0100 +++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py 2022-10-07 16:47:45.005808635 +0200 @@ -141,6 +141,9 @@ options: setup_ca: description: Configure a dogtag CA required: yes + sid_generation_always: + description: Enable SID generation always + required: yes _hostname_overridden: description: The installer _hostname_overridden setting required: yes 
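Review bot: The new `from ipaserver.install import adtrustinstance` is unconditional, so on an IPA build where that module is missing or fails to import, every ipareplica module fails at import time — including hosts that never asked for AD trust or SID generation — which is a harsher failure mode than the `adtrust_imported`-style guard ipaserver_test relies on in this patch. I would guard it the same way and let the probe treat absence as "feature not available": `try: from ipaserver.install import adtrustinstance` / `except ImportError: adtrustinstance = None`, with the probe in ipareplica_test checking `adtrustinstance is not None` before introspecting. The enclosing `else:` branch of the version-specific import block starts outside this hunk, so whether a sibling try/except pattern exists there is not visible here.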
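Review bot: Within this patch the replica role's `ipareplica_prepare` task is not updated to pass `sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"`, although `ipareplica_test` now returns that flag and `ipareplica_prepare` gained the parameter with `default=False`; the server role's install.yml in this same patch does pass it. Unless the prepare task already receives it via lines outside this diff, `adtrust.install_check` in ipareplica_prepare will be skipped in the SID-only case, while the `ipareplica_setup_adtrust` task shown here still consumes `result_ipareplica_prepare.adtrust_netbios_name` and `adtrust_reset_netbios_name`, which that check is presumably responsible for populating. I would add the line to the prepare task's parameter list next to `skip_conncheck`.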
@@ -213,6 +216,8 @@ def main(): # additional setup_ca=dict(required=False, type='bool', default=False), + sid_generation_always=dict(required=False, type='bool', + default=False), _hostname_overridden=dict(required=False, type='bool', default=False), ), @@ -279,6 +284,7 @@ def main(): options.setup_ca = ansible_module.params.get('setup_ca') options._host_name_overridden = ansible_module.params.get( '_hostname_overridden') + sid_generation_always = ansible_module.params.get('sid_generation_always') options.kasp_db_file = None # init ################################################################## @@ -371,7 +377,7 @@ def main(): logger.debug('Starting Directory Server') services.knownservices.dirsrv.start(instance_name) - if options.setup_adtrust: + if options.setup_adtrust or sid_generation_always: with redirect_stdout(ansible_log): adtrust.install_check(False, options, api) diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.always_sids ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py --- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.always_sids 2022-01-27 14:05:04.000000000 +0100 +++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py 2022-10-07 16:46:12.413968014 +0200 @@ -226,7 +226,7 @@ from ansible.module_utils.ansible_ipa_se read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance, check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError, validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION, - encode_certificate, check_available_memory + encode_certificate, check_available_memory, adtrustinstance ) from ansible.module_utils import six 
@@ -395,12 +395,16 @@ def main(): # version specific ###################################################### - if options.setup_adtrust and not adtrust_imported: - # if "adtrust" not in options._allow_missing: - ansible_module.fail_json(msg="adtrust can not be imported") - # else: - # options.setup_adtrust = False - # ansible_module.warn(msg="adtrust is not supported, disabling") + sid_generation_always = False + if not options.setup_adtrust: + # pylint: disable=deprecated-method + argspec = inspect.getargspec(adtrustinstance.ADTRUSTInstance.__init__) + # pylint: enable=deprecated-method + if "fulltrust" in argspec.args: + sid_generation_always = True + else: + if not adtrust_imported: + ansible_module.fail_json(msg="adtrust can not be imported") if options.setup_kra and not kra_imported: # if "kra" not in options._allow_missing: @@ -522,7 +526,8 @@ def main(): "You cannot specify an --enable-compat option without the " "--setup-adtrust option") - if self.netbios_name: + # Deactivate test for new IPA SID generation + if self.netbios_name and not sid_generation_always: raise RuntimeError( "You cannot specify a --netbios-name option without the " "--setup-adtrust option") @@ -1079,7 +1084,8 @@ def main(): ntp_pool=options.ntp_pool, # additional _installation_cleanup=_installation_cleanup, - domainlevel=options.domainlevel) + domainlevel=options.domainlevel, + sid_generation_always=sid_generation_always) if __name__ == '__main__': diff -up ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml.always_sids ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml --- ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml.always_sids 2022-01-27 14:05:04.000000000 +0100 +++ ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml 2022-10-07 16:48:36.946719227 +0200 
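Review bot: In the new `not options.setup_adtrust` branch the `adtrust_imported` check is no longer performed, yet once the probe sets `sid_generation_always` the server goes on to call `adtrust.install_check` in ipaserver_prepare and to run the setup_adtrust task (both in this patch); if `adtrustinstance` imports but `adtrust` does not, that now fails late with an AttributeError instead of the existing clear `fail_json`. I would keep the guard on both paths by adding after the probe: `if sid_generation_always and not adtrust_imported:` / `ansible_module.fail_json(msg="adtrust can not be imported")`. The probe also uses `inspect.getargspec`, which is removed in Python 3.11 and raises ValueError on keyword-only parameters; `"fulltrust" in inspect.signature(adtrustinstance.ADTRUSTInstance.__init__).parameters` is the drop-in replacement. Whether `inspect` is imported at the top of ipaserver_test.py is not visible in this hunk.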
@@ -191,6 +191,7 @@ secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}" ### additional ### setup_ca: "{{ result_ipaserver_test.setup_ca }}" + sid_generation_always: "{{ result_ipaserver_test.sid_generation_always }}" _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}" register: result_ipaserver_prepare @@ -392,7 +393,8 @@ adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}" adtrust_reset_netbios_name: "{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}" - when: result_ipaserver_test.setup_adtrust + when: result_ipaserver_test.setup_adtrust or + result_ipaserver_test.sid_generation_always - name: Install - Set DS password ipaserver_set_ds_password:
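Review bot: The server-side setup_adtrust task now also runs when only `sid_generation_always` is set, but unlike the replica task in this patch it does not pass a `setup_adtrust:` flag, and this patch does not touch ipaserver_setup_adtrust.py. Unless that module already receives `setup_adtrust` (or an equivalent) via lines outside this hunk, it cannot distinguish "generate SIDs only" from a full AD-trust configuration and may configure more than was requested, which matters because a full trust setup presumably brings up additional services and attack surface on a host that only wanted SIDs. I would pass `setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"` here and have the module act on it, mirroring the replica change.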