diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch new file mode 100644 index 0000000..be0dbca --- /dev/null +++ b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch 
@@ -0,0 +1,435 @@ +From 3c8d6c7c7aec408b3b68440982929e30e7d69130 Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Mon, 5 Sep 2022 17:18:00 -0300 +Subject: [PATCH] ipaconfig: Add support for SID related attributes. + +Since FreeIPA 4.9.8 the 'config_mod' command has parameters to enable +and configure SIDs, and set the Netbios name. + +This patch adds the following parameters to ipaconfig plugin: + enable_sids: New users and groups automatically get a SID assigned + add_sids: Add SIDs for existing users and groups + netbios_name: NetBIOS name of the IPA domain + +Both add_sids and netbios_name requires 'enable_sid: yes'. + +'enable_sid' and 'netbios_name' are returned when querying IPA +configuration. + +'add_sids' always generate SIDs for users and groups, so, muiltiple +executions of the playbook with 'add_sids: yes' will return 'changed', +even if users and groups SIDs are not modified. + +A new test playbook is available: + + tests/config/test_config_sid.yml + +New examples playbooks are available: + + playbooks/config/change-ipa-domain-netbios-name.yml + playbooks/config/generate-users-groups-sids.yml + +Fixes: #781 +Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069174 +Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069184 +--- + README-config.md | 42 ++++++ + .../config/change-ipa-domain-netbios-name.yml | 12 ++ + .../config/generate-users-groups-sids.yml | 12 ++ + plugins/modules/ipaconfig.py | 120 +++++++++++++++++- + tests/azure/templates/variables_centos-7.yaml | 9 +- + tests/config/test_config_sid.yml | 70 ++++++++++ + 6 files changed, 256 insertions(+), 9 deletions(-) + create mode 100644 playbooks/config/change-ipa-domain-netbios-name.yml + create mode 100644 playbooks/config/generate-users-groups-sids.yml + create mode 100644 tests/config/test_config_sid.yml + +diff --git a/README-config.md b/README-config.md +index 17c85f1..13023ea 100644 +--- a/README-config.md ++++ b/README-config.md +@@ -65,6 +65,9 @@ Example playbook 
to read config options: + maxusername: 64 + ``` + ++ ++Example playbook to set global configuration options: ++ + ```yaml + --- + - name: Playbook to ensure some config options are set +@@ -79,6 +82,40 @@ Example playbook to read config options: + ``` + + ++Example playbook to enable SID and generate users and groups SIDs: ++ ++```yaml ++--- ++- name: Playbook to ensure SIDs are enabled and users and groups have SIDs ++ hosts: ipaserver ++ become: no ++ gather_facts: no ++ ++ tasks: ++ - name: Enable SID and generate users and groups SIDS ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ enable_sid: yes ++ add_sids: yes ++``` ++ ++Example playbook to change IPA domain NetBIOS name: ++ ++```yaml ++--- ++- name: Playbook to change IPA domain netbios name ++ hosts: ipaserver ++ become: no ++ gather_facts: no ++ ++ tasks: ++ - name: Set IPA domain netbios name ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ enable_sid: yes ++ netbios_name: IPADOM ++``` ++ + Variables + ========= + +@@ -111,6 +148,9 @@ Variable | Description | Required + `user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no + `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no + `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no ++`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no ++`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no ++`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. 
(bool) | no + + + Return Values +@@ -140,6 +180,8 @@ Variable | Description | Returned When +   | `user_auth_type` |   +   | `domain_resolution_order` |   +   | `ca_renewal_master_server` |   ++  | `enable_sid` |   ++  | `netbios_name` |   + + All returned fields take the same form as their namesake input parameters + +diff --git a/playbooks/config/change-ipa-domain-netbios-name.yml b/playbooks/config/change-ipa-domain-netbios-name.yml +new file mode 100644 +index 0000000..04e56b3 +--- /dev/null ++++ b/playbooks/config/change-ipa-domain-netbios-name.yml +@@ -0,0 +1,12 @@ ++--- ++- name: Playbook to change IPA domain netbios name ++ hosts: ipaserver ++ become: no ++ gather_facts: no ++ ++ tasks: ++ - name: Set IPA domain netbios name ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ enable_sid: yes ++ netbios_name: IPADOM +diff --git a/playbooks/config/generate-users-groups-sids.yml b/playbooks/config/generate-users-groups-sids.yml +new file mode 100644 +index 0000000..9df85ba +--- /dev/null ++++ b/playbooks/config/generate-users-groups-sids.yml +@@ -0,0 +1,12 @@ ++--- ++- name: Playbook to ensure SIDs are enabled and users and groups have SIDs ++ hosts: ipaserver ++ become: no ++ gather_facts: no ++ ++ tasks: ++ - name: Enable SID and generate users and groups SIDS ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ enable_sid: yes ++ add_sids: yes +diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py +index 6731e37..d1f1398 100644 +--- a/plugins/modules/ipaconfig.py ++++ b/plugins/modules/ipaconfig.py +@@ -148,6 +148,24 @@ options: + required: false + type: list + aliases: ["ipadomainresolutionorder"] ++ enable_sid: ++ description: > ++ New users and groups automatically get a SID assigned. ++ Requires IPA 4.9.8+. ++ required: false ++ type: bool ++ netbios_name: ++ description: > ++ NetBIOS name of the IPA domain. ++ Requires IPA 4.9.8+ and 'enable_sid: yes'. 
++ required: false ++ type: string ++ add_sids: ++ description: > ++ Add SIDs for existing users and groups. ++ Requires IPA 4.9.8+ and 'enable_sid: yes'. ++ required: false ++ type: bool + ''' + + EXAMPLES = ''' +@@ -169,6 +187,24 @@ EXAMPLES = ''' + ipaadmin_password: SomeADMINpassword + defaultshell: /bin/bash + maxusername: 64 ++ ++- name: Playbook to enable SID and generate users and groups SIDs ++ hosts: ipaserver ++ tasks: ++ - name: Enable SID and generate users and groups SIDS ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ enable_sid: yes ++ add_sids: yes ++ ++- name: Playbook to change IPA domain netbios name ++ hosts: ipaserver ++ tasks: ++ - name: Enable SID and generate users and groups SIDS ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ enable_sid: yes ++ netbios_name: IPADOM + ''' + + RETURN = ''' +@@ -247,6 +283,14 @@ config: + domain_resolution_order: + description: list of domains used for short name qualification + returned: always ++ enable_sid: ++ description: > ++ new users and groups automatically get a SID assigned. ++ Requires IPA 4.9.8+. ++ returned: always ++ netbios_name: ++ description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+. 
++ returned: if enable_sid is True + ''' + + +@@ -260,6 +304,28 @@ def config_show(module): + return _result["result"] + + ++def get_netbios_name(module): ++ try: ++ _result = module.ipa_command_no_name("trustconfig_show", {"all": True}) ++ except Exception: # pylint: disable=broad-except ++ return None ++ else: ++ return _result["result"]["ipantflatname"][0] ++ ++ ++def is_enable_sid(module): ++ """When 'enable-sid' is true admin user and admins group have SID set.""" ++ _result = module.ipa_command("user_show", "admin", {"all": True}) ++ sid = _result["result"].get("ipantsecurityidentifier", [""]) ++ if not sid[0].endswith("-500"): ++ return False ++ _result = module.ipa_command("group_show", "admins", {"all": True}) ++ sid = _result["result"].get("ipantsecurityidentifier", [""]) ++ if not sid[0].endswith("-512"): ++ return False ++ return True ++ ++ + def main(): + ansible_module = IPAAnsibleModule( + argument_spec=dict( +@@ -313,7 +379,10 @@ def main(): + aliases=["ipauserauthtype"]), + ca_renewal_master_server=dict(type="str", required=False), + domain_resolution_order=dict(type="list", required=False, +- aliases=["ipadomainresolutionorder"]) ++ aliases=["ipadomainresolutionorder"]), ++ enable_sid=dict(type="bool", required=False), ++ add_sids=dict(type="bool", required=False), ++ netbios_name=dict(type="str", required=False), + ), + supports_check_mode=True, + ) +@@ -344,7 +413,10 @@ def main(): + "pac_type": "ipakrbauthzdata", + "user_auth_type": "ipauserauthtype", + "ca_renewal_master_server": "ca_renewal_master_server", +- "domain_resolution_order": "ipadomainresolutionorder" ++ "domain_resolution_order": "ipadomainresolutionorder", ++ "enable_sid": "enable_sid", ++ "netbios_name": "netbios_name", ++ "add_sids": "add_sids", + } + allow_empty_string = ["pac_type", "user_auth_type", "configstring"] + reverse_field_map = {v: k for k, v in field_map.items()} +@@ -394,11 +466,47 @@ def main(): + changed = False + exit_args = {} + +- # Connect to IPA API +- with 
ansible_module.ipa_connect(): ++ # Connect to IPA API (enable-sid requires context == 'client') ++ with ansible_module.ipa_connect(context="client"): ++ has_enable_sid = ansible_module.ipa_command_param_exists( ++ "config_mod", "enable_sid") + + result = config_show(ansible_module) ++ + if params: ++ netbios_name = params.get("netbios_name") ++ if netbios_name: ++ netbios_name = netbios_name.upper() ++ add_sids = params.get("add_sids") ++ enable_sid = params.get("enable_sid") ++ required_sid = any([netbios_name, add_sids]) ++ if required_sid and not enable_sid: ++ ansible_module.fail_json( ++ "'enable-sid: yes' required for 'netbios_name' " ++ "and 'add-sids'." ++ ) ++ if enable_sid: ++ if not has_enable_sid: ++ ansible_module.fail_json( ++ "This version of IPA does not support 'enable-sid'.") ++ if ( ++ netbios_name ++ and netbios_name == get_netbios_name(ansible_module) ++ ): ++ del params["netbios_name"] ++ netbios_name = None ++ if not add_sids and "add_sids" in params: ++ del params["add_sids"] ++ if ( ++ not any([netbios_name, add_sids]) ++ and is_enable_sid(ansible_module) ++ ): ++ del params["enable_sid"] ++ else: ++ for param in ["enable_sid", "netbios_name", "add_sids"]: ++ if param in params: ++ del params[params] ++ + params = { + k: v for k, v in params.items() + if k not in result or result[k] != v +@@ -458,6 +566,10 @@ def main(): + # Add empty domain_resolution_order if it is not set + if "domain_resolution_order" not in exit_args: + exit_args["domain_resolution_order"] = [] ++ # Set enable_sid ++ if has_enable_sid: ++ exit_args["enable_sid"] = is_enable_sid(ansible_module) ++ exit_args["netbios_name"] = get_netbios_name(ansible_module) + + # Done + ansible_module.exit_json(changed=changed, config=exit_args) +#diff --git a/tests/azure/templates/variables_centos-7.yaml b/tests/azure/templates/variables_centos-7.yaml +#index 586d5ec..8628af2 100644 +#--- a/tests/azure/templates/variables_centos-7.yaml +#+++ 
b/tests/azure/templates/variables_centos-7.yaml +#@@ -12,8 +12,7 @@ +# # +# --- +# variables: +#- empty: true +#-# ipa_enabled_modules: >- +#-# ipa_enabled_tests: >- +#-# ipa_disabled_modules: >- +#-# ipa_disabled_tests: >- +#+ # ipa_enabled_modules: >- +#+ # ipa_enabled_tests: >- +#+ # ipa_disabled_modules: >- +#+ ipa_disabled_tests: test_config_sid +diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml +new file mode 100644 +index 0000000..1761795 +--- /dev/null ++++ b/tests/config/test_config_sid.yml +@@ -0,0 +1,70 @@ ++--- ++- name: Test config ++ hosts: "{{ ipa_test_host | default('ipaserver') }}" ++ become: no ++ gather_facts: no ++ ++ tasks: ++ ++ # GET CURRENT CONFIG ++ ++ - name: Return current values of the global configuration options ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ register: previous ++ ++ # TESTS ++ - block: ++ - name: Ensure SID is enabled. ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ enable_sid: yes ++ register: result ++ failed_when: result.failed or previous.config.enable_sid == result.changed ++ ++ - name: Ensure SID is enabled, again. 
++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ enable_sid: yes ++ register: result ++ failed_when: result.failed or result.changed ++ ++ - name: Ensure netbios_name is "IPATESTPLAY" ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ enable_sid: yes ++ netbios_name: IPATESTPLAY ++ register: result ++ failed_when: result.failed or not result.changed ++ ++ - name: Ensure netbios_name is "IPATESTPLAY", again ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ enable_sid: yes ++ netbios_name: IPATESTPLAY ++ register: result ++ failed_when: result.failed or result.changed ++ ++ # add_sids is not idempotent as it always tries to generate the missing ++ # SIDs for users and groups. ++ - name: Add SIDs to users and groups. ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ enable_sid: yes ++ add_sids: yes ++ ++ # REVERT TO PREVIOUS CONFIG ++ always: ++ # Once SID is enabled, it cannot be reverted. ++ - name: Revert netbios_name to original configuration ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ netbios_name: "{{ previous.config.netbios_name | default(omit) }}" ++ enable_sid: yes +-- +2.37.3 + diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch new file mode 100644 index 0000000..ed62b05 --- /dev/null +++ b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch 
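Review bot: `get_netbios_name` catches every exception from `trustconfig_show` and returns None, so a transient or authorization failure makes `netbios_name == get_netbios_name(ansible_module)` false and the module resubmits `netbios_name` on every run, and the same None is then reported as `exit_args["netbios_name"]`, indistinguishable from "no name configured". The function has no docstring; suggested: `"""Return the IPA domain NetBIOS (flat) name from trustconfig_show, or None when the command fails."""`, plus a comment on the `except` naming the failure it is meant to absorb (presumably trustconfig_show being unavailable before any trust is configured — confirm) so a narrower exception type can be used. `is_enable_sid` infers SID enablement from the `admin` user (RID 500) and `admins` group (RID 512) carrying a SID; that assumption belongs in its docstring, since a renamed or removed admin account would make the probe raise or report SIDs as disabled. The `main()` body that consumes these helpers continues below the parts quoted in this patch.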
@@ -0,0 +1,113 @@ +From 320168071ff56c00ff65870e781a261075fccc66 Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Wed, 21 Sep 2022 18:28:55 -0300 +Subject: [PATCH] ipaconfig: Do not allow enable_sid set to False. + +Once enabled, SID cannot be disabled. This patch ensures that an error +is raised if one tries to disable SID. +--- + README-config.md | 2 +- + plugins/modules/ipaconfig.py | 15 ++++++++------- + tests/config/test_config_sid.yml | 13 +++++++++++++ + 3 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/README-config.md b/README-config.md +index 13023ea..d6fe40a 100644 +--- a/README-config.md ++++ b/README-config.md +@@ -148,7 +148,7 @@ Variable | Description | Required + `user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no + `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no + `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no +-`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no ++`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no + `netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no + `add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no + +diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py +index 87810b2..9c19afb 100644 +--- a/plugins/modules/ipaconfig.py ++++ b/plugins/modules/ipaconfig.py +@@ -175,7 +175,7 @@ options: + enable_sid: + description: > + New users and groups automatically get a SID assigned. +- Requires IPA 4.9.8+. ++ Cannot be deactivated once activated. Requires IPA 4.9.8+. 
+ required: false + type: bool + netbios_name: +@@ -525,11 +525,16 @@ def main(): + result = config_show(ansible_module) + + if params: ++ enable_sid = params.get("enable_sid") ++ sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module) ++ ++ if sid_is_enabled and enable_sid is False: ++ ansible_module.fail_json(msg="SID cannot be disabled.") ++ + netbios_name = params.get("netbios_name") + if netbios_name: + netbios_name = netbios_name.upper() + add_sids = params.get("add_sids") +- enable_sid = params.get("enable_sid") + required_sid = any([netbios_name, add_sids]) + if required_sid and not enable_sid: + ansible_module.fail_json( +@@ -551,13 +556,9 @@ def main(): + del params["add_sids"] + if ( + not any([netbios_name, add_sids]) +- and is_enable_sid(ansible_module) ++ and sid_is_enabled + ): + del params["enable_sid"] +- else: +- for param in ["enable_sid", "netbios_name", "add_sids"]: +- if param in params: +- del params[params] + + params = { + k: v for k, v in params.items() +diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml +index 1761795..bd550a5 100644 +--- a/tests/config/test_config_sid.yml ++++ b/tests/config/test_config_sid.yml +@@ -6,6 +6,9 @@ + + tasks: + ++ - name: Set FreeIPA facts. ++ include_tasks: ../env_freeipa_facts.yml ++ + # GET CURRENT CONFIG + + - name: Return current values of the global configuration options +@@ -32,6 +35,14 @@ + register: result + failed_when: result.failed or result.changed + ++ - name: Try to Ensure SID is disabled. ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ enable_sid: no ++ register: result ++ failed_when: not result.failed or "SID cannot be disabled." 
not in result.msg ++ + - name: Ensure netbios_name is "IPATESTPLAY" + ipaconfig: + ipaadmin_password: SomeADMINpassword +@@ -59,6 +70,8 @@ + enable_sid: yes + add_sids: yes + ++ # only run tests if version supports enable-sid ++ when: ipa_version is version("4.9.8", ">=") + # REVERT TO PREVIOUS CONFIG + always: + # Once SID is enabled, it cannot be reverted. +-- +2.37.3 + diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch new file mode 100644 index 0000000..66cc686 --- /dev/null +++ b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch 
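Review bot: The new guard only rejects `enable_sid: no` when SIDs are already enabled; on a server where they are not, `enable_sid: False` stays in `params` (config_show's result has no `enable_sid` key, so the `k not in result` filter keeps it) and is presumably passed on to `config_mod`, which would report the play as changed on every run. Dropping the value right after the check, e.g. `if enable_sid is False: del params["enable_sid"]`, makes the no-op explicit. The `config_mod` call and the rest of `main()` are outside this hunk, so the changed-status effect is inferred from the visible filter only.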
@@ -0,0 +1,218 @@ +Adapted version of + +From c808ad6e3408c2145ba660025c75531920f05d73 Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Tue, 18 Oct 2022 10:26:01 -0300 +Subject: [PATCH] ipaconfig: Do not require enable_sid for add_sids or + netbios_name + +Current behavior of ipaconfig mimics FreeIPA CLI and requires that +'enable_sid' is set to True every time add_sids or netbios_name are +used. It is sufficient that SID generation is enabled to use add_sids +and netbios_name, but the IPA API requires 'enable_sid' so that the +operations are executed. + +This patch allows ansible-freeipa plugin ipaconfig to run 'add_sids' or +set 'netbios_name without requiring 'enable_sid' to be set on the +playbook. + +If SID generation is enabled, 'add_sids' and 'netbios_name' can be used +without 'enable_sid: yes'. If SID generation is not enabled, an error +message will be raised if 'enable_sid: yes' is not used. +--- + README-config.md | 4 +-- + plugins/modules/ipaconfig.py | 53 +++++++++++++++++--------------- + tests/config/test_config_sid.yml | 48 +++++++++++++++++++++++++++-- + 3 files changed, 76 insertions(+), 29 deletions(-) + +diff --git a/README-config.md b/README-config.md +index d6fe40a..a1d6117 100644 +--- a/README-config.md ++++ b/README-config.md +@@ -149,8 +149,8 @@ Variable | Description | Required + `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no + `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no + `enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no +-`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no +-`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no ++`netbios_name` | NetBIOS name of the IPA domain. 
Requires IPA 4.9.8+ and SID generation to be activated. | no ++`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and SID generation to be activated. (bool) | no + + + Return Values +diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py +index 9c19afb..7e78492 100644 +--- a/plugins/modules/ipaconfig.py ++++ b/plugins/modules/ipaconfig.py +@@ -180,14 +180,14 @@ options: + type: bool + netbios_name: + description: > +- NetBIOS name of the IPA domain. +- Requires IPA 4.9.8+ and 'enable_sid: yes'. ++ NetBIOS name of the IPA domain. Requires IPA 4.9.8+ ++ and SID generation to be activated. + required: false + type: string + add_sids: + description: > +- Add SIDs for existing users and groups. +- Requires IPA 4.9.8+ and 'enable_sid: yes'. ++ Add SIDs for existing users and groups. Requires IPA 4.9.8+ ++ and SID generation to be activated. + required: false + type: bool + ''' +@@ -362,7 +362,7 @@ def get_netbios_name(module): + + + def is_enable_sid(module): +- """When 'enable-sid' is true admin user and admins group have SID set.""" ++ """When 'enable_sid' is true admin user and admins group have SID set.""" + _result = module.ipa_command("user_show", "admin", {"all": True}) + sid = _result["result"].get("ipantsecurityidentifier", [""]) + if not sid[0].endswith("-500"): +@@ -517,7 +517,7 @@ def main(): + changed = False + exit_args = {} + +- # Connect to IPA API (enable-sid requires context == 'client') ++ # Connect to IPA API (enable_sid requires context == 'client') + with ansible_module.ipa_connect(context="client"): + has_enable_sid = ansible_module.ipa_command_param_exists( + "config_mod", "enable_sid") +@@ -532,20 +532,8 @@ def main(): + ansible_module.fail_json(msg="SID cannot be disabled.") + + netbios_name = params.get("netbios_name") +- if netbios_name: +- netbios_name = netbios_name.upper() + add_sids = params.get("add_sids") +- required_sid = any([netbios_name, add_sids]) +- if required_sid and not enable_sid: +- 
ansible_module.fail_json( +- msg="'enable-sid: yes' required for 'netbios_name' " +- "and 'add-sids'." +- ) +- if enable_sid: +- if not has_enable_sid: +- ansible_module.fail_json( +- msg="This version of IPA does not support enable-sid." +- ) ++ if has_enable_sid: + if ( + netbios_name + and netbios_name == get_netbios_name(ansible_module) +@@ -554,12 +542,27 @@ def main(): + netbios_name = None + if not add_sids and "add_sids" in params: + del params["add_sids"] +- if ( +- not any([netbios_name, add_sids]) +- and sid_is_enabled +- ): +- del params["enable_sid"] +- ++ if any([netbios_name, add_sids]): ++ if sid_is_enabled: ++ params["enable_sid"] = True ++ else: ++ if not enable_sid: ++ ansible_module.fail_json( ++ msg="SID generation must be enabled for " ++ "'netbios_name' and 'add_sids'. Use " ++ "'enable_sid: yes'." ++ ) ++ else: ++ if sid_is_enabled and "enable_sid" in params: ++ del params["enable_sid"] ++ ++ else: ++ if any([enable_sid, netbios_name, add_sids is not None]): ++ ansible_module.fail_json( ++ msg="This version of IPA does not support enable_sid, " ++ "add_sids or netbios_name setting through the " ++ "config module" ++ ) + params = { + k: v for k, v in params.items() + if k not in result or result[k] != v +diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml +index bd550a5..d8d78f1 100644 +--- a/tests/config/test_config_sid.yml ++++ b/tests/config/test_config_sid.yml +@@ -19,6 +19,32 @@ + + # TESTS + - block: ++ - name: Check if SID is enabled. ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ enable_sid: yes ++ check_mode: yes ++ register: sid_disabled ++ ++ - name: Ensure netbios_name can't be changed without SID enabled. 
++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ netbios_name: IPATESTPLAY ++ register: result ++ failed_when: not result.failed and "SID generation must be enabled" in result.msg ++ when: sid_disabled.changed ++ ++ - name: Ensure SIDs can't be changed without SID enabled. ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ add_sids: yes ++ register: result ++ failed_when: not result.failed and "SID generation must be enabled" in result.msg ++ when: sid_disabled.changed ++ + - name: Ensure SID is enabled. + ipaconfig: + ipaadmin_password: SomeADMINpassword +@@ -56,18 +82,36 @@ + ipaconfig: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" +- enable_sid: yes + netbios_name: IPATESTPLAY + register: result + failed_when: result.failed or result.changed + ++ - name: Ensure netbios_name cannot be set with lowercase characters ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ netbios_name: IPATESTplay ++ register: result ++ failed_when: ++ (not result.failed ++ and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message) ++ ++ - name: Ensure netbios_name cannot be set different lowercase characters ++ ipaconfig: ++ ipaadmin_password: SomeADMINpassword ++ ipaapi_context: "{{ ipa_context | default(omit) }}" ++ netbios_name: otherPLAY ++ register: result ++ failed_when: ++ (not result.failed ++ and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message) ++ + # add_sids is not idempotent as it always tries to generate the missing + # SIDs for users and groups. + - name: Add SIDs to users and groups. 
+ ipaconfig: + ipaadmin_password: SomeADMINpassword + ipaapi_context: "{{ ipa_context | default(omit) }}" +- enable_sid: yes + add_sids: yes + + # only run tests if version supports enable-sid +-- +2.37.3 + diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch new file mode 100644 index 0000000..ef3d7f2 --- /dev/null +++ b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch @@ -0,0 +1,40 @@ +From 4da89de1d41a752e561d17f628dd6c2cbda3f326 Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Wed, 21 Sep 2022 10:10:52 -0300 +Subject: [PATCH] ipaconfig: Fix fail_json calls. + +Ansible's fail_json() method required that the message paramater was +passed with a keyword parameter, rather than a positional one. Although +this seems to work with ansible-core 2.13+, it might not work with +previous versions of Ansible. + +This patch fixes the behaviour for all supported Ansible versions. +--- + plugins/modules/ipaconfig.py | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py +index b0b4062..87810b2 100644 +--- a/plugins/modules/ipaconfig.py ++++ b/plugins/modules/ipaconfig.py +@@ -533,13 +533,14 @@ def main(): + required_sid = any([netbios_name, add_sids]) + if required_sid and not enable_sid: + ansible_module.fail_json( +- "'enable-sid: yes' required for 'netbios_name' " +- "and 'add-sids'." ++ msg="'enable-sid: yes' required for 'netbios_name' " ++ "and 'add-sids'." + ) + if enable_sid: + if not has_enable_sid: + ansible_module.fail_json( +- "This version of IPA does not support 'enable-sid'.") ++ msg="This version of IPA does not support enable-sid." ++ ) + if ( + netbios_name + and netbios_name == get_netbios_name(ansible_module) +-- +2.37.3 + 
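Review bot: The two new negative tests in tests/config/test_config_sid.yml (`Ensure netbios_name can't be changed without SID enabled` and the `add_sids` counterpart) use `failed_when: not result.failed and "SID generation must be enabled" in result.msg`, which can only trigger when the module succeeds and its message nevertheless contains the error text, so a module that fails with a different message, or does not fail at all without a `msg`, never trips the assertion. The intended form is the inverse, as the earlier `SID cannot be disabled` task spells it: `failed_when: not result.failed or "SID generation must be enabled" not in result.msg`. The two lowercase-`netbios_name` tasks read `result.message` while every other task in this file reads `result.msg`; presumably the module sets `msg`, so confirm which key is checked. In plugins/modules/ipaconfig.py the unsupported-version check `any([enable_sid, netbios_name, add_sids is not None])` treats `enable_sid: no` and `add_sids: no` differently and lets a False `enable_sid` stay in `params` for `config_mod`; `enable_sid is not None` would make it consistent.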
diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch b/SOURCES/ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch new file mode 100644 index 0000000..0fcb881 --- /dev/null +++ b/SOURCES/ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch 
@@ -0,0 +1,73 @@ +From de8911af504c6b6f51c906e8cec7da12ff4eed09 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Tue, 30 Aug 2022 16:38:42 +0200 +Subject: [PATCH] ipaserver: Add missing idstart check + +The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs. +This is "Require idstart to be larger than UID_MAX" for freeipa. + +Fixes: #896 (Invalid RID/SID SSSD backtrace after deployment) +--- + roles/ipaserver/library/ipaserver_test.py | 13 ++++++++++++- + roles/ipaserver/module_utils/ansible_ipa_server.py | 7 ++++++- + 2 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py +index 2158150..f830f37 100644 +--- a/roles/ipaserver/library/ipaserver_test.py ++++ b/roles/ipaserver/library/ipaserver_test.py +@@ -225,7 +225,8 @@ from ansible.module_utils.ansible_ipa_server import ( + read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance, + check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError, + validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION, +- encode_certificate, check_available_memory, getargspec, adtrustinstance ++ encode_certificate, check_available_memory, getargspec, adtrustinstance, ++ get_min_idstart + ) + from ansible.module_utils import six + +@@ -579,6 +580,16 @@ def main(): + "'--ignore-topology-disconnect/--ignore-last-of-role' " + "options can be used only during uninstallation") + ++ if get_min_idstart is not None: ++ min_idstart = get_min_idstart() ++ if self.idstart < min_idstart: ++ raise RuntimeError( ++ "idstart (%i) must be larger than UID_MAX/GID_MAX " ++ "(%i) setting in /etc/login.defs." 
% ( ++ self.idstart, min_idstart ++ ) ++ ) ++ + if self.idmax < self.idstart: + raise RuntimeError( + "idmax (%s) cannot be smaller than idstart (%s)" % +diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py +index aba6b68..5b1c4e5 100644 +--- a/roles/ipaserver/module_utils/ansible_ipa_server.py ++++ b/roles/ipaserver/module_utils/ansible_ipa_server.py +@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger", "sysrestore", "root_logger", + "adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader", + "default_subject_base", "default_ca_subject_dn", + "check_ldap_conf", "encode_certificate", "decode_certificate", +- "check_available_memory", "getargspec"] ++ "check_available_memory", "getargspec", "get_min_idstart"] + + import sys + +@@ -200,6 +200,11 @@ else: + from ipalib.x509 import load_certificate + load_pem_x509_certificate = None + ++ try: ++ from ipaserver.install.server.install import get_min_idstart ++ except ImportError: ++ get_min_idstart = None ++ + else: + # IPA version < 4.5 + +-- +2.37.3 + diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch b/SOURCES/ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch new file mode 100644 index 0000000..c951d94 --- /dev/null +++ b/SOURCES/ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch 
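Review bot: `get_min_idstart` is added to `__all__` unconditionally, but the hunk binds it (imported, or None on ImportError) only inside one branch of the version conditional; if the `# IPA version < 4.5` branch visible below does not define it too, `from ansible.module_utils.ansible_ipa_server import (... get_min_idstart)` in ipaserver_test.py fails with ImportError instead of skipping the check — that branch's body is outside the hunk, so this is moot if it only raises for unsupported versions. A `get_min_idstart = None` there would mirror the `load_pem_x509_certificate = None` fallback two lines above. In ipaserver_test.py the message says idstart "must be larger than UID_MAX/GID_MAX (%i)" while the comparison is `self.idstart < min_idstart`, so equality passes; that is consistent only if `get_min_idstart()` already returns the maximum plus one, which cannot be confirmed from here.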
@@ -0,0 +1,55 @@ +From 7077776de3432a321298df13076ea0cc59bc35b1 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Mon, 5 Sep 2022 13:16:26 +0200 +Subject: [PATCH] ipaserver/ipareplica: Add isatty method to AnsibleModuleLog + +In some cases ipa code is using sys.stdout.isatty. As stdout is mapped +to AnsibleModuleLog this call will lead in a traceback as it was not +defined. + +The staticmethod isatty has been added to AnsibleModuleLog in ipaserver +role module_utils/ansible_ipa_server.py and in ipareplica role +module_utils/ansible_ipa_repica.py. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415 + ansible-freeipa Replica Install Setup DNS fails +Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty' +Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty' +--- + roles/ipareplica/module_utils/ansible_ipa_replica.py | 4 ++++ + roles/ipaserver/module_utils/ansible_ipa_server.py | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py +index 0e4e738..27ee13d 100644 +--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py ++++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py +@@ -222,6 +222,10 @@ else: + def info(self, msg): + self.module.debug(msg) + ++ @staticmethod ++ def isatty(): ++ return False ++ + def write(self, msg): + self.module.debug(msg) + # self.module.warn(msg) +diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py +index 5b1c4e5..8e7be0b 100644 +--- a/roles/ipaserver/module_utils/ansible_ipa_server.py ++++ b/roles/ipaserver/module_utils/ansible_ipa_server.py +@@ -255,6 +255,10 @@ else: + def info(self, msg): + self.module.debug(msg) + ++ @staticmethod ++ def isatty(): ++ return False ++ + def write(self, msg): + self.module.debug(msg) + # self.module.warn(msg) +-- +2.37.3 + 
diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec index 650f39b..6c1a2fa 100644 --- a/SPECS/ansible-freeipa.spec +++ b/SPECS/ansible-freeipa.spec @@ -8,10 +8,18 @@ Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients Name: ansible-freeipa Version: 1.8.3 -Release: 1%{?dist} +Release: 2%{?dist} URL: https://github.com/freeipa/ansible-freeipa License: GPLv3+ Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch1: ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch +Patch2: ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch +Patch3: ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch +Patch4: ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch +Patch5: ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch +Patch6: ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch + + BuildArch: noarch %description @@ -114,6 +122,12 @@ to get the needed requrements to run the tests. %prep %setup -q # Do not create backup files with patches +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 # Fix python modules and module utils: # - Remove shebang 
@@ -177,6 +191,20 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/ %{_datadir}/ansible-freeipa/requirements-tests.txt %changelog +* Tue Oct 18 2022 Thomas Woerner - 1.8.3-2 +- ipaserver: Add missing idstart check + Resolves: RHBZ#2132974 +- Replica Install Setup DNS fails + Resolves: RHBZ#2132988 +- ipaconfig: Add support for SID related attributes + Resolves: RHBZ#2132994 +- paconfig: Fix fail_json calls + Resolves: RHBZ#2135753 +- ipaconfig: Do not allow enable_sid set to False + Resolves: RHBZ#2135754 +- ipaconfig: Do not require enable_sid for add_sids or netbios_name + Resolves: RHBZ#2135775 + * Tue Aug 16 2022 Thomas Woerner - 1.8.3-1 - Update to version 1.8.3 https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.3