
ipaclient: Fix allow_repair with removed krb5.conf and DNS lookup #1037

Conversation

t-woerner (Member)

The test in ipaclient_test_keytab first tries to use an existing krb5.conf to check whether the host keytab can be used. With working DNS lookup, an absent krb5.conf is not reported as an error, as DNS lookup is silently used instead.

A temporary krb5.conf is now used in this test that forces DNS lookups to be deactivated and also loads /etc/krb5.conf. A missing krb5.conf is now detected properly, as the kinit call now fails properly.

ipaclient_test_keytab now properly returns whether krb5.conf is usable or not in krb5_conf_ok. This fixes the handling of this case later on in the role.

The test in ipaclient_test_keytab first tries to use an existing
krb5.conf to check whether the host keytab can be used. With working DNS
lookup, an absent krb5.conf is not reported as an error, as DNS lookup is
silently used instead.

A temporary krb5.conf is now used in this test that forces DNS lookups to
be deactivated and also loads /etc/krb5.conf. A missing krb5.conf is now
detected properly, as the kinit call now fails properly. Thanks to Julien
Rische for this proposal.

ipaclient_test_keytab now properly returns whether krb5.conf is usable or
not in krb5_conf_ok. This fixes the handling of this case later on in the
role.
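The probe the description sketches, as an added example in Python; this is not the project's own ipaclient_test_keytab code. Assumed: the function names (probe_krb5_conf, realm_krb5_conf, kinit_ok, check_keytab), the realm, domain and server names supplied by the caller, and MIT krb5's kinit on PATH. The runner parameter defaults to subprocess.run and exists so the logic can be exercised with a stub where no KDC is reachable. The ordering inside the probe file is my choice: the [libdefaults] block is written before the include so that its values are the first match for each relation.

```python
"""Probe whether the host keytab works with the *system* krb5.conf without
letting DNS KDC discovery hide a missing /etc/krb5.conf.

Added example, not ansible-freeipa's ipaclient_test_keytab module. Assumed
names: SYSTEM_KRB5_CONF, probe_krb5_conf(), realm_krb5_conf(), kinit_ok(),
check_keytab(); realm, domain and server names come from the caller.
"""
import os
import subprocess
import tempfile

SYSTEM_KRB5_CONF = "/etc/krb5.conf"


def probe_krb5_conf(system_conf=SYSTEM_KRB5_CONF):
    """krb5.conf text that pins DNS discovery off and pulls in the system file.

    The probe's [libdefaults] comes first: MIT krb5 merges repeated sections
    and returns the first value it finds for a single-valued relation, so the
    'false' settings win over anything the included file says. The include
    comes second. An include target that cannot be read is a profile parse
    error, so kinit exits non-zero before any KDC traffic instead of quietly
    falling back to DNS discovery.
    """
    return (
        "[libdefaults]\n"
        "    dns_lookup_realm = false\n"
        "    dns_lookup_kdc = false\n"
        f"include {system_conf}\n"
    )


def realm_krb5_conf(realm, domain, servers):
    """Self-contained krb5.conf for the second pass: explicit KDCs, no DNS,
    no system file, so success here proves only that the keytab is good."""
    kdcs = "".join(f"        kdc = {s}:88\n" for s in servers)
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        "    dns_lookup_realm = false\n"
        "    dns_lookup_kdc = false\n"
        "[realms]\n"
        f"    {realm} = {{\n{kdcs}"
        f"        admin_server = {servers[0]}:749\n"
        "    }\n"
        "[domain_realm]\n"
        f"    .{domain} = {realm}\n"
        f"    {domain} = {realm}\n"
    )


def kinit_ok(conf_text, principal, keytab, runner=subprocess.run):
    """Run kinit -kt against conf_text via KRB5_CONFIG; True on exit code 0.

    The ticket goes to a throwaway FILE ccache under a temp dir, so nothing
    is left behind on the host.
    """
    with tempfile.TemporaryDirectory(prefix="krb5probe.") as tmpdir:
        conf_path = os.path.join(tmpdir, "krb5.conf")
        with open(conf_path, "w") as f:
            f.write(conf_text)
        env = dict(os.environ, KRB5_CONFIG=conf_path, LC_ALL="C")
        argv = ["kinit", "-c", os.path.join(tmpdir, "ccache"),
                "-kt", keytab, principal]
        result = runner(argv, env=env, stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL, check=False)
        return result.returncode == 0


def check_keytab(principal, realm, domain, servers,
                 keytab="/etc/krb5.keytab", system_conf=SYSTEM_KRB5_CONF,
                 runner=subprocess.run):
    """Return {'krb5_conf_ok': ..., 'krb5_keytab_ok': ...}.

    Pass 1 uses the system krb5.conf through the probe file. Pass 2 runs only
    if pass 1 failed and uses the caller-supplied realm/servers; that is the
    'usable keytab, unusable config' state the role then repairs
    (krb5_conf_ok false, krb5_keytab_ok true).
    """
    if kinit_ok(probe_krb5_conf(system_conf), principal, keytab, runner):
        return {"krb5_conf_ok": True, "krb5_keytab_ok": True}
    keytab_ok = kinit_ok(realm_krb5_conf(realm, domain, servers),
                         principal, keytab, runner)
    return {"krb5_conf_ok": False, "krb5_keytab_ok": keytab_ok}
```

Listing /etc/krb5.conf as a second colon-separated entry of KRB5_CONFIG would not reproduce the fix: libkrb5 skips list entries it cannot open, so the missing file would again go unnoticed and, with DNS lookups enabled, discovery would take over. The include directive is what turns the missing file into a hard kinit failure.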
t-woerner force-pushed the fix_allow_repair_missing_krb5.conf_with_DNS_lookup branch from 7129b5f to bfeefaf on February 8, 2023 15:16
rjeffman self-requested a review February 8, 2023 17:59
rjeffman (Member) commented Feb 8, 2023

LGTM. Thank you for fixing this!

varunmylaraiah (Collaborator) commented Feb 9, 2023

@t-woerner Changes work for me.

Reproduce steps:

1. Install ipa-client with auto-discovery:
[root@ansible ~]# cat inventory/clients.hosts
[ipaclients]
client1.ipadomain.test

[ipaclients:vars]
ipaadmin_principal=admin
ipaadmin_password=<XXXXXXXXXXXX>

[root@ansible ~]# cat install-clients.yaml
- name: Playbook to configure IPA clients
  hosts: ipaclients
  become: true

  roles:
  - role: ipaclient
    state: present
2. Once the client install succeeds, move krb5.conf to /tmp:
    # mv /etc/krb5.conf /tmp/
[root@client1 ~]# ll /etc/krb5.conf
ls: cannot access '/etc/krb5.conf': No such file or directory
3. Create a client inventory file with ipaclient_allow_repair=yes:
[root@ansible ~]# cat inventory/clients_repair.hosts
[ipaclients]
client1.ipadomain.test

[ipaclients:vars]
ipaclient_allow_repair=yes
4. Run the install-clients playbook with the clients_repair inventory:
[root@ansible ~]# ansible-playbook -vv -i inventory/clients_repair.hosts install-clients.yaml

PLAYBOOK: install-clients.yaml *********************************************************************************
1 plays in install-clients.yaml

PLAY [Playbook to configure IPA clients] ***********************************************************************

TASK [Gathering Facts] *****************************************************************************************
task path: /root/install-clients.yaml:2
ok: [client1.ipadomain.test]

TASK [ipaclient : Import variables specific to distribution] ***************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/main.yml:4
ok: [client1.ipadomain.test] => (item=/root/ansible-freeipa/roles/ipaclient/vars/default.yml) => {"ansible_facts": {"ipaclient_packages": ["ipa-client", "python3-libselinux"]}, "ansible_included_var_files": ["/root/ansible-freeipa/roles/ipaclient/vars/default.yml"], "ansible_loop_var": "item", "changed": false, "item": "/root/ansible-freeipa/roles/ipaclient/vars/default.yml"}

TASK [ipaclient : Install IPA client] **************************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/main.yml:19
included: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml for client1.ipadomain.test
*
*
*
TASK [ipaclient : Install - Disable One-Time Password for on_master] *******************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:104
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaclient : Install - Test if IPA client has working krb5.keytab] ****************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:109
ok: [client1.ipadomain.test] => {"ca_crt_exists": true, "changed": false, "krb5_conf_ok": false, "krb5_keytab_ok": true, "ping_test_ok": true}

TASK [ipaclient : Install - Disable One-Time Password for client with working krb5.keytab] *********************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:119
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaclient : Install - Keytab or password is required for getting otp] ************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:137
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaclient : Install - Create temporary file for keytab] **************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:142
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaclient : Install - Copy keytab to server temporary file] **********************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:151
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
*
*
*
TASK [ipaclient : Install - Backup and set hostname] ***********************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:237
changed: [client1.ipadomain.test] => {"changed": true}

TASK [ipaclient : Install - Join IPA] **************************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:242
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaclient : The krb5 configuration is not correct] *******************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:271
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaclient : IPA test failed] *****************************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:277
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaclient : Fail due to missing ca.crt file] *************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:281
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaclient : Install - Configure IPA default.conf] ********************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:295
changed: [client1.ipadomain.test] => {"changed": true}

TASK [ipaclient : Install - Configure SSSD] ********************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:304
changed: [client1.ipadomain.test] => {"changed": true}

TASK [ipaclient : Install - Configure krb5 for IPA realm] ******************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:326
changed: [client1.ipadomain.test] => {"changed": true}

TASK [ipaclient : Install - IPA API calls for remaining enrollment parts] **************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:340
changed: [client1.ipadomain.test] => {"ca_enabled": true, "changed": true, "subject_base": "O=IPADOMAIN.TEST"}

TASK [ipaclient : Install - Fix IPA ca] ************************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:348
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaclient : Install - Create IPA NSS database] ***********************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:358
changed: [client1.ipadomain.test] => {"ca_enabled_ra": true, "changed": true}

TASK [ipaclient : Install - Configure SSH and SSHD] ************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:390
changed: [client1.ipadomain.test] => {"changed": true}

TASK [ipaclient : Install - Configure automount] ***************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:398
changed: [client1.ipadomain.test] => {"changed": true}

TASK [ipaclient : Install - Configure firefox] *****************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:404
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaclient : Install - Configure NIS] *********************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:410
changed: [client1.ipadomain.test] => {"changed": true}

TASK [ipaclient : Install - Restore original admin password if overwritten by OTP] *****************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:416
skipping: [client1.ipadomain.test] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}

TASK [ipaclient : Cleanup leftover ccache] *********************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/install.yml:422
ok: [client1.ipadomain.test] => {"changed": false, "path": "/etc/ipa/.dns_ccache", "state": "absent"}

TASK [ipaclient : Uninstall IPA client] ************************************************************************
task path: /root/ansible-freeipa/roles/ipaclient/tasks/main.yml:23
skipping: [client1.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}

PLAY RECAP *****************************************************************************************************
client1.ipadomain.test     : ok=19   changed=9    unreachable=0    failed=0    skipped=28   rescued=0    ignored=0


5. Check that krb5.conf was re-generated in /etc/:
[root@client1 ~]# ll /etc/krb5.conf
-rw-r--r--. 1 root root 682 Feb  8 20:43 /etc/krb5.conf

[root@client1 ~]# diff /etc/krb5.conf /tmp/krb5.conf

rjeffman merged commit b30ae1c into freeipa:master Feb 9, 2023