def main(): module = AnsibleModule( argument_spec=dict( domain=dict(required=True, default=None), servers=dict(required=True, type='list', default=None), realm=dict(required=True, default=None), hostname=dict(required=True, default=None), basedn=dict(required=True), ), supports_check_mode=True, ) module._ansible_debug = True setup_logging() servers = module.params.get('servers') domain = module.params.get('domain') realm = module.params.get('realm') hostname = module.params.get('hostname') basedn = module.params.get('basedn') fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) configure_ipa_conf(fstore, basedn, realm, domain, servers, hostname) module.exit_json(changed=True)
def main(): module = AnsibleModule( argument_spec=dict( domain=dict(required=False, default=None), servers=dict(required=False, type='list', default=None), realm=dict(required=False, default=None), hostname=dict(required=False, default=None), kdc=dict(required=False, default=None), dnsok=dict(required=False, type='bool', default=False), client_domain=dict(required=False, default=None), sssd=dict(required=False, type='bool', default=False), force=dict(required=False, type='bool', default=False), # on_master=dict(required=False, type='bool', default=False), ), supports_check_mode=True, ) module._ansible_debug = True servers = module.params.get('servers') domain = module.params.get('domain') realm = module.params.get('realm') hostname = module.params.get('hostname') kdc = module.params.get('kdc') dnsok = module.params.get('dnsok') client_domain = module.params.get('client_domain') sssd = module.params.get('sssd') force = module.params.get('force') # on_master = module.params.get('on_master') fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) # if options.on_master: # # If on master assume kerberos is already configured properly. # # Get the host TGT. # try: # kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE, # attempts=options.kinit_attempts) # os.environ['KRB5CCNAME'] = CCACHE_FILE # except gssapi.exceptions.GSSError as e: # logger.error("Failed to obtain host TGT: %s", e) # raise ScriptError(rval=CLIENT_INSTALL_ERROR) # else: # Configure krb5.conf fstore.backup_file(paths.KRB5_CONF) configure_krb5_conf(cli_realm=realm, cli_domain=domain, cli_server=servers, cli_kdc=kdc, dnsok=dnsok, filename=paths.KRB5_CONF, client_domain=client_domain, client_hostname=hostname, configure_sssd=sssd, force=force) logger.info("Configured /etc/krb5.conf for IPA realm %s", realm) module.exit_json(changed=True)
def main(): module = AnsibleModule( argument_spec=dict( servers=dict(required=True, type='list'), domain=dict(required=True), realm=dict(required=True), hostname=dict(required=True), on_master=dict(required=False, type='bool'), no_ssh=dict(required=False, type='bool'), no_sshd=dict(required=False, type='bool'), no_sudo=dict(required=False, type='bool'), all_ip_addresses=dict(required=False, type='bool'), fixed_primary=dict(required=False, type='bool'), permit=dict(required=False, type='bool'), enable_dns_updates=dict(required=False, type='bool'), preserve_sssd=dict(required=False, type='bool'), no_krb5_offline_passwords=dict(required=False, type='bool'), ), supports_check_mode=True, ) # ansible_log = AnsibleModuleLog(module, logger) # options.set_logger(ansible_log) module._ansible_debug = True setup_logging() cli_server = module.params.get('servers') cli_domain = module.params.get('domain') cli_realm = module.params.get('realm') hostname = module.params.get('hostname') options.on_master = module.params.get('on_master') options.no_ssh = module.params.get('no_ssh') options.conf_ssh = not options.no_ssh options.no_sshd = module.params.get('no_sshd') options.conf_sshd = not options.no_sshd options.no_sudo = module.params.get('no_sudo') options.conf_sudo = not options.no_sudo options.all_ip_addresses = module.params.get('all_ip_addresses') options.primary = module.params.get('fixed_primary') options.permit = module.params.get('permit') options.dns_updates = module.params.get('enable_dns_updates') options.preserve_sssd = module.params.get('preserve_sssd') options.no_krb5_offline_passwords = module.params.get( 'no_krb5_offline_passwords') options.krb5_offline_passwords = not options.no_krb5_offline_passwords fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) client_domain = hostname[hostname.find(".") + 1:] if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, hostname): module.fail_json("configure_sssd_conf failed") logger.info("Configured /etc/sssd/sssd.conf") module.exit_json(changed=True)
def main(): module = AnsibleModule(argument_spec=dict(backup=dict(required=True), ), ) module._ansible_debug = True backup = module.params.get('backup') fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) if not fstore.has_file(backup): fstore.backup_file(backup) module.exit_json(changed=True) module.exit_json(changed=False)
def main(): module = AnsibleModule( argument_spec = dict( servers=dict(required=True, type='list'), realm=dict(required=True), basedn=dict(required=True), allow_repair=dict(required=True, type='bool'), ), ) module._ansible_debug = True servers = module.params.get('servers') realm = module.params.get('realm') basedn = module.params.get('basedn') allow_repair = module.params.get('allow_repair') env = {'PATH': SECURE_PATH} fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE options.ca_cert_file = None options.principal = None options.force = False options.password = None changed = False if not os.path.exists(paths.IPA_CA_CRT): if not allow_repair: module.fail_json( msg="%s missing, enable allow_repair to fix it." % \ paths.IPA_CA_CRT) # Repair missing ca.crt file try: os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG'] = "/etc/krb5.conf" env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] if NUM_VERSION < 40100: get_ca_cert(fstore, options, servers[0], basedn) else: get_ca_certs(fstore, options, servers[0], basedn, realm) changed = True del os.environ['KRB5_CONFIG'] except errors.FileError as e: module.fail_json(msg='%s' % e) except Exception as e: module.fail_json(msg="Cannot obtain CA certificate\n%s" % e) module.exit_json(changed=changed)
def main(): module = AnsibleModule( argument_spec=dict(hostname=dict(required=True), ), supports_check_mode=True, ) module._ansible_debug = True hostname = module.params.get('hostname') fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) tasks.backup_hostname(fstore, statestore) tasks.set_hostname(hostname) module.exit_json(changed=True)
def main(): module = AnsibleModule( argument_spec=dict( servers=dict(required=True, type='list'), no_ssh=dict(required=False, type='bool', default='no'), ssh_trust_dns=dict(required=False, type='bool', default='no'), no_sshd=dict(required=False, type='bool', default='no'), sssd=dict(required=False, type='bool', default='no'), ), supports_check_mode=True, ) module._ansible_debug = True setup_logging() options.servers = module.params.get('servers') options.server = options.servers options.no_ssh = module.params.get('no_ssh') options.conf_ssh = not options.no_ssh options.trust_sshfp = module.params.get('ssh_trust_dns') options.no_sshd = module.params.get('no_sshd') options.conf_sshd = not options.no_sshd options.sssd = module.params.get('sssd') fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) # os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE changed = False if options.conf_ssh: configure_ssh_config(fstore, options) changed = True if options.conf_sshd: configure_sshd_config(fstore, options) changed = True module.exit_json(changed=changed)
def main(): module = AnsibleModule( argument_spec=dict( servers=dict(required=True, type='list'), domain=dict(required=True), realm=dict(required=True), hostname=dict(required=True), kdc=dict(required=True), basedn=dict(required=True), principal=dict(required=False), password=dict(required=False, no_log=True), keytab=dict(required=False), admin_keytab=dict(required=False), ca_cert_file=dict(required=False), force_join=dict(required=False, type='bool'), kinit_attempts=dict(required=False, type='int', default=5), debug=dict(required=False, type='bool'), ), supports_check_mode=True, ) module._ansible_debug = True servers = module.params.get('servers') domain = module.params.get('domain') realm = module.params.get('realm') hostname = module.params.get('hostname') basedn = module.params.get('basedn') kdc = module.params.get('kdc') force_join = module.params.get('force_join') principal = module.params.get('principal') password = module.params.get('password') keytab = module.params.get('keytab') admin_keytab = module.params.get('admin_keytab') ca_cert_file = module.params.get('ca_cert_file') kinit_attempts = module.params.get('kinit_attempts') debug = module.params.get('debug') if password is not None and keytab is not None: module.fail_json(msg="Password and keytab cannot be used together") if password is None and admin_keytab is None: module.fail_json(msg="Password or admin_keytab is needed") client_domain = hostname[hostname.find(".") + 1:] nolog = tuple() env = {'PATH': SECURE_PATH} fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) host_principal = 'host/%s@%s' % (hostname, realm) sssd = True options.ca_cert_file = ca_cert_file options.principal = principal options.force = False options.password = password ccache_dir = None changed = False already_joined = False try: (krb_fd, krb_name) = tempfile.mkstemp() os.close(krb_fd) configure_krb5_conf(cli_realm=realm, cli_domain=domain, cli_server=servers, cli_kdc=kdc, dnsok=False, filename=krb_name, client_domain=client_domain, client_hostname=hostname, configure_sssd=sssd, force=False) env['KRB5_CONFIG'] = krb_name ccache_dir = tempfile.mkdtemp(prefix='krbcc') ccache_name = os.path.join(ccache_dir, 'ccache') join_args = [ paths.SBIN_IPA_JOIN, "-s", servers[0], "-b", str(realm_to_suffix(realm)), "-h", hostname ] if debug: join_args.append("-d") env['XMLRPC_TRACE_CURL'] = 'yes' if force_join: join_args.append("-f") if principal is not None: if principal.find('@') == -1: principal = '%s@%s' % (principal, realm) if admin_keytab: join_args.append("-f") if not os.path.exists(admin_keytab): module.fail_json( msg="Keytab file could not be found: %s" % \ admin_keytab) try: kinit_keytab(principal, admin_keytab, ccache_name, config=krb_name, attempts=kinit_attempts) except GSSError as e: module.fail_json(msg="Kerberos authentication failed: %s" % str(e)) else: try: kinit_password(principal, password, ccache_name, config=krb_name) except RuntimeError as e: module.fail_json( msg="Kerberos authentication failed: {}".format(e)) elif keytab: join_args.append("-f") if os.path.exists(keytab): try: kinit_keytab(host_principal, keytab, ccache_name, config=krb_name, attempts=kinit_attempts) except GSSError as e: module.fail_json( msg="Kerberos authentication failed: {}".format(e)) else: module.fail_json( msg="Keytab file could not be found: {}".format(keytab)) elif password: join_args.append("-w") join_args.append(password) nolog = (password, ) env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name # Get the CA certificate try: os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG'] if NUM_VERSION < 40100: get_ca_cert(fstore, options, servers[0], basedn) else: get_ca_certs(fstore, options, servers[0], basedn, realm) del os.environ['KRB5_CONFIG'] except errors.FileError as e: module.fail_json(msg='%s' % e) except Exception as e: module.fail_json(msg="Cannot obtain CA certificate\n%s" % e) # Now join the domain result = run(join_args, raiseonerr=False, env=env, nolog=nolog, capture_error=True) stderr = result.error_output if result.returncode != 0: if result.returncode == 13: already_joined = True module.log("Host is already joined") else: if principal: run([paths.KDESTROY], raiseonerr=False, env=env) module.fail_json(msg="Joining realm failed: %s" % stderr) else: changed = True module.log("Enrolled in IPA realm %s" % realm) # Fail for missing krb5.keytab on already joined host if already_joined and not os.path.exists(paths.KRB5_KEYTAB): module.fail_json( msg= "krb5.keytab missing! Retry with ipaclient_force_join=yes to generate a new one." ) if principal: run([paths.KDESTROY], raiseonerr=False, env=env) # Obtain the TGT. We do it with the temporary krb5.conf, sot # tha only the KDC we're installing under is contacted. # Other KDCs might not have replicated the principal yet. # Once we have the TGT, it's usable on any server. try: kinit_keytab(host_principal, paths.KRB5_KEYTAB, paths.IPA_DNS_CCACHE, config=krb_name, attempts=kinit_attempts) env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE except GSSError as e: # failure to get ticket makes it impossible to login and # bind from sssd to LDAP, abort installation module.fail_json(msg="Failed to obtain host TGT: %s" % e) finally: try: os.remove(krb_name) except OSError: module.fail_json(msg="Could not remove %s" % krb_name) if ccache_dir is not None: try: os.rmdir(ccache_dir) except OSError: pass if os.path.exists(krb_name + ".ipabkp"): try: os.remove(krb_name + ".ipabkp") except OSError: module.fail_json(msg="Could not remove %s.ipabkp" % krb_name) module.exit_json(changed=changed, already_joined=already_joined)
def main(): module = AnsibleModule( argument_spec=dict( servers=dict(required=True, type='list'), domain=dict(required=True), realm=dict(required=True), hostname=dict(required=True), basedn=dict(required=True), principal=dict(required=False), subject_base=dict(required=True), ca_enabled=dict(required=True, type='bool'), mkhomedir=dict(required=False, type='bool'), on_master=dict(required=False, type='bool'), dnsok=dict(required=False, type='bool', default=False), enable_dns_updates=dict(required=False, type='bool'), all_ip_addresses=dict(required=False, type='bool', default=False), ip_addresses=dict(required=False, type='list', default=None), request_cert=dict(required=False, type='bool', default=False), preserve_sssd=dict(required=False, type='bool'), no_ssh=dict(required=False, type='bool'), no_sshd=dict(required=False, type='bool'), no_sudo=dict(required=False, type='bool'), fixed_primary=dict(required=False, type='bool'), permit=dict(required=False, type='bool'), no_krb5_offline_passwords=dict(required=False, type='bool'), no_dns_sshfp=dict(required=False, type='bool', default=False), ), supports_check_mode=True, ) module._ansible_debug = True cli_server = module.params.get('servers') cli_realm = module.params.get('realm') hostname = module.params.get('hostname') cli_basedn = module.params.get('basedn') cli_domain = module.params.get('domain') options.principal = module.params.get('principal') subject_base = module.params.get('subject_base') ca_enabled = module.params.get('ca_enabled') options.mkhomedir = module.params.get('mkhomedir') options.on_master = module.params.get('on_master') dnsok = module.params.get('dnsok') fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE options.dns_updates = module.params.get('enable_dns_updates') options.all_ip_addresses = module.params.get('all_ip_addresses') options.ip_addresses = ansible_module_get_parsed_ip_addresses(module) options.request_cert = module.params.get('request_cert') options.hostname = hostname options.host_name = hostname options.preserve_sssd = module.params.get('preserve_sssd') options.no_ssh = module.params.get('no_ssh') options.conf_ssh = not options.no_ssh options.no_sshd = module.params.get('no_sshd') options.conf_sshd = not options.no_sshd options.no_sudo = module.params.get('no_sudo') options.conf_sudo = not options.no_sudo options.primary = module.params.get('fixed_primary') options.permit = module.params.get('permit') options.no_krb5_offline_passwords = module.params.get( 'no_krb5_offline_passwords') options.krb5_offline_passwords = not options.no_krb5_offline_passwords options.no_dns_sshfp = module.params.get('no_dns_sshfp') options.create_sshfp = not options.no_dns_sshfp options.no_sssd = False options.sssd = not options.no_sssd options.no_ac = False CCACHE_FILE = paths.IPA_DNS_CCACHE api.bootstrap(context='cli_installer', confdir=paths.ETC_IPA, debug=False, delegate=False) api.finalize() api.Backend.rpcclient.connect() try: api.Backend.rpcclient.forward('ping') except errors.KerberosError: # Cannot connect to the server due to Kerberos error, trying with # delegate=True api.Backend.rpcclient.disconnect() api.Backend.rpcclient.connect(delegate=True) api.Backend.rpcclient.forward('ping') ########################################################################## try: # Create IPA NSS database try: create_ipa_nssdb() except ipautil.CalledProcessError as e: raise ScriptError("Failed to create IPA NSS database: %s" % e, rval=CLIENT_INSTALL_ERROR) # Get CA certificates from the certificate store try: ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm, ca_enabled) except errors.NoCertificateError: if ca_enabled: ca_subject = DN(('CN', 'Certificate Authority'), subject_base) else: ca_subject = None ca_certs = certstore.make_compat_ca_certs(ca_certs, cli_realm, ca_subject) ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u)) for (c, n, t, u) in ca_certs] if hasattr(paths, "KDC_CA_BUNDLE_PEM"): x509.write_certificate_list( [c for c, n, t, u in ca_certs if t is not False], paths.KDC_CA_BUNDLE_PEM, # mode=0o644 ) if hasattr(paths, "CA_BUNDLE_PEM"): x509.write_certificate_list( [c for c, n, t, u in ca_certs if t is not False], paths.CA_BUNDLE_PEM, # mode=0o644 ) # Add the CA certificates to the IPA NSS database logger.debug("Adding CA certificates to the IPA NSS database.") ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) for cert, nickname, trust_flags in ca_certs_trust: try: ipa_db.add_cert(cert, nickname, trust_flags) except CalledProcessError: raise ScriptError("Failed to add %s to the IPA NSS database." % nickname, rval=CLIENT_INSTALL_ERROR) # Add the CA certificates to the platform-dependant systemwide CA # store tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs) if not options.on_master: client_dns(cli_server[0], hostname, options) configure_certmonger(fstore, subject_base, cli_realm, hostname, options, ca_enabled) if hasattr(paths, "SSH_CONFIG_DIR"): ssh_config_dir = paths.SSH_CONFIG_DIR else: ssh_config_dir = services.knownservices.sshd.get_config_dir() update_ssh_keys(hostname, ssh_config_dir, options.create_sshfp) try: os.remove(CCACHE_FILE) except Exception: pass argspec_save_state = inspect.getargspec(save_state) # Name Server Caching Daemon. Disable for SSSD, use otherwise # (if installed) nscd = services.knownservices.nscd if nscd.is_installed(): if "statestore" in argspec_save_state.args: save_state(nscd, statestore) else: save_state(nscd) nscd_service_action = None try: if options.sssd: nscd_service_action = 'stop' nscd.stop() else: nscd_service_action = 'restart' nscd.restart() except Exception: logger.warning("Failed to %s the %s daemon", nscd_service_action, nscd.service_name) if not options.sssd: logger.warning( "Caching of users/groups will not be available") try: if options.sssd: nscd.disable() else: nscd.enable() except Exception: if not options.sssd: logger.warning( "Failed to configure automatic startup of the %s " "daemon", nscd.service_name) logger.info("Caching of users/groups will not be " "available after reboot") else: logger.warning( "Failed to disable %s daemon. Disable it manually.", nscd.service_name) else: # this is optional service, just log if not options.sssd: logger.info("%s daemon is not installed, skip configuration", nscd.service_name) nslcd = services.knownservices.nslcd if nslcd.is_installed(): if "statestore" in argspec_save_state.args: save_state(nslcd, statestore) else: save_state(nslcd) retcode, conf = (0, None) if not options.no_ac: # Modify nsswitch/pam stack argspec = inspect.getargspec(tasks.modify_nsswitch_pam_stack) if "sudo" in argspec.args: tasks.modify_nsswitch_pam_stack(sssd=options.sssd, mkhomedir=options.mkhomedir, statestore=statestore, sudo=options.conf_sudo) else: tasks.modify_nsswitch_pam_stack(sssd=options.sssd, mkhomedir=options.mkhomedir, statestore=statestore) if hasattr(paths, "AUTHSELECT") and paths.AUTHSELECT is not None: # authselect is used # if mkhomedir, make sure oddjobd is enabled and started if options.mkhomedir: oddjobd = services.service('oddjobd', api) running = oddjobd.is_running() enabled = oddjobd.is_enabled() statestore.backup_state('oddjobd', 'running', running) statestore.backup_state('oddjobd', 'enabled', enabled) try: if not enabled: oddjobd.enable() if not running: oddjobd.start() except Exception as e: logger.critical("Unable to start oddjobd: %s", str(e)) logger.info("%s enabled", "SSSD" if options.sssd else "LDAP") if options.sssd: sssd = services.service('sssd', api) try: sssd.restart() except CalledProcessError: logger.warning("SSSD service restart was unsuccessful.") try: sssd.enable() except CalledProcessError as e: logger.warning( "Failed to enable automatic startup of the SSSD " "daemon: %s", e) if not options.sssd: tasks.modify_pam_to_use_krb5(statestore) logger.info("Kerberos 5 enabled") # Update non-SSSD LDAP configuration after authconfig calls as it # would change its configuration otherways if not options.sssd: for configurer in [configure_ldap_conf, configure_nslcd_conf]: (retcode, conf, filenames) = configurer( fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, nosssd_files[configurer.__name__]) if retcode: raise ScriptError(rval=CLIENT_INSTALL_ERROR) if conf: logger.info( "%s configured using configuration file(s) %s", conf, filenames) if configure_openldap_conf(fstore, cli_basedn, cli_server): logger.info("Configured /etc/openldap/ldap.conf") else: logger.info("Failed to configure /etc/openldap/ldap.conf") # Check that nss is working properly if not options.on_master: user = options.principal if user is None: user = "******" % cli_domain logger.info( "Principal is not set when enrolling with OTP" "; using principal '%s' for 'getent passwd'", user) elif '@' not in user: user = "******" % (user, cli_domain) n = 0 found = False # Loop for up to 10 seconds to see if nss is working properly. # It can sometimes take a few seconds to connect to the remote # provider. # Particulary, SSSD might take longer than 6-8 seconds. if hasattr(paths, "GETENT"): getent_cmd = paths.GETENT else: getent_cmd = '/usr/bin/getent' while n < 10 and not found: try: ipautil.run([getent_cmd, "passwd", user]) found = True except Exception: time.sleep(1) n = n + 1 if not found: logger.error( "Unable to find '%s' user with 'getent " "passwd %s'!", user.split("@")[0], user) if conf: logger.info("Recognized configuration: %s", conf) else: logger.error( "Unable to reliably detect " "configuration. Check NSS setup manually.") try: hardcode_ldap_server(cli_server) except Exception as e: logger.error( "Adding hardcoded server name to " "/etc/ldap.conf failed: %s", str(e)) except ScriptError as e: module.fail_json(msg=str(e)) ########################################################################## module.exit_json(changed=True, ca_enabled_ra=ca_enabled)
def main(): module = AnsibleModule( argument_spec=dict( # basic ntp_servers=dict(required=False, type='list', default=None), ntp_pool=dict(required=False, default=None), no_ntp=dict(required=False, type='bool', default=False), # force_ntpd=dict(required=False, type='bool', default=False), on_master=dict(required=False, type='bool', default=False), # additional servers=dict(required=False, type='list', default=None), domain=dict(required=False, default=None), ), supports_check_mode=True, ) # module._ansible_debug = True setup_logging() options.ntp_servers = module.params.get('ntp_servers') options.ntp_pool = module.params.get('ntp_pool') options.no_ntp = module.params.get('no_ntp') # options.force_ntpd = module.params.get('force_ntpd') options.on_master = module.params.get('on_master') cli_server = module.params.get('servers') cli_domain = module.params.get('domain') options.conf_ntp = not options.no_ntp options.debug = False fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) synced_ntp = False if sync_time is not None: if options.conf_ntp: # Attempt to configure and sync time with NTP server (chrony). # pylint: disable=deprecated-method argspec = inspect.getargspec(sync_time) # pylint: enable=deprecated-method if "options" not in argspec.args: synced_ntp = sync_time(options.ntp_servers, options.ntp_pool, fstore, statestore) else: synced_ntp = sync_time(options, fstore, statestore) elif options.on_master: # If we're on master skipping the time sync here because it was # done in ipa-server-install logger.info( "Skipping attempt to configure and synchronize time with" " chrony server as it has been already done on master.") else: logger.info("Skipping chrony configuration") else: ntp_srv_servers = [] if not options.on_master and options.conf_ntp: # Attempt to sync time with IPA server. # If we're skipping NTP configuration, we also skip the time sync # here. # We assume that NTP servers are discoverable through SRV records # in the DNS. # If that fails, we try to sync directly with IPA server, # assuming it runs NTP logger.info('Synchronizing time with KDC...') ds = ipadiscovery.IPADiscovery() ntp_srv_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False) synced_ntp = False ntp_servers = ntp_srv_servers # use user specified NTP servers if there are any if options.ntp_servers: ntp_servers = options.ntp_servers for _ntp_server in ntp_servers: synced_ntp = timeconf.synconce_ntp(_ntp_server, options.debug) if synced_ntp: break if not synced_ntp and not options.ntp_servers: synced_ntp = timeconf.synconce_ntp(cli_server[0], options.debug) if not synced_ntp: module.warn( "Unable to sync time with NTP " "server, assuming the time is in sync. Please check " "that 123 UDP port is opened.") else: logger.info('Skipping synchronizing time with NTP server.') # Done module.exit_json(changed=synced_ntp)