2021 07 freeipa dep fix (#40)

* removed krb5_server dependency on krb5_client
* replaced the ca_certs role with tasks in tls_install_certs
* added verification for FreeIPA TLS and clients
* corrected note on ca certificates in freeipa docs

Signed-off-by: William Dyson <[email protected]>

Co-authored-by: William Dyson <[email protected]>

Author: WillDyson

docs/freeipa.md

@@ -47,14 +47,6 @@ The playbook will not provision a firewall around the FreeIPA server.
 
 ## FreeIPA CA signed certificates or externally signed certificates?
 
-In both cases, you'll want to refer to each CA certificate used (particularly important if you are using a different CA) by adding entries to `tls_ca_certs` e.g. (IPA CA)
-
-```
-tls_ca_certs:
-  - path: /etc/ipa/ca.crt
-    alias: ipaca
-```
-
 ### FreeIPA CA signed certificates
 
 Here, nothing has to be done.
@@ -67,6 +59,15 @@ In this case, please set `skip_ipa_signing` to `true`.
 
 This will cause the playbook to stop after generating CSRs – identical to the non-FreeIPA case.
 
+You will also need to configure your CA certificate like so (where `/path/to/ca.crt` is a path on the controller host):
+```
+tls_ca_certs:
+  - path: /path/to/ca.crt
+    alias: clusterca
+```
+
+This will ensure that the generated truststore includes your external CA.
+
 ## AutoTLS or playbook configured?
 
 ### AutoTLS

roles/infrastructure/krb5_client/meta/main.yml

@@ -14,4 +14,5 @@
 
 ---
 dependencies:
-  - role: cloudera.cluster.infrastructure.krb5_common
+  - role: cloudera.cluster.infrastructure.krb5_common
+  - role: cloudera.cluster.infrastructure.krb5_conf

roles/infrastructure/krb5_client/tasks/freeipa.yml

@@ -23,12 +23,21 @@
     ipaclient_servers: "{{ groups['krb5_server'] }}"
   when: "krb5_kdc_type == 'Red Hat IPA' and 'krb5_server' in groups"
 
-- name: Set sssd to enumerate users and groups
+- name: Set up renew_lifetime in krb5.conf
   lineinfile:
-    path: /etc/sssd/sssd.conf
-    insertafter: "^\\[domain/.+\\]"
-    regexp: "^enumerate"
-    line: "enumerate = True"
-  when: "krb5_kdc_type == 'Red Hat IPA' and 'krb5_server' in groups"
-  notify:
-    - restart sssd
+    path: /etc/krb5.conf
+    insertafter: "^\\[libdefaults\\]"
+    regexp: "^  renew_lifetime"
+    line: "  renew_lifetime = 7d"
+  when: 
+    - krb5_kdc_type == 'Red Hat IPA'
+    - "'cluster' in group_names or 'cloudera_manager' in group_names"
+
+- name: Remove default_ccache_name in krb5.conf
+  lineinfile:
+    path: /etc/krb5.conf
+    regexp: "^  default_ccache_name"
+    state: absent
+  when: 
+    - krb5_kdc_type == 'Red Hat IPA'
+    - "'cluster' in group_names or 'cloudera_manager' in group_names"

roles/infrastructure/krb5_client/tasks/mit.yml

@@ -22,10 +22,3 @@
     lock_timeout: "{{ (ansible_os_family == 'RedHat') | ternary(60, omit) }}"
     name: "{{ krb5_packages }}"
     state: present
-
-- name: Create krb5.conf
-  template:
-    src: "{{ krb5_conf_template | default('krb5.conf.j2') }}"
-    dest: /etc/krb5.conf
-    backup: yes
-  when: not (skip_krb5_conf_distribution | default(False))

roles/infrastructure/krb5_client/templates/krb5.conf.j2 renamed to roles/infrastructure/krb5_common/templates/krb5.conf.j2

@@ -14,4 +14,4 @@
 
 ---
 dependencies:
-  - role: cloudera.cluster.infrastructure.ca_common
+  - role: cloudera.cluster.infrastructure.krb5_common

roles/infrastructure/ca_certs/meta/main.yml renamed to roles/infrastructure/krb5_conf/meta/main.yml

@@ -13,7 +13,6 @@
 # limitations under the License.
 
 ---
-- name: Clean CA Certs directory
-  file:
-    name: "{{ ca_server_root_path }}"
-    state: absent
+- name: Setup MIT KRB5 Configuration
+  when: krb5_kdc_type != 'Red Hat IPA'
+  ansible.builtin.include_tasks: mit.yml

roles/infrastructure/ca_certs/tasks/clean.yml renamed to roles/infrastructure/krb5_conf/tasks/main.yml

@@ -13,15 +13,10 @@
 # limitations under the License.
 
 ---
-- name: Fetch CA Certs
-  fetch:
-    src: "{{ cert.src }}"
-    dest: "{{ cert.dest }}"
-    flat: yes
-  loop:
-    - src: "{{ ca_server_root_cert_path }}"
-      dest: "{{ local_temp_dir }}/certs/cluster_rootca.pem"
-    - src: "{{ ca_server_intermediate_cert_path }}"
-      dest: "{{ local_temp_dir }}/certs/cluster_intca.pem"
-  loop_control:
-    loop_var: cert
+
+- name: Create krb5.conf
+  template:
+    src: "{{ krb5_conf_template | default('krb5.conf.j2') }}"
+    dest: /etc/krb5.conf
+    backup: yes
+  when: not (skip_krb5_conf_distribution | default(False))

roles/infrastructure/ca_certs/tasks/fetch.yml renamed to roles/infrastructure/krb5_conf/tasks/mit.yml

@@ -0,0 +1,22 @@
+[libdefaults]
+default_realm = {{ krb5_realm|upper }}
+dns_lookup_kdc = false
+dns_lookup_realm = false
+ticket_lifetime = 1d
+renew_lifetime = 7d
+forwardable = true
+default_tgs_enctypes = {{ krb5_enc_types }}
+default_tkt_enctypes = {{ krb5_enc_types }}
+permitted_enctypes = {{ krb5_enc_types }}
+udp_preference_limit = 1
+kdc_timeout = 3000
+
+[realms]
+{{ krb5_realm|upper }} = {
+  kdc = {{ krb5_kdc_host | default(groups['krb5_server'][0]) }}
+  admin_server = {{ krb5_kdc_host | default(groups['krb5_server'][0]) }}
+}
+
+[domain_realm]
+.{{ ansible_domain }} = {{ krb5_realm|upper }}
+{{ ansible_domain }} = {{ krb5_realm|upper }}

roles/infrastructure/krb5_conf/templates/krb5.conf.j2

@@ -14,4 +14,5 @@
 
 ---
 dependencies:
-  - role: cloudera.cluster.infrastructure.krb5_client
+  - role: cloudera.cluster.infrastructure.krb5_common
+  - role: cloudera.cluster.infrastructure.krb5_conf