diff -up ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml
--- ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
+++ ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml 2022-10-07 17:12:51.172335899 +0200
@@ -0,0 +1,12 @@
+---
+- name: Playbook to change IPA domain netbios name
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Set IPA domain netbios name
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ netbios_name: IPADOM
diff -up ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml
--- ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
+++ ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml 2022-10-07 17:12:51.172335899 +0200
@@ -0,0 +1,12 @@
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ add_sids: yes
diff -up ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py
--- ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py 2022-10-07 17:18:43.193785596 +0200
@@ -148,6 +148,24 @@ options:
required: false
type: list
aliases: ["ipadomainresolutionorder"]
+ enable_sid:
+ description: >
+ New users and groups automatically get a SID assigned.
+ Requires IPA 4.9.8+.
+ required: false
+ type: bool
+ netbios_name:
+ description: >
+ NetBIOS name of the IPA domain.
+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
+ required: false
+ type: string
+ add_sids:
+ description: >
+ Add SIDs for existing users and groups.
+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
+ required: false
+ type: bool
'''
EXAMPLES = '''
@@ -169,6 +187,24 @@ EXAMPLES = '''
ipaadmin_password: SomeADMINpassword
defaultshell: /bin/bash
maxusername: 64
+
+- name: Playbook to enable SID and generate users and groups SIDs
+ hosts: ipaserver
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ add_sids: yes
+
+- name: Playbook to change IPA domain netbios name
+ hosts: ipaserver
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ netbios_name: IPADOM
'''
RETURN = '''
@@ -247,6 +283,14 @@ config:
domain_resolution_order:
description: list of domains used for short name qualification
returned: always
+ enable_sid:
+ description: >
+ new users and groups automatically get a SID assigned.
+ Requires IPA 4.9.8+.
+ returned: always
+ netbios_name:
+ description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
+ returned: if enable_sid is True
'''
@@ -260,6 +304,28 @@ def config_show(module):
return _result["result"]
+def get_netbios_name(module):
+ try:
+ _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
+ except Exception: # pylint: disable=broad-except
+ return None
+ else:
+ return _result["result"]["ipantflatname"][0]
+
+
+def is_enable_sid(module):
+ """When 'enable-sid' is true admin user and admins group have SID set."""
+ _result = module.ipa_command("user_show", "admin", {"all": True})
+ sid = _result["result"].get("ipantsecurityidentifier", [""])
+ if not sid[0].endswith("-500"):
+ return False
+ _result = module.ipa_command("group_show", "admins", {"all": True})
+ sid = _result["result"].get("ipantsecurityidentifier", [""])
+ if not sid[0].endswith("-512"):
+ return False
+ return True
+
+
def main():
ansible_module = IPAAnsibleModule(
argument_spec=dict(
@@ -313,7 +379,10 @@ def main():
aliases=["ipauserauthtype"]),
ca_renewal_master_server=dict(type="str", required=False),
domain_resolution_order=dict(type="list", required=False,
- aliases=["ipadomainresolutionorder"])
+ aliases=["ipadomainresolutionorder"]),
+ enable_sid=dict(type="bool", required=False),
+ add_sids=dict(type="bool", required=False),
+ netbios_name=dict(type="str", required=False),
),
supports_check_mode=True,
)
@@ -344,7 +413,10 @@ def main():
"pac_type": "ipakrbauthzdata",
"user_auth_type": "ipauserauthtype",
"ca_renewal_master_server": "ca_renewal_master_server",
- "domain_resolution_order": "ipadomainresolutionorder"
+ "domain_resolution_order": "ipadomainresolutionorder",
+ "enable_sid": "enable_sid",
+ "netbios_name": "netbios_name",
+ "add_sids": "add_sids",
}
reverse_field_map = {v: k for k, v in field_map.items()}
@@ -392,11 +464,47 @@ def main():
changed = False
exit_args = {}
- # Connect to IPA API
- with ansible_module.ipa_connect():
+ # Connect to IPA API (enable-sid requires context == 'client')
+ with ansible_module.ipa_connect(context="client"):
+ has_enable_sid = ansible_module.ipa_command_param_exists(
+ "config_mod", "enable_sid")
result = config_show(ansible_module)
+
if params:
+ netbios_name = params.get("netbios_name")
+ if netbios_name:
+ netbios_name = netbios_name.upper()
+ add_sids = params.get("add_sids")
+ enable_sid = params.get("enable_sid")
+ required_sid = any([netbios_name, add_sids])
+ if required_sid and not enable_sid:
+ ansible_module.fail_json(
+ "'enable-sid: yes' required for 'netbios_name' "
+ "and 'add-sids'."
+ )
+ if enable_sid:
+ if not has_enable_sid:
+ ansible_module.fail_json(
+ "This version of IPA does not support 'enable-sid'.")
+ if (
+ netbios_name
+ and netbios_name == get_netbios_name(ansible_module)
+ ):
+ del params["netbios_name"]
+ netbios_name = None
+ if not add_sids and "add_sids" in params:
+ del params["add_sids"]
+ if (
+ not any([netbios_name, add_sids])
+ and is_enable_sid(ansible_module)
+ ):
+ del params["enable_sid"]
+ else:
+ for param in ["enable_sid", "netbios_name", "add_sids"]:
+ if param in params:
+ del params[params]
+
params = {
k: v for k, v in params.items()
if k not in result or result[k] != v
@@ -441,6 +549,10 @@ def main():
raise ValueError(
"Unexpected attribute type: %s" % arg_type)
exit_args[k] = type_map[arg_type](value)
+ # Set enable_sid
+ if has_enable_sid:
+ exit_args["enable_sid"] = is_enable_sid(ansible_module)
+ exit_args["netbios_name"] = get_netbios_name(ansible_module)
# Done
ansible_module.exit_json(changed=changed, config=exit_args)
diff -up ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid ansible-freeipa-1.6.3/README-config.md
--- ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/README-config.md 2022-10-07 17:12:51.172335899 +0200
@@ -65,6 +65,9 @@ Example playbook to read config options:
maxusername: 64
```
+
+Example playbook to set global configuration options:
+
```yaml
---
- name: Playbook to ensure some config options are set
@@ -79,6 +82,40 @@ Example playbook to read config options:
```
+Example playbook to enable SID and generate users and groups SIDs:
+
+```yaml
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ add_sids: yes
+```
+
+Example playbook to change IPA domain NetBIOS name:
+
+```yaml
+---
+- name: Playbook to change IPA domain netbios name
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Set IPA domain netbios name
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ netbios_name: IPADOM
+```
+
Variables
=========
@@ -111,6 +148,9 @@ Variable | Description | Required
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
+`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
Return Values
@@ -140,6 +180,8 @@ Variable | Description | Returned When
| `user_auth_type` |
| `domain_resolution_order` |
| `ca_renewal_master_server` |
+ | `enable_sid` |
+ | `netbios_name` |
All returned fields take the same form as their namesake input parameters
diff -up ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid ansible-freeipa-1.6.3/tests/config/test_config_sid.yml
--- ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
+++ ansible-freeipa-1.6.3/tests/config/test_config_sid.yml 2022-10-07 17:12:51.172335899 +0200
@@ -0,0 +1,70 @@
+---
+- name: Test config
+ hosts: "{{ ipa_test_host | default('ipaserver') }}"
+ become: no
+ gather_facts: no
+
+ tasks:
+
+ # GET CURRENT CONFIG
+
+ - name: Return current values of the global configuration options
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ register: previous
+
+ # TESTS
+ - block:
+ - name: Ensure SID is enabled.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ register: result
+ failed_when: result.failed or previous.config.enable_sid == result.changed
+
+ - name: Ensure SID is enabled, again.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Ensure netbios_name is "IPATESTPLAY"
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ netbios_name: IPATESTPLAY
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: Ensure netbios_name is "IPATESTPLAY", again
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ netbios_name: IPATESTPLAY
+ register: result
+ failed_when: result.failed or result.changed
+
+ # add_sids is not idempotent as it always tries to generate the missing
+ # SIDs for users and groups.
+ - name: Add SIDs to users and groups.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ add_sids: yes
+
+ # REVERT TO PREVIOUS CONFIG
+ always:
+ # Once SID is enabled, it cannot be reverted.
+ - name: Revert netbios_name to original configuration
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
+ enable_sid: yes