From 1bac06030c1576f9dc480289fd4fe7c2e6ee9cfa Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 25 Jun 2025 08:03:02 +0000
Subject: [PATCH] import OL ansible-freeipa-1.14.5-3.el9_6
---
 ...tributeError-by-defaulting-dns_over_.patch | 48 +++++++++++++++++++
 SPECS/ansible-freeipa.spec | 8 +++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/ansible-freeipa-1.14.5-5b3a472-ipaclient-Fix-AttributeError-by-defaulting-dns_over_.patch
diff --git a/SOURCES/ansible-freeipa-1.14.5-5b3a472-ipaclient-Fix-AttributeError-by-defaulting-dns_over_.patch b/SOURCES/ansible-freeipa-1.14.5-5b3a472-ipaclient-Fix-AttributeError-by-defaulting-dns_over_.patch
new file mode 100644
index 0000000..032065c
--- /dev/null
+++ b/SOURCES/ansible-freeipa-1.14.5-5b3a472-ipaclient-Fix-AttributeError-by-defaulting-dns_over_.patch
@@ -0,0 +1,48 @@
+From 5b3a4729f03b12589fd5ae5a088f7f545d613fd8 Mon Sep 17 00:00:00 2001
+From: Jose Angel Morena
+Date: Tue, 20 May 2025 14:39:32 +0200
+Subject: [PATCH] ipaclient: Fix AttributeError by defaulting dns_over_tls to
+ False
+
+This change addresses https://github.com/freeipa/ansible-freeipa/issues/1356#issuecomment-2891804763 by explicitly setting `options.dns_over_tls = False` to ensure the attribute is always defined when running ipaclient ansible role.
+
+On RHEL 9 systems (or any environment where `ipasssd_enable_dns_updates: true`), the `ipaclient` python module references `dns_over_tls` without first checking its existence, which results in the following `AttributeError: 'installer_obj' object has no attribute 'dns_over_tls'`:
+
+ TASK \[freeipa.ansible\_freeipa.ipaclient : Install - Configure SSSD] \*\*\*\*\*\*\*\*\*\*\*\*
+ An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError:
+ 'installer\_obj' object has no attribute 'dns\_over\_tls'
+ fatal: \[vm-test-rhel9]: FAILED! => {"changed": false, "module\_stderr": "Traceback (most recent call last):\n File "
+ ", line 107, in \n File "", line 99, in \_ansiballz\_main\n File "", line 47, in invoke\_module\n
+ File "/usr/lib64/python3.9/runpy.py", line 225, in run\_module\n return \_run\_module\_code(code, init\_globals,
+ run\_name, mod\_spec)\n File "/usr/lib64/python3.9/runpy.py", line 97, in \_run\_module\_code\n \_run\_code(code,
+ mod\_globals, init\_globals,\n File "/usr/lib64/python3.9/runpy.py", line 87, in \_run\_code\n exec(code, run\_globals)\n
+ File "/tmp/ansible\_freeipa.ansible\_freeipa.ipaclient\_setup\_sssd\_payload\_zkyct7sn/ansible\_freeipa.ansible\_freeipa.ipacli. ent\_setup\_sssd\_payload.zip/ansible\_collections/freeipa/ansible\_freeipa/plugins/modules/ipaclient\_setup\_sssd.py",
+ line 190, in \n File "/tmp/ansible\_freeipa.ansible\_freeipa.ipaclient\_setup\_sssd\_payload\_zkyct7sn/ansible\_freeipa.ansible\_freeipa.ipacli. ent\_setup\_sssd\_payload.zip/ansible\_collections/freeipa/ansible\_freeipa/plugins/modules/ipaclient\_setup\_sssd.py",
+ line 181, in main\n File "/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 1005, in configure\_sssd\_conf\n
+ if options.dns\_over\_tls:\nAttributeError: 'installer\_obj' object has no attribute 'dns\_over\_tls'\n", "module\_stdout": "",
+ "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
+
+To prevent this, the attribute `options.dns_over_tls` is now initialised to false in `roles/ipaclient/library/ipaclient_setup_sssd.py`.This fix is inspired by a similar pattern in [[PR #1340](https://github.com/freeipa/ansible-freeipa/pull/1340/files)](https://github.com/freeipa/ansible-freeipa/pull/1340/files).
+
+This failure has been observed in versions `1.14.6` and `1.14.5` of the [ansible_freeipa collection](https://galaxy.ansible.com/ui/repo/published/freeipa/ansible_freeipa/) from Ansible Galaxy.
+
+Signed-off-by: Jose Angel Morena
+---
+ roles/ipaclient/library/ipaclient_setup_sssd.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/roles/ipaclient/library/ipaclient_setup_sssd.py b/roles/ipaclient/library/ipaclient_setup_sssd.py
+index 06eef02..434ec73 100644
+--- a/roles/ipaclient/library/ipaclient_setup_sssd.py
++++ b/roles/ipaclient/library/ipaclient_setup_sssd.py
+@@ -174,6 +174,7 @@ def main():
+ options.no_krb5_offline_passwords = module.params.get(
+ 'no_krb5_offline_passwords')
+ options.krb5_offline_passwords = not options.no_krb5_offline_passwords
++ options.dns_over_tls = False
+
+ fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+ client_domain = hostname[hostname.find(".") + 1:]
+--
+2.49.0
+
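Review bot: The new `options.dns_over_tls = False` in the nested patch to `roles/ipaclient/library/ipaclient_setup_sssd.py` is a hard-coded constant with no comment, so this module can never enable DNS over TLS for the SSSD step, whatever the rest of the deployment uses. Judging from the quoted traceback, `configure_sssd_conf` in ipaclient's `client.py` branches on this flag, so on a client that is meant to use DoT that branch would presumably be skipped without any warning. I would at least record the limitation next to the assignment, e.g. `# configure_sssd_conf() in ipaclient's client.py reads options.dns_over_tls; fixed to False here, so this module never enables DNS over TLS`, and track wiring the value to a module parameter as a follow-up. `main()` starts and ends outside the hunk, so whether its argument spec already carries a suitable parameter cannot be confirmed from here.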
diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec
index 30f0760..f62a303 100644
--- a/SPECS/ansible-freeipa.spec
+++ b/SPECS/ansible-freeipa.spec
@@ -12,11 +12,12 @@ Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients
 Name: ansible-freeipa
 Version: 1.14.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL: https://github.com/freeipa/ansible-freeipa
 License: GPL-3.0-or-later
 Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0: ansible-freeipa-1.14.5-34dc758-Fix-CA-certificates-iteration.patch
+Patch1: ansible-freeipa-1.14.5-5b3a472-ipaclient-Fix-AttributeError-by-defaulting-dns_over_.patch
 BuildArch: noarch
 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
 Requires: ansible-core >= 1:2.14.0
@@ -138,6 +139,7 @@ The %{collection_namespace}.%{collection_name} collection, including tests.
 %setup -q
 # Do not create backup files with patches
 %patch0 -p1
+%patch1 -p1
 # Fix python modules and module utils:
 # - Remove shebang
 # - Remove execute flag
@@ -212,6 +214,10 @@ utils/build-galaxy-release.sh -o "%{version}" -p %{buildroot}%{ansible_collectio
 %{ansible_collections_dir}/%{collection_namespace}/%{collection_name}
 %changelog
+* Tue Jun 17 2025 Thomas Woerner - 1.14.5-3
+- ipaclient: Fix AttributeError by defaulting dns_over_tls to False
+ Resolves: RHEL-92891
+
 * Mon Apr 28 2025 Thomas Woerner - 1.14.5-2
 - Fix IPA requires unique CA certificate subject names
 Resolves: RHEL-88216