- Apply 0001-Fix-typo-in-ipapwpolicy.py.patch and 0002-pwpolicy-test-Fix-maxsequence-test.patch patches

2023-08-09 12:02:27 +03:00
8 changed files with 1059 additions and 102 deletions
--- a/.ansible-freeipa.metadata
+++ b/.ansible-freeipa.metadata
@ -0,0 +1 @@
+03f590ebf93439a08c56f8b98e61f38619309556 SOURCES/ansible-freeipa-1.9.2.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/ansible-freeipa-1.12.1.tar.gz
+SOURCES/ansible-freeipa-1.9.2.tar.gz
--- a/SOURCES/0001-Fix-typo-in-ipapwpolicy.py.patch
+++ b/SOURCES/0001-Fix-typo-in-ipapwpolicy.py.patch
@ -0,0 +1,30 @@
+From 1a7b279d78374598d0330718c81c93048d54dd7c Mon Sep 17 00:00:00 2001
+From: Jacob Cutright <cutrightjm@stl.sh>
+Date: Wed, 26 Apr 2023 17:32:50 -0400
+Subject: [PATCH] Fix typo in ipapwpolicy.py
+
+The 'maxsequence' attribute was never applied as there was a typo when
+it was set. By fixing the field name, 'maxsequence' is correclty set.
+
+The failure was not seen before due to missing tests. The tests will be
+added in a separate PR.
+---
+ plugins/modules/ipapwpolicy.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/modules/ipapwpolicy.py b/plugins/modules/ipapwpolicy.py
+index 3a3eeed..557702f 100644
+--- a/plugins/modules/ipapwpolicy.py
+++ b/plugins/modules/ipapwpolicy.py
+@@ -197,7 +197,7 @@ def gen_args(module,
+     if maxrepeat is not None:
+         _args["ipapwdmaxrepeat"] = maxrepeat
+     if maxsequence is not None:
+-        _args["ipapwdmaxrsequence"] = maxsequence
+        _args["ipapwdmaxsequence"] = maxsequence
+     if dictcheck is not None:
+         if module.ipa_check_version("<", "4.9.10"):
+             # Allowed values: "TRUE", "FALSE", ""
+-- 
+2.39.2
+
--- a/SOURCES/0002-pwpolicy-test-Fix-maxsequence-test.patch
+++ b/SOURCES/0002-pwpolicy-test-Fix-maxsequence-test.patch
@ -0,0 +1,48 @@
+From d04a12e522e4ef9d23673916afb9e57ed032c56e Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Thu, 27 Apr 2023 09:15:09 +0200
+Subject: [PATCH] pwpolicy test: Fix maxsequence test
+
+The maxsequence test was testing maxrepeat. Therefore the typo reported
+with https://github.com/freeipa/ansible-freeipa/pull/1081 was never
+seen.
+
+The test has been fixed.
+---
+ tests/pwpolicy/test_pwpolicy.yml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml
+index 871406f..83f1763 100644
+--- a/tests/pwpolicy/test_pwpolicy.yml
+++ b/tests/pwpolicy/test_pwpolicy.yml
+@@ -223,7 +223,7 @@
+       ipapwpolicy:
+         ipaadmin_password: SomeADMINpassword
+         ipaapi_context: "{{ ipa_context | default(omit) }}"
+-        maxrepeat: 4
+        maxsequence: 4
+       register: result
+       failed_when: not result.changed or result.failed
+ 
+@@ -231,7 +231,7 @@
+       ipapwpolicy:
+         ipaadmin_password: SomeADMINpassword
+         ipaapi_context: "{{ ipa_context | default(omit) }}"
+-        maxrepeat: 4
+        maxsequence: 4
+       register: result
+       failed_when: result.changed or result.failed
+ 
+@@ -239,7 +239,7 @@
+       ipapwpolicy:
+         ipaadmin_password: SomeADMINpassword
+         ipaapi_context: "{{ ipa_context | default(omit) }}"
+-        maxrepeat: 0
+        maxsequence: 0
+       register: result
+       failed_when: not result.changed or result.failed
+ 
+-- 
+2.39.2
+
--- a/SOURCES/ansible-freeipa-1.9.2-ipaclient-Defer-creating-the-final-krb5.conf-on-clients_RHBZ#2189238.patch
+++ b/SOURCES/ansible-freeipa-1.9.2-ipaclient-Defer-creating-the-final-krb5.conf-on-clients_RHBZ#2189238.patch
@ -0,0 +1,727 @@
+From 6b5acd9b0c8de965d9b815f8033a2bace9dd737d Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Wed, 22 Feb 2023 13:35:18 +0100
+Subject: [PATCH] ipaclient: Defer creating the final krb5.conf on clients
+
+A temporary krb5 configuration was used to join the domain in
+ipaclient_join. After that the final krkb5 configuration was created
+with enabled DNS discovery and used for the remainaing tasks, where also
+a connection to the IPA API was done.
+
+With several servers the DNS discovery could have picked up a different
+server. If the client deployment was faster than the replication this
+could have lead to an unknown host error.
+
+The issue was seen in performance testing where many simultaneous client
+enrollments have been done..
+
+The goal is to keep server affinity as long as possible within the
+deployment process:
+
+The temporary krb5.conf that was used before in ipaclient_join was
+pulled out into an own module. The generated temporary krb5.conf is now
+used in ipaclient_join and also ipaclient_api.
+
+The generation of the final krb5.conf is moved to the end of the
+deployment process.
+
+Same as: https://pagure.io/freeipa/issue/9228
+
+The setup of certmonger has been pulled out of ipaclient_setup_nss and moved
+to the end of the process after generating the final krb5.conf as it will
+use t will only use /etc/krb5.conf.
+
+Certificate issuance may fail during deployment due to using the final
+krb5.conf, but certmonger will re-try the request in this case.
+
+Same as: https://pagure.io/freeipa/issue/9246
+---
+ roles/ipaclient/library/ipaclient_api.py      |   8 +
+ roles/ipaclient/library/ipaclient_join.py     |  55 ++----
+ .../library/ipaclient_setup_certmonger.py     | 123 +++++++++++++
+ .../ipaclient/library/ipaclient_setup_nss.py  |   4 +-
+ .../ipaclient/library/ipaclient_temp_krb5.py  | 163 ++++++++++++++++++
+ .../library/ipaclient_test_keytab.py          |   6 +
+ roles/ipaclient/tasks/install.yml             |  69 ++++++--
+ 7 files changed, 365 insertions(+), 63 deletions(-)
+ create mode 100644 roles/ipaclient/library/ipaclient_setup_certmonger.py
+ create mode 100644 roles/ipaclient/library/ipaclient_temp_krb5.py
+
+diff --git a/roles/ipaclient/library/ipaclient_api.py b/roles/ipaclient/library/ipaclient_api.py
+index 7d4b829..9193f60 100644
+--- a/roles/ipaclient/library/ipaclient_api.py
+++ b/roles/ipaclient/library/ipaclient_api.py
+@@ -55,6 +55,10 @@ options:
+     type: bool
+     required: no
+     default: no
+  krb_name:
+    description: The krb5 config file name
+    type: str
+    required: yes
+ author:
+     - Thomas Woerner (@t-woerner)
+ '''
+@@ -65,6 +69,7 @@ EXAMPLES = '''
+     servers: ["server1.example.com","server2.example.com"]
+     domain: example.com
+     hostname: client1.example.com
+    krb_name: /tmp/tmpkrb5.conf
+   register: result_ipaclient_api
+ '''
+ 
+@@ -99,6 +104,7 @@ def main():
+             realm=dict(required=True, type='str'),
+             hostname=dict(required=True, type='str'),
+             debug=dict(required=False, type='bool', default="false"),
+            krb_name=dict(required=True, type='str'),
+         ),
+         supports_check_mode=False,
+     )
+@@ -110,9 +116,11 @@ def main():
+     realm = module.params.get('realm')
+     hostname = module.params.get('hostname')
+     debug = module.params.get('debug')
+    krb_name = module.params.get('krb_name')
+ 
+     host_principal = 'host/%s@%s' % (hostname, realm)
+     os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE
+    os.environ['KRB5_CONFIG'] = krb_name
+ 
+     ca_certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT)
+     if 40500 <= NUM_VERSION < 40590:
+diff --git a/roles/ipaclient/library/ipaclient_join.py b/roles/ipaclient/library/ipaclient_join.py
+index 5d41a54..68379ea 100644
+--- a/roles/ipaclient/library/ipaclient_join.py
+++ b/roles/ipaclient/library/ipaclient_join.py
+@@ -46,10 +46,6 @@ options:
+     type: list
+     elements: str
+     required: yes
+-  domain:
+-    description: Primary DNS domain of the IPA deployment
+-    type: str
+-    required: yes
+   realm:
+     description: Kerberos realm name of the IPA deployment
+     type: str
+@@ -58,10 +54,6 @@ options:
+     description: Fully qualified name of this host
+     type: str
+     required: yes
+-  kdc:
+-    description: The name or address of the host running the KDC
+-    type: str
+-    required: yes
+   basedn:
+     description: The basedn of the IPA server (of the form dc=example,dc=com)
+     type: str
+@@ -102,6 +94,10 @@ options:
+     description: Turn on extra debugging
+     type: bool
+     required: no
+  krb_name:
+    description: The krb5 config file name
+    type: str
+    required: yes
+ author:
+     - Thomas Woerner (@t-woerner)
+ '''
+@@ -111,27 +107,25 @@ EXAMPLES = '''
+ - name: Join IPA in force mode with maximum 5 kinit attempts
+   ipaclient_join:
+     servers: ["server1.example.com","server2.example.com"]
+-    domain: example.com
+     realm: EXAMPLE.COM
+-    kdc: server1.example.com
+     basedn: dc=example,dc=com
+     hostname: client1.example.com
+     principal: admin
+     password: MySecretPassword
+     force_join: yes
+     kinit_attempts: 5
+    krb_name: /tmp/tmpkrb5.conf
+ 
+ # Join IPA to get the keytab using ipadiscovery return values
+ - name: Join IPA
+   ipaclient_join:
+     servers: "{{ ipadiscovery.servers }}"
+-    domain: "{{ ipadiscovery.domain }}"
+     realm: "{{ ipadiscovery.realm }}"
+-    kdc: "{{ ipadiscovery.kdc }}"
+     basedn: "{{ ipadiscovery.basedn }}"
+     hostname: "{{ ipadiscovery.hostname }}"
+     principal: admin
+     password: MySecretPassword
+    krb_name: /tmp/tmpkrb5.conf
+ '''
+ 
+ RETURN = '''
+@@ -147,9 +141,9 @@ import tempfile
+ from ansible.module_utils.basic import AnsibleModule
+ from ansible.module_utils.ansible_ipa_client import (
+     setup_logging, check_imports,
+-    SECURE_PATH, sysrestore, paths, options, configure_krb5_conf,
+-    realm_to_suffix, kinit_keytab, GSSError, kinit_password, NUM_VERSION,
+-    get_ca_cert, get_ca_certs, errors, run
+    SECURE_PATH, sysrestore, paths, options, realm_to_suffix, kinit_keytab,
+    GSSError, kinit_password, NUM_VERSION, get_ca_cert, get_ca_certs, errors,
+    run
+ )
+ 
+ 
+@@ -157,10 +151,8 @@ def main():
+     module = AnsibleModule(
+         argument_spec=dict(
+             servers=dict(required=True, type='list', elements='str'),
+-            domain=dict(required=True, type='str'),
+             realm=dict(required=True, type='str'),
+             hostname=dict(required=True, type='str'),
+-            kdc=dict(required=True, type='str'),
+             basedn=dict(required=True, type='str'),
+             principal=dict(required=False, type='str'),
+             password=dict(required=False, type='str', no_log=True),
+@@ -170,6 +162,7 @@ def main():
+             force_join=dict(required=False, type='bool'),
+             kinit_attempts=dict(required=False, type='int', default=5),
+             debug=dict(required=False, type='bool'),
+            krb_name=dict(required=True, type='str'),
+         ),
+         supports_check_mode=False,
+     )
+@@ -179,11 +172,9 @@ def main():
+     setup_logging()
+ 
+     servers = module.params.get('servers')
+-    domain = module.params.get('domain')
+     realm = module.params.get('realm')
+     hostname = module.params.get('hostname')
+     basedn = module.params.get('basedn')
+-    kdc = module.params.get('kdc')
+     force_join = module.params.get('force_join')
+     principal = module.params.get('principal')
+     password = module.params.get('password')
+@@ -192,6 +183,7 @@ def main():
+     ca_cert_file = module.params.get('ca_cert_file')
+     kinit_attempts = module.params.get('kinit_attempts')
+     debug = module.params.get('debug')
+    krb_name = module.params.get('krb_name')
+ 
+     if password is not None and keytab is not None:
+         module.fail_json(msg="Password and keytab cannot be used together")
+@@ -199,12 +191,10 @@ def main():
+     if password is None and admin_keytab is None:
+         module.fail_json(msg="Password or admin_keytab is needed")
+ 
+-    client_domain = hostname[hostname.find(".") + 1:]
+     nolog = tuple()
+     env = {'PATH': SECURE_PATH}
+     fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+     host_principal = 'host/%s@%s' % (hostname, realm)
+-    sssd = True
+ 
+     options.ca_cert_file = ca_cert_file
+     options.principal = principal
+@@ -215,19 +205,6 @@ def main():
+     changed = False
+     already_joined = False
+     try:
+-        (krb_fd, krb_name) = tempfile.mkstemp()
+-        os.close(krb_fd)
+-        configure_krb5_conf(
+-            cli_realm=realm,
+-            cli_domain=domain,
+-            cli_server=servers,
+-            cli_kdc=kdc,
+-            dnsok=False,
+-            filename=krb_name,
+-            client_domain=client_domain,
+-            client_hostname=hostname,
+-            configure_sssd=sssd,
+-            force=False)
+         env['KRB5_CONFIG'] = krb_name
+         ccache_dir = tempfile.mkdtemp(prefix='krbcc')
+         ccache_name = os.path.join(ccache_dir, 'ccache')
+@@ -336,27 +313,17 @@ def main():
+                          paths.IPA_DNS_CCACHE,
+                          config=krb_name,
+                          attempts=kinit_attempts)
+-            env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE
+         except GSSError as e:
+             # failure to get ticket makes it impossible to login and
+             # bind from sssd to LDAP, abort installation
+             module.fail_json(msg="Failed to obtain host TGT: %s" % e)
+ 
+     finally:
+-        try:
+-            os.remove(krb_name)
+-        except OSError:
+-            module.fail_json(msg="Could not remove %s" % krb_name)
+         if ccache_dir is not None:
+             try:
+                 os.rmdir(ccache_dir)
+             except OSError:
+                 pass
+-        if os.path.exists(krb_name + ".ipabkp"):
+-            try:
+-                os.remove(krb_name + ".ipabkp")
+-            except OSError:
+-                module.fail_json(msg="Could not remove %s.ipabkp" % krb_name)
+ 
+     module.exit_json(changed=changed,
+                      already_joined=already_joined)
+diff --git a/roles/ipaclient/library/ipaclient_setup_certmonger.py b/roles/ipaclient/library/ipaclient_setup_certmonger.py
+new file mode 100644
+index 0000000..5c81b40
+--- /dev/null
+++ b/roles/ipaclient/library/ipaclient_setup_certmonger.py
+@@ -0,0 +1,123 @@
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Thomas Woerner <twoerner@redhat.com>
+#
+# Based on ipa-client-install code
+#
+# Copyright (C) 2017-2022  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.0',
+    'supported_by': 'community',
+    'status': ['preview'],
+}
+
+DOCUMENTATION = '''
+---
+module: ipaclient_setup_certmonger
+short_description: Setup certmonger for IPA client
+description: Setup certmonger for IPA client
+options:
+  realm:
+    description: Kerberos realm name of the IPA deployment
+    type: str
+    required: yes
+  hostname:
+    description: Fully qualified name of this host
+    type: str
+    required: yes
+  subject_base:
+    description: |
+      The certificate subject base (default O=<realm-name>).
+      RDNs are in LDAP order (most specific RDN first).
+    type: str
+    required: yes
+  ca_enabled:
+    description: Whether the Certificate Authority is enabled or not
+    type: bool
+    required: yes
+  request_cert:
+    description: Request certificate for the machine
+    type: bool
+    required: yes
+author:
+    - Thomas Woerner (@t-woerner)
+'''
+
+EXAMPLES = '''
+- name: Setup certmonger for IPA client
+  ipaclient_setup_certmonger:
+    realm: EXAMPLE.COM
+    hostname: client1.example.com
+    subject_base: O=EXAMPLE.COM
+    ca_enabled: true
+    request_cert: false
+'''
+
+RETURN = '''
+'''
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ansible_ipa_client import (
+    setup_logging, check_imports,
+    options, sysrestore, paths, ScriptError, configure_certmonger
+)
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec=dict(
+            realm=dict(required=True, type='str'),
+            hostname=dict(required=True, type='str'),
+            subject_base=dict(required=True, type='str'),
+            ca_enabled=dict(required=True, type='bool'),
+            request_cert=dict(required=True, type='bool'),
+        ),
+        supports_check_mode=False,
+    )
+
+    module._ansible_debug = True
+    check_imports(module)
+    setup_logging()
+
+    cli_realm = module.params.get('realm')
+    hostname = module.params.get('hostname')
+    subject_base = module.params.get('subject_base')
+    ca_enabled = module.params.get('ca_enabled')
+
+    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+
+    options.request_cert = module.params.get('request_cert')
+    options.hostname = hostname
+
+    try:
+        configure_certmonger(fstore, subject_base, cli_realm, hostname,
+                             options, ca_enabled)
+
+    except ScriptError as e:
+        module.fail_json(msg=str(e))
+
+    module.exit_json(changed=True)
+
+
+if __name__ == '__main__':
+    main()
+diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py
+index 3dc0dcc..240bc76 100644
+--- a/roles/ipaclient/library/ipaclient_setup_nss.py
+++ b/roles/ipaclient/library/ipaclient_setup_nss.py
+@@ -177,7 +177,7 @@ from ansible.module_utils.ansible_ipa_client import (
+     options, sysrestore, paths, ansible_module_get_parsed_ip_addresses,
+     api, errors, create_ipa_nssdb, ipautil, ScriptError, CLIENT_INSTALL_ERROR,
+     get_certs_from_ldap, DN, certstore, x509, logger, certdb,
+-    CalledProcessError, tasks, client_dns, configure_certmonger, services,
+    CalledProcessError, tasks, client_dns, services,
+     update_ssh_keys, save_state, configure_ldap_conf, configure_nslcd_conf,
+     configure_openldap_conf, hardcode_ldap_server, getargspec, NUM_VERSION,
+     serialization
+@@ -350,8 +350,6 @@ def main():
+ 
+         if not options.on_master:
+             client_dns(cli_server[0], hostname, options)
+-            configure_certmonger(fstore, subject_base, cli_realm, hostname,
+-                                 options, ca_enabled)
+ 
+         if hasattr(paths, "SSH_CONFIG_DIR"):
+             ssh_config_dir = paths.SSH_CONFIG_DIR
+diff --git a/roles/ipaclient/library/ipaclient_temp_krb5.py b/roles/ipaclient/library/ipaclient_temp_krb5.py
+new file mode 100644
+index 0000000..cbe652c
+--- /dev/null
+++ b/roles/ipaclient/library/ipaclient_temp_krb5.py
+@@ -0,0 +1,163 @@
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Thomas Woerner <twoerner@redhat.com>
+#
+# Based on ipa-client-install code
+#
+# Copyright (C) 2017-2022  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.0',
+    'supported_by': 'community',
+    'status': ['preview'],
+}
+
+DOCUMENTATION = '''
+---
+module: ipaclient_temp_krb5
+short_description:
+  Create temporary krb5 configuration.
+description:
+  Create temporary krb5 configuration for deferring the creation of the final
+  krb5.conf on clients
+options:
+  servers:
+    description: Fully qualified name of IPA servers to enroll to
+    type: list
+    elements: str
+    required: yes
+  domain:
+    description: Primary DNS domain of the IPA deployment
+    type: str
+    required: yes
+  realm:
+    description: Kerberos realm name of the IPA deployment
+    type: str
+    required: yes
+  hostname:
+    description: Fully qualified name of this host
+    type: str
+    required: yes
+  kdc:
+    description: The name or address of the host running the KDC
+    type: str
+    required: yes
+  on_master:
+    description: Whether the configuration is done on the master or not
+    type: bool
+    required: no
+    default: no
+author:
+    - Thomas Woerner (@t-woerner)
+'''
+
+EXAMPLES = '''
+# Test IPA with local keytab
+- name: Test IPA in force mode with maximum 5 kinit attempts
+  ipaclient_test_keytab:
+    servers: ["server1.example.com","server2.example.com"]
+    domain: example.com
+    realm: EXAMPLE.COM
+    kdc: server1.example.com
+    hostname: client1.example.com
+
+# Test IPA with ipadiscovery return values
+- name: Join IPA
+  ipaclient_test_keytab:
+    servers: "{{ ipadiscovery.servers }}"
+    domain: "{{ ipadiscovery.domain }}"
+    realm: "{{ ipadiscovery.realm }}"
+    kdc: "{{ ipadiscovery.kdc }}"
+    hostname: "{{ ipadiscovery.hostname }}"
+'''
+
+RETURN = '''
+krb_name:
+  description: The krb5 config file name
+  returned: always
+  type: str
+'''
+
+import os
+import tempfile
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ansible_ipa_client import (
+    setup_logging, check_imports, configure_krb5_conf
+)
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec=dict(
+            servers=dict(required=True, type='list', elements='str'),
+            domain=dict(required=True, type='str'),
+            realm=dict(required=True, type='str'),
+            hostname=dict(required=True, type='str'),
+            kdc=dict(required=True, type='str'),
+            on_master=dict(required=False, type='bool', default=False),
+        ),
+        supports_check_mode=False,
+    )
+
+    module._ansible_debug = True
+    check_imports(module)
+    setup_logging()
+
+    servers = module.params.get('servers')
+    domain = module.params.get('domain')
+    realm = module.params.get('realm')
+    hostname = module.params.get('hostname')
+    kdc = module.params.get('kdc')
+    client_domain = hostname[hostname.find(".") + 1:]
+
+    krb_name = None
+    # Create temporary krb5 configuration
+    try:
+        (krb_fd, krb_name) = tempfile.mkstemp()
+        os.close(krb_fd)
+        configure_krb5_conf(
+            cli_realm=realm,
+            cli_domain=domain,
+            cli_server=servers,
+            cli_kdc=kdc,
+            dnsok=False,
+            filename=krb_name,
+            client_domain=client_domain,
+            client_hostname=hostname,
+            configure_sssd=True,
+            force=False)
+    except Exception as ex:
+        if krb_name:
+            try:
+                os.remove(krb_name)
+            except OSError:
+                module.fail_json(msg="Could not remove %s" % krb_name)
+        module.fail_json(
+            msg="Failed to create temporary krb5 configuration: %s" % str(ex))
+
+    module.exit_json(changed=False,
+                     krb_name=krb_name)
+
+
+if __name__ == '__main__':
+    main()
+diff --git a/roles/ipaclient/library/ipaclient_test_keytab.py b/roles/ipaclient/library/ipaclient_test_keytab.py
+index 3f1c69d..3bebeea 100644
+--- a/roles/ipaclient/library/ipaclient_test_keytab.py
+++ b/roles/ipaclient/library/ipaclient_test_keytab.py
+@@ -244,6 +244,12 @@ def main():
+                 os.remove(krb_name)
+             except OSError:
+                 module.fail_json(msg="Could not remove %s" % krb_name)
+            if os.path.exists(krb_name + ".ipabkp"):
+                try:
+                    os.remove(krb_name + ".ipabkp")
+                except OSError:
+                    module.fail_json(
+                        msg="Could not remove %s.ipabkp" % krb_name)
+ 
+     module.exit_json(changed=False,
+                      krb5_keytab_ok=krb5_keytab_ok,
+diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
+index fa33f89..1b889d0 100644
+--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
+@@ -239,12 +239,19 @@
+       hostname: "{{ result_ipaclient_test.hostname }}"
+     when: not ipaclient_on_master | bool
+ 
+-  - name: Install - Join IPA
+-    ipaclient_join:
+  - name: Install - Create temporary krb5 configuration
+    ipaclient_temp_krb5:
+       servers: "{{ result_ipaclient_test.servers }}"
+       domain: "{{ result_ipaclient_test.domain }}"
+       realm: "{{ result_ipaclient_test.realm }}"
+      hostname: "{{ result_ipaclient_test.hostname }}"
+       kdc: "{{ result_ipaclient_test.kdc }}"
+    register: result_ipaclient_temp_krb5
+
+  - name: Install - Join IPA
+    ipaclient_join:
+      servers: "{{ result_ipaclient_test.servers }}"
+      realm: "{{ result_ipaclient_test.realm }}"
+       basedn: "{{ result_ipaclient_test.basedn }}"
+       hostname: "{{ result_ipaclient_test.hostname }}"
+       force_join: "{{ ipaclient_force_join | default(omit) }}"
+@@ -255,6 +262,7 @@
+       admin_keytab: "{{ ipaadmin_keytab if ipaadmin_keytab is defined and not ipaclient_use_otp | bool else omit }}"
+       # ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
+       kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
+      krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}"
+     register: result_ipaclient_join
+     when: not ipaclient_on_master | bool and
+           (not result_ipaclient_test_keytab.krb5_keytab_ok or
+@@ -323,26 +331,13 @@
+           "{{ ipassd_no_krb5_offline_passwords
+               | default(ipasssd_no_krb5_offline_passwords) }}"
+ 
+-    - name: Install - Configure krb5 for IPA realm
+-      ipaclient_setup_krb5:
+-        realm: "{{ result_ipaclient_test.realm }}"
+-        domain: "{{ result_ipaclient_test.domain }}"
+-        servers: "{{ result_ipaclient_test.servers }}"
+-        kdc: "{{ result_ipaclient_test.kdc }}"
+-        dnsok: "{{ result_ipaclient_test.dnsok }}"
+-        client_domain: "{{ result_ipaclient_test.client_domain }}"
+-        hostname: "{{ result_ipaclient_test.hostname }}"
+-        sssd: "{{ result_ipaclient_test.sssd }}"
+-        force: "{{ ipaclient_force }}"
+-        # on_master: "{{ ipaclient_on_master }}"
+-      when: not ipaclient_on_master | bool
+-
+     - name: Install - IPA API calls for remaining enrollment parts
+       ipaclient_api:
+         servers: "{{ result_ipaclient_test.servers }}"
+         realm: "{{ result_ipaclient_test.realm }}"
+         hostname: "{{ result_ipaclient_test.hostname }}"
+         # debug: yes
+        krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}"
+       register: result_ipaclient_api
+ 
+     - name: Install - Fix IPA ca
+@@ -412,6 +407,36 @@
+         domain: "{{ result_ipaclient_test.domain }}"
+         nisdomain: "{{ ipaclient_nisdomain | default(omit) }}"
+       when: not ipaclient_no_nisdomain | bool
+
+    - name: Remove temporary krb5.conf
+      ansible.builtin.file:
+        path: "{{ result_ipaclient_temp_krb5.krb_name }}"
+        state: absent
+      when: result_ipaclient_temp_krb5.krb_name is defined
+
+    - name: Install - Configure krb5 for IPA realm
+      ipaclient_setup_krb5:
+        realm: "{{ result_ipaclient_test.realm }}"
+        domain: "{{ result_ipaclient_test.domain }}"
+        servers: "{{ result_ipaclient_test.servers }}"
+        kdc: "{{ result_ipaclient_test.kdc }}"
+        dnsok: "{{ result_ipaclient_test.dnsok }}"
+        client_domain: "{{ result_ipaclient_test.client_domain }}"
+        hostname: "{{ result_ipaclient_test.hostname }}"
+        sssd: "{{ result_ipaclient_test.sssd }}"
+        force: "{{ ipaclient_force }}"
+        # on_master: "{{ ipaclient_on_master }}"
+      when: not ipaclient_on_master | bool
+
+    - name: Install - Configure certmonger
+      ipaclient_setup_certmonger:
+        realm: "{{ result_ipaclient_test.realm }}"
+        hostname: "{{ result_ipaclient_test.hostname }}"
+        subject_base: "{{ result_ipaclient_api.subject_base }}"
+        ca_enabled: "{{ result_ipaclient_api.ca_enabled }}"
+        request_cert: "{{ ipaclient_request_cert }}"
+      when: not ipaclient_on_master | bool
+
+   always:
+   - name: Install - Restore original admin password if overwritten by OTP
+     no_log: yes
+@@ -423,3 +448,15 @@
+     ansible.builtin.file:
+       path: "/etc/ipa/.dns_ccache"
+       state: absent
+
+  - name: Remove temporary krb5.conf
+    ansible.builtin.file:
+      path: "{{ result_ipaclient_temp_krb5.krb_name }}"
+      state: absent
+    when: result_ipaclient_temp_krb5.krb_name is defined
+
+  - name: Remove temporary krb5.conf backup
+    ansible.builtin.file:
+      path: "{{ result_ipaclient_temp_krb5.krb_name }}.ipabkp"
+      state: absent
+    when: result_ipaclient_temp_krb5.krb_name is defined
+-- 
+2.39.2
+
--- a/SOURCES/ansible-freeipa-1.9.2-ipaclient-Defer-krb5-configuration-fix_RHBZ#2189238.patch
+++ b/SOURCES/ansible-freeipa-1.9.2-ipaclient-Defer-krb5-configuration-fix_RHBZ#2189238.patch
@ -0,0 +1,152 @@
+From 0ec89eb53cf8771b34528ec210b2614370d9b662 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Thu, 23 Mar 2023 18:13:08 +0100
+Subject: [PATCH] ipaclient: ipaclient_setup_nss also needs krb_name parameter
+
+With the fix to defer creating the final krb5.conf on clients a bug has
+been introduced with ipaclient_setup_nss: The krb_name parameter that
+points to the temporary krb5 configuration was not added to the module.
+
+With a properly configured DNS (like for example IPA DNS) the krb TXT
+records have been present in the DNS configuration. These have been used
+automatically as a fallback and broke server affinity for the client.
+Without the TXT records creating the IPA NSS database failed with
+ "Cannot find KDC for realm ..".
+
+The krb_name parameter has been added to ipaclient_setup_nss and is also
+properly set in tasks/install.yml.
+---
+ roles/ipaclient/library/ipaclient_setup_nss.py | 8 ++++++++
+ roles/ipaclient/tasks/install.yml              | 1 +
+ 2 files changed, 9 insertions(+)
+
+diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py
+index 74ca9d4..0e8c658 100644
+--- a/roles/ipaclient/library/ipaclient_setup_nss.py
+++ b/roles/ipaclient/library/ipaclient_setup_nss.py
+@@ -152,6 +152,10 @@ options:
+       The dist of nss_ldap or nss-pam-ldapd files if sssd is disabled
+     required: yes
+     type: dict
+  krb_name:
+    description: The krb5 config file name
+    type: str
+    required: yes
+ author:
+     - Thomas Woerner (@t-woerner)
+ '''
+@@ -167,6 +171,7 @@ EXAMPLES = '''
+     subject_base: O=EXAMPLE.COM
+     principal: admin
+     ca_enabled: yes
+    krb_name: /tmp/tmpkrb5.conf
+ '''
+ 
+ RETURN = '''
+@@ -218,6 +223,7 @@ def main():
+             no_krb5_offline_passwords=dict(required=False, type='bool'),
+             no_dns_sshfp=dict(required=False, type='bool', default=False),
+             nosssd_files=dict(required=True, type='dict'),
+            krb_name=dict(required=True, type='str'),
+         ),
+         supports_check_mode=False,
+     )
+@@ -268,6 +274,8 @@ def main():
+     options.sssd = not options.no_sssd
+     options.no_ac = False
+     nosssd_files = module.params.get('nosssd_files')
+    krb_name = module.params.get('krb_name')
+    os.environ['KRB5_CONFIG'] = krb_name
+ 
+     # pylint: disable=invalid-name
+     CCACHE_FILE = paths.IPA_DNS_CCACHE
+diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
+index 662f09a..1dc6fdf 100644
+--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
+@@ -382,6 +382,7 @@
+               | default(ipasssd_no_krb5_offline_passwords) }}"
+         no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
+         nosssd_files: "{{ result_ipaclient_test.nosssd_files }}"
+        krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}"
+ 
+     - name: Install - Configure SSH and SSHD
+       ipaclient_setup_ssh:
+-- 
+2.39.2
+
+From 10d072a8c42e6aa91485661d02b31f79bcc89fc0 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Fri, 24 Mar 2023 12:40:32 +0100
+Subject: [PATCH] ipaclient: ipaclient_fix_ca also needs krb_name parameter
+
+With the fix to defer creating the final krb5.conf on clients a bug has
+been introduced with ipaclient_fix_ca: The krb_name parameter that
+points to the temporary krb5 configuration was not added to the module
+
+Without this the server affinity is broken for allow_repair and additionally
+ipaclient_fix_ca could fail if krb5 configuration needs to be repraied
+and also CA needs to be fixed.
+
+The krb_name parameter has been added to ipaclient_fix_ca and is also
+properly set in tasks/install.yml.
+---
+ roles/ipaclient/library/ipaclient_fix_ca.py | 8 ++++++++
+ roles/ipaclient/tasks/install.yml           | 1 +
+ 2 files changed, 9 insertions(+)
+
+diff --git a/roles/ipaclient/library/ipaclient_fix_ca.py b/roles/ipaclient/library/ipaclient_fix_ca.py
+index 238b316..ede8d56 100644
+--- a/roles/ipaclient/library/ipaclient_fix_ca.py
+++ b/roles/ipaclient/library/ipaclient_fix_ca.py
+@@ -54,6 +54,10 @@ options:
+       the host entry will not be changed on the server
+     type: bool
+     required: yes
+  krb_name:
+    description: The krb5 config file name
+    type: str
+    required: yes
+ author:
+     - Thomas Woerner (@t-woerner)
+ '''
+@@ -65,6 +69,7 @@ EXAMPLES = '''
+     realm: EXAMPLE.COM
+     basedn: dc=example,dc=com
+     allow_repair: yes
+    krb_name: /tmp/tmpkrb5.conf
+ '''
+ 
+ RETURN = '''
+@@ -87,6 +92,7 @@ def main():
+             realm=dict(required=True, type='str'),
+             basedn=dict(required=True, type='str'),
+             allow_repair=dict(required=True, type='bool'),
+            krb_name=dict(required=True, type='str'),
+         ),
+     )
+ 
+@@ -98,6 +104,8 @@ def main():
+     realm = module.params.get('realm')
+     basedn = module.params.get('basedn')
+     allow_repair = module.params.get('allow_repair')
+    krb_name = module.params.get('krb_name')
+    os.environ['KRB5_CONFIG'] = krb_name
+ 
+     env = {'PATH': SECURE_PATH}
+     fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
+index 1dc6fdf..7ff2c39 100644
+--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
+@@ -346,6 +346,7 @@
+         realm: "{{ result_ipaclient_test.realm }}"
+         basedn: "{{ result_ipaclient_test.basedn }}"
+         allow_repair: "{{ ipaclient_allow_repair }}"
+        krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}"
+       when: not ipaclient_on_master | bool and
+             result_ipaclient_test_keytab.krb5_keytab_ok and
+             not result_ipaclient_test_keytab.ca_crt_exists
+-- 
+2.39.2
+
--- a/SOURCES/ansible-freeipa-1.9.2-paclient-Fix-allow_repair-with-removed-krb5.conf-an_RHBZ#2189235.patch
+++ b/SOURCES/ansible-freeipa-1.9.2-paclient-Fix-allow_repair-with-removed-krb5.conf-an_RHBZ#2189235.patch
@ -0,0 +1,74 @@
+From bfeefaf454e3e705e509ed13b2e650ddfd487fa2 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Wed, 8 Feb 2023 13:38:12 +0100
+Subject: [PATCH] ipaclient: Fix allow_repair with removed krb5.conf and DNS
+ lookup
+
+The test in ipaclient_test_keytab is at first trying to use an existing
+krb5.conf to test if the host keytab can be used. With working DNS lookup
+an absent krb5.conf is not reported as an error as DNS lookup is
+silently used instead.
+
+A temporary krb5.conf is now used in this test that forces to deactivate
+DNS lookups and also to load /etc/krb5.conf. A missing krb5.conf is now
+detected properly as the kinit call fails now properly. Thanks to Julien
+Rische for this proposal.
+
+ipaclient_test_keytab is now properly returning the state of usable or
+not usable krb5.conf in krb5_conf_ok. This fixes the handling of this
+case later on in the role.
+---
+ .../library/ipaclient_test_keytab.py          | 27 +++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/roles/ipaclient/library/ipaclient_test_keytab.py b/roles/ipaclient/library/ipaclient_test_keytab.py
+index a86b237..3f1c69d 100644
+--- a/roles/ipaclient/library/ipaclient_test_keytab.py
+++ b/roles/ipaclient/library/ipaclient_test_keytab.py
+@@ -159,11 +159,29 @@ def main():
+     ca_crt_exists = os.path.exists(paths.IPA_CA_CRT)
+     env = {'PATH': SECURE_PATH, 'KRB5CCNAME': paths.IPA_DNS_CCACHE}
+ 
+-    # First try: Validate krb5 keytab with system krb5 configuraiton
+    # First try: Validate with temporary test krb5.conf that forces
+    # 1) no DNS lookups and
+    # 2) to load /etc/krb5.conf:
+    #
+    # [libdefaults]
+    # dns_lookup_realm = false
+    # dns_lookup_kdc = false
+    # include /etc/krb5.conf
+    #
+     try:
+        (krb_fd, krb_name) = tempfile.mkstemp()
+        os.close(krb_fd)
+        content = "\n".join([
+            "[libdefaults]",
+            "dns_lookup_realm = false",
+            "dns_lookup_kdc = false",
+            "include /etc/krb5.conf"
+        ])
+        with open(krb_name, "w") as outf:
+            outf.write(content)
+         kinit_keytab(host_principal, paths.KRB5_KEYTAB,
+                      paths.IPA_DNS_CCACHE,
+-                     config=paths.KRB5_CONF,
+                     config=krb_name,
+                      attempts=kinit_attempts)
+         krb5_keytab_ok = True
+         krb5_conf_ok = True
+@@ -177,6 +195,11 @@ def main():
+             pass
+     except GSSError:
+         pass
+    finally:
+        try:
+            os.remove(krb_name)
+        except OSError:
+            module.fail_json(msg="Could not remove %s" % krb_name)
+ 
+     # Second try: Validate krb5 keytab with temporary krb5
+     # configuration
+-- 
+2.39.2
+
--- a/SPECS/ansible-freeipa.spec
+++ b/SPECS/ansible-freeipa.spec
@ -7,11 +7,21 @@

 Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients
 Name: ansible-freeipa
-Version: 1.12.1
-Release: 1%{?dist}
+Version: 1.9.2
+Release: 3%{?dist}.alma
 URL: https://github.com/freeipa/ansible-freeipa
-License: GPL-3.0-or-later
+License: GPLv3+
 Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch1: ansible-freeipa-1.9.2-paclient-Fix-allow_repair-with-removed-krb5.conf-an_RHBZ#2189235.patch
+Patch2: ansible-freeipa-1.9.2-ipaclient-Defer-creating-the-final-krb5.conf-on-clients_RHBZ#2189238.patch
+Patch3: ansible-freeipa-1.9.2-ipaclient-Defer-krb5-configuration-fix_RHBZ#2189238.patch
+
+# Patches was generated from upstream commits:
+# https://github.com/freeipa/ansible-freeipa/commit/d04a12e522e4ef9d23673916afb9e57ed032c56e
+# https://github.com/freeipa/ansible-freeipa/commit/1a7b279d78374598d0330718c81c93048d54dd7c
+Patch1001: 0001-Fix-typo-in-ipapwpolicy.py.patch
+Patch1002: 0002-pwpolicy-test-Fix-maxsequence-test.patch
+
 BuildArch: noarch

 %description
@ -35,7 +45,6 @@ Features
 - Modules for automount key management
 - Modules for automount location management
 - Modules for automount map management
- Modules for certificate management
 - Modules for config management
 - Modules for delegation management
 - Modules for dns config management
@ -48,11 +57,7 @@ Features
 - Modules for hbacsvcgroup management
 - Modules for host management
 - Modules for hostgroup management
- Modules for idoverridegroup management
- Modules for idoverrideuser management
- Modules for idp management
 - Modules for idrange management
- Modules for idview management
 - Modules for location management
 - Modules for netgroup management
 - Modules for permission management
@ -90,7 +95,7 @@ Supported Distributions
 Requirements

  Controller
-  - Ansible version: 2.13+
+  - Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)

  Node
  - Supported FreeIPA version (see above)
@ -118,6 +123,12 @@ to get the needed requrements to run the tests.
 %prep
 %setup -q
 # Do not create backup files with patches
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
+%patch1001 -p1
+%patch1002 -p1

 # Fix python modules and module utils:
 # - Remove shebang
@ -125,14 +136,12 @@ to get the needed requrements to run the tests.
 for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py;
 do
    sed -i '1{/\/usr\/bin\/python*/d;}' $i
-    sed -i '1{/\/usr\/bin\/env python*/d;}' $i
    chmod a-x $i
 done

 for i in utils/*.py utils/new_module utils/changelog utils/ansible-doc-test;
 do
    sed -i '{s@/usr/bin/python*@%{python}@}' $i
-    sed -i '{s@/usr/bin/env python*@%{python}@}' $i
 done


@ -183,98 +192,14 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/
 %{_datadir}/ansible-freeipa/requirements-tests.txt

 %changelog
-* Mon Feb 12 2024 Thomas Woerner <twoerner@redhat.com> - 1.12.1-1
- Update to version 1.12.1
-  https://github.com/freeipa/ansible-freeipa/releases/tag/v1.12.1
-  Resolves: RHEL-13746
- ipauser module lacks the "rename" field.
-  Resolves: RHEL-4963
- Add missing support for rename in ipagroup module
-  Resolves: RHEL-13759
- The IDP module does not support the modification of IDP options
-  Resolves: RHEL-17955
- The IDP module does not support resetting IDP options
-  Resolves: RHEL-17958
- ipauser is not idempotent when random is defined
-  Resolves: RHEL-4934
- ipasudorule: Allow setting groups for runasuser
-  Resolves: RHEL-19129
- Idempotency fixes
-  Resolves: RHEL-13755
- ipadnszone: Add support for per-zone privilege delegation
-  Resolves: RHEL-19133
- Handle data type or empty string in module_utils
-  Resolves: RHEL-19135
- ipa-server installation failing
-  Resolves: RHEL-23633
+* Wed Aug 09 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1.9.2-3.alma
+- Apply 0001-Fix-typo-in-ipapwpolicy.py.patch and 0002-pwpolicy-test-Fix-maxsequence-test.patch patches

-* Tue Nov 28 2023 Thomas Woerner <twoerner@redhat.com> - 1.12.0-2
- Fix test_pwpolicy for https://pagure.io/freeipa/issue/9297
-  Related: RHEL-13746
-
-* Mon Nov 27 2023 Thomas Woerner <twoerner@redhat.com> - 1.12.0-1
- Update to version 1.12.0
-  https://github.com/freeipa/ansible-freeipa/releases/tag/v1.12.0
-  Resolves: RHEL-13746
- New idoverridegroup management module.
-  Resolves: RHEL-16935
- New idoverrideuser management module.
-  Resolves: RHEL-16941
- New idview management module.
-  Resolves: RHEL-16933
- New idp management module.
-  Resolves: RHEL-16938
- idoverride{user,group}: Fix delete_continue with state absent
-  Resolves: RHEL-16682
-
-* Mon Jul 24 2023 Thomas Woerner <twoerner@redhat.com> - 1.11.1-1
- Update to version 1.11.1
-  https://github.com/freeipa/ansible-freeipa/releases/tag/v1.11.1
-  Resolves: RHBZ#2170371
- ipaautomountmap: add support for indirect maps
-  Resolves: RHBZ#2050158
- ipauser: Add support to modify GECOS field
-  Resolves: RHBZ#2168022
- ipauser: Add support for parameter "street"
-  Resolves: RHBZ#2215532
- ipauser: Add support for SMB attributes
-  Resolves: RHBZ#2215534
- ipauser: Support for External IdP attributes
-  Resolves: RHBZ#2215539
- Fix handling of ipapwpolicy attributes usercheck and dictcheck
-  Resolves: RHBZ#2215543
- Update authtypes authind
-  Resolves: RHBZ#2215540
-
-* Mon Jun 12 2023 Thomas Woerner <twoerner@redhat.com> - 1.11.0-1
- Update to version 1.11.0
-  https://github.com/freeipa/ansible-freeipa/releases/tag/v1.11.0
-  Resolves: RHBZ#2170371
- Multiple service management
-  Resolves: RHBZ#2175769
- New ipacert module
-  Resolves: RHBZ#2127906
- Fix maxsequence handling in ipapwpolicy module
-  Resolves: RHBZ#2214295
-
-* Wed Apr  5 2023 Thomas Woerner <twoerner@redhat.com> - 1.10.0-1
- Update to version 1.10.0
-  https://github.com/freeipa/ansible-freeipa/releases/tag/v1.10.0
-  Resolves: RHBZ#2170371
- ipareplica/server: Enable removal from domain with undeployment
-  Resolves: RHBZ#2127901
- ipagroup: Allow multiple group management
-  Resolves: RHBZ#2175762
- ipaserver: Allow deployments with random serial numbers
-  Resolves: RHBZ#2127904
- ipagroup: Fix ensuring external group members (without trust-ad)
-  Resolves: RHBZ#2183820
- ipaclient: Add subid option to select the sssd profile with-subid
-  Resolves: RHBZ#2175766
+* Mon Apr 24 2023 Thomas Woerner <twoerner@redhat.com> - 1.9.2-2
 - ipaclient: Fix allow_repair with removed krb5.conf and DNS lookup
-  Resolves: RHBZ#1759785
- ipaclient: Keep server affinity while deploying as long as possible
-  Resolves: RHBZ#2175755
+  Resolves: RHBZ#2189235
+- ipaclient: Defer creating the final krb5.conf on clients
+  Resolves: RHBZ#2189238

 * Tue Jan 31 2023 Thomas Woerner <twoerner@redhat.com> - 1.9.2-1
 - Update to version 1.9.2
				`@ -0,0 +1 @@`
				`03f590ebf93439a08c56f8b98e61f38619309556 SOURCES/ansible-freeipa-1.9.2.tar.gz`