ipa/client: Make checking for groups more robust

The `ipa` command needs a valid Kerberos ticket for the IPA admin user
which might be present or not. This probably worked most of the time
because other tasks in the playbook acquired a ticket as a side effect.

Use `getent group ...` instead which doesn't query IPA directly. This
has the additional benefit that it verifies the groups in question are
POSIX groups, which is what we want for shell access and sudo.

Signed-off-by: Nils Philippsen <nils@redhat.com>
Nils Philippsen 2021-01-22 13:21:02 +01:00 committed by nphilipp
parent 4c650994dd
commit 17174c37b9
2 changed files with 3 additions and 3 deletions


@ -1,7 +1,7 @@
## Cluster-wide rules
- name: Check that sysadmin-main group exists
command: "ipa group-show --no-members sysadmin-main"
command: "getent group sysadmin-main"
changed_when: False
- name: "Give members of group sysadmin-main access to anything, anywhere"
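Review bot: `getent group sysadmin-main` exits non-zero both when the group does not exist and when the name service cannot resolve it (for example if SSSD is not yet configured in nsswitch or is offline with an empty cache), so a failure here can reflect client enrolment state rather than a missing group; consider noting that dependency in the task name or adding a `failed_when` with a message that distinguishes the two cases.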
@ -68,7 +68,7 @@
- sshd
- name: Check that shell access user groups exist
command: "ipa group-show --no-members {{ item }}"
command: "getent group {{ item }}"
changed_when: False
loop: "{{ (ipa_client_shell_groups | default([])) | list }}"
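Review bot: switching to `getent group {{ item }}` changes the contract of `ipa_client_shell_groups`, since a non-POSIX IPA group that previously passed `ipa group-show` will now fail the check; the variable's documentation (or a comment above the task) should state that every listed group must be a POSIX group, which matches the intent in the commit message.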


@ -1,5 +1,5 @@
- name: Check that configured sudo groups exist
command: "ipa group-show --no-members {{ item }}"
command: "getent group {{ item }}"
changed_when: False
loop: "{{ (ipa_client_sudo_groups | default([])) + (ipa_client_sudo_nopasswd_groups | default([])) | list }}"
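Review bot: in the `loop` expression, `| list` binds only to `(ipa_client_sudo_nopasswd_groups | default([]))` because Jinja2 filters take precedence over `+`, so the first list is not passed through `list`; wrap the whole sum, e.g. `((ipa_client_sudo_groups | default([])) + (ipa_client_sudo_nopasswd_groups | default([]))) | list`, and consider appending `| unique` so a group present in both variables is checked only once.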