ipa/client: repair nsswitch.conf post-FAS

The `fas_client` role installed a version of nsswitch.conf which doesn't
delegate to sss. For some reason, ipa-client-install doesn't ensure this
is brought back. This prepends `sss` to lines where it would be missing
otherwise. Also, run the cleanup tasks before the enrollment task.

Signed-off-by: Nils Philippsen <nils@redhat.com>

roles/ipa/client/tasks/cleanup.yml

@@ -1,5 +1,15 @@
 ---
-# REMOVEME: As soon as all (affected) hosts have been migrated over from fas_client, 2fa_client to
+# Repair nsswitch.conf, the fas_client role installed a version which didn't include sss
+
+- name: Ensure SSSD is consulted when looking up users and groups
+  replace:
+    path: /etc/nsswitch.conf
+    regexp: >-
+      ^(?P<dbchunk>\s*(?:passwd|group|services|netgroup|automount)\s*:\s*)(?P<specchunk>(?:(?!sss(\s|$)).)*)$
+    replace: >-
+      \g<dbchunk>sss \g<specchunk>
+
+# REMOVEME: After all affected hosts have been migrated over from fas_client, 2fa_client to
 # ipa/client, this can go away.
 #
 # Restore pristine sudo configuration, TOTPCGI configuration messes with IPA integration

roles/ipa/client/tasks/main.yml

@@ -8,6 +8,14 @@
     - ipa/client
     - packages
 
+- name: Clean up annoying remnants of previous FAS client installations
+  import_tasks: cleanup.yml
+  # don't muck with prod for now
+  when: env == 'staging'
+  tags:
+    - ipa/client
+    - fas-client-cleanup
+
 - name: Enroll system as IPA client
   command:
     cmd: ipa-client-install
@@ -22,14 +30,6 @@
     - ipa/client
     - config
 
-- name: Clean up annoying remnants of previous FAS client installations
-  import_tasks: cleanup.yml
-  # don't muck with prod for now
-  when: env == 'staging'
-  tags:
-    - ipa/client
-    - fas-client-cleanup
-
 - name: Prepare IPA-related information to make the following more efficient
   delegate_to: localhost
   import_tasks: prepare-ipa-info.yml