ipa/client: clean up old 2FA sudo configuration

The old, TOTPCGI-enabled sudo configuration breaks when it should be
verifying password and OTP token against what's stored in IPA.

If found, or /etc/pam.d/sudo or the sudo package are missing, reinstall
the sudo package to fix.

Signed-off-by: Nils Philippsen <nils@redhat.com>

roles/ipa/client/tasks/cleanup.yml

@@ -0,0 +1,39 @@
+# REMOVEME: As soon as all (affected) hosts have been migrated over from fas_client, 2fa_client to
+# ipa/client, this can go away.
+#
+# Restore pristine sudo configuration, TOTPCGI configuration messes with IPA integration
+
+- name: Check if /etc/pam.d/sudo exists
+  stat:
+    path: /etc/pam.d/sudo
+  register: pam_sudo_stat
+
+- name: Check if /etc/pam.d/sudo needs to be restored
+  lineinfile:
+    name: /etc/pam.d/sudo
+    regexp: 'pam_url\.so'
+    state: absent
+  check_mode: yes
+  changed_when: false
+  register: pam_sudo_pam_url_so
+  when: pam_sudo_stat.stat.exists and not pam_sudo_stat.stat.islnk
+
+- name: Remove butchered sudo pam.d file
+  file:
+    name: /etc/pam.d/sudo
+    state: absent
+  when: pam_sudo_stat.stat.exists and pam_sudo_pam_url_so.found
+
+- name: Uninstall sudo package, but not any dependencies
+  command:
+    cmd: rpm -e --nodeps sudo
+    # We really don't want to use yum/dnf here
+    warn: no
+  failed_when: false
+  when: not pam_sudo_stat.stat.exists or pam_sudo_pam_url_so.found
+
+- name: (Re)install sudo package
+  package:
+    name: sudo
+    state: present
+  when: not pam_sudo_stat.stat.exists or pam_sudo_pam_url_so.found

roles/ipa/client/tasks/main.yml

@@ -21,6 +21,14 @@
     - ipa/client
     - config
 
+- name: Clean up annoying remnants of previous FAS client installations
+  import_tasks: cleanup.yml
+  # don't muck with prod for now
+  when: env == 'staging'
+  tags:
+    - ipa/client
+    - fas-client-cleanup
+
 - name: Basic configuration for client on IPA cluster
   delegate_to: "{{ ipa_server }}"
   import_tasks: common.yml