Use ansible_domain everywhere and bail out if it is empty.

roles/lan-client/defaults/main.yml

@@ -1,6 +1,5 @@
 lan_homes:  /home/lan
-ldap_domain: "{{ ansible_domain | default('intern', true) }}"
-basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
+basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
 ldap_server: ldap
 krb_server: kerberos
 nfs_server: nfs

roles/lan-client/tasks/main.yml

@@ -1,9 +1,12 @@
 ---
+- fail: msg="The machine's domain must not be empty."
+  when: ansible_domain | length == 0 
+
 - name: preseed krb5-config realm
   debconf:
     name: krb5-config
     question: krb5-config/default_realm
-    value: "{{ ldap_domain | upper }}"
+    value: "{{ ansible_domain | upper }}"
     vtype: string
 
 - name: preseed krb5-config kerberos servers
@@ -43,12 +46,12 @@
 
 ## Activate machine after installation:
 - name: create machine principal
-  command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
+  command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
   no_log: true
   when: not run_in_installer|default(false)|bool
 
 - name: add principal to keytab
-  command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
+  command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
   args:
     creates: /etc/krb5.keytab
   no_log: true

roles/lan-client/templates/sssd.conf.j2

@@ -16,7 +16,7 @@ ldap_search_base = {{ basedn }}
 
 auth_provider = krb5
 krb5_server = {{ krb_server }}
-krb5_realm = {{ ldap_domain | upper }}
+krb5_realm = {{ ansible_domain | upper }}
 cache_credentials = true
 
 min_id = 10000