
IPA Client OTP enrollment failing, likely due to mismatch in code #518

Open
justchris1 opened this issue Mar 16, 2021 · 1 comment

justchris1 commented Mar 16, 2021

I have installed the ansible collection 0.3.5 and set the following ansible variable to 'yes': ipaclient_use_otp. I am trying to run the ipareplica role on the replica. Installation of the master (on the master, of course) went great.

In roles/ipaclient/tasks/install.yml:

- name: Install - Get One-Time Password for client enrollment
  no_log: yes
  freeipa.ansible_freeipa.ipaclient_get_otp:
    state: present
    principal: "{{ ipaadmin_principal | default(omit) }}"
    password: "{{ ipaadmin_password | default(omit) }}"
    keytab: "{{ ipaadmin_keytab | default(omit) }}"
    fqdn: "{{ result_ipaclient_test.hostname }}"
    lifetime: "{{ ipaclient_lifetime | default(omit) }}"
    random: True
  register: result_ipaclient_get_otp
  # If the host is already enrolled, this command will exit on error
  # The error can be ignored
  failed_when: result_ipaclient_get_otp is failed and
               "Password cannot be set on enrolled host" not
                   in result_ipaclient_get_otp.msg
  delegate_to: "{{ result_ipaclient_test.servers[0] }}"
  ignore_errors: yes

However, plugins/modules/ipaclient_get_otp.py has the following signature for the module:

from ansible.module_utils.basic import AnsibleModule

module = AnsibleModule(
    argument_spec=dict(
        principal=dict(default='admin'),
        ccache=dict(required=False, type='path'),
        fqdn=dict(required=True),
        certificates=dict(required=False, type='list'),
        sshpubkey=dict(required=False),
        ipaddress=dict(required=False),
        random=dict(default=False, type='bool'),
        state=dict(default='present', choices=['present', 'absent']),
    ),
)

Unless I am missing something, there is no way this can succeed since we are passing in password, keytab, and lifetime which aren't supported by the module. The exact error I get is: (I have substituted my hostname for my-host.local, but I am using a 'real' FQDN)

TASK [freeipa.ansible_freeipa.ipaclient : Install IPA client] *********************************************************
included: /home/justchris1/.ansible/collections/ansible_collections/freeipa/ansible_freeipa/roles/ipaclient/tasks/install.yml for my-host.local

TASK [freeipa.ansible_freeipa.ipaclient : Install - Ensure that IPA client packages are installed] ********************
ok: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Set ipaclient_servers] ********************************************
skipping: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Set ipaclient_servers from cluster inventory] *********************
skipping: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Check that either principal or keytab is set] *********************
skipping: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Set default principal if no keytab is given] **********************
skipping: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - IPA client test] **************************************************
ok: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Cleanup leftover ccache] ******************************************
ok: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Configure NTP] ****************************************************
changed: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Make sure One-Time Password is enabled if it's already defined] ***
skipping: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Disable One-Time Password for on_master] **************************
skipping: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Test if IPA client has working krb5.keytab] ***********************
ok: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Disable One-Time Password for client with working krb5.keytab] ****
skipping: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Keytab or password is required for getting otp] *******************
skipping: [my-host.local]

TASK [freeipa.ansible_freeipa.ipaclient : Install - Get One-Time Password for client enrollment] **********************
fatal: [my-host.local -> apple.0a.org]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
...ignoring

TASK [freeipa.ansible_freeipa.ipaclient : Install - Report error for OTP generation] **********************************
fatal: [my-host.local]: FAILED! => {
    "msg": "Unsupported parameters for (freeipa.ansible_freeipa.ipaclient_get_otp) module: password Supported parameters include: ccache, certificates, fqdn, ipaddress, principal, random, sshpubkey, state"
}
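As an added example (not code from the ansible-freeipa project), the following Python check compares the parameters the task above passes against the module's argument_spec and reproduces the "Unsupported parameters" failure quoted in the log; the `OMIT` sentinel and the `check_args` function are assumptions standing in for Ansible's `omit` placeholder and AnsibleModule's argument validation.

```python
# Added example (not from the ansible-freeipa project): a static check that
# compares the parameters a task passes against a module's argument_spec.
# The spec mirrors plugins/modules/ipaclient_get_otp.py as quoted in the
# issue; the task arguments mirror roles/ipaclient/tasks/install.yml.

OTP_MODULE_SPEC = dict(
    principal=dict(default='admin'),
    ccache=dict(required=False, type='path'),
    fqdn=dict(required=True),
    certificates=dict(required=False, type='list'),
    sshpubkey=dict(required=False),
    ipaddress=dict(required=False),
    random=dict(default=False, type='bool'),
    state=dict(default='present', choices=['present', 'absent']),
)

# Assumed stand-in for Ansible's `omit`: a parameter resolving to it is
# dropped before the module sees it.
OMIT = object()


def resolve_task_args(task_args):
    """Drop parameters that resolve to `omit`, as Ansible does."""
    return {k: v for k, v in task_args.items() if v is not OMIT}


def check_args(spec, args):
    """Return problems found when `args` are fed to a module with `spec`:
    unknown parameters, missing required ones, values outside `choices`."""
    problems = []
    unsupported = sorted(k for k in args if k not in spec)
    if unsupported:
        problems.append("Unsupported parameters for module: %s Supported "
                        "parameters include: %s"
                        % (", ".join(unsupported), ", ".join(sorted(spec))))
    for name, opts in spec.items():
        if opts.get('required') and name not in args:
            problems.append("missing required arguments: %s" % name)
        choices = opts.get('choices')
        if choices and name in args and args[name] not in choices:
            problems.append("value of %s must be one of: %s"
                            % (name, ", ".join(choices)))
    return problems


# Constructed inventory: ipaadmin_password is defined, ipaadmin_keytab and
# ipaclient_lifetime are not, which yields the error quoted in the issue.
TASK_ARGS = dict(state='present', principal='admin',
                 password='example-secret', keytab=OMIT,
                 fqdn='my-host.local', lifetime=OMIT, random=True)


def issue_problems():
    return check_args(OTP_MODULE_SPEC, resolve_task_args(TASK_ARGS))


if __name__ == '__main__':
    for problem in issue_problems():
        print(problem)
```

Because `keytab` and `lifetime` resolve to `omit` when their variables are undefined, only `password` reaches the module, which is why the quoted error names just that parameter.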

t-woerner (Member) commented

PR #987 is changing the code for OTP. The action plugin is removed and the OTP is generated on the first entry in the server list returned by ipaclient_test.
