Not 100% sure where to send this. Am trying to write an Ansible playbook to install SSSD and enroll the host in a domain.
The problem starts when the host exists in the domain and ipa-client is already installed.
We can use Ansible's delegate module to remove the host from domain enrollment (it would be more ideal to test if it's enrolled, then unenroll if the test returns true). And we can use ipa-client-install --uninstall if ipa-client is already configured. But neither of these commands provides easy answers quickly.
ipa host-find {{ host }} | grep matched | cut -d " " -f 1
will turn ipa host-find into something usable. A switch that just returned the number matched would be ideal, but it's workable currently.
More interestingly, once a host is unenrolled from the domain (i.e., ipa host-del <host> runs successfully on the IPA server), it doesn't, and probably shouldn't, uninstall ipa-client on the host itself.
But there doesn't seem to be any way to check ipa-client --install/--uninstall for its opposite.
I.e., if ipa-client is installed, and is run again, one is urged to uninstall first:
IPA client is already configured on this system. If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'. The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
if ipa-client is not installed, and you run
ipa-client --uninstall
The message returned is:
IPA client is not configured on this system. The ipa-client-install command failed. See /var/log/ipaclient-uninstall.log for more information
Have I missed a true/false return value cli arg for ipa-client-install?
ipa-client-install --exists
ipa-client-install --configured
or something like that?
Am I making hard work of something that is relatively straight forward and solved elsewhere but I've missed?
Ansible has "ignore_errors: True" available, but I feel that is a weak get out of jail free card. Given that this is authentication and authorization, errors shouldn't be ignored (opinion).
cheers L.
------ "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. "
*Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857
On ma, 23 huhti 2018, Lachlan Musicman via FreeIPA-users wrote:
Am I making hard work of something that is relatively straight forward and solved elsewhere but I've missed?
Ansible has "ignore_errors: True" available, but I feel that is a weak get out of jail free card. Given that this is authentication and authorization, errors shouldn't be ignored (opinion).
Not really answering your question but did you actually look at https://github.com/freeipa/ansible-freeipa instead of creating new ones?
On 23 April 2018 at 17:00, Alexander Bokovoy abokovoy@redhat.com wrote:
Not really answering your question but did you actually look at https://github.com/freeipa/ansible-freeipa instead of creating new ones?
To my shame - not only did I not, I've even got that tab open. Closing tabs. I should be closing tabs. Thanks Alexander.
Cheers L.
On 23 April 2018 at 17:53, Lachlan Musicman datakid@gmail.com wrote:
Initial impression: it's a very smooth process using the Ansible scripts. Unfortunately I reproducibly cannot log in when using it. If I run ipa-client-install manually I can log in.
I will have to work through the install-client playbook line by line - there's a lot in the playbook I don't recognise as part of the process. Also, I'm on CentOS which isn't officially supported.
But it does install ipa-client very easily.
cheers L.
On ti, 24 huhti 2018, Lachlan Musicman via FreeIPA-users wrote:
Initial impression: it's a very smooth process using the Ansible scripts. Unfortunately I reproducibly cannot log in when using it. If I run ipa-client-install manually I can log in.
I will have to work through the install-client playbook line by line - there's a lot in the playbook I don't recognise as part of the process. Also, I'm on CentOS which isn't officially supported.
I'd suggest opening issues on GitHub for ansible-freeipa when you see them.
On 24 April 2018 at 14:46, Lachlan Musicman datakid@gmail.com wrote:
I should clarify. The client seems to install successfully. From the client I can `id user@domain` and get the results I'm looking for. But actual login fails. I tried debug_level = 7 and debug_level = 9 but there were no errors thrown or obvious failures?
Cheers L.
On 24 April 2018 at 15:43, Lachlan Musicman datakid@gmail.com wrote:
For those that come looking after me, I found the problem. For reasons that I lack the skills to dive into properly, the ansible playbook for install-client sets two vars in /etc/krb5.conf to false which are set to true when I run ipa-client-install manually.
By overriding these two vars to true in the playbook
dns_lookup_realm: true
dns_lookup_kdc: true
I could get it to work as expected.
Cheers L.
Hi,
For our servers, I test in Puppet for the existence of files under /var/lib/ipa (for IPA servers) or /var/lib/ipa-client/ (for everything else).
Specifically, /var/lib/ipa{-client}/sysrestore/sysrestore.index should exist if IPA setup has been run, and should not exist if IPA uninstall has been run.
Try it on one of your hosts to confirm.
Cheers, Dagan McGregor
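A playbook fragment that puts the two checks from this thread together, as an added example (it is not code from the thread or from the ansible-freeipa project): the `ipa host-find ... | grep matched | cut` count from the original post, run on the IPA server via delegate_to, and Dagan's sysrestore.index test on the client. The inventory group `ipa_clients`, the variables `ipa_server`, `ipa_admin_principal`, `ipa_admin_password` (expected to come from Ansible Vault) and `ipa_probe_user`, and a valid admin Kerberos ticket for the account the delegated tasks run as on the IPA server are all assumptions.

```yaml
# Added example: idempotent FreeIPA client (re)enrollment checks.
# Not taken from the thread or from ansible-freeipa; the inventory group,
# the variables and the admin ticket on the IPA server are assumed.
- name: Re-enroll a FreeIPA client only after verifying its current state
  hosts: ipa_clients                      # assumed inventory group
  become: true
  vars:
    ipa_server: ipa.example.test          # assumed: an IPA server in your inventory
    ipa_admin_principal: admin            # assumed
    # ipa_admin_password is assumed to be defined in a vaulted group_vars file
    ipa_probe_user: someuser              # assumed: an IPA user to look up afterwards
  tasks:
    # Dagan's test from the thread: the sysrestore index exists only while
    # ipa-client-install's configuration is in place.
    - name: Detect whether ipa-client is configured on this host
      ansible.builtin.stat:
        path: /var/lib/ipa-client/sysrestore/sysrestore.index
      register: ipa_client_state

    # The original post's pipeline, run on the server. 'cut' always exits 0,
    # so the return code says nothing; validate the output instead of using
    # ignore_errors. An empty value (e.g. no Kerberos ticket) or a count
    # other than 0/1 (ambiguous substring match) fails the play.
    - name: Count host entries matching this host on the IPA server
      ansible.builtin.shell: >-
        ipa host-find {{ inventory_hostname }} | grep matched | cut -d ' ' -f 1
      delegate_to: "{{ ipa_server }}"
      register: ipa_host_match
      changed_when: false
      failed_when: ipa_host_match.stdout not in ['0', '1']

    - name: Remove the stale host entry from the domain
      ansible.builtin.command: ipa host-del {{ inventory_hostname }}
      delegate_to: "{{ ipa_server }}"
      when: ipa_host_match.stdout == '1'

    - name: Remove the stale client configuration
      ansible.builtin.command: ipa-client-install --uninstall --unattended
      when: ipa_client_state.stat.exists

    # Relies on DNS SRV discovery of the realm and KDCs, which is what the
    # dns_lookup_realm / dns_lookup_kdc settings discussed in the thread control.
    - name: Enroll the client
      ansible.builtin.command: >-
        ipa-client-install --unattended
        --principal {{ ipa_admin_principal }}
        --password {{ ipa_admin_password }}
        --mkhomedir
      no_log: true                        # keep the admin password out of the log

    - name: Confirm identity lookups work through SSSD
      ansible.builtin.command: getent passwd {{ ipa_probe_user }}
      changed_when: false
```

Two points worth noting. The positional criterion of `ipa host-find` is a substring search across the host attributes, so use the full FQDN as `inventory_hostname`; the `failed_when` check turns an ambiguous "2 hosts matched" result into a failed play rather than a `host-del` of the wrong entry. And because the enrollment password is an admin credential, the task is marked `no_log`; if you would rather not hand the admin password to every client, the same flow works with a per-host one-time password generated on the server (`ipa host-add --random`) in place of `--principal`/`--password`.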