freeipa / ansible-freeipa
Ansible roles and modules for FreeIPA
License: GNU General Public License v3.0
When ipaclient_use_otp is set to true and the client does not yet have a DNS entry in the IPA DNS, it fails.
fatal: [ipaclient.example.com -> ipa01.example.com]: FAILED! => {
"changed": false,
"failed_when_result": true,
"invocation": {
"module_args": {
"ansible_python_interpreter": "/usr/bin/python2",
"ccache": "/root/.ansible/tmp/ansible-tmp-1555507414.4304569-5411027979932/ccache",
"certificates": null,
"fqdn": "ipaclient.example.com",
"ipaddress": null,
"principal": "admin",
"random": true,
"sshpubkey": null,
"state": "present"
}
},
"msg": "ipaclient_get_otp module failed : Host 'ipaclient.example.com' does not have corresponding DNS A/AAAA record"
}
Rob
As of now, there are two NTP related settings in the defaults for the ipaclient
role, namely:
ipaclient_ntp: no
ipaclient_no_ntp: no
Only the latter is documented:
The ipaclient_no_ntp bool value defines if NTP will not be configured and enabled. ipaclient_no_ntp defaults to no.
Checking where these settings are used in the tasks file, it can be seen they are parameters of the ipadiscovery and ipaextras modules, where the relevant options are documented as follows:
---
module: ipadiscovery
no_ntp:
description: Do not sync time and do not detect time servers
required: false
default: false
type: bool
default: no
and
---
module: ipaextras
ntp:
description: Set to no to not configure and enable NTP
required: false
type: bool
default: no
It is a bit confusing (at least for me) what each one accomplishes, or if they do the same thing, i.e. configure the NTP service for the client. If they don't, ipaclient_ntp is missing from the docs.
The ipa-client-install CLI utility only has one of the options:
-N, --no-ntp do not configure ntp
Hi,
I am getting this error during replica installation, and I cannot figure out why:
TASK [ipareplica : Install - Replica preparation] ******************************************************************************************************************************************************************************************
fatal: [rhel-waf-01.ams.ims.telekom.de]: FAILED! => {"changed": false, "module_stderr": "Shared connection to rhel-waf-01.ams.ims.telekom.de closed.\r\n", "module_stdout": "\r\nTraceback (most recent call last):\r\n File \"/home/admin/.ansible/tmp/ansible-tmp-1552559895.9566212-6191780865347/AnsiballZ_ipareplica_prepare.py\", line 113, in <module>\r\n _ansiballz_main()\r\n File \"/home/admin/.ansible/tmp/ansible-tmp-1552559895.9566212-6191780865347/AnsiballZ_ipareplica_prepare.py\", line 105, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/admin/.ansible/tmp/ansible-tmp-1552559895.9566212-6191780865347/AnsiballZ_ipareplica_prepare.py\", line 48, in invoke_module\r\n imp.load_module('__main__', mod, module, MOD_DESC)\r\n File \"/tmp/ansible_ipareplica_prepare_payload_YYChTx/__main__.py\", line 692, in <module>\r\n File \"/tmp/ansible_ipareplica_prepare_payload_YYChTx/__main__.py\", line 599, in main\r\n File \"/usr/lib/python2.7/site-packages/ipaserver/install/dns.py\", line 142, in install_check\r\n for reverse_zone in options.reverse_zones:\r\nTypeError: 'NoneType' object is not iterable\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
Looks like options.reverse_zones is not filled in...?
So, at the "replica preparation" stage it has the following call:
- name: Install - Replica preparation
ipareplica_prepare:
The ipareplica_prepare module cannot accept "reverse_zones" as an argument.
So I am not sure how reverse_zones is supposed to be filled in, to make it work...
My vars are:
[ipareplicas:vars]
ipaadmin_password=***
ipadm_password=***
ipareplica_setup_dns=yes
ipareplica_auto_forwarders=yes
ipareplica_setup_firewalld=no
ipaserver_domain=***
ipaserver_realm=***
I tried adding ipareplica_auto_reverse=yes and ipaserver_auto_reverse=yes, it didn't help...
Hi guys,
During the freeipa replica installation I get the following error:
fatal: [ipareplica01]: FAILED! => {"changed": false, "msg": "empty DNS label"}
Anyone knows what's this about and how could I solve it?
Thanks
If I run the script ipa-ca-install, I can set the name of the CA certificate using the --ca-subject option.
It appears that I should be able to do the equivalent with Ansible by setting the variable ipaserver_ca_subject. However, this fails, because ipaserver_test.py calls an undefined function, subject_validator(), on this value.
If I comment out this line in ipaserver_test.py, the installation appears to proceed successfully.
As of now, this repository can't be pulled using ansible-galaxy.
I propose to split this repository in separate repositories, one per role.
It's my understanding that some of the roles are basically dependencies of the, let's say, entrypoint roles (ipaserver, ipaclient, ipareplica), and could be pulled by listing them in the dependencies section of the meta files.
Eventually, publish on Galaxy and/or move roles to linux-system-roles(?)
Traceback (most recent call last):
File "/tmp/ansible_k4i2cvbx/ansible_module_ipaserver_test.py", line 787, in <module>
main()
File "/tmp/ansible_k4i2cvbx/ansible_module_ipaserver_test.py", line 730, in main
adtrust.install_check(False, options, api)
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrust.py", line 408, in install_check
if not options.add_sids:
AttributeError: 'options_obj' object has no attribute 'add_sids'
Fedora Server 28, with the latest commit (b2583f7)
It seems the playbooks have been written to run on Fedora or RHEL; what should I change to make them work on Ubuntu Server?
'Spin-off' of #36 to keep the reports uncluttered, since the original issue there was resolved by my patch before I hit the one below. Quoting myself from there:
Fedora Server 28, latest commit (b2583f7) + my patch from #36.
TASK [ipaserver : Install - Setup ADTRUST] *************************************************************************************************************************************************************************************************** fatal: [lacedaemon]: FAILED! => {"changed": false, "module_stderr": "Shared connection to lacedaemon.[domain] closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_5by0h0gv/ansible_module_ipaserver_setup_adtrust.py\", line 88, in <module>\r\n main()\r\n File \"/tmp/ansible_5by0h0gv/ansible_module_ipaserver_setup_adtrust.py\", line 76, in main\r\n api_Backend_ldap2_connect(options.host_name, options.setup_ca)\r\nNameError: name 'api_Backend_ldap2_connect' is not defined\r\n", "msg": "MODULE FAILURE", "rc": 1}
I would like to help fix this error, but I am a bit out of my depth here. The only comparable use of such a call is here (l. 44), though spelled with "." instead of "_". That file has a statement:
from ipalib import api
Would something like this be needed here as well?
Grasping at straws, I adapted the above example to ipaserver_setup_adtrust.py (see new patch), and this is the result:
TASK [ipaserver : Install - Setup ADTRUST] ************************************* fatal: [lacedaemon]: FAILED! => {"changed": false, "module_stderr": "Shared connection to lacedaemon.cds-infra.de closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_id5psz9x/ansible_module_ipaserver_setup_adtrust.py\", line 91, in <module>\r\n main()\r\n File \"/tmp/ansible_id5psz9x/ansible_module_ipaserver_setup_adtrust.py\", line 79, in main\r\n api.Backend.ldap2.connect(options.host_name, options.setup_ca)\r\nAttributeError: 'API' object has no attribute 'Backend'\r\n", "msg": "MODULE FAILURE", "rc": 1}
Per Ansible docs:
end_play (added in 2.2) causes the play to end without failing the host(s). Note that this affects all hosts.
This also breaks the ability to include the ipa roles from other roles which may take additional pre and post install steps for further customization.
Or will this require significant changes on the tasks themselves? The reason I'm asking is because a lot of hosts are going to be registered after being provisioned, and another play that includes this role is used to configure them. There are other workarounds, like using add_host again to create the proper groups, but that can be dirty.
Please add configuration / variables for using external CA
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server#install-server-external-ca
Hello,
When enabling ipaserver_setup_adtrust it fails on the default smb.conf.
It complains there is already an smb.conf and that it would break the existing samba configuration.
Since this is a clean install this should not happen (i.e. there was no samba installed/configured before running this play).
Rob
There is no LICENSE for the project. Might want to include it.
Hello.
There is a typo in ipaclient/tasks/install.yml line 163:
and (ipaclient_keytab is undefined or ipaclient_keytab|lenth == 0)
should be
and (ipaclient_keytab is undefined or ipaclient_keytab|length == 0)
After replacing that, it now fails with:
"msg": "The conditional check 'not result_ipaclient_test_keytab.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password|length == 0) and (ipaclient_keytab is undefined or ipaclient_keytab|length == 0)' failed. The error was: Unexpected templating type error occurred on ({% if not result_ipaclient_test_keytab.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password|length == 0) and (ipaclient_keytab is undefined or ipaclient_keytab|length == 0) %} True {% else %} False {% endif %}): object of type 'AnsibleVaultEncryptedUnicode' has no len()
Changing lines 162,163
from
(ipaadmin_password is undefined or ipaadmin_password|length == 0)
and (ipaclient_keytab is undefined or ipaclient_keytab|lenth == 0)
to
(ipaadmin_password is undefined or ipaadmin_password == "") and
(ipaclient_keytab is undefined or ipaclient_keytab == "")
fixes that (undoing an old commit #93f9b90).
Rob
Ansible host: FC28, Ansible v. 2.7.9, Python 2.7.15/3.6.8
Target: FC29, Python 3.7.2
Commit: #387f555
Running install-server.yml (with both ansible-playbook-2 and ansible-playbook-3) gives:
TASK [ipaserver : Install - Server installation test] ********************************************************************************************************************************************************* task path: /etc/ansible/roles/ipaserver/tasks/install.yml:28 <target> ESTABLISH SSH CONNECTION FOR USER: ansible-user <target> SSH: EXEC sshpass -d9 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o User=ansible-user -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/fa531c6114 target '/bin/sh -c '"'"'echo ~ansible-user && sleep 0'"'"'' <target> (0, '/home/ansible-user\n', 'OpenSSH_7.8p1, OpenSSL 1.1.0i-fips 14 Aug 2018\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0\r\ndebug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 2: Including file /etc/crypto-policies/back-ends/openssh.config depth 1\r\ndebug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config\r\ndebug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-]\r\ndebug3: kex names ok: [[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]\r\ndebug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 12344\r\ndebug3: mux_client_request_session: session request sent\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit 
status from master 0\r\n') <target> ESTABLISH SSH CONNECTION FOR USER: ansible-user <target> SSH: EXEC sshpass -d9 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o User=ansible-user -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/fa531c6114 target '/bin/sh -c '"'"'( umask 77 && mkdir -p "
echo /home/ansible-user/.ansible/tmp/ansible-tmp-1554476429.16-190527893568211 " && echo ansible-tmp-1554476429.16-190527893568211="
echo /home/ansible-user/.ansible/tmp/ansible-tmp-1554476429.16-190527893568211 " ) && sleep 0'"'"'' <target> (0, 'ansible-tmp-1554476429.16-190527893568211=/home/ansible-user/.ansible/tmp/ansible-tmp-1554476429.16-190527893568211\n', 'OpenSSH_7.8p1, OpenSSL 1.1.0i-fips 14 Aug 2018\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0\r\ndebug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 2: Including file /etc/crypto-policies/back-ends/openssh.config depth 1\r\ndebug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config\r\ndebug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-]\r\ndebug3: kex names ok: [[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]\r\ndebug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 12344\r\ndebug3: mux_client_request_session: session request sent\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n') fatal: [target]: FAILED! => { "msg": "Could not find imported module support code for ipaserver_test. Looked for either *.py or ansible_ipa_server.py"
Hi,
I'm struggling to get past this error:
fatal: [10.30.10.90]: FAILED! => {
"changed": false,
"module_stderr": "Shared connection to 10.30.10.90 closed.\r\n",
"module_stdout": "Traceback (most recent call last):\r\n File "/tmp/ansible_SJhcL4/ansible_module_ipaserver_test.py", line 787, in \r\n main()\r\n File "/tmp/ansible_SJhcL4/ansible_module_ipaserver_test.py", line 261, in main\r\n check_zone_overlap(options.domain_name, False)\r\n File "/usr/lib/python2.7/site-packages/ipapython/dnsutil.py", line 348, in check_zone_overlap\r\n zone = DNSName(zone).make_absolute()\r\n File "/usr/lib/python2.7/site-packages/ipapython/dnsutil.py", line 55, in init\r\n super(DNSName, self).init(labels)\r\n File "/usr/lib/python2.7/site-packages/dns/name.py", line 143, in init\r\n super(Name, self).setattr('labels', tuple(labels))\r\nTypeError: 'NoneType' object is not iterable\r\n",
"msg": "MODULE FAILURE",
"rc": 1
}
I'm using CentOS 7.
Please assist; I have installed the following packages for Python DNS:
python-pydns-2.3.6-2.el7.noarch
python-dns-1.12.0-4.20150617git465785f.el7.noarch
python34-dns-1.15.0-7.el7.noarch
python2-dns-1.12.0-0.el7.noarch
It'd be nice to see a requirements.txt file or more comprehensive requirements for running this.
During client setup, using the freeipa-client for a CentOS 7.6 node, this error appears:
When I try to disable NTP setup with ipaclient_ntp: no, this results in the same issue:
ansible-playbook -i inventory install-client.yml
using vars:
[ipaclients:vars]
ipa_ansible_python_interpreter=/usr/bin/python2
ipaclient_no_dns_lookup=yes
ipaclient_domain=admin.lab
ipaclient_realm=ADMIN.LAB
ipaadmin_principal=admin
ipaadmin_password=****
ipaclient_use_otp=yes
ipaclient_ntp=no
ipaclient_mkhomedir=yes
TASK [ipaclient : Install - Configure NTP] ***************************************************************************************************************************************************************************************
fatal: [awx2.admin.lab]: FAILED! => {"changed": false, "module_stderr": "Shared connection to awx2.admin.lab closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/root/.ansible/tmp/ansible-tmp-1556029445.194679-60442685518602/AnsiballZ_ipaclient_setup_ntp.py\", line 113, in <module>\r\n _ansiballz_main()\r\n File \"/root/.ansible/tmp/ansible-tmp-1556029445.194679-60442685518602/AnsiballZ_ipaclient_setup_ntp.py\", line 105, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/root/.ansible/tmp/ansible-tmp-1556029445.194679-60442685518602/AnsiballZ_ipaclient_setup_ntp.py\", line 48, in invoke_module\r\n imp.load_module('__main__', mod, module, MOD_DESC)\r\n File \"/tmp/ansible_ipaclient_setup_ntp_payload_pHWgUa/__main__.py\", line 175, in <module>\r\n File \"/tmp/ansible_ipaclient_setup_ntp_payload_pHWgUa/__main__.py\", line 157, in main\r\nNameError: global name 'ntpconf' is not defined\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
ldap_connection_expire_timeout is set to 15 minutes. With an automated setup of several clients, all these clients will have the same or a very similar time frame where the krb5 ticket timeout occurs.
A possible solution could be to add a randomization offset to the timeout value so these re-connections will be spread over time.
Hello everyone,
We're using this playbook to install a FreeIPA server (master) on an Ubuntu 18.04LTS.
Everything goes well until I hit the task TASK [ipaserver : Install - Setup CA].
This is the output:
TASK [ipaserver : Install - Setup CA] ********************************************************************************************************************************************************************************************************
fatal: [10.0.254.201]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 10.0.254.201 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/home/XXX/.ansible/tmp/ansible-tmp-1555423433.79043-184703110138725/AnsiballZ_ipaserver_setup_ca.py\", line 113, in <module>\r\n _ansiballz_main()\r\n File \"/home/XXX/.ansible/tmp/ansible-tmp-1555423433.79043-184703110138725/AnsiballZ_ipaserver_setup_ca.py\", line 105, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/XXX/.ansible/tmp/ansible-tmp-1555423433.79043-184703110138725/AnsiballZ_ipaserver_setup_ca.py\", line 48, in invoke_module\r\n imp.load_module('__main__', mod, module, MOD_DESC)\r\n File \"/tmp/ansible_ipaserver_setup_ca_payload_fJcQp3/__main__.py\", line 239, in <module>\r\n File \"/tmp/ansible_ipaserver_setup_ca_payload_fJcQp3/__main__.py\", line 209, in main\r\n File \"/usr/lib/python2.7/dist-packages/ipaserver/install/ca.py\", line 326, in install_step_0\r\n use_ldaps=standalone)\r\n File \"/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py\", line 473, in configure_instance\r\n self.start_creation(runtime=runtime)\r\n File \"/usr/lib/python2.7/dist-packages/ipaserver/install/service.py\", line 555, in start_creation\r\n run_step(full_msg, method)\r\n File \"/usr/lib/python2.7/dist-packages/ipaserver/install/service.py\", line 541, in run_step\r\n method()\r\n File \"/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py\", line 1791, in migrate_profiles_to_ldap\r\n _create_dogtag_profile(profile_id, profile_data, overwrite=False)\r\n File \"/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py\", line 1797, in _create_dogtag_profile\r\n with api.Backend.ra_certprofile as profile_api:\r\n File \"/usr/lib/python2.7/dist-packages/ipaserver/plugins/dogtag.py\", line 1296, in __enter__\r\n method='GET'\r\n File \"/usr/lib/python2.7/dist-packages/ipapython/dogtag.py\", line 167, in 
https_request\r\n method=method, headers=headers)\r\n File \"/usr/lib/python2.7/dist-packages/ipapython/dogtag.py\", line 229, in _httplib_request\r\n raise NetworkError(uri=uri, error=str(e))\r\nipalib.errors.NetworkError: cannot connect to 'https://freeipa-master-01.XXX.YY:8443/ca/rest/account/login': [Errno 111] Connection refused\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
to retry, use: --limit @/Users/XXX/ansible-freeipa/install-server.retry
Basically, the error is:
...
cannot connect to 'https://freeipa-master-01.XXX.YY:8443/ca/rest/account/login
...
AFAIK, there's a known issue on Ubuntu. For example, you can look for 8443 here: https://themeanti.me/technology/2018/02/21/installing-freeipa.html
It says to modify /usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py adding a timeout in two methods:
from __future__ import print_function
...
import time
...
...
def __import_ca_chain(self):
time.sleep(10)
...
...
def migrate_profiles_to_ldap():
time.sleep(10)
...
Unfortunately, I can't find any __import_ca_chain(self): method. I've tried to add the timeout in the latter, but the error keeps showing up.
Any idea how can I fix the issue and move forward?
Thanks,
-Luca
ansible --version
ansible 2.7.6
Some modules do not work in the current ansible version, I guess.
e.g. error:
module (ipaserver_master_password) is missing interpreter line
The root cause of that is including a module file from another role:
ipaserver_master_password.py in the ipareplica role contains:
../../ipaserver/library/ipaserver_master_password.py
One big repo is really not good and confuses me sometimes (related to #53)
When we try to install ipareplica with CA enabled we get this error:
{ "_ansible_parsed": false, "_ansible_no_log": false, "module_stderr": "Shared connection to 10.0.0.17 closed.\r\n", "changed": false, "module_stdout": "/bin/sh: line 1: 6799 Killed /usr/bin/python2 /root/.ansible/tmp/ansible-tmp-1554730404.21-152770540051987/AnsiballZ_ipareplica_setup_ca.py\r\n", "rc": 137, "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error" }
Ansible invoked command on target host:
ansible-ipareplica_setup_ca Invoked with _ca_subject=CN=Certificate Authority,O=MYDOMAIN.NET config_ips=['<ip address>'] subject_base=O=MYDOMAIN.NET _ca_enabled=True setup_kra=False config_setup_ca=True config_master_host_name=master_fqdn _dirsrv_pkcs12_info=None _ca_file=/etc/ipa/ca.crt _subject_base=O=MYDOMAIN.NET no_ui_redirect=False ccache=/tmp/krbccumgMqV/ccache setup_ca=True _pkinit_pkcs12_info= _top_dir=/tmp/tmpEy9vbcipa dirman_password=NOT_LOGGING_PARAMETER no_pkinit=False config_ca_host_name=fqdn
LOG:
This step executed too many times:
systemd: Stopping PKI Tomcat Server pki-tomcat... Apr 8 13:35:05 opsv0017 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Apr 8 13:35:05 opsv0017 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Apr 8 13:35:05 opsv0017 server: main class used: org.apache.catalina.startup.Bootstrap Apr 8 13:35:05 opsv0017 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Apr 8 13:35:05 opsv0017 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager Apr 8 13:35:05 opsv0017 server: arguments used: stop Apr 8 13:35:06 opsv0017 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false] Apr 8 13:35:06 opsv0017 systemd: Stopped PKI Tomcat Server pki-tomcat. Apr 8 13:35:06 opsv0017 systemd: Reloading. Apr 8 13:35:06 opsv0017 systemd: Starting PKI Tomcat Server pki-tomcat... Apr 8 13:35:07 opsv0017 pkidaemon: ----------------------- Apr 8 13:35:07 opsv0017 pkidaemon: Banner is not installed Apr 8 13:35:07 opsv0017 pkidaemon: ----------------------- Apr 8 13:35:07 opsv0017 pkidaemon: ---------------------- Apr 8 13:35:07 opsv0017 pkidaemon: Enabled all subsystems Apr 8 13:35:07 opsv0017 pkidaemon: ---------------------- Apr 8 13:35:07 opsv0017 pkidaemon: SUCCESS: Successfully archived '/var/lib/pki/pki-tomcat/conf/ca/archives/CS.cfg.bak.20190408163507' Apr 8 13:35:07 opsv0017 pkidaemon: SUCCESS: Successfully backed up '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.bak' Apr 8 13:35:07 opsv0017 systemd: Started PKI Tomcat Server pki-tomcat. 
Apr 8 13:35:07 opsv0017 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Apr 8 13:35:07 opsv0017 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Apr 8 13:35:07 opsv0017 server: main class used: org.apache.catalina.startup.Bootstrap Apr 8 13:35:07 opsv0017 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Apr 8 13:35:07 opsv0017 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Apr 8 13:35:07 opsv0017 server: arguments used: start Apr 8 13:35:07 opsv0017 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false] Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://opsv0017.leoncorp.net:8080/ca/ocsp' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property. 
Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '7200' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '14400' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_1:tls1_2' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property. 
Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. 
Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Apr 8 13:35:08 opsv0017 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. Apr 8 13:35:13 opsv0017 server: CMSEngine.initializePasswordStore() begins Apr 8 13:35:13 opsv0017 server: CMSEngine.initializePasswordStore(): tag=internaldb Apr 8 13:35:13 opsv0017 server: testLDAPConnection connecting to opsv0017.leoncorp.net:389 Apr 8 13:35:13 opsv0017 server: CMSEngine.initializePasswordStore(): tag=replicationdb Apr 8 13:35:13 opsv0017 server: testLDAPConnection connecting to opsv0017.leoncorp.net:389 Apr 8 13:35:13 opsv0017 server: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-opsv0017.leoncorp.net-pki-tomcat,cn=config does not exist Apr 8 13:35:14 opsv0017 server: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER. This may not be a latest instance. Ignoring .. Apr 8 13:35:16 opsv0017 server: CA is started. Apr 8 13:35:21 opsv0017 systemd: Reloading. Apr 8 13:35:21 opsv0017 systemd: Stopping PKI Tomcat Server pki-tomcat...
Thanks for your help!
There are no docs for the individual roles in the roles/ directory. This would be useful.
Was receiving this error:
save_state(nscd, statestore)\r\nTypeError: save_state() takes exactly 1 argument (2 given)\r\n"
I got around it by modifying library/ipanss.py to save_state(nscd) and save_state(nslcd).
When attempting to install on a server with Python 2 as the default (as it is on CentOS/RHEL), I hit the following two errors:
fatal: [test.replica.1.example.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to fd00:4888:2000:251::116 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/root/.ansible/tmp/ansible-tmp-1554322814.486027-242908761338260/AnsiballZ_ipaclient_test.py\", line 113, in <module>\r\n _ansiballz_main()\r\n File \"/root/.ansible/tmp/ansible-tmp-1554322814.486027-242908761338260/AnsiballZ_ipaclient_test.py\", line 105, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/root/.ansible/tmp/ansible-tmp-1554322814.486027-242908761338260/AnsiballZ_ipaclient_test.py\", line 48, in invoke_module\r\n imp.load_module('__main__', mod, module, MOD_DESC)\r\n File \"/tmp/ansible_ipaclient_test_payload_62OwBw/__main__.py\", line 887, in <module>\r\n File \"/tmp/ansible_ipaclient_test_payload_62OwBw/__main__.py\", line 330, in main\r\nTypeError: validate_domain_name() got an unexpected keyword argument 'entity'\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
I checked validate_domain_name(), which is missing that parameter.
I then removed it from the files as per:
diff --git a/roles/ipaclient/library/ipaclient_test.py b/roles/ipaclient/library/ipaclient_test.py
index 457857b..8edda10 100644
--- a/roles/ipaclient/library/ipaclient_test.py
+++ b/roles/ipaclient/library/ipaclient_test.py
@@ -327,7 +327,7 @@ def main():
validate_domain_name(options.domain_name)
if options.realm_name:
- validate_domain_name(options.realm_name, entity="realm")
+ validate_domain_name(options.realm_name)
### ClientInstallInterface ###
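Review bot: dropping `entity="realm"` unconditionally in `validate_domain_name(options.realm_name)` makes the call work on the ipalib 4.6.4 reported here, but it also discards the realm-specific error wording on ipalib versions that do accept the keyword, and unlike the ipaserver_test.py hunk this call has no `NUM_VERSION` guard at all. Suggest trying the call with `entity="realm"` and falling back to the one-argument form on `TypeError`, or gating the keyword on the ipalib version the way ipaserver_test.py already does, so the module keeps the newer behaviour where it is available.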
diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
index 880e641..0608b52 100644
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -567,7 +567,7 @@ def main():
options.realm_name = options.realm_name.upper()
if NUM_VERSION >= 40690:
try:
- validate_domain_name(options.realm_name, entity="realm")
+ validate_domain_name(options.realm_name)
except ValueError as e:
raise ScriptError("Invalid realm name: {}".format(unicode(e)))
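Review bot: this call already sits inside `if NUM_VERSION >= 40690:`, so on the 4.6.4 target reported in this issue (40604) the branch is never reached and the `entity="realm"` keyword here cannot be what fails; removing it only loses the realm-specific error message on the newer ipalib versions the guard was written for. Suggest leaving this hunk out, or at least keeping the keyword inside the version check. Separately, the trailing context `unicode(e)` is Python 2 only and raises NameError under Python 3, which is worth a follow-up given this report is about interpreter defaults.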
However, I'm now hitting:
fatal: [test.replica.1.example.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to IP closed.\r\n", "module_stdout": "This program will set up FreeIPA client.\r\nVersion 4.6.4\r\n\r\nTraceback (most recent call last):\r\n File \"/root/.ansible/tmp/ansible-tmp-1554323260.8378623-142998461041160/AnsiballZ_ipaclient_test.py\", line 113, in <module>\r\n _ansiballz_main()\r\n File \"/root/.ansible/tmp/ansible-tmp-1554323260.8378623-142998461041160/AnsiballZ_ipaclient_test.py\", line 105, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/root/.ansible/tmp/ansible-tmp-1554323260.8378623-142998461041160/AnsiballZ_ipaclient_test.py\", line 48, in invoke_module\r\n imp.load_module('__main__', mod, module, MOD_DESC)\r\n File \"/tmp/ansible_ipaclient_test_payload_morCaK/__main__.py\", line 887, in <module>\r\n File \"/tmp/ansible_ipaclient_test_payload_morCaK/__main__.py\", line 484, in main\r\nTypeError: 'NoneType' object is not callable\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
Partial duplicate of #61 since it hits the same initial error.
Target server has:
python2-ipalib-4.6.4-10.el7_6.3.noarch
Hi!
I know this is more of a discussion/question than an issue, as I understand this is work in progress and that no official release is available yet.
I was (still am, tbh) incredibly excited when I first found this project, and even more when, from the content of roles/ipaserver/vars/ it would seem like it supported RHEL 7. Well, it turns out it seems to require FreeIPA 4.6, which is not available even on RHEL 7.4. I tried to force the bar a bit and changed 40600 to 40500 in module_utils/ansible_ipa_server.py, and when I tried to run again it complains:
fatal: [ipa1.test.local]: FAILED! => {"changed": false, "module_stderr": "Shared connection to ipa1.test.local closed.\r\n", "module_stdout": "ipa: INFO: Checking DNS domain test.local., please wait ...\r\nipa: INFO: Checking DNS domain 7.20.10.in-addr.arpa., please wait ...\r\nipa: WARNING: Invalid IP address fe80::7143:416:27fa:18f8 for ipa1.test.local: cannot use link-local IP address fe80::7143:416:27fa:18f8\r\nTraceback (most recent call last):\r\n File \"/tmp/ansible_pXzngc/ansible_module_ipaserver_prepare.py\", line 263, in <module>\r\n main()\r\n File \"/tmp/ansible_pXzngc/ansible_module_ipaserver_prepare.py\", line 223, in main\r\n dns.install_check(False, api, False, options, options.host_name)\r\n File \"/usr/lib/python2.7/site-packages/ipaserver/install/dns.py\", line 312, in install_check\r\n reverse_zones_unattended_check, search_reverse_zones\r\n File \"/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py\", line 458, in check_reverse_zones\r\n if not options.allow_zone_overlap:\r\nAttributeError: 'options_obj' object has no attribute 'allow_zone_overlap'\r\n", "msg": "MODULE FAILURE", "rc": 0}
Which at least is now a different error...
Before spending too much time on this, could you confirm if there are plans to make this compatible with older releases (like 4.5 found on RHEL 7)? If so, I might go ahead and troubleshoot this and maybe help a bit.
Thanks in advance!
Ildefonso
When executing the ipaserver role, the following error occurs when executing "TASK [ipaclient : Install - IPA client test]"
Logs show ansible-ipaclient_test was invoked with correct domain setting.
Traceback (most recent call last):
File "<stdin>", line 113, in <module>
File "<stdin>", line 105, in _ansiballz_main
File "<stdin>", line 48, in invoke_module
File "/tmp/ansible_ipaclient_test_payload_zc2iAK/__main__.py", line 890, in <module>
File "/tmp/ansible_ipaclient_test_payload_zc2iAK/__main__.py", line 333, in main
TypeError: validate_domain_name() got an unexpected keyword argument 'entity'
System is running the following versions:
ipa-client-common-4.6.4-10.el7.centos.3.noarch
ipa-server-4.6.4-10.el7.centos.3.x86_64
ipa-server-common-4.6.4-10.el7.centos.3.noarch
ipa-client-4.6.4-10.el7.centos.3.x86_64
ansible-2.7.9-1.el7.noarch
ipa-server-dns-4.6.4-10.el7.centos.3.noarch
Hello,
I'm trying to integrate these roles in a global playbook, in order to get all the code in one place. In order to do so, I've added the requested entries in my ansible.cfg (see #11), created an "ipa" local role pointing to the right ipaserver/ipareplica depending on a host var. Overall, here's what my things look like:
inventory.yaml:
all:
  hosts:
    master:
      ipa_master: yes
      other: variables
    replica1:
      ipa_master: no
      ....
roles/ipa/tasks/main.yaml
- name: deploy ipaserver
  when: ipa_master|bool
  import_role:
    name: ipaserver  # import_role takes the role under "name"
- name: deploy ipa replica
  when: not ipa_master|bool
  import_role:
    name: ipareplica
playbook.yaml:
- hosts: all
  roles:
    - common
    - ipa
In order to get a nice env, I've pushed a couple of variables in a local "env.yaml" file:
ipaserver_domain: example.com
ipaserver_realm: EXAMPLE.COM
ipaserver_setup_dns: yes
In addition, ipaadmin_password and ipadm_password are in vault (dedicated file).
I then run the command:
ansible-playbook playbook.yaml -e @vars.yaml -e @private-vars.yaml
But it fails, saying ipaserver_test has no domain attribute.
What's wrong with my way of doing things? I would really love to NOT have hardcoded password nor information in the playbook and keep them in a var file - but I suspect this isn't possible due to the way the roles are done... ?
Any hint?
Cheers,
C.
Hi
I am running the playbook under AWX and this error occurs when I try to check the playbook with install-server.yml. This is the error:
TASK [ipaserver : Set python interpreter to 3] *********************************
task path: /var/lib/awx/projects/ansible-freeipa/roles/ipaserver/tasks/python_2_3_test.yml:8
fatal: [ipaserver.lab.com]: FAILED! => {
"msg": "The conditional check 'py3test.rc == 0' failed. The error was: error while evaluating conditional (py3test.rc == 0): 'dict object' has no attribute 'rc'\n\nThe error appears to have been in '/var/lib/awx/projects/ansible-freeipa/roles/ipaserver/tasks/python_2_3_test.yml': line 8, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Set python interpreter to 3\n ^ here\n"
}
In at least the krb5 and the sssd roles you find _packages variables in both files:
This should be unified into vars/ only.
A number of the examples given in the documentation use a group named ipaserver (singular), whereas some of the tasks expect there to be a special group named ipaservers (plural) to use when setting up clients and replicas. Confusing!
IPA CA is not created by default when setting up server
Inventory used
[ipaserver]
ipaserver2.example.com
[ipaserver:vars]
ipaserver_domain=example.com
ipaserver_realm=EXAMPLE.COM
ipaadmin_password=....
ipadm_password=...
]# ipa config-show
ipa: ERROR: invalid 'CA renewal master': all masters must have CA server role enabled
We have a working one way trust with an AD installation.
When I install ipa-client via ipa-client-install, I have a system in which I can login to successfully.
When I install ipa-client via ansible install-client.yml, I have a system into which I can't login successfully.
First diff found was in /var/log/sssd/sssd_pam.log.
On the working system:
(Tue May 8 10:54:20 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue May 8 10:54:20 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [14 (Cannot make/remove an entry for the specified session)][company.com]
(Tue May 8 10:54:20 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [14]: Cannot make/remove an entry for the specified session.
(Tue May 8 10:54:20 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue May 8 10:54:20 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 32
On the not working system:
(Tue May 8 11:14:22 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue May 8 11:14:22 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [9 (Authentication service cannot retrieve authentication info)][company.com]
(Tue May 8 11:14:22 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9]: Authentication service cannot retrieve authentication info.
(Tue May 8 11:14:22 2018) [sssd[pam]] [pam_reply] (0x0020): Unknown PAM call [249].
(Tue May 8 11:14:22 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue May 8 11:14:22 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 32
(Tue May 8 11:14:23 2018) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
After following some dead ends I worked through each stanza of the -vv verbose ansible output and saw /etc/krb.conf.
When comparing the two, there are significant differences (this playbook is very comprehensive by comparison).
Most importantly, it was the two default values
krb5_dns_lookup_realm: "false"
krb5_dns_lookup_kdc: "false"
that were causing the issue. This differs from a standard installation which normally has them as true.
From what I can see, this is set in this install.yml when ipadiscovery.dnsok fails.
- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} <= 4.4"
  include_role:
    name: krb5
  vars:
    krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
    krb5_realm: "{{ ipadiscovery.realm }}"
    krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
    krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
    krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
    krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
  when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version <= 40400
Why does this happen in the ansible playbook but not a regular ipa-client-install?
It looks like ipadiscovery.dnsok is set by library/ipadiscovery.py on line 348
else:
    # Only set dnsok to True if we were not passed in one or more servers
    # and if DNS discovery actually worked.
    if not opt_servers:
        (server, domain) = ds.check_domain(
            ds.domain, set(), "Validating DNS Discovery")
        if server and domain:
            module.debug("DNS validated, enabling discovery")
            dnsok = True
Why does this not work for ansible but it does for ipa-client-install?
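To make the discovery-to-krb5 chain in this report concrete, here is an added example (not code from ansible-freeipa) that mirrors the dnsok logic quoted from ipadiscovery.py and the krb5 vars quoted from install.yml, renders the resulting krb5.conf fragment, and checks whether libkrb5 could still locate a KDC. check_domain() is a constructed offline stand-in for ds.check_domain(), and the krb5.conf layout is assumed rather than taken from the role's template.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for ds.check_domain(): the (server, domain) pair that
# SRV discovery would return for a domain, or (None, None) when lookup fails.
FAKE_SRV: Dict[str, Tuple[Optional[str], Optional[str]]] = {
    "example.com": ("ipa01.example.com", "example.com"),
}


def check_domain(domain: str) -> Tuple[Optional[str], Optional[str]]:
    """Hypothetical replacement for ds.check_domain(); no network access."""
    return FAKE_SRV.get(domain, (None, None))


def discover(domain: str, opt_servers: List[str]) -> dict:
    """Mirror of the ipadiscovery.py snippet: dnsok becomes True only when no
    servers were passed in AND DNS discovery validated the domain."""
    dnsok = False
    servers = list(opt_servers)
    if not opt_servers:
        server, found = check_domain(domain)
        if server and found:
            dnsok = True  # "DNS validated, enabling discovery"
            servers = [server]
    return {"domain": domain, "realm": domain.upper(),
            "servers": servers, "dnsok": dnsok}


def krb5_vars(disc: dict, client_domain: str) -> dict:
    """The same expressions as the include_role vars in install.yml."""
    return {
        "krb5_servers": [] if disc["dnsok"] else disc["servers"],
        "krb5_realm": disc["realm"],
        "krb5_dns_lookup_realm": "true" if disc["dnsok"] else "false",
        "krb5_dns_lookup_kdc": "true" if disc["dnsok"] else "false",
        "krb5_no_default_domain":
            "true" if disc["domain"] != client_domain else "false",
    }


def render_krb5_conf(v: dict) -> str:
    """Simplified krb5.conf fragment (assumed layout, not the role's template)."""
    lines = [
        "[libdefaults]",
        f"  default_realm = {v['krb5_realm']}",
        f"  dns_lookup_realm = {v['krb5_dns_lookup_realm']}",
        f"  dns_lookup_kdc = {v['krb5_dns_lookup_kdc']}",
        "",
        "[realms]",
        f"  {v['krb5_realm']} = {{",
    ]
    # Explicit kdc entries are only written when discovery was not trusted.
    for host in v["krb5_servers"]:
        lines.append(f"    kdc = {host}:88")
        lines.append(f"    admin_server = {host}:749")
    lines.append("  }")
    return "\n".join(lines)


def kdc_locatable(v: dict) -> bool:
    """libkrb5 can find a KDC only via SRV lookup or an explicit kdc list;
    a config with neither is the unusable state this report describes."""
    return v["krb5_dns_lookup_kdc"] == "true" or bool(v["krb5_servers"])


if __name__ == "__main__":
    for label, servers in (("DNS discovery", []),
                           ("explicit servers", ["ipa01.example.com"])):
        disc = discover("example.com", servers)
        v = krb5_vars(disc, "example.com")
        print(f"--- {label}: dnsok={disc['dnsok']} "
              f"kdc_locatable={kdc_locatable(v)}")
        print(render_krb5_conf(v))
```

Running the model with explicit servers shows the path the report describes: dnsok stays false, so dns_lookup_realm and dns_lookup_kdc are rendered as false and only the listed kdc entries remain.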
With the same settings, the command line and the Ansible installers need to produce the same results. Compatibility is essential, not only in mixed installation environments.
Automated tests are needed that will be run with every new freeipa and also ansible-freeipa milestone and version, ideally also on a regular basis. Runs after each commit for freeipa and ansible-freeipa might not be possible though.
When ipareplica_setup_dns is set to yes, the ipareplica role fails with the following:
Failed to connect to the host via ssh: Traceback (most recent call last):
File "<stdin>", line 113, in <module>
File "<stdin>", line 105, in _ansiballz_main
File "<stdin>", line 48, in invoke_module
File "/tmp/ansible_ipareplica_setup_dns_payload_QNZPhQ/__main__.py", line 150, in <module>
File "/tmp/ansible_ipareplica_setup_dns_payload_QNZPhQ/__main__.py", line 140, in main
File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 341, in install
bind.create_instance()
File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 724, in create_instance
self.start_creation()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 964, in __setup_server_configuration
idnsforwarders=[unicode(f) for f in self.forwarders],
TypeError: 'NoneType' object is not iterable
This happens when ipareplica_forwarders, as well as ipaservers_forwarders is set correctly.
The ipareplica role fails with the following message when ipareplica_setup_kra is set to yes:
The full traceback is:
Traceback (most recent call last):
File "<stdin>", line 113, in <module>
File "<stdin>", line 105, in _ansiballz_main
File "<stdin>", line 48, in invoke_module
File "/tmp/ansible_ipareplica_setup_kra_payload_WR8ZEw/__main__.py", line 235, in <module>
File "/tmp/ansible_ipareplica_setup_kra_payload_WR8ZEw/__main__.py", line 228, in main
File "/usr/lib/python2.7/site-packages/ipaserver/install/kra.py", line 97, in install
replica_config.dirman_password)
File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 325, in get_kra_keys
self._get_keys(cacerts_file, cacerts_pwd, data)
File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 280, in _get_keys
value = cli.fetch_key(os.path.join(prefix, nickname), False)
File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 105, in fetch_key
r.raise_for_status()
File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: Not Found
Fedora Server 28, latest commit plus my patches (silanea@1482f8d).
While debugging #39 I tried running install-server.yml with
ipaserver_setup_adtrust: no
and hit this:
TASK [ipaclient : Install - IPA API calls for remaining enrollment parts] *****************************************
fatal: [redacted]: FAILED! => {"changed": false, "msg": "Cannot get subject base from server: invalid 'CA renewal master': all masters must have CA server role enabled"}
TASK [ipaclient : Cleanup leftover ccache] ************************************************************************
changed: [redacted]
to retry, use: --limit @/etc/ansible/ipa-servers.retry
PLAY RECAP ********************************************************************************************************
redacted : ok=30 changed=16 unreachable=0 failed=1
ipaserver_setup_ca: yes
is set explicitly, though it should be the default anyway.
ipa-replica-install command defaults to not setting up KRA or DNS, however after the replica is setup you can run "ipa-kra-install" or "ipa-dns-install" to add those roles/functionality.
ansible-freeipa should support the same ability
Currently if ipareplica is run, then ipareplica_setup_dns and ipareplica_setup_kra are changed to yes, and ansible is rerun, ipareplica role will fail with the following message "IPA server is already configured on this system.\nIf you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall"
Expected results would be KRA and DNS roles are added to existing configured replica.
I am getting this error while attempting to install freeipa-server onto a centos7 VM.
fatal: [ipa01.ipa.home.lab]: FAILED! => {
"changed": false,
"module_stderr": "Shared connection to ipa01.ipa.home.lab closed.\r\n",
"module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_sOWkeO/ansible_module_ipaserver_setup_ds.py\", line 175, in <module>\r\n main()\r\n File \"/tmp/ansible_sOWkeO/ansible_module_ipaserver_setup_ds.py\", line 129, in main\r\n tasks.create_tmpfiles_dirs(IPAAPI_USER)\r\nTypeError: create_tmpfiles_dirs() takes exactly 1 argument (2 given)\r\n",
"msg": "MODULE FAILURE",
"rc": 0
}
I am very confused as to why this is happening. I looked at the line given and it appears that the function is only being given 1 argument.
Here is the output of ansible --version
ansible 2.4.2.0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/seep1959/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.14 (default, Jan 17 2018, 14:28:32) [GCC 7.2.1 20170915 (Red Hat 7.2.1-2)]
Centos7 VM uname output
Linux ipa01.ipa.home.lab 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Getting this error while running the freeipa client playbook on Ubuntu.
{"changed": false, "item": "krb5-workstation", "msg": "No package matching 'krb5-workstation' is available"}
Attempting to install cluster. Get error:
ERROR! 'max_concurrent' is not a valid attribute for a Task
The error appears to have been in './ansible-freeipa/roles/ipareplica/tasks/install.yml': line 406, column 5, but may
be elsewhere in the file depending on the exact syntax problem.
Commenting out max_concurrent (line 429) resolves the problem. I'm running ansible 2.7.1. I also only have 1 replica!
I'm trying to install a freeipa replica using the replica playbook and I am getting the error "freeipa version '4.5.4' is too old". This is a fresh centos-7 image; the replica readme lists 4.5+ as supported.
The full traceback is:
Traceback (most recent call last):
File "/tmp/ansible_zn5TjK/ansible_module_ipareplica_test.py", line 53, in <module>
from ansible.module_utils.ansible_ipa_replica import *
File "/tmp/ansible_zn5TjK/ansible_modlib.zip/ansible/module_utils/ansible_ipa_replica.py", line 119, in <module>
Exception: freeipa version '4.5.4' is too old
fatal: [ipa03.dev.domain.tld]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible_zn5TjK/ansible_module_ipareplica_test.py\", line 53, in <module>\n from ansible.module_utils.ansible_ipa_replica import *\n File \"/tmp/ansible_zn5TjK/ansible_modlib.zip/ansible/module_utils/ansible_ipa_replica.py\", line 119, in <module>\nException: freeipa version '4.5.4' is too old\n",
"module_stdout": "",
"msg": "MODULE FAILURE",
"rc": 1
}
I got this error every time I run the ipaserver installation on vagrant!
ERROR! Unexpected Exception, this is probably a bug: No module named gssapi
There is no setup.py that would help with installation, nor is there documentation on how to install this.
I get this error while running install-server.yml playbook
"module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_k_kngm/ansible_module_ipaserver_setup_ca.py\", line 236, in <module>\r\n main()\r\n File \"/tmp/ansible_k_kngm/ansible_module_ipaserver_setup_ca.py\", line 192, in main\r\n custodia = custodiainstance.get_custodia_instance(\r\nAttributeError: 'module' object has no attribute 'get_custodia_instance'\r\n", "msg": "MODULE FAILURE", "rc": 1}
Am I missing a module?
Hi there, I came across this minor issue:
there are a few instances where the call to ansible_module.fail_json(...) has a string as argument but without the needed msg=.
I have a PR for the fix coming along soon anyways.
It's my way of saying thank you... also... along the same lines, I'd like to help more, perhaps with the external_ca workflow... if that's appreciated please let me know!
Best
A number of include tasks use the static: yes option. This causes the following warning in Ansible 2.6:
[DEPRECATION WARNING]: The use of 'static' has been deprecated. Use
'import_tasks' for static inclusion, or 'include_tasks' for dynamic inclusion.
This feature will be removed in a future release. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
Ansible 2.3, the last version before import_tasks was added, is now end of life, so it seems reasonable to move over to the new way of doing things.
Calls to api.Backend.rpcclient.forward include INFO logging in stdout, causing the ipaclient_api module to fail.
This happens with IPA 4.6.4-10.el7
See "module_stdout" below:
fatal: [infra2.example.com]: FAILED! => {
"changed": false,
"module_stderr": "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 104: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 13733
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 2
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 0
Shared connection to infra2.example.com closed.
",
"module_stdout": "trying https://infra1.example.com/ipa/json
[try 1]: Forwarding 'ping' to json server 'https://infra1.example.com/ipa/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://infra1.example.com/ipa/json'
[try 1]: Forwarding 'config_show/1' to json server 'https://infra1.example.com/ipa/json'
{\"ca_enabled\": true, \"invocation\": {\"module_args\": {\"debug\": false, \"hostname\": \"infra2.example.com\", \"realm\": \"EXAMPLE.COM\", \"servers\": [\"infra1.example.com\"]}}, \"changed\": true, \"subject_base\": \"O=EXAMPLE.COM\"}
",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 0
}
Hi Everyone,
I'd like to use ansible to connect to my freeipa container to configure it.
There's guidelines in place for such roles, they're called "container-enabled roles".
Would you consider making (some) roles here in this repo container-enabled?
Cheers,
Chris