Comments (12)
t-woerner
commented on August 15, 2024
Please try again with latest ansible-freeipa version. I just pushed a fix for adtrust setup.
from ansible-freeipa.
RobVerduijn
commented on August 15, 2024
yep, that fixes that
but now the addreplica fails, I'm still digging into that to see why
Rob
from ansible-freeipa.
t-woerner
commented on August 15, 2024
The new commit should fix the issue for replica.
from ansible-freeipa.
RobVerduijn
commented on August 15, 2024
Hello
It stil breaks at this task:
ipareplica : Install - DS enable SSL
Traceback (most recent call last):
File "/root/.ansible/tmp/ansible-tmp-1555586842.4990764-62135770002703/AnsiballZ_ipareplica_ds_enable_ssl.py", line 113, in
_ansiballz_main()
File "/root/.ansible/tmp/ansible-tmp-1555586842.4990764-62135770002703/AnsiballZ_ipareplica_ds_enable_ssl.py", line 105, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/root/.ansible/tmp/ansible-tmp-1555586842.4990764-62135770002703/AnsiballZ_ipareplica_ds_enable_ssl.py", line 48, in invoke_module
imp.load_module('main', mod, module, MOD_DESC)
File "/tmp/ansible_ipareplica_ds_enable_ssl_payload_USSGXL/main.py", line 191, in
File "/tmp/ansible_ipareplica_ds_enable_ssl_payload_USSGXL/main.py", line 184, in main
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 358, in enable_ssl
self.start_creation()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 855, in __enable_ssl
resubmit_timeout=api.env.replication_wait_timeout
File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 356, in request_and_wait_for_cert
"Certificate issuance failed ({}: {})".format(state, ca_error)
RuntimeError: Certificate issuance failed (CA_UNCONFIGURED: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/localhost@.)
from ansible-freeipa.
t-woerner
commented on August 15, 2024
Which FreeIPA version are you using? And which configuration settings are you using additionally?
from ansible-freeipa.
RobVerduijn
commented on August 15, 2024
FreeIPA, version: 4.6.4
And no additional config (yet) just running your roles inside two dedicated vm's.
i've got the following settings:
in the group vars folder:
file all.yml
ipa_domain: linux.example.poc
ipa_realm: '{{ ipa_domain | upper }}'
contents of ipaserver.yml:
ipaserver_install_packages: true
ipaserver_setup_firewalld: true
ipaserver_reverse_zones: 122.168.192.in-addr.arpa
ipaserver_auto_reverse: true
ipaserver_allow_zone_overlap: true
ipaserver_domain: "{{ ipa_domain }}"
ipaserver_realm: '{{ ipa_realm }}'
ipaserver_setup_adtrust: true
ipaserver_setup_dns: true
ipaserver_no_forwarders: true
contents of ipareplicas.yml
ipareplica_domain: "{{ ipa_domain }}"
ipareplica_realm: '{{ ipa_realm }}'
ipareplica_setup_adtrust: true
ipareplica_setup_dns: true
ipareplica_auto_reverse: true
ipareplica_no_forwarders: true
ipareplica_setup_ca: true
contents of ipaclients.yml
ipaclient_mkhomedir: true
ipaclient_use_otp: false
ipaadmin_principal: admin
ipassd_enable_dns_updates: true
ipaclient_domain: '{{ ipa_domain }}'
ipaclient_realm: '{{ ipa_realm }}'
the primary server is a member of ipaserver,ipacluster,ipaclients
the replica server is a member of ipareplicas,ipacluster,ipaclients
your ansible-freeipa roles are all symlinked to $HOME/.ansible/roles
authentication is with pubkey for the root user
I use this play:
-
name: setup ipa server
hosts: ipaserver
become: false
remote_user: rootroles:
- role: ipaserver
state: present
- role: ipaserver
-
name: setup ipa replicas
hosts: ipareplicas
become: false
remote_user: rootpre_tasks:
-
name: set dns to ipa01
nmcli:
conn_name: eth0
dns4: 192.168.122.2
state: present
type: ethernet
notify: restart NetworkManager -
meta: flush_handlers
roles:
- role: ipareplica
state: present
handlers:
- name: restart NetworkManager
systemd:
name: NetworkManager
state: restarted
-
Rob
from ansible-freeipa.
RobVerduijn
commented on August 15, 2024
duh ...ofcourse it says present with ipareplica
from ansible-freeipa.
RobVerduijn
commented on August 15, 2024
hello,
I've just tested your latest commit 4d759b6
ipareplica now works, with a workaround
-
ipareplica issue:
task: ipareplica : Install - Replica preparation
fails because the primary ipa server cannot resolve the ipareplica fqdn
which I solved by running ipaclient play before the ipareplica playbook -
ipaclient play issue 1:
the ipaclient fails on task: ipaclient : Install - IPA client test
the /etc/resolv.conf does not have the correct dns config, so it cannot find the ipaserver
ensure the dns setup points to the ipa servers
(i used the nmcli module, but it's not idempotent) -
ipaclient play issue 2:
the dns update is not run so the ipaserver still cannot resolve the ipareplica fqdn
which is easely solved by adding a handler restarting sssd
after this the ipareplica play works
cheers
Rob
from ansible-freeipa.
t-woerner
commented on August 15, 2024
hello,
I've just tested your latest commit 4d759b6
ipareplica now works, with a workaround
* ipareplica issue: task: ipareplica : Install - Replica preparation fails because the primary ipa server cannot resolve the ipareplica fqdn which I solved by running ipaclient play before the ipareplica playbook
This is exactly what ipareplica role is doing internally. The ipaclient role is run as one of the first steps after the replica test has been done (before replica preparation). Have you been using other settings for the client deploment?
* ipaclient play issue 1: the ipaclient fails on task: ipaclient : Install - IPA client test the /etc/resolv.conf does not have the correct dns config, so it cannot find the ipaserver ensure the dns setup points to the ipa servers (i used the nmcli module, but it's not idempotent)
The modification of resolv.conf is not done while deploying a client. I thought about this as an additional feature compared to the command line installer, but it would be an behaviour change if this is enabled by default.
* ipaclient play issue 2: the dns update is not run so the ipaserver still cannot resolve the ipareplica fqdn which is easely solved by adding a handler restarting sssd
Where was it needed to restart sssd?
I have made several tests using ipa-4.6.4 on CentOS-7.6. Only if there was a DNS server conflicting with the zone that the server should handle, I ran into issues with name resolving especially reverse mapping. This was happening for me with the ansible-freeipa roles and also the normal command line installers.
after this the ipareplica play works
cheers
Rob
from ansible-freeipa.
t-woerner
commented on August 15, 2024
Please do not use the adtrust ticket to report other issues. Please open an extra ticket for DNS issues.
from ansible-freeipa.
RobVerduijn
commented on August 15, 2024
Hello,
I'll have to test it again, I'll let you know when done.
Rob
from ansible-freeipa.
RobVerduijn
commented on August 15, 2024
Hello,
I've found the time to test it and it does indeed work as you describe.
Only thing that still fails is the length issue I mentioned in issue #77
Rob
from ansible-freeipa.
Related Issues (20)
- msg: cannot import name 'kinit_password' from 'ipapython.ipautil HOT 7
- ipaclient: Configure DNS resolver always reports as changed HOT 1
- batch command support HOT 2
- [Install - Setup CA] Error
- ipareplica - the variable ipareplica_auto_forwarders=yes does not work
- ipareplica: Does not pass ipareplica_ip_addresses to client
- ipaserver: FreeIPA >= 4.12.0 fails to install HOT 5
- Bug in ipauser.py module related to certmap data HOT 1
- [ipaserver] Role does not handle company-signed LDAPS and HTTPS services
- [ipasmartcard_server] Role does not include configuration of SSLOCSPEnable and SSLProtocol in ssl.conf HOT 1
- [ipasmartcard_client] Role does not include configuration of the PAM SSH agent
- [ipasmartcard_client] Role does not enable smart card auth in cockpit configuration
- Key length - how to change HOT 3
- ipapermission gives invalid changed status in check mode and fails in execute mode
- FreeIPA server in docker container unable to use ipauser module HOT 2
- [ipaclient][ipareplica] Include open port checks
- ipaclient install role hostname returned does not match external DNS. CLI install with --hostname option works fine. HOT 2
- [role/ipaclient] Bug for ipaclient_servers in roles/ipaclient/tasks/install.yml
- [role/ipasmartcard_client] Password leaking in cleartext
- install-client playbook - No module named 'ipapython' HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ansible-freeipa.