ansible-freeipa
Unsupported parameters for (freeipa.ansible_freeipa.ipaclient_get_otp) module: keytab
When I try to run the "Install - Get One-Time Password for client enrollment" task for an ipaclient enrollment, I get the following error:
msg: 'Unsupported parameters for (freeipa.ansible_freeipa.ipaclient_get_otp) module: keytab Supported parameters include: ccache, certificates, fqdn, ipaddress, principal, random, sshpubkey, state'
I invoked the task with:
invocation:
  module_args:
    fqdn: ipaclient-host.example.com
    keytab: /etc/krb5.keytab
    principal: admin
    random: true
    state: present
And looking at the module, it appears that this parameter is indeed not a part of it. Is this as designed? Should I avoid using a keytab when enrolling hosts?
Running ansible version 2.9.11 and the ansible-freeipa galaxy collection.
The controller is running macOS Catalina and the target client host is running the latest CentOS 7. My IPA cluster is up and running fine, installed through the same collection, and I can generate a keytab using the admin principal.
The controller's (my Mac's) virtualenv:
Update: similar error when I try to get an OTP using ipaadmin_password instead of ipaadmin_keytab.
Yes, the combination of ipaadmin_keytab and ipaclient_get_otp is not supported by the module.
I do not understand why you have issues with ipaadmin_password though. Have you been trying to use the module outside of the ipaclient role? Have you modified the ipaclient role?
PR https://github.com/freeipa/ansible-freeipa/pull/987 is changing the code for OTP. The action plugin is removed and the OTP is generated on the first entry in the server list returned by ipaclient_test.
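A playbook that stays within what the reply above describes as supported: OTP enrollment through the ipaclient role with ipaadmin_password, plus a guard that stops the play early if ipaadmin_keytab is also set. This is an added example, not code from the issue or from the ansible-freeipa project; the inventory group `ipaclients` and the vault variable `vault_ipaadmin_password` are assumptions.

```yaml
# Added example, not from the ansible-freeipa project.
# Assumptions: inventory group "ipaclients" and the Ansible Vault variable
# "vault_ipaadmin_password" exist in your environment.
- name: Enroll IPA clients with a one-time password
  hosts: ipaclients
  become: true
  vars:
    ipaadmin_principal: admin
    # Keep the admin password in a vault-encrypted vars file, never inline.
    ipaadmin_password: "{{ vault_ipaadmin_password }}"
    ipaclient_use_otp: true

  pre_tasks:
    # Per the maintainer reply, ipaadmin_keytab together with
    # ipaclient_get_otp is not supported, so fail before the role runs
    # instead of hitting "Unsupported parameters ... keytab" mid-enrollment.
    - name: Refuse the keytab + OTP combination
      assert:
        that:
          - ipaadmin_keytab is not defined
          - ipaadmin_password is defined
        fail_msg: >-
          OTP enrollment needs ipaadmin_password; ipaadmin_keytab is not
          supported together with ipaclient_get_otp.
        quiet: true

  roles:
    - role: freeipa.ansible_freeipa.ipaclient
      state: present
```

The guard only checks whether the variables are defined and never prints their values, so the admin password does not end up in task output.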