ansible-freeipa
IPA-Client-Test FAILED! => {"changed": false, "msg": "Failed to verify that xxx xxx is an IPA Server
I am using the same inventory as I used for installing a server and replica. I want to now add clients. I added the following entries in my inventory. I confirmed that I can kinit to the ipaadmin_principal and password works.

[ipaclients:vars]
ipaclient_allow_repair=yes
ipaadmin_principal=ipa-service
ipaadmin_password=xxxxx
ipaclient_allow_repair=yes
ipaclient_domain=example.com
ipaclient_realm=EXAMPLE.COM
ipaclient_mkhomedir=yes
ipaclient_force_join=yes
ipaclient_no_dns_lookup=yes
ipaclient_ntp_servers=ipaserver1.example.com ipaserver2.example.com
ipaclient_servers=ipaserver1.example.com ipaserver2.example.com
Ansible works up until:

TASK [ipaclient : Install - IPA client test] ***************************************************************************
Monday 03 August 2020 18:51:12 +0000 (0:00:00.079) 0:00:10.269 *********
fatal: [login.silicondev.us-cert.gov]: FAILED! => {"changed": false, "msg": "Failed to verify thatipaserver1.example.com ipaserver2.example.com is an IPA Server."}
Sorry... worked through this... principal needed to be in admins group.
However now I am not getting both ipa servers in sssd.conf and ntp.conf is not getting configured and started.
ipaclient_servers=ipaserver1.example.com,ipaserver2.example.com
A comma should fix your issue. ^^^
The full traceback is:
WARNING: The below traceback may not be related to the actual failure.
  File "/tmp/ansible_freeipa.ansible_freeipa.ipaclient_test_payload_8q4egV/ansible_freeipa.ansible_freeipa.ipaclient_test_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaclient_test.py", line 643, in main
fatal: [ipaclient2.vr-dev.local]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "all_ip_addresses": false,
            "ca_cert_files": null,
            "configure_firefox": false,
            "domain": "vr-dev.local",
            "enable_dns_updates": false,
            "firefox_dir": null,
            "force_ntpd": false,
            "hostname": "ipa-client2.vr-dev.local",
            "ip_addresses": null,
            "kinit_attempts": 5,
            "nisdomain": null,
            "no_nisdomain": false,
            "no_ntp": false,
            "ntp_pool": null,
            "ntp_servers": null,
            "on_master": false,
            "realm": "VR-DEV.LOCAL",
            "servers": [
                "ipa.vr-dev.local",
                "ipa-replica.vr-dev.local"
            ]
        }
    },
    "msg": "Failed to verify that ipa.vr-dev.local, ipa-replica.vr-dev.local is an IPA Server."
}
I see this error. Can you help me? The client is Debian OS.
This is my inventory. Is that my issue? Thank you.
[ipaclients]
ipaclient1.vr-dev.local ansible_host=123.456.789.101
ipaclient2.vr-dev.local ansible_host=123.456.789.101

[ipaclients:vars]
ansible_user=root
ipaclient_keytab=/tmp/krb5.keytab
ipaclient_domain=vr-dev.local
ipaclient_realm=VR-DEV.LOCAL
ipaadmin_principal=admin
ipaadmin_password=______
ipaclient_use_otp=no
ipaclient_force_join=yes
#ipaclient_kinit_attempts=3
#ipaclient_mkhomedir=yes
ipaclient_no_dns_lookup=yes
ipaclient_install_packages=yes
ipaclient_allow_repair=yes
ipaclient_extraargs=[ '--kinit-attempts=3', '--mkhomedir']
ipaclient_principal=admin
ipaclient_password=________
ipaclient_servers=ipa.vr-dev.local,ipa-replica.vr-dev.local
I'm running into this on my test cluster. I'm able to install the IPA client manually from individual machines, but running the playbook causes every client to return "Failed to verify that x.y.z is an IPA server."
I do have the same issue
EDIT six days later:
It turned out that ansible-freeipa needs the FQDN, e.g. freeipa1.your.domain.
Using freeipa1 only in ipaclient_servers does not work.
Having a warning for this case would be useful.
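Added example, not part of the thread and not ansible-freeipa code: a pre-flight check for the two inventory mistakes reported above (a space-separated server list and a short host name in ipaclient_servers). The function names and the sample inventory are constructed for illustration; applying the same checks to ipaclient_ntp_servers is an assumption.

```python
import re

# Variables the posted inventories use for server lists. Applying the FQDN
# rule to ipaclient_ntp_servers is an assumption; the thread only confirms
# it for ipaclient_servers.
LIST_VARS = ("ipaclient_servers", "ipaclient_ntp_servers")
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_fqdn(name):
    """True if name has at least two valid DNS labels (host plus domain)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def check_inventory(text):
    """Return (variable, problem) findings for an INI inventory given as text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in LIST_VARS:
            continue
        for item in (entry.strip() for entry in value.split(",")):
            if not item:
                findings.append((key, "empty entry in list"))
            elif re.search(r"\s", item):
                findings.append((key, f"whitespace inside '{item}': separate servers with commas"))
            elif not is_fqdn(item):
                findings.append((key, f"'{item}' is not a fully qualified name"))
    return findings


# Constructed sample inventory reproducing the two mistakes from the thread.
SAMPLE = """\
[ipaclients:vars]
ipaclient_domain=example.com
ipaclient_servers=ipaserver1.example.com ipaserver2.example.com
ipaclient_ntp_servers=freeipa1,ipaserver2.example.com
"""

if __name__ == "__main__":
    for var, problem in check_inventory(SAMPLE):
        print(f"{var}: {problem}")
```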
I've got this same error, is there any solution?
In my case on RHEL 9 with Ansible Automation Platform installed, the python3-cryptography library installed from AAP repos was too recent and I needed to downgrade:
dnf downgrade python3-cryptography-36.0.1-1.el9_0
Your versions might be different, check with:
dnf --showduplicates list python3-cryptography
IPA does not support python3-cryptography versions coming outside of the main repository.
PyCA does regularly extend their classes with new APIs and does it in a way that makes old code broken. They add these extensions into an abstract base class which makes pre-existing users be broken because they don't implement these abstract methods (even when they don't use them themselves).
Yeah I figured as much. And I decided to leave my earlier comment as another avenue for people to consider their problems might be related to other software on their systems as was the case for me.
@abbra I think we should enforce the exact (major?) version of python3-cryptography for new ipa builds to prevent this.