ansible-freeipa
ipareplica 'Env' object has no attribute 'realm'
Hello, I have an issue installing replicas for IPA:
FAILED! => {"changed": false, "module_stderr": "Shared connection to xxxxxx closed.\r\n", "module_stdout": "\u001b[?1034hTraceback (most recent call last):\r\n File "/home/ansible/.ansible/tmp/ansible-tmp-1601377658.15-31083-114544541605838/AnsiballZ_ipareplica_prepare.py", line 102, in
p task.args {'_ansible_check_mode': False, '_ansible_debug': False, '_ansible_diff': False, '_ansible_keep_remote_files': False, '_ansible_module_name': u'ipareplica_prepare', '_ansible_no_log': False, '_ansible_remote_tmp': u'~/.ansible/tmp', '_ansible_selinux_special_fs': ['fuse', 'nfs', 'vboxsf', 'ramfs', '9p', 'vfat'], '_ansible_shell_executable': u'/bin/sh', '_ansible_socket': None, '_ansible_string_conversion_action': u'warn', '_ansible_syslog_facility': u'LOG_USER', '_ansible_tmpdir': u'/home/ansible/.ansible/tmp/ansible-tmp-1601377658.15-31083-114544541605838/', '_ansible_verbosity': 0, '_ansible_version': '2.9.10', u'allow_zone_overlap': False, u'auto_forwarders': False, u'auto_reverse': False, u'ca_cert_files': [], u'dirsrv_cert_files': [], u'domain': u'', u'enable_compat': False, u'force_join': False, u'forwarders': [], u'hostname': u'xxxxxxxxxxxxxx.xxxx.xx', u'http_cert_files': [], u'ip_addresses': [], u'mkhomedir': False, u'no_dns_sshfp': False, u'no_dnssec_validation': False, u'no_forwarders': False, u'no_host_dns': False, u'no_ntp': False, u'no_reverse': False, u'no_ssh': False, u'no_sshd': False, u'password': u'xxxxxxxxxxxxx', u'pkinit_cert_files': [], u'principal': u'admin', u'realm': u'xxxxxxxxxxxx', u'reverse_zones': [], u'server': u'', u'setup_adtrust': False, u'setup_ca': False, u'setup_dns': False, u'setup_kra': False, u'skip_conncheck': False, u'ssh_trust_dns': False}
I tried the following arguments; nothing helps: ipareplica_domain, ipaserver_domain, ipareplica_realm, ipaserver_realm, ipaadmin_principal.
My OS is CentOS 7.
Please try to set ipareplica_realm and ipareplica_domain.
I'm experiencing this same issue.
Error: An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: 'Env' object has no attribute 'realm'
Ansible 2.10.6, Collection 0.3.6
Playbook:
---
- name: Playbook to configure IPA replicas
  hosts: ipareplicas
  remote_user: "{{ ipa_remote_user }}"
  become: yes
  vars:
    - ipaadmin_password: "{{ ipa_admin_password }}"
  roles:
    - role: ipareplica
      state: present
Vars:
---
mgmt_domain: our.domain.com
# Base
ipaserver_hostname: ipaprd01.{{ mgmt_domain }}
ipaserver_domain: "{{ mgmt_domain }}"
ipaserver_realm: "{{ mgmt_domain | upper }}"
ipa_remote_user: admin
ipa_admin_password: !vaulted
ipadm_password: !vaulted
adjoin_password: !vaulted
# Server
ipaserver_setup_adtrust: yes
ipaserver_setup_dns: yes
ipaserver_no_hbac_allow: no
ipaserver_no_ui_redirect: no
ipaserver_forward_policy: first
# Replicas
ipareplica_setup_dns: yes
ipareplica_setup_adtrust: yes
ipareplica_forward_policy: first
ipareplica_realm: "{{ ipaserver_realm }}"
ipareplica_domain: "{{ ipaserver_domain }}"
I've seen the previously merged PRs that were supposed to have taken care of this issue by defaulting to the ipaserver_ vars, but I decided to set those vars separately anyway, just in case, and am still getting the same result.
More information: I inserted 3 debugging statements, which clearly show the vars are being set correctly. There seems to be an issue with the ipareplica_prepare module.
Code (ipareplica/tasks/install.yml):
- name: Why you broken?!?
  debug:
    msg: "ipareplica_domain is {{ ipareplica_domain }}. ipareplica_realm is {{ ipareplica_realm }}"

- name: Install - Replica installation test
  ipareplica_test:
    ### basic ###
    # dm_password: "{{ ipadm_password | default(omit) }}"
    # password: "{{ ipaadmin_password | default(omit) }}"
    ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"
    domain: "{{ ipareplica_domain | default(ipaserver_domain) |
                default(omit) }}"
    servers: "{{ ipareplica_servers | default(omit) }}"
    realm: "{{ ipareplica_realm | default(ipaserver_realm) | default(omit) }}"
    hostname: "{{ ipareplica_hostname | default(ansible_facts['fqdn']) }}"
    ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
    hidden_replica: "{{ ipareplica_hidden_replica }}"
    skip_mem_check: "{{ not ipareplica_mem_check }}"
    ### server ###
    setup_adtrust: "{{ ipareplica_setup_adtrust }}"
    setup_ca: "{{ ipareplica_setup_ca }}"
    setup_kra: "{{ ipareplica_setup_kra }}"
    setup_dns: "{{ ipareplica_setup_dns }}"
    no_pkinit: "{{ ipareplica_no_pkinit }}"
    dirsrv_config_file: "{{ ipareplica_dirsrv_config_file | default(omit) }}"
    ### ssl certificate ###
    dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"
    http_cert_files: "{{ ipareplica_http_cert_files | default([]) }}"
    pkinit_cert_files: "{{ ipareplica_pkinit_cert_files | default([]) }}"
    ### client ###
    no_ntp: "{{ ipaclient_no_ntp }}"
    ntp_servers: "{{ ipaclient_ntp_servers | default([]) }}"
    ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
    ### dns ###
    no_reverse: "{{ ipareplica_no_reverse }}"
    auto_reverse: "{{ ipareplica_auto_reverse }}"
    forwarders: "{{ ipareplica_forwarders | default([]) }}"
    no_forwarders: "{{ ipareplica_no_forwarders }}"
    auto_forwarders: "{{ ipareplica_auto_forwarders }}"
    forward_policy: "{{ ipareplica_forward_policy | default(omit) }}"
    no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
  register: result_ipareplica_test

- name: Why you broken?!?
  debug:
    var: result_ipareplica_test

- block:
  # This block is executed only when
  # not ansible_check_mode and
  # not (result_ipareplica_test.client_already_configured is defined or
  #      result_ipareplica_test.server_already_configured is defined)

  - name: Install - Setup client
    include_role:
      name: ipaclient
    vars:
      state: present
      ipaclient_domain: "{{ result_ipareplica_test.domain | default(omit) }}"
      ipaclient_realm: "{{ result_ipareplica_test.realm | default(omit) }}"
      ipaclient_servers: "{{ ipareplica_servers | default(omit) }}"
      ipaclient_hostname: "{{ result_ipareplica_test.hostname }}"
      ipaclient_no_ntp: "{{ result_ipareplica_test.ipa_python_version
                            < 40690 }}"
      ipaclient_install_packages: "{{ ipareplica_install_packages }}"
    when: not result_ipareplica_test.client_enrolled

  - name: Install - Configure firewalld
    command: >
      firewall-cmd
      --permanent
      --zone="{{ ipareplica_firewalld_zone if ipareplica_firewalld_zone is
                 defined else '' }}"
      --add-service=freeipa-ldap
      --add-service=freeipa-ldaps
      {{ "--add-service=freeipa-trust" if result_ipareplica_test.setup_adtrust
         else "" }}
      {{ "--add-service=dns" if ipareplica_setup_dns | bool else "" }}
      {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
    when: ipareplica_setup_firewalld | bool

  - name: Install - Configure firewalld runtime
    command: >
      firewall-cmd
      --zone="{{ ipareplica_firewalld_zone if ipareplica_firewalld_zone is
                 defined else '' }}"
      --add-service=freeipa-ldap
      --add-service=freeipa-ldaps
      {{ "--add-service=freeipa-trust" if result_ipareplica_test.setup_adtrust
         else "" }}
      {{ "--add-service=dns" if ipareplica_setup_dns | bool else "" }}
      {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
    when: ipareplica_setup_firewalld | bool

  - name: Why you broken?!?
    debug:
      msg: "result_ipareplica_test.realm is {{ result_ipareplica_test.realm }}.
            result_ipareplica_test.domain is {{ result_ipareplica_test.domain }}"

  - name: Install - Replica preparation
    ipareplica_prepare:
      ### basic ###
      password: "{{ ipaadmin_password | default(omit) }}"
      ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"
      domain: "{{ result_ipareplica_test.domain }}"
      realm: "{{ result_ipareplica_test.realm }}"
Resulting logs:
TASK [ipareplica : Why you broken?!?] ************************************************************************************************************************************************************************
ok: [ipaprd02.our.domain.com] => {
"msg": "ipareplica_domain is our.domain.com. ipareplica_realm is OUR.DOMAIN.COM"
}
TASK [ipareplica : Install - Replica installation test] ******************************************************************************************************************************************************
ok: [ipaprd02.our.domain.com]
TASK [ipareplica : Why you broken?!?] ************************************************************************************************************************************************************************
ok: [ipaprd02.our.domain.com] => {
    "result_ipareplica_test": {
        "change_master_for_certmonger": true,
        "changed": false,
        "client_enrolled": true,
        "domain": "our.domain.com",
        "failed": false,
        "hostname": "ipaprd02.our.domain.com",
        "ipa_python_version": 40902,
        "realm": "OUR.DOMAIN.COM",
        "server": null,
        "setup_adtrust": true,
        "setup_kra": false
    }
}
TASK [Install - Setup client] ********************************************************************************************************************************************************************************
skipping: [ipaprd02.our.domain.com]
TASK [ipareplica : Install - Configure firewalld] ************************************************************************************************************************************************************
changed: [ipaprd02.our.domain.com]
TASK [ipareplica : Install - Configure firewalld runtime] ****************************************************************************************************************************************************
changed: [ipaprd02.our.domain.com]
TASK [ipareplica : Why you broken?!?] ************************************************************************************************************************************************************************
ok: [ipaprd02.our.domain.com] => {
"msg": "result_ipareplica_test.realm is OUR.DOMAIN.COM. result_ipareplica_test.domain is our.domain.com"
}
TASK [ipareplica : Install - Replica preparation] ************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: 'Env' object has no attribute 'realm'
fatal: [ipaprd02.our.domain.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to ipaprd02.our.domain.com closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/home/admin/.ansible/tmp/ansible-tmp-1625669047.072227-29380-105255660661912/AnsiballZ_ipareplica_prepare.py\", line 102, in <module>\r\n _ansiballz_main()\r\n File \"/home/admin/.ansible/tmp/ansible-tmp-1625669047.072227-29380-105255660661912/AnsiballZ_ipareplica_prepare.py\", line 94, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/admin/.ansible/tmp/ansible-tmp-1625669047.072227-29380-105255660661912/AnsiballZ_ipareplica_prepare.py\", line 40, in invoke_module\r\n runpy.run_module(mod_name='ansible.modules.ipareplica_prepare', init_globals=None, run_name='__main__', alter_sys=True)\r\n File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\r\n return _run_module_code(code, init_globals, run_name, mod_spec)\r\n File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\r\n mod_name, mod_spec, pkg_name, script_name)\r\n File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\r\n exec(code, run_globals)\r\n File \"/tmp/ansible_ipareplica_prepare_payload_1lezcd1e/ansible_ipareplica_prepare_payload.zip/ansible/modules/ipareplica_prepare.py\", line 856, in <module>\r\n File \"/tmp/ansible_ipareplica_prepare_payload_1lezcd1e/ansible_ipareplica_prepare_payload.zip/ansible/modules/ipareplica_prepare.py\", line 393, in main\r\nAttributeError: 'Env' object has no attribute 'realm'\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
What do you have in /etc/ipa/default.conf? Was the client part already deployed before using the replica role? Was the machine clean before?
This was a freshly-created RHEL8 instance. I've only used the collection to attempt to finish this installation. There is no /etc/ipa/default.conf file. The collection/process has never made it past this point.
After ipareplica_test the client is installed before the firewall is configured and ipareplica_prepare is used. The client role is creating /etc/ipa/default.conf. The client installation part is only skipped if the client is already deployed.
I do see where that task was skipped, but the fact remains that there is no /etc/ipa/default.conf file. I do see where a previous attempt to create the replica left entries in /var/log/ipaclient-install.log.
[root@gr-ipaprd02 ~]# cat /etc/ipa/default.conf
cat: /etc/ipa/default.conf: No such file or directory
[root@gr-ipaprd02 ~]# ll /etc/ipa
total 0
drwx------. 2 root root 6 May 26 10:09 custodia
drwxr-xr-x. 2 root root 6 May 26 10:09 dnssec
drwxr-xr-x. 2 root root 53 Jun 30 11:13 html
drwxr-xr-x. 2 root root 27 Jun 30 11:13 kdcproxy
drwxr-xr-x. 2 root root 6 May 26 10:08 nssdb
Here are the final entries for the client install log:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = OUR.DOMAIN.COM
dns_lookup_realm = false
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
OUR.DOMAIN.COM = {
kdc = ipaprd01.our.domain.com:88
master_kdc = ipaprd01.our.domain.com:88
admin_server = ipaprd01.our.domain.com:749
kpasswd_server = ipaprd01.our.domain.com:464
default_domain = our.domain.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.our.domain.com = OUR.DOMAIN.COM
our.domain.com = OUR.DOMAIN.COM
ipaprd02.our.domain.com = OUR.DOMAIN.COM
2021-06-30T15:18:51Z DEBUG Writing configuration file /tmp/tmptpc8w_hf
2021-06-30T15:18:51Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = OUR.DOMAIN.COM
dns_lookup_realm = false
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
OUR.DOMAIN.COM = {
kdc = ipaprd01.our.domain.com:88
master_kdc = ipaprd01.our.domain.com:88
admin_server = ipaprd01.our.domain.com:749
kpasswd_server = ipaprd01.our.domain.com:464
default_domain = our.domain.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.our.domain.com = OUR.DOMAIN.COM
our.domain.com = OUR.DOMAIN.COM
ipaprd02.our.domain.com = OUR.DOMAIN.COM
2021-06-30T15:18:51Z DEBUG Initializing principal host/[email protected] using keytab /etc/krb5.keytab
2021-06-30T15:18:51Z DEBUG using ccache /etc/ipa/.dns_ccache
It was not a clean machine then. Please use either the replica role or, better, the client role with state: absent to get the machine into a clean state again.
Or you can try to use the client role in repair mode ipaclient_allow_repair: yes (https://github.com/freeipa/ansible-freeipa/tree/master/roles/ipaclient#special-variables). After the client is successfully deployed you can try to deploy the replica using the client deployment.
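The failure mode in this thread is a host that is neither clean nor enrolled: a previous ipa-client-install left /etc/krb5.conf and /etc/krb5.keytab behind, so the replica test reports client_enrolled: true and skips the client role, but /etc/ipa/default.conf (the file whose [global] realm and domain populate FreeIPA's api.env, hence the missing 'realm' attribute) was never written. As an added example, not code from ansible-freeipa or from anyone in this thread, the following Python preflight check classifies a host as clean, enrolled, or partially enrolled from exactly those artefacts, so the condition can be caught before the replica role runs. The paths are parameters so it can run against constructed fixtures; the fixture contents, the scenario names, and the placeholder keytab bytes are assumptions, and the "#File modified by ipa-client-install" marker is the one visible in the log above.

```python
"""Preflight check: is this host clean, enrolled, or half-enrolled as an IPA client?"""
import configparser
import tempfile
from pathlib import Path

CLEAN, ENROLLED, PARTIAL = "clean", "enrolled", "partial"
# Marker that ipa-client-install leaves in krb5.conf (seen in the thread's log).
CLIENT_MARKER = "modified by ipa-client-install"


def read_ipa_env(default_conf: Path) -> dict:
    """Return realm/domain/server from default.conf's [global] section, {} if absent."""
    if not default_conf.is_file():
        return {}
    cp = configparser.ConfigParser()
    cp.read(default_conf)
    if not cp.has_section("global"):
        return {}
    return {key: cp.get("global", key)
            for key in ("realm", "domain", "server")
            if cp.has_option("global", key)}


def classify_enrollment(default_conf: Path, keytab: Path, krb5_conf: Path) -> tuple:
    """Classify the host; PARTIAL means leftovers exist without a usable default.conf."""
    env = read_ipa_env(default_conf)
    leftovers = []
    if keytab.is_file():
        leftovers.append(str(keytab))
    if krb5_conf.is_file() and CLIENT_MARKER in krb5_conf.read_text():
        leftovers.append(str(krb5_conf))
    if env.get("realm") and env.get("domain"):
        return ENROLLED, env
    if not leftovers and not default_conf.is_file():
        return CLEAN, {}
    # Keytab or krb5.conf from an earlier run, but no realm/domain to feed api.env:
    # this is the state that makes the replica role skip the client install and fail.
    return PARTIAL, {"leftovers": leftovers, "default_conf": env}


def build_fixture(root: Path, scenario: str) -> tuple:
    """Construct a fake /etc layout under `root` for one scenario (test data, not a real host)."""
    ipa_dir = root / "etc" / "ipa"
    ipa_dir.mkdir(parents=True, exist_ok=True)
    default_conf = ipa_dir / "default.conf"
    keytab = root / "etc" / "krb5.keytab"
    krb5_conf = root / "etc" / "krb5.conf"
    krb5_conf.write_text("[libdefaults]\n default_realm = EXAMPLE.TEST\n")
    if scenario == ENROLLED:
        default_conf.write_text(
            "[global]\nrealm = EXAMPLE.TEST\ndomain = example.test\n"
            "server = ipa1.example.test\n")
        keytab.write_bytes(b"\x05\x02")  # placeholder bytes, not a real keytab
    elif scenario == PARTIAL:
        # Mirrors the thread: client install wrote krb5.conf and a keytab, then died.
        krb5_conf.write_text("#File modified by ipa-client-install\n"
                             "[libdefaults]\n default_realm = EXAMPLE.TEST\n")
        keytab.write_bytes(b"\x05\x02")
    return default_conf, keytab, krb5_conf


def demo() -> dict:
    """Run the classifier over all three constructed scenarios and return the results."""
    results = {}
    for scenario in (CLEAN, ENROLLED, PARTIAL):
        with tempfile.TemporaryDirectory() as tmp:
            paths = build_fixture(Path(tmp), scenario)
            results[scenario] = classify_enrollment(*paths)
    return results


if __name__ == "__main__":
    for scenario, (state, details) in demo().items():
        print(f"{scenario:9s} -> {state:9s} {details}")
```

On a real host call classify_enrollment(Path("/etc/ipa/default.conf"), Path("/etc/krb5.keytab"), Path("/etc/krb5.conf")); a PARTIAL result is the signal to run the ipaclient role with state: absent (or with ipaclient_allow_repair: yes) before retrying the replica role, rather than letting ipareplica_prepare hit the missing api.env attributes.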
@t-woerner - just letting you know that I just ran into this issue again. Again, it was a failed client install, but this time, I captured the error:
TASK [freeipa.ansible_freeipa.ipaclient : Install - IPA client test] ***********************************************************************************************************************************************
fatal: [gr-ipaprd02.dev.ourdomain.com]: FAILED! => changed=false
  msg: 'invalid hostname: not fully qualified'
Not sure why it thinks that the name's not an FQDN...
Also, I was able to use the client role with state: absent to get rolling again.