ansible-freeipa
ipauser fails with "The password is not set"
When I try running the playbook after a user is already once created (re-running), the ipauser tasks always fails with
TASK [Create users] ********************************************************************************************************************************
Friday 14 January 2022 13:37:52 +0200 (0:00:02.096) 0:00:02.139 ********
fatal: [rh-idm-01.cool.lab]: FAILED! => {"changed": false, "msg": "The password is not set"}
This is the task:
- name: Create users
  freeipa.ansible_freeipa.ipauser:
    state: present
    update_password: on_create
    users:
      - name: ikke
        first: Ilkka
        last: Tengvall
        uid: 10001
        gid: 10001
        password: "coolpw-changeme123"
        # passwordexpiration: "2025-12-31 23:59:59"
        # yamllint disable-line rule:line-length
        sshpubkey: ssh-rsa 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
Why can't I rerun it?
I also don't get what the purpose of the action variable is. What is it used for? The module documentation is missing an example for it.
This got solved. It's the case of this module failing if there is no keytab at the idm server. So my kerberos ticket for admin had expired at idm. I didn't know this module depends on it, especially while it knows the ipaadmin_password.
I think there would be two fixes:
- going around the problem, adding kinit instructions to the examples, and mentioning that it is required;
- fixing it so that the module will do kinit if it's expired. Or in any case.
This is the temporary fix I got tipped:
- name: Ensure admin keytab is valid
  shell: "echo {{ ipaadmin_password }} | kinit admin"
Naturally, option 2 would be the preferred way. Or at least to have a proper warning about Kerberos ticket expiry, whereas now I thought it's about the user password.
@ikke-t, it seems you are missing ipaadmin_password in the task (and, optionally, ipaadmin_principal, which defaults to admin). With the password in place, the module uses GSSAPI to authenticate. All examples in the README have this option set, and both variables are explained there.
By default, an existing TGT will be used, if not, authentication will be performed with the provided credentials.
No I do not. It comes from vault. See how I use it now with kinit above. And principal is the default, admin.
If there is no valid credential, then there is a kinit call internally. The test before using kinit is failing with the error "The password is not set" if the password is not set.
If you are using kinit admin on the server is it asking for a new admin password?
Using the module depends on either having valid credentials or providing ipaadmin_password for the module task.
Just to verify I need
ipauser:
  ipaadmin_password: "{{ ipaadmin_password }}"
@ikke-t either that or a valid TGT on the target host.
I'm just a bit surprised why it doesn't pick it from the host variables. I have verified with debug that it is set correctly in the playbook.
Maybe the same issue: I would like to use ipauser with my Kerberos credentials from login. When system login creates a credential cache and sets KRB5CCNAME environment variable, everything works as expected. When system login creates a default credential cache and does not set KRB5CCNAME, ipauser fails with "The password is not set". (Using ansible-freeipa-0.3.8-1.el8.noarch)
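The two authentication paths the maintainers describe above (a valid TGT on the target host, or ipaadmin_password passed to the task), plus the KRB5CCNAME point from the last comment, as one added example playbook. This is not code from ansible-freeipa or from anyone in this thread; it assumes ipaadmin_password is supplied from Ansible Vault (placeholder value here), that the krb5 client tools are installed on the host, and that the module honours a KRB5CCNAME set via the task's environment.

```yaml
# Added example (not ansible-freeipa's own code): the two authentication
# paths the maintainers describe. Assumptions: ipaadmin_password comes from
# Ansible Vault, krb5 client tools exist, KRB5CCNAME is honoured by the module.
- name: Manage IPA users with explicit credentials or an existing TGT
  hosts: ipaserver
  vars:
    ipaadmin_principal: admin
    ipaadmin_password: "CHANGE-ME-vaulted-password"   # placeholder, use Vault
    # Explicit ccache so kinit and the module look in the same place even
    # when the login session did not export KRB5CCNAME (constructed path).
    krb5_ccache: "FILE:/tmp/krb5cc_{{ ansible_facts.user_uid }}"
  tasks:
    # Option A: give the module the password; it runs kinit internally
    # when no valid ticket is found, so re-runs after expiry still work.
    - name: Create users (authenticates with ipaadmin_password)
      freeipa.ansible_freeipa.ipauser:
        ipaadmin_principal: "{{ ipaadmin_principal }}"
        ipaadmin_password: "{{ ipaadmin_password }}"
        state: present
        update_password: on_create
        users:
          - name: ikke
            first: Ilkka
            last: Tengvall
      no_log: true   # keep the vaulted password out of task output
    # Option B: rely on a TGT already present on the target host.
    # klist -s exits 0 only if the cache holds a valid, unexpired ticket.
    - name: Check for a valid TGT in the credential cache
      command: klist -s
      environment:
        KRB5CCNAME: "{{ krb5_ccache }}"
      register: tgt_check
      changed_when: false
      failed_when: false
    - name: Obtain a TGT only when none is valid (password via stdin, not argv)
      command: kinit "{{ ipaadmin_principal }}"
      args:
        stdin: "{{ ipaadmin_password }}"
      environment:
        KRB5CCNAME: "{{ krb5_ccache }}"
      when: tgt_check.rc != 0
      no_log: true
    - name: Create users (authenticates with the existing TGT, no password given)
      freeipa.ansible_freeipa.ipauser:
        state: present
        users:
          - name: ikke
            first: Ilkka
            last: Tengvall
      environment:
        KRB5CCNAME: "{{ krb5_ccache }}"
```

Passing the password on stdin rather than through `echo ... | kinit` keeps it out of the shell command line that Ansible records in its task output.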