ansible-freeipa

Restart sssd on change

Status: Open. jon4hz opened this issue 2 years ago • 6 comments

Hi! I'm using the freeipa client role to enroll clients, mainly on Ubuntu 20.04 machines, and most parts work flawlessly. But somehow the sssd configuration only becomes active when I restart the service manually. No configuration changes are necessary, just a systemctl restart sssd. This is a bit annoying and could be avoided in my opinion. Would it be possible to add a handler to the task that configures sssd, so the service gets automatically restarted on a change?

jon4hz, Jun 12 '22 18:06

sssd should be restarted in ipaclient_setup_nss. Is there an error in /var/log/ipaclient-install.log?

t-woerner, Jun 13 '22 07:06

Thanks a lot for the reply. Unfortunately I can't find any error in the install log.

$ cat /var/log/ipaclient-install.log

2022-05-25T22:03:07Z INFO This program will set up FreeIPA client.
2022-05-25T22:03:07Z INFO Version 4.8.6
2022-05-25T22:03:07Z INFO 
2022-05-25T22:03:07Z DEBUG Starting external process
2022-05-25T22:03:07Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-25T22:03:07Z DEBUG Process execution failed
2022-05-25T22:03:07Z INFO WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
2022-05-25T22:03:07Z INFO 
2022-05-25T22:03:07Z DEBUG Deleting invalid keytab: '/etc/krb5.keytab'.
2022-05-25T22:03:07Z DEBUG [IPA Discovery]
2022-05-25T22:03:07Z DEBUG Starting IPA discovery with domain=mydomain.intra, servers=None, hostname=newserver.mydomain.intra
2022-05-25T22:03:07Z DEBUG Search for LDAP SRV record in mydomain.intra
2022-05-25T22:03:07Z DEBUG Search DNS for SRV record of _ldap._tcp.mydomain.intra
2022-05-25T22:03:07Z DEBUG DNS record found: 0 100 389 ipa.mydomain.intra.
2022-05-25T22:03:07Z DEBUG [Kerberos realm search]
2022-05-25T22:03:07Z DEBUG Kerberos realm forced
2022-05-25T22:03:07Z DEBUG Search DNS for SRV record of _kerberos._udp.mydomain.intra
2022-05-25T22:03:07Z DEBUG DNS record found: 0 100 88 ipa.mydomain.intra.
2022-05-25T22:03:07Z DEBUG [LDAP server check]
2022-05-25T22:03:07Z DEBUG Verifying that ipa.mydomain.intra (realm MYDOMAIN.INTRA) is an IPA server
2022-05-25T22:03:07Z DEBUG Init LDAP connection to: ldap://ipa.mydomain.intra:389
2022-05-25T22:03:07Z DEBUG Search LDAP server for IPA base DN
2022-05-25T22:03:07Z DEBUG Check if naming context 'dc=mydomain,dc=intra' is for IPA
2022-05-25T22:03:07Z DEBUG Naming context 'dc=mydomain,dc=intra' is a valid IPA context
2022-05-25T22:03:07Z DEBUG Search for (objectClass=krbRealmContainer) in dc=mydomain,dc=intra (sub)
2022-05-25T22:03:07Z DEBUG Found: cn=MYDOMAIN.INTRA,cn=kerberos,dc=mydomain,dc=intra
2022-05-25T22:03:07Z DEBUG Discovery result: Success; server=ipa.mydomain.intra, domain=mydomain.intra, kdc=ipa.mydomain.intra, basedn=dc=mydomain,dc=intra
2022-05-25T22:03:07Z DEBUG Validated servers: ipa.mydomain.intra
2022-05-25T22:03:07Z DEBUG will use discovered domain: mydomain.intra
2022-05-25T22:03:07Z DEBUG Start searching for LDAP SRV record in "mydomain.intra" (Validating DNS Discovery) and its sub-domains
2022-05-25T22:03:07Z DEBUG Search DNS for SRV record of _ldap._tcp.mydomain.intra
2022-05-25T22:03:07Z DEBUG DNS record found: 0 100 389 ipa.mydomain.intra.
2022-05-25T22:03:07Z DEBUG DNS validated, enabling discovery
2022-05-25T22:03:07Z DEBUG will use discovered server: ipa.mydomain.intra
2022-05-25T22:03:07Z INFO Discovery was successful!

The sssd service doesn't show any error at that time either. I can only see a few connection errors in journalctl from when I had a DNS outage the other day, but that doesn't correlate. :)

$ journalctl -u sssd --since "2022-05-25 21:00:00" --until "2022-05-25 23:00:00"

May 25 21:46:55 newserver systemd[1]: Condition check resulted in System Security Services Daemon being skipped.
May 25 21:46:57 newserver systemd[1]: Condition check resulted in System Security Services Daemon being skipped.
-- Reboot --
May 25 22:00:55 newserver systemd[1]: Condition check resulted in System Security Services Daemon being skipped.
May 25 22:03:47 newserver.mydomain.intra systemd[1]: Starting System Security Services Daemon...
May 25 22:03:47 newserver.mydomain.intra sssd[9952]: Starting up
May 25 22:03:47 newserver.mydomain.intra sssd_ssh[9956]: Starting up
May 25 22:03:47 newserver.mydomain.intra sssd_pac[9958]: Starting up
May 25 22:03:47 newserver.mydomain.intra sssd_be[9953]: GSSAPI client step 1
May 25 22:03:47 newserver.mydomain.intra sssd_be[9953]: GSSAPI client step 1
May 25 22:03:47 newserver.mydomain.intra systemd[1]: Started System Security Services Daemon.

According to the logs everything should work correctly imo, but every time I'm enrolling a new server I have to do a manual login and execute a systemctl restart sssd and (just to be sure) a sss_cache -E in order to be able to use sudo with an LDAP account.

jon4hz, Jun 13 '22 12:06

What do you have in the ansible log for the "Install - Create IPA NSS database" task? It might be needed to enable verbose mode to get more information. Which ansible-freeipa version are you using?

t-woerner, Jun 13 '22 12:06

Unfortunately I can't find anything besides "changed" in the ansible log, so I'll have to test an installation with verbose mode enabled as you suggested. However, I just saw that I'm using an outdated version (v1.6.2). Thanks for this hint, I somehow missed the last two updates completely. I'll update the collection and see if this fixes things.

jon4hz, Jun 13 '22 13:06

Using ansible-freeipa v1.6.2 unfortunately didn't help. These are the logs from the "Install - Create IPA NSS database" task.

2022-06-14 22:11:23,181 p=739856 u=jonah n=ansible | TASK [freeipa.ansible_freeipa.ipaclient : Install - Create IPA NSS database] **************************************************************************************************************************************************************************************************
2022-06-14 22:11:23,206 p=742853 u=jonah n=ansible | <192.168.1.10> ESTABLISH SSH CONNECTION FOR USER: ansibleuser
2022-06-14 22:11:23,207 p=742853 u=jonah n=ansible | <192.168.1.10> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/home/jonah/.ssh/ansibleuser"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=10 -o 'ControlPath="/home/jonah/.ansible/cp/e0e51af42c"' 192.168.1.10 '/bin/sh -c '"'"'echo ~ansibleuser && sleep 0'"'"''
2022-06-14 22:11:23,267 p=742853 u=jonah n=ansible | <192.168.1.10> (0, b'/home/ansibleuser\n', b"OpenSSH_9.0p1, OpenSSL 1.1.1o  3 May 2022\r\ndebug1: Reading configuration data /home/jonah/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug2: resolve_canonicalize: hostname 192.168.1.10 is address\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/jonah/.ssh/known_hosts'\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/jonah/.ssh/known_hosts2'\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 740703\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n")
2022-06-14 22:11:23,268 p=742853 u=jonah n=ansible | <192.168.1.10> ESTABLISH SSH CONNECTION FOR USER: ansibleuser
2022-06-14 22:11:23,268 p=742853 u=jonah n=ansible | <192.168.1.10> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/home/jonah/.ssh/ansibleuser"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=10 -o 'ControlPath="/home/jonah/.ansible/cp/e0e51af42c"' 192.168.1.10 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/ansibleuser/.ansible/tmp `"&& mkdir "` echo /home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145 `" && echo ansible-tmp-1655237483.2679412-742853-95481071525145="` echo /home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145 `" ) && sleep 0'"'"''
2022-06-14 22:11:23,336 p=742853 u=jonah n=ansible | <192.168.1.10> (0, b'ansible-tmp-1655237483.2679412-742853-95481071525145=/home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145\n', b"OpenSSH_9.0p1, OpenSSL 1.1.1o  3 May 2022\r\ndebug1: Reading configuration data /home/jonah/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug2: resolve_canonicalize: hostname 192.168.1.10 is address\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/jonah/.ssh/known_hosts'\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/jonah/.ssh/known_hosts2'\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 740703\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n")
2022-06-14 22:11:23,424 p=742853 u=jonah n=ansible | Using module file /home/jonah/.ansible/collections/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaclient_setup_nss.py
2022-06-14 22:11:23,424 p=742853 u=jonah n=ansible | <192.168.1.10> PUT /home/jonah/.ansible/tmp/ansible-local-739856yen57ov0/tmppg2g8rgq TO /home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145/AnsiballZ_ipaclient_setup_nss.py
2022-06-14 22:11:23,425 p=742853 u=jonah n=ansible | <192.168.1.10> SSH: EXEC sftp -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/home/jonah/.ssh/ansibleuser"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=10 -o 'ControlPath="/home/jonah/.ansible/cp/e0e51af42c"' '[192.168.1.10]'
2022-06-14 22:11:23,909 p=742853 u=jonah n=ansible | <192.168.1.10> (0, b'sftp> put /home/jonah/.ansible/tmp/ansible-local-739856yen57ov0/tmppg2g8rgq /home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145/AnsiballZ_ipaclient_setup_nss.py\n', b'OpenSSH_9.0p1, OpenSSL 1.1.1o  3 May 2022\r\ndebug1: Reading configuration data /home/jonah/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug2: resolve_canonicalize: hostname 192.168.1.10 is address\r\ndebug3: expanded UserKnownHostsFile \'~/.ssh/known_hosts\' -> \'/home/jonah/.ssh/known_hosts\'\r\ndebug3: expanded UserKnownHostsFile \'~/.ssh/known_hosts2\' -> \'/home/jonah/.ssh/known_hosts2\'\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 740703\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug2: Remote version: 3\r\ndebug2: Server supports extension "[email protected]" revision 1\r\ndebug2: Server supports extension "[email protected]" revision 2\r\ndebug2: Server supports extension "[email protected]" revision 2\r\ndebug2: Server supports extension "[email protected]" revision 1\r\ndebug2: Server supports extension "[email protected]" revision 1\r\ndebug2: Server supports extension "[email protected]" revision 1\r\ndebug2: Sending SSH2_FXP_REALPATH "."\r\ndebug3: Sent message fd 3 T:16 I:1\r\ndebug3: SSH2_FXP_REALPATH . 
-> /home/ansibleuser\r\ndebug3: Looking up /home/jonah/.ansible/tmp/ansible-local-739856yen57ov0/tmppg2g8rgq\r\ndebug2: Sending SSH2_FXP_STAT "/home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145/AnsiballZ_ipaclient_setup_nss.py"\r\ndebug3: Sent message fd 3 T:17 I:2\r\ndebug1: stat remote: No such file or directory\r\ndebug2: do_upload: upload local "/home/jonah/.ansible/tmp/ansible-local-739856yen57ov0/tmppg2g8rgq" to remote "/home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145/AnsiballZ_ipaclient_setup_nss.py"\r\ndebug2: Sending SSH2_FXP_OPEN "/home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145/AnsiballZ_ipaclient_setup_nss.py"\r\ndebug3: Sent dest message SSH2_FXP_OPEN I:3 P:/home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145/AnsiballZ_ipaclient_setup_nss.py M:0x001a\r\ndebug3: Sent message SSH2_FXP_WRITE I:5 O:0 S:32768\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 5 32768 bytes at 0\r\ndebug3: Sent message SSH2_FXP_WRITE I:6 O:32768 S:32768\r\ndebug3: Sent message SSH2_FXP_WRITE I:7 O:65536 S:32768\r\ndebug3: Sent message SSH2_FXP_WRITE I:8 O:98304 S:32768\r\ndebug3: Sent message SSH2_FXP_WRITE I:9 O:131072 S:8917\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 6 32768 bytes at 32768\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 7 32768 bytes at 65536\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 8 32768 bytes at 98304\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 9 8917 bytes at 131072\r\ndebug3: Sent message SSH2_FXP_CLOSE I:4\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
2022-06-14 22:11:23,909 p=742853 u=jonah n=ansible | <192.168.1.10> ESTABLISH SSH CONNECTION FOR USER: ansibleuser
2022-06-14 22:11:23,910 p=742853 u=jonah n=ansible | <192.168.1.10> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/home/jonah/.ssh/ansibleuser"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=10 -o 'ControlPath="/home/jonah/.ansible/cp/e0e51af42c"' 192.168.1.10 '/bin/sh -c '"'"'chmod u+x /home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145/ /home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145/AnsiballZ_ipaclient_setup_nss.py && sleep 0'"'"''
2022-06-14 22:11:23,973 p=742853 u=jonah n=ansible | <192.168.1.10> (0, b'', b"OpenSSH_9.0p1, OpenSSL 1.1.1o  3 May 2022\r\ndebug1: Reading configuration data /home/jonah/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug2: resolve_canonicalize: hostname 192.168.1.10 is address\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/jonah/.ssh/known_hosts'\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/jonah/.ssh/known_hosts2'\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 740703\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n")
2022-06-14 22:11:23,974 p=742853 u=jonah n=ansible | <192.168.1.10> ESTABLISH SSH CONNECTION FOR USER: ansibleuser
2022-06-14 22:11:23,974 p=742853 u=jonah n=ansible | <192.168.1.10> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/home/jonah/.ssh/ansibleuser"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=10 -o 'ControlPath="/home/jonah/.ansible/cp/e0e51af42c"' -tt 192.168.1.10 '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=kwygmzsyjwzmkaeygshaagpsstfrrvxl] password:" -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-kwygmzsyjwzmkaeygshaagpsstfrrvxl ; /usr/bin/python3 /home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145/AnsiballZ_ipaclient_setup_nss.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
2022-06-14 22:11:24,126 p=742853 u=jonah n=ansible | Escalation succeeded
2022-06-14 22:11:30,698 p=742853 u=jonah n=ansible | <192.168.1.10> (0, b'\r\n/tmp/ansible_freeipa.ansible_freeipa.ipaclient_setup_nss_payload_dsbtbro3/ansible_freeipa.ansible_freeipa.ipaclient_setup_nss_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaclient_setup_nss.py:326: DeprecationWarning: inspect.getargspec() is deprecated since Python 3.0, use inspect.signature() or inspect.getfullargspec()\r\n/tmp/ansible_freeipa.ansible_freeipa.ipaclient_setup_nss_payload_dsbtbro3/ansible_freeipa.ansible_freeipa.ipaclient_setup_nss_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaclient_setup_nss.py:390: DeprecationWarning: inspect.getargspec() is deprecated since Python 3.0, use inspect.signature() or inspect.getfullargspec()\r\n\r\n{"changed": true, "ca_enabled_ra": true, "invocation": {"module_args": {"servers": ["ipa.mydomain.intra"], "domain": "mydomain.intra", "realm": "MYDOMAIN.INTRA", "basedn": "dc=mydomain,dc=intra", "hostname": "newserver.mydomain.intra", "subject_base": "O=MYDOMAIN.INTRA", "principal": "admin", "mkhomedir": true, "ca_enabled": true, "on_master": false, "dnsok": true, "enable_dns_updates": true, "all_ip_addresses": false, "request_cert": false, "preserve_sssd": false, "no_ssh": false, "no_sshd": true, "no_sudo": false, "fixed_primary": false, "permit": false, "no_krb5_offline_passwords": false, "no_dns_sshfp": false, "nosssd_files": {}, "ip_addresses": null}}}\r\n', b"OpenSSH_9.0p1, OpenSSL 1.1.1o  3 May 2022\r\ndebug1: Reading configuration data /home/jonah/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug2: resolve_canonicalize: hostname 192.168.1.10 is address\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/jonah/.ssh/known_hosts'\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/jonah/.ssh/known_hosts2'\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: 
master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 740703\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\nShared connection to 192.168.1.10 closed.\r\n")
2022-06-14 22:11:30,698 p=742853 u=jonah n=ansible | <192.168.1.10> ESTABLISH SSH CONNECTION FOR USER: ansibleuser
2022-06-14 22:11:30,699 p=742853 u=jonah n=ansible | <192.168.1.10> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/home/jonah/.ssh/ansibleuser"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=10 -o 'ControlPath="/home/jonah/.ansible/cp/e0e51af42c"' 192.168.1.10 '/bin/sh -c '"'"'rm -f -r /home/ansibleuser/.ansible/tmp/ansible-tmp-1655237483.2679412-742853-95481071525145/ > /dev/null 2>&1 && sleep 0'"'"''
2022-06-14 22:11:30,780 p=742853 u=jonah n=ansible | <192.168.1.10> (0, b'', b"OpenSSH_9.0p1, OpenSSL 1.1.1o  3 May 2022\r\ndebug1: Reading configuration data /home/jonah/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug2: resolve_canonicalize: hostname 192.168.1.10 is address\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/jonah/.ssh/known_hosts'\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/jonah/.ssh/known_hosts2'\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 740703\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n")
2022-06-14 22:11:30,782 p=739856 u=jonah n=ansible | changed: [newserver] => {
    "ca_enabled_ra": true,
    "changed": true,
    "invocation": {
        "module_args": {
            "all_ip_addresses": false,
            "basedn": "dc=mydomain,dc=intra",
            "ca_enabled": true,
            "dnsok": true,
            "domain": "mydomain.intra",
            "enable_dns_updates": true,
            "fixed_primary": false,
            "hostname": "newserver.mydomain.intra",
            "ip_addresses": null,
            "mkhomedir": true,
            "no_dns_sshfp": false,
            "no_krb5_offline_passwords": false,
            "no_ssh": false,
            "no_sshd": true,
            "no_sudo": false,
            "nosssd_files": {},
            "on_master": false,
            "permit": false,
            "preserve_sssd": false,
            "principal": "admin",
            "realm": "MYDOMAIN.INTRA",
            "request_cert": false,
            "servers": [
                "ipa.mydomain.intra"
            ],
            "subject_base": "O=MYDOMAIN.INTRA"
        }
    }
}

jon4hz, Jun 14 '22 20:06

> According to the logs everything should work correctly imo, but every time I'm enrolling a new server I have to do a manual login and execute a systemctl restart sssd and (just to be sure) a sss_cache -E in order to be able to use sudo with an LDAP account.

I didn't look much into this issue, but sudo is somewhat annoying due to caches in sssd, and clearing sssd cache is sometimes required. This is indeed annoying, but something I also had to do with manual installation of FreeIPA. I don't know why it happens, and, in my case, reproduces somewhat randomly.

You could add a few tasks to your playbook to clear sssd cache:

tasks:
  - block:
    - name: Stop SSSD
      ansible.builtin.systemd:
        name: sssd
        state: stopped
    - name: Clear SSSD cache
      ansible.builtin.command:  sss_cache -E
    - name: Start SSSD
      ansible.builtin.systemd:
        name: sssd
        state: started
    become: yes

rjeffman, Jul 09 '22 00:07
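An added example, not code from the ansible-freeipa project or from either poster, that turns the original request (restart sssd through a handler when its configuration changes) and the cache-clearing block above into one playbook. It wraps the ipaclient role, compares the checksum of /etc/sssd/sssd.conf before and after the role ran, and only on a change notifies a stop / sss_cache -E / start handler chain. The handlers are flushed before a verification task checks that an IPA user's sudo rules actually resolve on the host, which is the symptom described in this thread. The inventory group `ipaclients`, the user `jdoe`, and the usual role variables (ipaadmin_password, ipaclient_domain, and so on, supplied from inventory or vault) are assumptions for illustration.

```yaml
# Added example (not the project's own code): enroll an IPA client and make the
# resulting sssd configuration active without a manual login.
- name: Enroll IPA client and activate the new sssd configuration
  hosts: ipaclients            # assumed inventory group
  become: true
  vars:
    # Assumed: an IPA user expected to have an IPA sudo rule for this host.
    verify_user: jdoe

  tasks:
    - name: Record sssd.conf checksum before enrollment
      ansible.builtin.stat:
        path: /etc/sssd/sssd.conf
        checksum_algorithm: sha256
      register: sssd_conf_before

    # Role variables (ipaadmin_password, ipaclient_domain, ...) are assumed to
    # come from inventory/group_vars, as they would in a normal enrollment.
    - name: Enroll the host with the ansible-freeipa ipaclient role
      ansible.builtin.include_role:
        name: freeipa.ansible_freeipa.ipaclient

    - name: Record sssd.conf checksum after enrollment
      ansible.builtin.stat:
        path: /etc/sssd/sssd.conf
        checksum_algorithm: sha256
      register: sssd_conf_after

    # A deliberately "changed" no-op task is the hook that drives the handlers,
    # since the role's own tasks cannot be notified from outside the role.
    - name: Schedule an sssd restart because its configuration changed
      ansible.builtin.debug:
        msg: "sssd.conf changed, sssd will be restarted and its cache purged"
      changed_when: true
      notify: sssd config changed
      when: >
        (sssd_conf_before.stat.checksum | default(''))
        != sssd_conf_after.stat.checksum

    # Run the handlers now instead of at the end of the play, so the
    # verification below sees the restarted daemon.
    - name: Flush handlers before verification
      ansible.builtin.meta: flush_handlers

    # sudo -l -U lists the rules for another user; as root no password is
    # needed, and -n guarantees the task can never hang on a prompt.
    - name: Verify that the IPA user's sudo rules resolve on this host
      ansible.builtin.command:
        argv: ["sudo", "-n", "-l", "-U", "{{ verify_user }}"]
      register: sudo_rules
      changed_when: false
      failed_when: "'may run the following commands' not in sudo_rules.stdout"

  handlers:
    # The three handlers share one listen topic and run in the order written.
    - name: Stop sssd
      ansible.builtin.systemd:
        name: sssd
        state: stopped
      listen: sssd config changed

    - name: Purge the sssd cache
      ansible.builtin.command:
        argv: ["sss_cache", "-E"]
      listen: sssd config changed

    - name: Start sssd
      ansible.builtin.systemd:
        name: sssd
        state: started
      listen: sssd config changed
```

The checksum comparison is what makes the restart idempotent: a second run of the play against an already enrolled host leaves sssd.conf untouched, so the handlers do not fire and sssd is not bounced. If the verification task fails even after the restart, the sudo rule itself (or the host's membership in it) is the thing to check on the IPA server, not the client.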