freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

OTP client enrollment fails with freeipa-container #1126

Closed adalsa91 closed 10 months ago

adalsa91 commented 1 year ago

I am trying to enroll a client to a freeipa-container server using the ipaclient role and I got an error (No module named 'ipalib') in the task Install - Get One-Time Password for client enrollment. I suppose the problem is related to using freeipa-container and that ipalib is probably installed on the host alongside the freeipa package in regular installations. As exposing the freeipa-container ssh doesn't seem like the best approach, is there any other way to make it work? I read something about the ipa_context variable but I am not sure if it is used in the ipaclient role as I haven't found any reference.

Inventory file:

[ipaserver]
freeipa-master.foo.com ansible_user=admin

[ipaserver:vars]
ipaadmin_password=supersecretpassword
ipadm_password=supersecretpassword
ipaserver_domain=foo.com
ipaserver_realm=foo.com

[ipareplicas]
freeipa-replica.foo.com ansible_user=admin

[ipareplicas:vars]
ipaadmin_password=supersecretpassword
ipadm_password=supersecretpassword
ipaserver_domain=foo.com
ipaserver_realm=FOO.COM

[ipaclients]
freeipa-client.foo.com ansible_user=admin

[ipaclients:vars]
ipaclient_use_otp=yes
ipaclient_no_dns_lookup=yes
ipaclient_configure_dns_resolver=yes
ipaclient_dns_servers=192.168.1.1 #freeipa master IP
ipaclient_cleanup_dns_resolver=yes
ipaclient_domain=foo.com
ipaadmin_password=supersecretpassword

The command I used:

ansible-playbook -vvv -i hosts ansible-freeipa/playbooks/install-client.yml

The error I got:

TASK [ipaclient : Install - Get One-Time Password for client enrollment]
fatal: [freeipa-client.foo.com -> freeipa-master.foo.com]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "hostname": "freeipa-client.foo.com",
            "ipaadmin_keytab": null,
            "ipaadmin_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "ipaadmin_principal": "admin"
        }
    },
    "msg": "No module named 'ipalib'"
}

rjeffman commented 1 year ago

Which OS version is running on the target node ? Which ansible-freeipa version are you using? Did you check /var/log/ipaclient-install.log for errors?

adalsa91 commented 1 year ago

The host is running Ubuntu 22.04.2 LTS but as I'm using freeipa-container the real OS version where Freeipa is running is Fedora release 37. I checked /var/log/ipaclient-install.log but found nothing interesting.

I think the problem here is that the task Install - Get One-Time Password for client enrollment is trying to obtain the OTP by executing ipaclient_get_otp.py on the FreeIPA server, which assumes that it's running on a host, but that is not the case with freeipa-container.

To work around this I tried installing ipalib and ipaserver, using pip, on the host server (Ubuntu) and the error changed to:

TASK [ipaclient : Install - Get One-Time Password for client enrollment] *******************************************************************************************************************
fatal: [freeipa-client.foo.com -> freeipa-master.foo.com]: FFAILED! => {"changed": false, "msg": "cannot import name 'kinit_password' from 'ipapython.ipautil' (/usr/local/lib/python3.10/dist-packages/ipapython/ipautil.py)"}

Maybe I have not installed the correct modules?

rjeffman commented 1 year ago

@adalsa91 I need to know which is the target OS for the target node you are trying to deploy the client to.

I see "/usr/local/lib/python3.10/dist-packages/ipapython/ipautil.py" which is not a path we usually see when deploying IPA.

On RHEL we only support platform python which would be something like /usr/lib/pythonX.Y on any RedHat-derived host. The /usr/local path prefix is not something we often see, and I wonder if you either have a broken package or a broken environment.

I don't think ipaclient_get_otp assumes it's running on a host. If it's on a container it should be isolated enough to work.

rjeffman commented 1 year ago

Are you trying to enroll the container host in the IPA server running on the container guest?

adalsa91 commented 1 year ago

Sorry, I misunderstood you. I'm using ansible-freeipa v1.11.0, the target OS is Ubuntu 22.04.2 LTS too and it's a different host than the one that is running the freeipa-server container. I enrolled identical hosts without using OTP without any problem.

I don't think ipaclient_get_otp assumes it's running on a host. If it's on a container it should be isolated enough to work.

Sure, I'm not saying that it makes any difference whether ipaclient_get_otp is executed on a host or in a container. The problem is that the freeipa-server container is not exposing its ssh service, because this is not a common practice in containers, and therefore when ansible tries to execute the ipaclient_get_otp task it's accessing the host machine, not the freeipa-server container guest, as both share the same FQDN. I know that one possible solution is to expose the container ssh service and point the ansible inventory to this port, but I wonder if there is any way to do these OTP tasks using something like ipa_context as with other tasks. If I am not mistaken that was the purpose of this option:

https://github.com/freeipa/ansible-freeipa/pull/631 https://github.com/freeipa/ansible-freeipa/issues/602
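The workaround mentioned above (publish the container's sshd and point the inventory entry for the server at that port) can be expressed entirely in the inventory, so the ipaclient role's delegated OTP task lands inside the container where ipalib is installed rather than on the Ubuntu host that shares its FQDN. The following YAML inventory is an added example for this thread, not a file from the issue or from the ansible-freeipa project; the host port 2222 and the address 192.168.1.1 are assumptions, and the password value is a placeholder to be replaced by an ansible-vault encrypted variable.

```yaml
# Added example inventory (not from the issue or the ansible-freeipa project).
# Assumptions: the freeipa-server container publishes its sshd on host port 2222,
# the container host has the IP 192.168.1.1, and the FreeIPA FQDN stays
# freeipa-master.foo.com so the role's delegation keeps the server's own name.
all:
  children:
    ipaserver:
      hosts:
        freeipa-master.foo.com:
          ansible_host: 192.168.1.1   # the host that runs the container
          ansible_port: 2222          # sshd of the container guest, NOT the host's sshd (22)
          ansible_user: admin
      vars:
        ipaserver_domain: foo.com
        ipaserver_realm: FOO.COM
        # Keep admin secrets out of plain inventory: reference a vaulted variable.
        ipaadmin_password: "{{ vault_ipaadmin_password }}"
    ipaclients:
      hosts:
        freeipa-client.foo.com:
          ansible_user: admin
      vars:
        ipaclient_use_otp: yes
        ipaclient_no_dns_lookup: yes
        ipaclient_configure_dns_resolver: yes
        ipaclient_dns_servers: 192.168.1.1   # assumed address of the container host
        ipaclient_cleanup_dns_resolver: yes
        ipaclient_domain: foo.com
        ipaadmin_password: "{{ vault_ipaadmin_password }}"
```

With this inventory the same command from the report (ansible-playbook -i hosts ansible-freeipa/playbooks/install-client.yml, plus --ask-vault-pass or a vault password file for vault_ipaadmin_password) runs unchanged: the role's delegate_to for the OTP task resolves to the freeipa-master.foo.com entry, whose ansible_port now reaches the container's sshd. Exposing that port widens the container's attack surface, so it should be bound to a management network or restricted by the host firewall to the Ansible controller, and the published port can be removed again once enrollment no longer needs OTP generation.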

t-woerner commented 1 year ago

ipaclient_get_otp is using the API from ipalib to be able to connect to the server. The use of ipaclient_get_otp without installed ipa packages is not possible.

adalsa91 commented 10 months ago

Sorry, I forgot this issue. Yes, I assume ipa packages are needed on the target machine. I only wanted to use a host other than the freeipa server to perform this action, as you can do with ipaapi_context in other modules. But digging in the code of ipaclient_get_otp it seems that the context is hardcoded to server. Anyway, in the end I ended up using another method, so we can close this issue. Maybe in the future it can be implemented as an improvement. Thank you all for helping me!

rjeffman commented 10 months ago

@adalsa91 the internal modules in the roles are not to be used except within the roles, so ipaclient_* modules cannot be used like the other modules.

rjeffman commented 10 months ago

And for the other modules, the target host must be an IPA server or client host.