Closed adalsa91 closed 10 months ago
Which OS version is running on the target node? Which ansible-freeipa version are you using? Did you check /var/log/ipaclient-install.log for errors?
The host is running Ubuntu 22.04.2 LTS, but as I'm using freeipa-container the real OS version where FreeIPA is running is Fedora release 37. I checked /var/log/ipaclient-install.log but found nothing interesting.
I think the problem here is that the task `Install - Get One-Time Password for client enrollment` is trying to obtain the OTP by executing `ipaclient_get_otp.py` on the FreeIPA server, which assumes that it's running on a host, but that is not the case with freeipa-container.

To work around this I tried installing `ipalib` and `ipaserver`, using pip, on the host server (Ubuntu) and the error changed to:
TASK [ipaclient : Install - Get One-Time Password for client enrollment] *******************************************************************************************************************
fatal: [freeipa-client.foo.com -> freeipa-master.foo.com]: FFAILED! => {"changed": false, "msg": "cannot import name 'kinit_password' from 'ipapython.ipautil' (/usr/local/lib/python3.10/dist-packages/ipapython/ipautil.py)"}
Maybe I have not installed the correct modules?
@adalsa91 I need to know which is the target OS for the target node you are trying to deploy the client to.

I see "/usr/local/lib/python3.10/dist-packages/ipapython/ipautil.py" which is not a path we usually see when deploying IPA. On RHEL we only support platform python, which would be something like /usr/lib/pythonX.Y on any RedHat-derived host. The /usr/local path prefix is not something we often see, and I wonder if you either have a broken package or a broken environment.

I don't think `ipaclient_get_otp` assumes it's running on a host. If it's on a container it should be isolated enough to work.

Are you trying to enroll the container host in the IPA server running on the container guest?
Sorry, I misunderstood you. I'm using ansible-freeipa v1.11.0, the target OS is Ubuntu 22.04.2 LTS too, and it's a different host than the one that is running the freeipa-server container. I enrolled identical hosts without using OTP without any problem.

> I don't think ipaclient_get_otp assumes it's running on a host. If it's on a container it should be isolated enough to work.

Sure, I'm not saying that it makes any difference between executing `ipaclient_get_otp` on a host or in a container. The problem is that the freeipa-server container is not exposing its SSH service, because this is not common practice in containers, and therefore when Ansible tries to execute the task `ipaclient_get_otp` it's accessing the host machine, not the freeipa-server container guest, as both share the same FQDN. I know that one possible solution is to expose the container SSH service and point the Ansible inventory to this port, but I wonder if there is any way to do these OTP tasks using something like `ipa_context` as with other tasks. If I am not mistaken, that was the purpose of this option:

https://github.com/freeipa/ansible-freeipa/pull/631
https://github.com/freeipa/ansible-freeipa/issues/602
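The port workaround mentioned in the comment above, written out as an Ansible YAML inventory. This is an added example, not from the issue or from the ansible-freeipa project; the published SSH port 2222, the SSH user names and the vault variable are assumptions, while the host names and the `ipaserver`/`ipaclients` groups follow the error output and the role's documented variables.

```yaml
# Added example (not from the issue). The role's task
# "Install - Get One-Time Password for client enrollment" is delegated to the
# IPA server host (freeipa-master.foo.com in the error above). When the server
# runs in freeipa-container, the container host shares that FQDN, so the
# delegated task must be steered to the container's published SSH port or it
# lands on the Ubuntu host, where ipalib is not installed.
all:
  children:
    ipaserver:
      hosts:
        freeipa-master.foo.com:
          ansible_port: 2222          # published container SSH port (assumed)
          ansible_user: root          # assumed
    ipaclients:
      hosts:
        freeipa-client.foo.com:
          ansible_user: ubuntu        # assumed
  vars:
    # Keep the admin password in a vault; the variable name is assumed.
    ipaadmin_password: "{{ vault_ipaadmin_password }}"
    ipaclient_domain: foo.com
    ipaclient_realm: FOO.COM
    # Ask the role to enroll with a one-time password instead of the
    # admin credentials on the client.
    ipaclient_use_otp: true
```

Before running the role, an ad-hoc `ansible -i inventory.yml ipaserver -m command -a 'cat /etc/os-release'` should report the container's Fedora release rather than the Ubuntu host; if it shows Ubuntu, the delegated OTP task will still fail with the missing-ipalib error.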
`ipaclient_get_otp` is using the API from ipalib to be able to connect to the server. The use of `ipaclient_get_otp` without installed IPA packages is not possible.
Sorry, I forgot this issue. Yes, I assume IPA packages are needed on the target machine. I only wanted to use a host other than the FreeIPA server to perform this action, as you can do with `ipaapi_context` in other modules. But digging in the code of ipaclient_get_otp it seems that the context is hardcoded to server. Anyway, in the end I ended up using another method, so we can close this issue. Maybe in the future it can be implemented as an improvement. Thank you all for helping me!
@adalsa91 the internal modules in the roles are not to be used except within the roles, so `ipaclient_*` modules cannot be used like the other modules.

And for the other modules, the target host must be an IPA server or client host.
I am trying to enroll a client to a freeipa-container server using the `ipaclient` role and I got an error (No module named 'ipalib') in the task `Install - Get One-Time Password for client enrollment`. I suppose the problem is related to using freeipa-container and that probably `ipalib` is installed on the host along with the freeipa package in regular installations. As exposing freeipa-container SSH doesn't seem like the best approach, is there any other way to make it work? I read something about the `ipa_context` variable but I am not sure if it is used in the `ipaclient` role as I haven't found any reference.

Inventory file:
The command I used:
The error I got: