freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

msg: cannot import name 'kinit_password' from 'ipapython.ipautil #1216

Open Tas-sos opened 4 months ago

Tas-sos commented 4 months ago
Python system libraries/modules/packages installed

```bash
apt list --installed | grep python
```

Python required modules ( requirements.txt )

```bash
ansible-core==2.15.9

# Collections Requirements
# freeipa.ansible_freeipa.ipaservice
netaddr==1.2.1
gssapi==1.8.3
ipalib==4.10.2
```

Ansible required collections ( requirements.yml )

```yaml
---
collections:
  - name: ansible.posix
    version: 1.5.4
  - name: community.general
    version: '>=7.4.0,<7.5.0'
  - name: freeipa.ansible_freeipa
    version: '>=1.11.1,<1.12.0'
```

Output

```
failed: [testvm.example.com -> localhost]
(item=
    {'path': '/etc/httpd/conf/httpd.keytab',
     'principal': 'HTTP/testvm.example.com@example.com',
     'aliases': ['HTTP/testvm.com@example.com'],
     'owner': 48,
     'group': 48,
     'mode': '0400'})
 => changed=false
  ansible_loop_var: item
  invocation:
    module_args:
      action: service
      allow_create_keytab_group: null
      allow_create_keytab_host: null
      allow_create_keytab_hostgroup: null
      allow_create_keytab_user: null
      allow_retrieve_keytab_group: null
      allow_retrieve_keytab_host: null
      allow_retrieve_keytab_hostgroup: null
      allow_retrieve_keytab_user: null
      auth_ind: null
      certificate: null
      delete_continue: null
      force: null
      host: null
      ipaadmin_password: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
      ipaadmin_principal: ipaadmin-username
      ipaapi_context: null
      ipaapi_ldap_cache: true
      name:
      - HTTP/testvm.example.com@example.com
      netbiosname: null
      ok_as_delegate: null
      ok_to_auth_as_delegate: null
      pac_type: null
      principal:
      - HTTP/testvm.example.com@example.com
      requires_pre_auth: null
      services: null
      skip_host_check: null
      smb: null
      state: present
  item:
    aliases:
    - HTTP/testvm.example.com@example.com
    group: 48
    mode: '0400'
    owner: 48
    path: /etc/httpd/conf/httpd.keytab
    principal: HTTP/testvm.example.com@example.com
  msg: cannot import name 'kinit_password' from 'ipapython.ipautil' (/home/username/.python-env/ipa-python-venv/lib/python3.9/site-packages/ipapython/ipautil.py)
```

I cannot understand why I have this error.

cannot import name 'kinit_password' from 'ipapython.ipautil'

I have this error with the following versions:

Any advice/help/idea?

Tas-sos commented 4 months ago

In my attempt to solve this, I have also installed the following python 3 modules.

pip freeze

```bash
ipa==4.10.2
ipaclient==4.10.2
ipalib==4.10.2
ipaplatform==4.10.2
ipapython==4.10.2
python-freeipa==1.0.8
ansible-core==2.15.9
certifi==2024.2.2
cffi==1.16.0
charset-normalizer==3.3.2
cryptography==42.0.5
decorator==5.1.1
dnspython==2.6.1
gssapi==1.8.3
idna==3.6
importlib-resources==5.0.7
Jinja2==3.1.3
MarkupSafe==2.1.5
netaddr==1.2.1
packaging==23.2
pkg_resources==0.0.0
pyasn1==0.5.1
pyasn1-modules==0.3.0
pycparser==2.21
pypng==0.20220715.0
PyYAML==6.0.1
qrcode==7.4.2
requests==2.31.0
resolvelib==1.0.1
six==1.16.0
typing_extensions==4.10.0
urllib3==2.2.1
```

Tas-sos commented 4 months ago

System python related packages

```bash
dnf install python3 python3-devel krb5-workstation krb5-libs krb5-devel gcc -y
```

```bash
dnf list installed | grep python
```

pip freeze

* requirements.txt

```bash
ansible-core==2.15.9

# Collections Requirements
# freeipa.ansible_freeipa.ipaservice
netaddr==1.2.1
gssapi==1.8.3
ipalib==4.10.2
```

```bash
ansible-core==2.15.9
cffi==1.16.0
cryptography==42.0.5
decorator==5.1.1
dnspython==2.6.1
gssapi==1.8.3
importlib-resources==5.0.7
ipalib==4.10.2
ipaplatform==4.10.2
ipapython==4.10.2
Jinja2==3.1.3
MarkupSafe==2.1.5
netaddr==1.2.1
packaging==23.2
pyasn1==0.5.1
pyasn1-modules==0.3.0
pycparser==2.21
PyYAML==6.0.1
resolvelib==1.0.1
six==1.16.0
```

But again exactly the same:

msg: cannot import name 'kinit_password' from 'ipapython.ipautil'

pip install ipaclient

```bash
pip freeze | grep ipa
ipaclient==4.10.2
ipalib==4.10.2
ipaplatform==4.10.2
ipapython==4.10.2
```

But, nothing changed.

t-woerner commented 4 months ago

ansible-freeipa modules support management nodes that are part of an IPA domain as a client or server. If the node is part of an IPA domain, all the needed packages and bindings are installed and the management modules can be used. ansible-core and ansible-freeipa are only needed on the controller; they are not needed on the management nodes.

t-woerner commented 4 months ago

The management node needs to be deployed as a server/replica or client in an IPA domain. Installing ipaclient with pip is not able to do this.

For information on how to deploy a client, please have a look at https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipaclient/README.md

Tas-sos commented 4 months ago

So, the task below cannot be run on my laptop - which is not an IPA server/client (at least client)?

```yaml
---
- name: Create service
  delegate_to: localhost
  freeipa.ansible_freeipa.ipaservice:
    name: "{{ item.principal }}"
    principal: "{{ item.aliases | default(omit) }}"
    state: "present"
    ipaadmin_principal: "{{ ipa_host_enrollment_principal }}"
    ipaadmin_password: "{{ ipa_host_enrollment_password }}"
  loop: "{{ custom_keytabs }}"
```

As you mentioned above, from the Ansible controller side you only need ansible-core & ansible-freeipa.
So I cannot run the above from my localhost, if my localhost/controller is not already deployed as a server/replica or client in an IPA domain.

Excuse me, I'm confused because I ran it locally and the error message doesn't help me enough.
Could we change the error message to give more information about what is going wrong? For example, with some kind of condition checking whether "Ω" has already been done or not, print "χ message", otherwise "ψ message".

Thank you very much for your prompt reply above and for the really useful reference which is really helpful! :pray:

t-woerner commented 4 months ago

Good point, please open a ticket to work on the error messages for missing IPA bindings.

rjeffman commented 3 months ago

@Tas-sos no, you can't delegate the task to your localhost if it is not a server or a client in a FreeIPA deployment.

The controller does not need to be part of FreeIPA, but any target node needs to be.

We should make this clearer in the documentation, but IMO, working on the error messages provided will open a lot of unknown issues, and this might be too much work for too small an improvement.
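
A pre-flight check for the rule stated in this thread (the node a task runs on, including `delegate_to: localhost`, must be an enrolled IPA client or server), added here as an example; it is not part of the thread or of ansible-freeipa. It assumes enrollment can be detected from `/etc/ipa/default.conf` containing a `[global]` `realm` entry; `ipa_preflight` and its parameters are hypothetical names.

```python
import configparser
import importlib.util
import os

# Assumption: ipa-client-install writes this file when a host is enrolled.
IPA_CLIENT_CONF = "/etc/ipa/default.conf"


def ipa_preflight(node, conf_path=IPA_CLIENT_CONF, bindings="ipalib"):
    """Return (ok, message): can IPA management tasks run on this node?

    conf_path and bindings are parameters so the check can be exercised
    against constructed files; the defaults describe a real node.
    """
    problems = []
    realm = None

    # 1. Enrollment: being an IPA client/server is what the modules need.
    if not os.path.isfile(conf_path):
        problems.append(
            "%s not found: node is not enrolled in an IPA domain "
            "(pip-installed IPA packages do not enroll it)" % conf_path)
    else:
        cfg = configparser.ConfigParser(interpolation=None)
        try:
            cfg.read(conf_path)
            realm = cfg.get("global", "realm")
        except configparser.Error as exc:
            problems.append("%s is unusable: %s" % (conf_path, exc))

    # 2. Bindings: importable alone is not sufficient, but absent is fatal.
    if importlib.util.find_spec(bindings) is None:
        problems.append("Python package '%s' is not importable" % bindings)

    if problems:
        return False, "%s: cannot run IPA management tasks\n  - %s" % (
            node, "\n  - ".join(problems))
    return True, "%s: enrolled in realm %s, bindings present" % (node, realm)


if __name__ == "__main__":
    import socket
    ok, message = ipa_preflight(socket.gethostname())
    print(message)
    raise SystemExit(0 if ok else 1)
```

Run it with the same Python interpreter Ansible uses on the delegate node; a non-zero exit means the `ipaservice` task should target an enrolled host instead.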