freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

Unsupported parameters for (freeipa.ansible_freeipa.ipaclient_get_otp) module: keytab #328

Open dsroark-dt opened 4 years ago

dsroark-dt commented 4 years ago

When I try to run the "Install - Get One-Time Password for client enrollment" task for an ipaclient enrollment, I get the following error:

msg: 'Unsupported parameters for (freeipa.ansible_freeipa.ipaclient_get_otp) module: keytab Supported parameters include: ccache, certificates, fqdn, ipaddress, principal, random, sshpubkey, state'

I invoked the task with:

  invocation:
    module_args:
      fqdn: ipaclient-host.example.com
      keytab: /etc/krb5.keytab
      principal: admin
      random: true
      state: present

And looking at the module, it appears that this parameter is indeed not a part of it. Is this as designed? Should I avoid using a keytab when enrolling hosts?

Running Ansible version 2.9.11 and the ansible-freeipa galaxy collection.

The controller is running macOS Catalina and the target client host is running the latest CentOS 7. My IPA cluster is up and running fine, installed through the same collection, and I can generate a keytab using the admin principal.

The controller's (my Mac's) virtualenv:

(ins) ~/code/ansible (0) $ pip freeze
ansible==2.9.11
ansible-lint==4.2.0
appdirs==1.4.4
arrow==0.15.7
attrs==19.3.0
bcrypt==3.1.7
binaryornot==0.4.4
boto3==1.14.25
botocore==1.17.25
Cerberus==1.3.2
certifi==2020.6.20
cffi==1.14.0
chardet==3.0.4
click==7.1.2
click-completion==0.5.2
click-help-colors==0.8
colorama==0.4.3
cookiecutter==1.7.2
cryptography==3.0
distlib==0.3.1
dnspython==2.0.0
docker==4.2.2
docutils==0.15.2
fasteners==0.15
filelock==3.0.12
idna==2.10
Jinja2==2.11.2
jinja2-time==0.2.0
jmespath==0.10.0
jsonxs==0.6
lxml==4.5.2
Mako==1.1.3
MarkupSafe==1.1.1
molecule==3.0.6
monotonic==1.5
more-itertools==8.4.0
nsx-policy-python-sdk @ file://localhost//private/var/folders/g2/xf564rvs4f360cm53qpp03g80000gq/T/pip-req-build-b9nafnoc/lib/nsx-policy-python-sdk/nsx_policy_python_sdk-2.5.1.0.5.16221899-py2.py3-none-any.whl
nsx-python-sdk @ file://localhost//private/var/folders/g2/xf564rvs4f360cm53qpp03g80000gq/T/pip-req-build-b9nafnoc/lib/nsx-python-sdk/nsx_python_sdk-2.5.1.0.5.16221899-py2.py3-none-any.whl
nsx-vmc-aws-integration-python-sdk @ file://localhost//private/var/folders/g2/xf564rvs4f360cm53qpp03g80000gq/T/pip-req-build-b9nafnoc/lib/nsx-vmc-aws-integration-python-sdk/nsx_vmc_aws_integration_python_sdk-2.5.1.0.5.16221899-py2.py3-none-any.whl
nsx-vmc-policy-python-sdk @ file://localhost//private/var/folders/g2/xf564rvs4f360cm53qpp03g80000gq/T/pip-req-build-b9nafnoc/lib/nsx-vmc-policy-python-sdk/nsx_vmc_policy_python_sdk-2.5.1.0.5.16221899-py2.py3-none-any.whl
packaging==20.4
paramiko==2.7.1
pathspec==0.8.0
pexpect==4.8.0
pipenv==2020.6.2
pluggy==0.13.1
poyo==0.5.0
ptyprocess==0.6.0
py==1.9.0
pyasn1==0.4.8
pycparser==2.20
PyNaCl==1.4.0
pyOpenSSL==19.1.0
pyparsing==2.4.7
pytest==5.4.3
python-dateutil==2.8.1
python-gilt==1.2.3
python-gssapi==0.6.4
python-slugify==4.0.1
pyvmomi==7.0
PyYAML==5.3.1
requests==2.24.0
ruamel.yaml==0.16.10
ruamel.yaml.clib==0.2.0
s3transfer==0.3.3
sh==1.13.1
shellingham==1.3.2
six==1.15.0
suds-jurko==0.6
tabulate==0.8.7
testinfra==5.2.2
text-unidecode==1.3
tree-format==0.1.2
urllib3==1.25.9
ushlex==0.99.1
vapi-client-bindings @ file://localhost//private/var/folders/g2/xf564rvs4f360cm53qpp03g80000gq/T/pip-req-build-b9nafnoc/lib/vapi-client-bindings/vapi_client_bindings-3.3.0-py2.py3-none-any.whl
vapi-common-client @ file://localhost//private/var/folders/g2/xf564rvs4f360cm53qpp03g80000gq/T/pip-req-build-b9nafnoc/lib/vapi-common-client/vapi_common_client-2.15.0-py2.py3-none-any.whl
vapi-runtime @ file://localhost//private/var/folders/g2/xf564rvs4f360cm53qpp03g80000gq/T/pip-req-build-b9nafnoc/lib/vapi-runtime/vapi_runtime-2.15.0-py2.py3-none-any.whl
virtualenv==20.0.27
virtualenv-clone==0.5.4
vmc-client-bindings @ file://localhost//private/var/folders/g2/xf564rvs4f360cm53qpp03g80000gq/T/pip-req-build-b9nafnoc/lib/vmc-client-bindings/vmc_client_bindings-1.26.0-py2.py3-none-any.whl
vmc-draas-client-bindings @ file://localhost//private/var/folders/g2/xf564rvs4f360cm53qpp03g80000gq/T/pip-req-build-b9nafnoc/lib/vmc-draas-client-bindings/vmc_draas_client_bindings-1.9.0-py2.py3-none-any.whl
vSphere-Automation-SDK @ git+https://github.com/vmware/vsphere-automation-sdk-python.git@a18a979c25083567ff39198ed611fdd31aa36c28
wcwidth==0.2.5
websocket-client==0.57.0
yamllint==1.24.2

dsroark-dt commented 4 years ago

Update: similar error when I try to get an OTP using ipaadmin_password instead of ipaadmin_keytab.

t-woerner commented 4 years ago

Yes, the combination of ipaadmin_keytab and ipaclient_get_otp is not supported by the module. I do not understand why you have issues with ipaadmin_password though. Have you been trying to use the module outside of the ipaclient role? Have you modified the ipaclient role?

t-woerner commented 2 years ago

PR https://github.com/freeipa/ansible-freeipa/pull/987 is changing the code for OTP. The action plugin is removed and the OTP is generated on the first entry in the server list returned by ipaclient_test.
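
A pre-flight guard for the combination t-woerner's first reply describes as unsupported, as an added example that is not part of the thread or of ansible-freeipa's own code. It assumes the ipaclient role variable `ipaclient_use_otp` (not named in the thread) and a constructed inventory group `ipaclients`; the plain `assert` module name is used so the play also runs on the Ansible 2.9 release mentioned in the report.

```yaml
---
# Added example: fail before enrollment when an admin keytab is configured
# together with OTP generation, instead of failing inside ipaclient_get_otp.
# The group name "ipaclients" is an assumption made for this example.
- name: Enroll IPA clients with a guard for keytab + OTP
  hosts: ipaclients
  become: true

  pre_tasks:
    - name: Refuse ipaadmin_keytab together with OTP enrollment
      assert:
        that:
          - not (ipaadmin_keytab is defined and (ipaclient_use_otp | default(false) | bool))
        fail_msg: >-
          ipaadmin_keytab is set together with ipaclient_use_otp.
          The ipaclient_get_otp module has no keytab parameter, so this
          combination fails with "Unsupported parameters". Use
          ipaadmin_password for OTP generation, or disable ipaclient_use_otp.
        quiet: true

  roles:
    - role: freeipa.ansible_freeipa.ipaclient
      state: present
```

Supply `ipaadmin_password` from an encrypted vars file rather than the inventory, since the guard steers OTP enrollment toward the password path.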