I have installed the ansible collection 0.3.5 and set the following ansible variable to 'yes': ipaclient_use_otp. I am trying to run the ipareplica role on the replica. Installation of the master (on the master, of course) went great.
In roles/ipaclient/tasks/install.yml:
```yaml
- name: Install - Get One-Time Password for client enrollment
  no_log: yes
  freeipa.ansible_freeipa.ipaclient_get_otp:
    state: present
    principal: "{{ ipaadmin_principal | default(omit) }}"
    password: "{{ ipaadmin_password | default(omit) }}"
    keytab: "{{ ipaadmin_keytab | default(omit) }}"
    fqdn: "{{ result_ipaclient_test.hostname }}"
    lifetime: "{{ ipaclient_lifetime | default(omit) }}"
    random: True
  register: result_ipaclient_get_otp
  # If the host is already enrolled, this command will exit on error
  # The error can be ignored
  failed_when: result_ipaclient_get_otp is failed and
    "Password cannot be set on enrolled host" not
    in result_ipaclient_get_otp.msg
  delegate_to: "{{ result_ipaclient_test.servers[0] }}"
  ignore_errors: yes
```
However, plugins/modules/ipaclient_get_otp.py has the following signature for the module:
Unless I am missing something, there is no way this can succeed since we are passing in password, keytab, and lifetime which aren't supported by the module. The exact error I get is: (I have substituted my hostname for my-host.local, but I am using a 'real' FQDN)
```
TASK [freeipa.ansible_freeipa.ipaclient : Install IPA client] *********************************************************
included: /home/justchris1/.ansible/collections/ansible_collections/freeipa/ansible_freeipa/roles/ipaclient/tasks/install.yml for my-host.local
TASK [freeipa.ansible_freeipa.ipaclient : Install - Ensure that IPA client packages are installed] ********************
ok: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Set ipaclient_servers] ********************************************
skipping: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Set ipaclient_servers from cluster inventory] *********************
skipping: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Check that either principal or keytab is set] *********************
skipping: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Set default principal if no keytab is given] **********************
skipping: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - IPA client test] **************************************************
ok: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Cleanup leftover ccache] ******************************************
ok: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Configure NTP] ****************************************************
changed: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Make sure One-Time Password is enabled if it's already defined] ***
skipping: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Disable One-Time Password for on_master] **************************
skipping: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Test if IPA client has working krb5.keytab] ***********************
ok: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Disable One-Time Password for client with working krb5.keytab] ****
skipping: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Keytab or password is required for getting otp] *******************
skipping: [my-host.local]
TASK [freeipa.ansible_freeipa.ipaclient : Install - Get One-Time Password for client enrollment] **********************
fatal: [my-host.local -> apple.0a.org]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
...ignoring
TASK [freeipa.ansible_freeipa.ipaclient : Install - Report error for OTP generation] **********************************
fatal: [my-host.local]: FAILED! => {
    "msg": "Unsupported parameters for (freeipa.ansible_freeipa.ipaclient_get_otp) module: password Supported parameters include: ccache, certificates, fqdn, ipaddress, principal, random, sshpubkey, state"
}
```
PR https://github.com/freeipa/ansible-freeipa/pull/987 is changing the code for OTP. The action plugin is removed and the OTP is generated on the first entry in the server list returned by ipaclient_test.