Closed RobVerduijn closed 5 years ago
Please try again with latest ansible-freeipa version. I just pushed a fix for adtrust setup.
Yep, that fixes that.
But now the addreplica fails; I'm still digging into that to see why.
Rob
The new commit should fix the issue for replica.
Hello, it still breaks at this task: `ipareplica : Install - DS enable SSL`

```
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1555586842.4990764-62135770002703/AnsiballZ_ipareplica_ds_enable_ssl.py", line 113, in
```
Which FreeIPA version are you using? And which configuration settings are you using additionally?
FreeIPA version: 4.6.4. No additional config (yet), just running your roles inside two dedicated VMs. I've got the following settings in the group_vars folder:

all.yml:

```yaml
ipa_domain: linux.example.poc
ipa_realm: '{{ ipa_domain | upper }}'
```

ipaserver.yml:

```yaml
ipaserver_install_packages: true
ipaserver_setup_firewalld: true
ipaserver_reverse_zones: 122.168.192.in-addr.arpa
ipaserver_auto_reverse: true
ipaserver_allow_zone_overlap: true
ipaserver_domain: "{{ ipa_domain }}"
ipaserver_realm: '{{ ipa_realm }}'
ipaserver_setup_adtrust: true
ipaserver_setup_dns: true
ipaserver_no_forwarders: true
```

ipareplicas.yml:

```yaml
ipareplica_domain: "{{ ipa_domain }}"
ipareplica_realm: '{{ ipa_realm }}'
ipareplica_setup_adtrust: true
ipareplica_setup_dns: true
ipareplica_auto_reverse: true
ipareplica_no_forwarders: true
ipareplica_setup_ca: true
```

ipaclients.yml:

```yaml
ipaclient_mkhomedir: true
ipaclient_use_otp: false
ipaadmin_principal: admin
ipassd_enable_dns_updates: true
ipaclient_domain: '{{ ipa_domain }}'
ipaclient_realm: '{{ ipa_realm }}'
```

The primary server is a member of ipaserver, ipacluster, ipaclients; the replica server is a member of ipareplicas, ipacluster, ipaclients.

Your ansible-freeipa roles are all symlinked to $HOME/.ansible/roles. Authentication is with pubkey for the root user.

```yaml
- name: setup ipa server
  hosts: ipaserver
  become: false
  remote_user: root
  roles:

- name: setup ipa replicas
  hosts: ipareplicas
  become: false
  remote_user: root
  pre_tasks:
    - name: set dns to ipa01
      nmcli:
        conn_name: eth0
        dns4: 192.168.122.2
        state: present
        type: ethernet
      notify: restart NetworkManager
    - meta: flush_handlers
  roles:
  handlers:
```
Rob
Duh ... of course it says present with ipareplica.
Hello,
I've just tested your latest commit 4d759b6.
ipareplica now works, with a workaround.
* ipareplica issue: task `ipareplica : Install - Replica preparation` fails because the primary IPA server cannot resolve the ipareplica FQDN, which I solved by running the ipaclient play before the ipareplica playbook.
* ipaclient play issue 1: the ipaclient fails on task `ipaclient : Install - IPA client test`; /etc/resolv.conf does not have the correct DNS config, so it cannot find the ipaserver. Ensure the DNS setup points to the IPA servers (I used the nmcli module, but it's not idempotent).
* ipaclient play issue 2: the DNS update is not run, so the ipaserver still cannot resolve the ipareplica FQDN, which is easily solved by adding a handler restarting sssd.
After this the ipareplica play works.
Cheers, Rob
> Hello,
> I've just tested your latest commit 4d759b6.
> ipareplica now works, with a workaround.
> * ipareplica issue: task `ipareplica : Install - Replica preparation` fails because the primary IPA server cannot resolve the ipareplica FQDN, which I solved by running the ipaclient play before the ipareplica playbook.

This is exactly what the ipareplica role is doing internally. The ipaclient role is run as one of the first steps after the replica test has been done (before replica preparation). Have you been using other settings for the client deployment?

> * ipaclient play issue 1: the ipaclient fails on task `ipaclient : Install - IPA client test`; /etc/resolv.conf does not have the correct DNS config, so it cannot find the ipaserver. Ensure the DNS setup points to the IPA servers (I used the nmcli module, but it's not idempotent).

The modification of resolv.conf is not done while deploying a client. I thought about this as an additional feature compared to the command line installer, but it would be a behaviour change if this is enabled by default.

> * ipaclient play issue 2: the DNS update is not run, so the ipaserver still cannot resolve the ipareplica FQDN, which is easily solved by adding a handler restarting sssd.

Where was it needed to restart sssd?

I have made several tests using ipa-4.6.4 on CentOS-7.6. Only if there was a DNS server conflicting with the zone that the server should handle did I run into issues with name resolving, especially reverse mapping. This was happening for me with the ansible-freeipa roles and also with the normal command line installers.

> After this the ipareplica play works.
> Cheers, Rob
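An added pre-flight play (my example, not code from this thread or from ansible-freeipa) for the DNS failure mode discussed above: it points the replica's resolver at the primary, then checks from the primary that forward and reverse lookups of the replica agree before the ipareplica role runs. It assumes the `ipaserver`/`ipareplicas` group names and the 192.168.122.2 address from this thread, and that `inventory_hostname` is the replica's FQDN.

```yaml
# Added example, not code from the ansible-freeipa project. Assumes the group
# names and the primary's address (192.168.122.2) used in this thread, and that
# inventory_hostname is the replica's FQDN.
- name: pre-flight DNS check for IPA replicas
  hosts: ipareplicas
  become: false
  remote_user: root
  vars:
    ipa_primary: "{{ groups['ipaserver'][0] }}"   # first host of the ipaserver group
    ipa_primary_ip: 192.168.122.2                 # the primary's address in this thread
  pre_tasks:
    - name: point the replica's resolver at the primary IPA server
      nmcli:
        conn_name: eth0
        type: ethernet
        dns4: "{{ ipa_primary_ip }}"
        state: present
      notify: restart NetworkManager

    - meta: flush_handlers

    # Both lookups run on the primary, which is the host that must resolve
    # the replica during "Install - Replica preparation".
    - name: forward lookup of the replica FQDN from the primary
      command: "getent hosts {{ inventory_hostname }}"
      delegate_to: "{{ ipa_primary }}"
      changed_when: false
      register: fwd

    - name: reverse lookup of the replica address from the primary
      command: "getent hosts {{ ansible_default_ipv4.address }}"
      delegate_to: "{{ ipa_primary }}"
      changed_when: false
      register: rev

    # Stop here instead of failing half-way through the ipareplica role;
    # a mismatch usually means another DNS server answers for the zone.
    - name: stop unless forward and reverse records match the replica FQDN
      assert:
        that:
          - fwd.stdout.split()[1] == inventory_hostname
          - rev.stdout.split()[1] == inventory_hostname
        fail_msg: "primary cannot resolve {{ inventory_hostname }} consistently: {{ fwd.stdout }} / {{ rev.stdout }}"
  roles:
    - role: ipareplica
  handlers:
    - name: restart NetworkManager
      service:
        name: NetworkManager
        state: restarted
```

The `getent` tasks fail on their own if the primary gets no answer at all; the assert catches the subtler case where the name and the PTR record disagree.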
Please do not use the adtrust ticket to report other issues. Please open an extra ticket for DNS issues.
Hello, I'll have to test it again; I'll let you know when done.
Rob
Hello,
I've found the time to test it and it does indeed work as you describe. The only thing that still fails is the length issue I mentioned in issue #77.
Rob
Hello,
When enabling `ipaserver_setup_adtrust` it fails on the default smb.conf.
It complains there is already an smb.conf and that it would break the existing Samba configuration.
Since this is a clean install this should not happen (i.e. there was no Samba installed/configured before running this play).
Rob