freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

ipauser fails with "The password is not set" #730

Open ikke-t opened 2 years ago

ikke-t commented 2 years ago

When I try running the playbook after a user has already been created once (re-running), the ipauser task always fails with

    TASK [Create users] ********************************************************************************************************************************
    Friday 14 January 2022  13:37:52 +0200 (0:00:02.096)       0:00:02.139 ********
    fatal: [rh-idm-01.cool.lab]: FAILED! => {"changed": false, "msg": "The password is not set"}

This is the task:

    - name: Create users
      freeipa.ansible_freeipa.ipauser:
        state: present
        update_password: on_create
        users:
          - name: ikke
            first: Ilkka
            last: Tengvall
            uid: 10001
            gid: 10001
            password: "coolpw-changeme123"
            # passwordexpiration: "2025-12-31 23:59:59"
            # yamllint disable-line rule:line-length
            sshpubkey: ssh-rsa <public key elided>

Why can't I rerun it?

ikke-t commented 2 years ago

I also don't get what the purpose of the action variable is. What is it used for? The module documentation is missing an example for it.

ikke-t commented 2 years ago

This got solved. It's the case of this module failing if there is no keytab at the idm server. So my kerberos ticket for admin had expired at idm. I didn't know this module depends on it, especially while it knows the ipaadmin_password.

I think there would be two fixes:

  1. going around the problem, and adding kinit instructions to the examples, and mentioning that it is required;
  2. fixing it so that the module will do kinit if it's expired, or in any case.

This is the temporary fix I got tipped:

    - name: Ensure admin keytab is valid
      shell: "echo {{ ipaadmin_password }} | kinit admin"

Naturally option 2 would be the preferred way. Or at least to have a proper warning about Kerberos ticket expiry, whereas now I thought it's about the user password.

rjeffman commented 2 years ago

@ikke-t, it seems you are missing ipaadmin_password in the task (and, optionally, ipaadmin_principal, which defaults to admin). With the password in place, the module uses GSSAPI to authenticate. All examples in the README have this option set, and both variables are explained in it.

By default, an existing TGT will be used, if not, authentication will be performed with the provided credentials.

ikke-t commented 2 years ago

No, I do not. It comes from vault. See how I use it now with kinit above. And the principal is the default, admin.

t-woerner commented 2 years ago

If there is no valid credential, then there is a kinit call internally. The test before using kinit fails with the error "The password is not set" if the password is not set. If you are using kinit admin on the server, is it asking for a new admin password?

t-woerner commented 2 years ago

Using the module depends on either having valid credentials or providing ipaadmin_password for the module task.

ikke-t commented 2 years ago

Just to verify I need

    ipauser:
      ipaadmin_password: "{{ ipaadmin_password }}"

rjeffman commented 2 years ago

@ikke-t either that or a valid TGT on the target host.

ikke-t commented 2 years ago

I'm just a bit surprised why it doesn't pick it up from the host variables. I have verified with debug that it is set correctly in the playbook.

mproehl commented 2 years ago

Maybe the same issue: I would like to use ipauser with my Kerberos credentials from login. When system login creates a credential cache and sets KRB5CCNAME environment variable, everything works as expected. When system login creates a default credential cache and does not set KRB5CCNAME, ipauser fails with "The password is not set". (Using ansible-freeipa-0.3.8-1.el8.noarch)

gasinvein commented 4 months ago

I've stumbled upon the same problem. It looks like I need to set ipaadmin_password: "{{ ipaadmin_password }}" in every task's parameters. Why isn't the password (and I suppose the principal, too) picked up from the host variables automatically?
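One way to avoid repeating the credential in every task, as an added example that is not part of this thread or the ansible-freeipa project: Ansible's play-level module_defaults passes ipaadmin_password (and the principal) to each listed module, and an assert fails the play early if the vault variable is missing, instead of each task failing with "The password is not set". It assumes ipaadmin_password and vault_user_initial_password are vault-encrypted variables for the ipaserver group, and the group name developers is constructed.

```yaml
# Added example (not from the ansible-freeipa project). Assumes ipaadmin_password
# and vault_user_initial_password are defined in vault-encrypted host/group vars
# for the hosts in the ipaserver group.
- name: Manage IPA users with one credential definition
  hosts: ipaserver
  become: true
  # Every task of the listed modules inherits these parameters, so the
  # credential is defined once per play instead of once per task.
  module_defaults:
    freeipa.ansible_freeipa.ipauser:
      ipaadmin_principal: admin
      ipaadmin_password: "{{ ipaadmin_password }}"
    freeipa.ansible_freeipa.ipagroup:
      ipaadmin_principal: admin
      ipaadmin_password: "{{ ipaadmin_password }}"
  tasks:
    - name: Fail early if the admin credential is not available to this play
      ansible.builtin.assert:
        that:
          - ipaadmin_password is defined
          - ipaadmin_password | length > 0
        fail_msg: "ipaadmin_password is not set; define it in the vault for this host"
        quiet: true

    - name: Create users
      freeipa.ansible_freeipa.ipauser:
        state: present
        update_password: on_create   # re-runs do not reset the password
        users:
          - name: ikke
            first: Ilkka
            last: Tengvall
            uid: 10001
            gid: 10001
            password: "{{ vault_user_initial_password }}"  # assumed vault variable

    - name: Ensure the developers group exists with ikke as a member
      freeipa.ansible_freeipa.ipagroup:
        name: developers   # constructed group name
        state: present
        user:
          - ikke
```

When a valid TGT already exists on the target host the module still uses it first, as rjeffman describes above; the password from module_defaults is only the fallback.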