freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

Running `ipareplica` with `setup_adtrust` enabled does not configure AD trust roles #792

Open Thulium-Drake opened 2 years ago

Thulium-Drake commented 2 years ago

Hi there!

I'm deploying an IPA setup based on RH IdM 4.9.6 using the Ansible roles. This works just fine, except for 1 thing:

After running the ipareplica role, when I check the Topology, it only mentions that the system configured with ipaserver has the AD trust agent and controller roles present.

I've been able to manually fix it by 'just' running the ipa-adtrust-install command on the replica, as the packages required for the ad trust are present on the system.

Did I miss anything in my configuration? Or is the role not doing something it's supposed to :-)

Thank you!

t-woerner commented 2 years ago

setup_adtrust is not a valid parameter name for the ipareplica role. Are you using ipareplica_setup_adtrust?

Thulium-Drake commented 2 years ago

Sorry, yes, my bad, I didn't want to make the title too long... :)

I have the correct variable in my inventory

t-woerner commented 2 years ago

Which ansible-freeipa version are you using? Please add your inventory and playbook. The log file on the replica might also provide some information. Do you have firewalls enabled?

Thulium-Drake commented 2 years ago

I'll prepare a lab setup in which I can reproduce it and share the logs (as I can't really export the logs from the environment the setup is running in). I'll get back to you :)

Thulium-Drake commented 2 years ago

I have reinstalled a setup with the same components as where I ran into this issue.

Collection version is 1.6.2

The packages required for adtrust are installed by Ansible, so that's working just fine.

Here's the -vv output of the Ansible run for the adtrust task:

```
TASK [freeipa.ansible_freeipa.ipareplica : Install - Setup adtrust] **************************************************
task path: /root/projects/rhlab/collections/ansible_collections/freeipa/ansible_freeipa/roles/ipareplica/tasks/install.yml:737
changed: [idm2.rh.lab] => changed=true
```

I have the ipareplica-install.log, but it's 12MB; is there anything specific I need to look for?

After running the role, I ran the following command to let IdM tell me what the roles of the servers are:

```
[ansible@idm2 log]$ ipa server-role-find
-----------------------
10 server roles matched
-----------------------
  Server name: idm1.rh.lab
  Role name: AD trust agent
  Role status: enabled

  Server name: idm2.rh.lab
  Role name: AD trust agent
  Role status: absent

  Server name: idm1.rh.lab
  Role name: AD trust controller
  Role status: enabled

  Server name: idm2.rh.lab
  Role name: AD trust controller
  Role status: absent

  Server name: idm1.rh.lab
  Role name: CA server
  Role status: enabled

  Server name: idm2.rh.lab
  Role name: CA server
  Role status: enabled

  Server name: idm1.rh.lab
  Role name: DNS server
  Role status: absent

  Server name: idm2.rh.lab
  Role name: DNS server
  Role status: absent
```

Finally, the playbook:

```yaml
---
- name: 'Install IPA replicas'
  hosts: 'rhidm_server_replica'
  vars:
    ipaserver_domain: "{{ ipaclient_domain }}"
    ipaserver_realm: "{{ ipaclient_domain | upper }}"
  tasks:
    - name: 'Run hardening role'
      ansible.builtin.include_role:
        name: 'cis_hardening_el8'
      when: not skip_cis | default(false)

    - name: 'Install IPA replica servers'
      ansible.builtin.import_role:
        name: 'freeipa.ansible_freeipa.ipareplica'
      vars:
        ipaclient_force_join: true
```

And the relevant parts of the inventory:

```ini
# Active Directory Integration
# Enable AD trust module
ipaserver_setup_adtrust: true
ipareplica_setup_adtrust: true
```

For the primary server, it works just fine!
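As an added example (not code from this issue or from ansible-freeipa), a small Python check that parses `ipa server-role-find` output like the listing above and reports replicas whose AD trust agent or controller role is not enabled, so a topology gap like the one reported here is caught after a deployment run. The sample listing and the server names idm1/idm2 are constructed from this thread.

```python
from collections import defaultdict

# Constructed sample, modelled on the `ipa server-role-find` listing in this issue.
SAMPLE_OUTPUT = """\
  Server name: idm1.rh.lab
  Role name: AD trust agent
  Role status: enabled

  Server name: idm2.rh.lab
  Role name: AD trust agent
  Role status: absent

  Server name: idm1.rh.lab
  Role name: AD trust controller
  Role status: enabled

  Server name: idm2.rh.lab
  Role name: AD trust controller
  Role status: absent
"""

AD_TRUST_ROLES = ("AD trust agent", "AD trust controller")


def parse_server_roles(text):
    """Turn the plain-text listing into {server: {role name: role status}}."""
    roles = defaultdict(dict)
    server = role = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server name:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith("Role name:"):
            role = line.split(":", 1)[1].strip()
        elif line.startswith("Role status:") and server and role:
            roles[server][role] = line.split(":", 1)[1].strip()
            server = role = None  # each record is a Server/Role/Status triple
    return dict(roles)


def missing_ad_trust_roles(roles, expected_servers):
    """Map each expected server to the AD trust roles not 'enabled' on it.
    A server missing from the listing entirely is reported with both roles."""
    report = {}
    for server in expected_servers:
        gaps = [r for r in AD_TRUST_ROLES if roles.get(server, {}).get(r) != "enabled"]
        if gaps:
            report[server] = gaps
    return report
```

Feed it the real command output (for example via `subprocess.run(["ipa", "server-role-find"], capture_output=True, text=True).stdout`) and the list of hosts from the `rhidm_server_replica` group; a non-empty report means a replica still needs the adtrust setup.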

Thulium-Drake commented 2 years ago

@t-woerner ping :-)