On Fri, Jan 8, 2021 at 11:03 AM Dominik Vogt via FreeIPA-users <
[email protected]> wrote:
> We have to set up the ipa-server with Ansible scripts, but there
> isn't a module for everything. For example, this command needs to
> be executed.
>
> - name: ...
>   shell: ipa config-mod --ipaselinuxusermaporder="..."
>
> However, that doesn't work (using either the "root" or ipa "admin"
> accounts) because the Kerberos ticket granting ticket is missing.
> Hard coding user and password in a plain script or on the command
> line is bad. I've really no idea how to solve this.
>
If running IPA commands with the `shell` module, you need to `kinit` in the
script. If I need to, I wrap them with something like:

    - block:
      - name: Verify asymmetric-only fields are not present.
        shell: |
          echo {{ some_secret }} | kinit -c {{ KRB5CCNAME }} admin
          KRB5CCNAME={{ KRB5CCNAME }} ipa vault-show test_vault
          kdestroy -A -q -c {{ KRB5CCNAME }}
      vars:
        KRB5CCNAME: some_very_unique_name

But I resort to it only if I really need to.

> P.S.: The existing ipa modules for Ansible seem to do their work
> over the http interface.
>
These are the Ansible community-general modules. If using ansible-freeipa,
as Thomas suggested, it does not use http.

I'd second the suggestion to use ansible-freeipa's ipaconfig module.

Regards,
Rafael
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
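
The two approaches discussed in this thread, written out as an added example that is not part of the original messages: the ansible-freeipa `ipaconfig` module, and a `kinit` wrapper that keeps the password off the command line and out of the Ansible log. The variable names `ipa_admin_password` (assumed to live in an Ansible Vault file), `selinux_map_order` and `ipa_ccache`, the cache path, and the `ipaserver` inventory group are assumptions.

```yaml
---
# Added example, not from the thread. Assumed names: ipa_admin_password
# (stored in an Ansible Vault file), selinux_map_order, ipa_ccache, and
# the "ipaserver" inventory group.
- name: Change IPA config without exposing the admin password
  hosts: ipaserver
  become: true
  vars:
    ipa_ccache: "FILE:/root/.ansible_ipa.ccache"
  tasks:
    - name: Preferred, ansible-freeipa ipaconfig module handles authentication
      ipaconfig:
        ipaadmin_password: "{{ ipa_admin_password }}"
        selinuxusermaporder: "{{ selinux_map_order }}"

    - name: Fallback pattern for ipa commands that have no module
      block:
        - name: Obtain a TGT, password sent on stdin only
          command:
            argv: [kinit, "-c", "{{ ipa_ccache }}", admin]
            stdin: "{{ ipa_admin_password }}"
          no_log: true          # keep the rendered secret out of logs
          changed_when: false

        - name: Run the ipa CLI with the private credential cache
          command:
            # argv avoids a shell, so "$" in the map order is not expanded
            argv:
              - ipa
              - config-mod
              - "--ipaselinuxusermaporder={{ selinux_map_order }}"
          environment:
            KRB5CCNAME: "{{ ipa_ccache }}"
          register: ipa_result
          # ipa exits non-zero when the value is already set
          failed_when: >-
            ipa_result.rc != 0 and
            'no modifications' not in ipa_result.stderr
          changed_when: ipa_result.rc == 0
      always:
        - name: Destroy the ticket even if the command failed
          command:
            argv: [kdestroy, "-q", "-c", "{{ ipa_ccache }}"]
          changed_when: false
```

The `always` section ensures the credential cache does not outlive the play, and `no_log` matters on the `kinit` task because the task result would otherwise include the `stdin` value.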