freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA


OTP client enrollment fails with freeipa-container

adalsa91 opened this issue · comments

I am trying to enroll a client to a freeipa-container server using the ipaclient role and I got an error ("No module named 'ipalib'") in the task Install - Get One-Time Password for client enrollment. I suppose the problem is related to using freeipa-container, and that in regular installations ipalib is probably installed on the host along with the freeipa package. As exposing freeipa-container's ssh doesn't seem like the best approach, is there any other way to make it work? I read something about the ipa_context variable but I am not sure if it is used in the ipaclient role, as I haven't found any reference.

Inventory file:

[ipaserver]
freeipa-master.foo.com ansible_user=admin

[ipaserver:vars]
ipaadmin_password=supersecretpassword
ipadm_password=supersecretpassword
ipaserver_domain=foo.com
ipaserver_realm=foo.com

[ipareplicas]
freeipa-replica.foo.com ansible_user=admin

[ipareplicas:vars]
ipaadmin_password=supersecretpassword
ipadm_password=supersecretpassword
ipaserver_domain=foo.com
ipaserver_realm=FOO.COM

[ipaclients]
freeipa-client.foo.com ansible_user=admin

[ipaclients:vars]
ipaclient_use_otp=yes
ipaclient_no_dns_lookup=yes
ipaclient_configure_dns_resolver=yes
ipaclient_dns_servers=192.168.1.1 #freeipa master IP
ipaclient_cleanup_dns_resolver=yes
ipaclient_domain=foo.com
ipaadmin_password=supersecretpassword

The command I used:

ansible-playbook -vvv -i hosts ansible-freeipa/playbooks/install-client.yml

The error I got:

TASK [ipaclient : Install - Get One-Time Password for client enrollment]
fatal: [freeipa-client.foo.com -> freeipa-master.foo.com]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "hostname": "freeipa-client.foo.com",
            "ipaadmin_keytab": null,
            "ipaadmin_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "ipaadmin_principal": "admin"
        }
    },
    "msg": "No module named 'ipalib'"
}

Which OS version is running on the target node ? Which ansible-freeipa version are you using?
Did you check /var/log/ipaclient-install.log for errors?

The host is running Ubuntu 22.04.2 LTS, but as I'm using freeipa-container the real OS version where FreeIPA is running is Fedora release 37. I checked /var/log/ipaclient-install.log but found nothing interesting.

I think the problem here is that the task Install - Get One-Time Password for client enrollment is trying to obtain the OTP by executing ipaclient_get_otp.py on the FreeIPA server, which assumes that it's running on a host, but that is not the case with freeipa-container.

To work around this I tried installing ipalib and ipaserver, using pip, on the host server (Ubuntu), and the error changed to:

TASK [ipaclient : Install - Get One-Time Password for client enrollment] ****************
fatal: [freeipa-client.foo.com -> freeipa-master.foo.com]: FAILED! => {"changed": false, "msg": "cannot import name 'kinit_password' from 'ipapython.ipautil' (/usr/local/lib/python3.10/dist-packages/ipapython/ipautil.py)"}

Maybe I have not installed the correct modules?

@adalsa91 I need to know which is the target OS for the target node you are trying to deploy the client to.

I see "/usr/local/lib/python3.10/dist-packages/ipapython/ipautil.py" which is not a path we usually see when deploying IPA.

On RHEL we only support platform python, which would be something like /usr/lib/pythonX.Y on any RedHat-derived host. The /usr/local path prefix is not something we often see, and I wonder if you either have a broken package or a broken environment.

I don't think ipaclient_get_otp assumes it's running on a host. If it's on a container it should be isolated enough to work.

Are you trying to enroll the container host in the IPA server running on the container guest?

Sorry, I misunderstood you. I'm using ansible-freeipa v1.11.0, the target OS is Ubuntu 22.04.2 LTS too, and it's a different host than the one that is running the freeipa-server container. I enrolled identical hosts without using OTP without any problem.

I don't think ipaclient_get_otp assumes it's running on a host. If it's on a container it should be isolated enough to work.

Sure, I'm not saying that it makes any difference between executing ipaclient_get_otp on a host or on a container. The problem is that the freeipa-server container is not exposing its ssh service, because this is not a common practice in containers, and therefore when ansible tries to execute the ipaclient_get_otp task it's accessing the host machine, not the freeipa-server container guest, as both share the same FQDN. I know that one possible solution is to expose the container ssh service and point the ansible inventory to this port, but I wonder if there is any way to do these OTP tasks using something like ipa_context, as with other tasks. If I am not mistaken that was the purpose of this option:

#631
#602

ipaclient_get_otp is using the API from ipalib to be able to connect to the server. The use of ipaclient_get_otp without installed ipa packages is not possible.

Sorry, I forgot this issue. Yes, I assume ipa packages are needed on the target machine. I only wanted to use a host other than the freeipa server to perform this action, as you can do with ipaapi_context in other modules. But digging in the code of ipaclient_get_otp it seems that the context is hardcoded to server. Anyway, in the end I ended up using another method, so we can close this issue. Maybe in the future it can be implemented as an improvement. Thank you all for helping me!

@adalsa91 the internal modules in the roles are not to be used except within the roles, so ipaclient_* modules cannot be used like the other modules.

And for the other modules, the target host must be an IPA server or client host.
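The thread comes down to one check: the host that Ansible delegates the OTP task to must be a real IPA server with ipalib importable. The following preflight play is an added example, not part of ansible-freeipa or the reporter's setup; the play name and the otp_server variable are assumptions, and the delegation target is taken from the inventory groups shown above.

```yaml
# Added preflight play (not ansible-freeipa code): run it before install-client.yml
# so the "No module named 'ipalib'" and "cannot import name 'kinit_password'"
# failures seen in the thread surface with an explicit explanation.
- name: Preflight check for ipaclient OTP enrollment
  hosts: ipaclients
  gather_facts: false
  vars:
    # Assumption: the ipaclient role delegates the OTP task to the first host in
    # the [ipaserver] group, matching "[freeipa-client.foo.com -> freeipa-master.foo.com]".
    otp_server: "{{ groups['ipaserver'][0] }}"
  tasks:
    - name: Check that the delegated host can import what ipaclient_get_otp needs
      command: >-
        python3 -c "import ipalib; import ipapython.version;
        from ipapython.ipautil import kinit_password;
        print(ipapython.version.VERSION)"
      delegate_to: "{{ otp_server }}"
      register: ipalib_check
      changed_when: false
      failed_when: false

    - name: Explain the failure instead of letting the role fail opaquely
      ansible.builtin.assert:
        that:
          - ipalib_check.rc == 0
        fail_msg: >-
          {{ otp_server }} cannot run ipalib-based modules:
          {{ ipalib_check.stderr | default('') }}.
          With freeipa-container this usually means the inventory entry resolves to
          the container host, not the container in which ipa-server is running, so
          the role's OTP task never reaches an IPA server.
        success_msg: "{{ otp_server }} has ipalib {{ ipalib_check.stdout }} and can serve the OTP task"
```

A pip-installed ipalib under /usr/local would pass the first import but fail on kinit_password, which is exactly the second error in the thread, so the check covers both symptoms.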