bf64c0bb8f
Test if the krb5.keytab on the machine is valid and can be used.
options:
servers:
description: The FQDN of the IPA servers to connect to.
required: true
domain:
description: The primary DNS domain of an existing IPA deployment.
required: true
realm:
description: The Kerberos realm of an existing IPA deployment.
required: true
hostname:
description: The hostname of the machine to join (FQDN).
required: true
kdc:
description: The name or address of the host running the KDC.
required: true
principal:
description: The authorized kerberos principal used to join the IPA realm.
required: false
kinit_attempts:
description: Repeat the request for host Kerberos ticket X times.
required: false
default: 5
returns:
krb5_keytab_ok:
description: The flag describes if krb5.keytab on the host is usable.
returned: always
type: bool
ansible-freeipa
Description
This role allows to join hosts as clients to an IPA domain. This can be done in differnt ways using auto-discovery of the servers, domain and other settings or by specifying them.
Usage
Example inventory file with fixed principal and using auto-discovery with DNS records:
[ipaclients]
ipaclient1.example.com
ipaclient2.example.com
[ipaclients:vars]
ipaclient_principal=admin
Example playbook to setup the IPA client(s) using principal from inventory file and password from an Ansible Vault file:
- name: Playbook to configure IPA clients with username/password
hosts: ipaclients
become: true
vars_files:
- playbook_sensitive_data.yml
roles:
- role: ipaclient
state: present
Example playbook to unconfigure the IPA client(s) using principal and password from inventory file:
- name: Playbook to unconfigure IPA clients
hosts: ipaclients
become: true
roles:
- role: ipaclient
state: absent
Example inventory file with fixed servers, principal, password and domain:
[ipaclients]
ipaclient1.example.com
ipaclient2.example.com
[ipaservers]
ipaserver.example.com
[ipaclients:vars]
ipaclient_domain=example.com
ipaclient_principal=admin
ipaclient_password=MySecretPassword123
Example playbook to setup the IPA client(s) using principal and password from inventory file:
- name: Playbook to configure IPA clients with username/password
hosts: ipaclients
become: true
roles:
- role: ipaclient
state: present
Variables
ipaservers - Group of IPA server hostnames. (list of strings, optional)
ipaadmin_keytab - The path to the admin keytab used for alternative authentication. (string, optional)
ipaclient_domain - The primary DNS domain of an existing IPA deployment. (string, optional)
ipaclient_realm - The Kerberos realm of an existing IPA deployment. (string, optional)
ipaclient_principal - The authorized kerberos principal used to join the IPA realm. (string, optional)
ipaclient_password - The password for the kerberos principal. (string, optional)
ipaclient_keytab - The path to a backed-up host keytab from previous enrollment. (string, optional)
ipaclient_force_join - Set force_join to yes to join the host even if it is already enrolled. (bool, optional)
ipaclient_kinit_attempts - Repeat the request for host Kerberos ticket X times if it fails. (int, optional)
ipaclient_ntp - Set to no to not configure and enable NTP (bool, optional)
ipaclient_mkhomedir - Set to yes to configure PAM to create a users home directory if it does not exist. (string, optional)
Requirements
freeipa-client v4.6
Authors
Florence Blanc-Renaud
Thomas Woerner