Bug 1868020

Summary: [ansible-freeipa] allow_retrieve_keytab_host variable is not working in service module
Product: Red Hat Enterprise Linux 8
Reporter: Varun Mylaraiah <mvarun>
Component: ansible-freeipa
Assignee: Rafael Jeffman <rjeffman>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 8.3
CC: rjeffman, twoerner
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.0
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2020-11-04 02:46:57 UTC
Type: Bug

Description Varun Mylaraiah 2020-08-11 12:41:04 UTC
Description of problem:
allow_retrieve_keytab_host variable is not working in service module.

Version-Release number of selected component (if applicable):
ansible-freeipa-0.1.12-5.el8.noarch


Steps to Reproduce:
[root@master ~]# ipa service-show svcretrievekeytab/master.ipadomain.test
  Principal name: svcretrievekeytab/master.ipadomain.test
  Principal alias: svcretrievekeytab/master.ipadomain.test
  Keytab: False
  Managed by: master.ipadomain.test
  Users allowed to retrieve keytab: suser01
  Groups allowed to retrieve keytab: sgroup01
  Host Groups allowed to retrieve keytab: svchostgroup01


[root@master ~]# ipa host-show mysvchost1
  Host name: mysvchost1.ipadomain.test
  Description: Example host
  Principal name: host/mysvchost1.ipadomain.test
  Principal alias: host/mysvchost1.ipadomain.test
  Password: False
  Keytab: False
  Managed by: mysvchost1.ipadomain.test


[root@ansible ~]# cat service_module.yml
---
- name: Playbook to ensure the User, group, Host, HostGroup are present in service allow to retrieve of keytab.
  hosts: ipaserver

  tasks:
  - name: Get Domain from server name
    set_fact:
      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
  - name: Get Realm from server name
    set_fact:
      ipaserver_realm: "{{ ipaserver_domain | upper }}"
  - ipaservice:
      ipaadmin_password: <xxxxxxxxxxx>
      name: "{{'svcretrievekeytab/master.' + ipaserver_domain + '@' + ipaserver_realm }}"
      allow_retrieve_keytab_host: "{{ 'mysvchost1.' + ipaserver_domain }}"
      action: member


Actual results:
Allowed to retrieve keytab host is not added

TASK [ipaservice] ************************************************************************************************************
task path: /root/service_module.yml:12
ok: [master.ipadomain.test] => {"changed": false}
META: ran handlers
META: ran handlers

PLAY RECAP *******************************************************************************************************************
master.ipadomain.test      : ok=4    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 

[root@master ~]# ipa service-show svcretrievekeytab/master.ipadomain.test
  Principal name: svcretrievekeytab/master.ipadomain.test
  Principal alias: svcretrievekeytab/master.ipadomain.test
  Keytab: False
  Managed by: master.ipadomain.test
  Users allowed to retrieve keytab: suser01
  Groups allowed to retrieve keytab: sgroup01
  Host Groups allowed to retrieve keytab: svchostgroup01


Expected results:
Allowed to retrieve keytab host should be present in the service

Additional info:

Comment 1 Rafael Jeffman 2020-08-11 20:34:30 UTC
There is an upstream PR for this issue: https://github.com/freeipa/ansible-freeipa/pull/345

Comment 3 Thomas Woerner 2020-08-18 07:10:06 UTC
The upstream PR has been merged.

Comment 6 Varun Mylaraiah 2020-08-19 07:21:01 UTC
Verified

ansible-freeipa-0.1.12-6.el8.noarch

Passed	ansible_freeipa_tests/service_module.py::TestServiceKeytab::()::test_service_update_host_retrieve_keytab

------------------------------ Captured log call -------------------------------
transport.py               318 INFO     RUN ['/usr/bin/rpm', '-q', 'ansible-freeipa']
transport.py               563 DEBUG    ansible-freeipa-0.1.12-6.el8.noarch
transport.py               217 DEBUG    Exit code: 0
transport.py               318 INFO     RUN ['kinit', 'admin']
transport.py               563 DEBUG    Password for admin: 
transport.py               217 DEBUG    Exit code: 0
transport.py               318 INFO     RUN ['ipa', 'service-show', 'svcretrievekeytab/master.ipadomain.test', '--all']
transport.py               563 DEBUG      dn: krbprincipalname=svcretrievekeytab/master.ipadomain.test,cn=services,cn=accounts,dc=ipadomain,dc=test
transport.py               563 DEBUG      Principal name: svcretrievekeytab/master.ipadomain.test
transport.py               563 DEBUG      Principal alias: svcretrievekeytab/master.ipadomain.test
transport.py               563 DEBUG      Requires pre-authentication: True
transport.py               563 DEBUG      Trusted for delegation: False
transport.py               563 DEBUG      Trusted to authenticate as user: False
transport.py               563 DEBUG      Keytab: False
transport.py               563 DEBUG      Managed by: master.ipadomain.test
transport.py               563 DEBUG      Users allowed to retrieve keytab: suser01
transport.py               563 DEBUG      Groups allowed to retrieve keytab: sgroup01
transport.py               563 DEBUG      Host Groups allowed to retrieve keytab: svchostgroup01
transport.py               563 DEBUG      ipakrbprincipalalias: svcretrievekeytab/master.ipadomain.test
transport.py               563 DEBUG      ipauniqueid: b60bdf80-e17e-11ea-9005-fa163ee35f47
transport.py               563 DEBUG      krbpwdpolicyreference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=ipadomain,dc=test
transport.py               563 DEBUG      objectclass: krbprincipal, krbprincipalaux, krbticketpolicyaux, ipaobject, ipaservice, pkiuser, ipakrbprincipal, top, ipaallowedoperations
transport.py               217 DEBUG    Exit code: 0
transport.py               318 INFO     RUN ['kdestroy', '-A']
transport.py               217 DEBUG    Exit code: 0
transport.py               293 INFO     WRITE inventory/service.hosts
transport.py               329 INFO     PUT service_module.yml
transport.py               318 INFO     RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/service.hosts', 'service_module.yml']
transport.py               563 DEBUG    ansible-playbook 2.9.12
transport.py               563 DEBUG      config file = /root/ansible.cfg
transport.py               563 DEBUG      configured module search path = ['/root/ansible-freeipa/plugins/modules', '/usr/share/ansible/plugins/modules']
transport.py               563 DEBUG      ansible python module location = /usr/lib/python3.6/site-packages/ansible
transport.py               563 DEBUG      executable location = /usr/bin/ansible-playbook
transport.py               563 DEBUG      python version = 3.6.8 (default, Jun 26 2020, 12:10:09) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
transport.py               563 DEBUG    Using /root/ansible.cfg as config file
transport.py               563 DEBUG    
transport.py               563 DEBUG    PLAYBOOK: service_module.yml ***************************************************
transport.py               563 DEBUG    1 plays in service_module.yml
transport.py               563 DEBUG    
transport.py               563 DEBUG    PLAY [Playbook to ensure the Host is present in service allow to retrieve of keytab.] ***
transport.py               563 DEBUG    
transport.py               563 DEBUG    TASK [Gathering Facts] *********************************************************
transport.py               563 DEBUG    task path: /root/service_module.yml:3
transport.py               563 DEBUG    ok: [master.ipadomain.test]
transport.py               563 DEBUG    META: ran handlers
transport.py               563 DEBUG    
transport.py               563 DEBUG    TASK [Get Domain from server name] *********************************************
transport.py               563 DEBUG    task path: /root/service_module.yml:7
transport.py               563 DEBUG    ok: [master.ipadomain.test] => {"ansible_facts": {"ipaserver_domain": "ipadomain.test"}, "changed": false}
transport.py               563 DEBUG    
transport.py               563 DEBUG    TASK [Get Realm from server name] **********************************************
transport.py               563 DEBUG    task path: /root/service_module.yml:10
transport.py               563 DEBUG    ok: [master.ipadomain.test] => {"ansible_facts": {"ipaserver_realm": "IPADOMAIN.TEST"}, "changed": false}
transport.py               563 DEBUG    
transport.py               563 DEBUG    TASK [ipaservice] **************************************************************
transport.py               563 DEBUG    task path: /root/service_module.yml:13
transport.py               563 DEBUG    changed: [master.ipadomain.test] => {"changed": true}
transport.py               563 DEBUG    META: ran handlers
transport.py               563 DEBUG    META: ran handlers
transport.py               563 DEBUG    
transport.py               563 DEBUG    PLAY RECAP *********************************************************************
transport.py               563 DEBUG    master.ipadomain.test      : ok=4    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
transport.py               563 DEBUG    
transport.py               217 DEBUG    Exit code: 0
transport.py               318 INFO     RUN ['kinit', 'admin']
transport.py               563 DEBUG    Password for admin: 
transport.py               217 DEBUG    Exit code: 0
transport.py               318 INFO     RUN ['ipa', 'service-show', 'svcretrievekeytab/master.ipadomain.test', '--all']
transport.py               563 DEBUG      dn: krbprincipalname=svcretrievekeytab/master.ipadomain.test,cn=services,cn=accounts,dc=ipadomain,dc=test
transport.py               563 DEBUG      Principal name: svcretrievekeytab/master.ipadomain.test
transport.py               563 DEBUG      Principal alias: svcretrievekeytab/master.ipadomain.test
transport.py               563 DEBUG      Requires pre-authentication: True
transport.py               563 DEBUG      Trusted for delegation: False
transport.py               563 DEBUG      Trusted to authenticate as user: False
transport.py               563 DEBUG      Keytab: False
transport.py               563 DEBUG      Managed by: master.ipadomain.test
transport.py               563 DEBUG      Users allowed to retrieve keytab: suser01
transport.py               563 DEBUG      Groups allowed to retrieve keytab: sgroup01
transport.py               563 DEBUG      Hosts allowed to retrieve keytab: mysvchost1.ipadomain.test
transport.py               563 DEBUG      Host Groups allowed to retrieve keytab: svchostgroup01
transport.py               563 DEBUG      ipakrbprincipalalias: svcretrievekeytab/master.ipadomain.test
transport.py               563 DEBUG      ipauniqueid: b60bdf80-e17e-11ea-9005-fa163ee35f47
transport.py               563 DEBUG      krbpwdpolicyreference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=ipadomain,dc=test
transport.py               563 DEBUG      objectclass: krbprincipal, krbprincipalaux, krbticketpolicyaux, ipaobject, ipaservice, pkiuser, ipakrbprincipal, top, ipaallowedoperations
transport.py               217 DEBUG    Exit code: 0
transport.py               318 INFO     RUN ['kdestroy', '-A']
transport.py               217 DEBUG    Exit code: 0
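
The check that the reproduction and the verification above perform by hand (reading `ipa service-show` and looking for the host in the "allowed to retrieve keytab" lists), as an added example that is not code from the bug report or from ansible-freeipa. The functions `keytab_acl` and `missing_keytab_acl`, the `ACL_LABELS` mapping and the sample output are constructed here; the sample reuses the service-show text quoted in the report.

```python
"""Check an IPA service's keytab-retrieval ACL from `ipa service-show` output.

Added example, not code from the bug report or ansible-freeipa: it reports which
expected members are missing from the "allowed to retrieve keytab" lists, so a
playbook run that reports ok/changed=0 without actually adding the host (the
behaviour in this bug) is caught by a post-run check instead of being trusted.
"""
from __future__ import annotations

# Labels printed by `ipa service-show`, mapped to the ipaservice module option
# that manages the same list.
ACL_LABELS = {
    "Users allowed to retrieve keytab": "allow_retrieve_keytab_user",
    "Groups allowed to retrieve keytab": "allow_retrieve_keytab_group",
    "Hosts allowed to retrieve keytab": "allow_retrieve_keytab_host",
    "Host Groups allowed to retrieve keytab": "allow_retrieve_keytab_hostgroup",
}


def keytab_acl(text: str) -> dict[str, set[str]]:
    """Return {module_option: {members}} for the ACL lines in service-show output.

    Other 'Label: value' lines (dn, objectclass, ...) are ignored; only the ACL
    lines are split on commas, and members are lower-cased so host names compare
    case-insensitively.
    """
    acl: dict[str, set[str]] = {opt: set() for opt in ACL_LABELS.values()}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        if sep and label.strip() in ACL_LABELS:
            members = {m.strip().lower() for m in value.split(",") if m.strip()}
            acl[ACL_LABELS[label.strip()]] |= members
    return acl


def missing_keytab_acl(text: str, expected: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {module_option: [missing members]}; an empty dict means the ACL matches."""
    acl = keytab_acl(text)
    missing: dict[str, list[str]] = {}
    for opt, members in expected.items():
        gap = [m for m in members if m.lower() not in acl.get(opt, set())]
        if gap:
            missing[opt] = gap
    return missing


# Constructed sample: the service-show output quoted in the report, before the fix.
BEFORE_FIX = """\
  Principal name: svcretrievekeytab/master.ipadomain.test
  Users allowed to retrieve keytab: suser01
  Groups allowed to retrieve keytab: sgroup01
  Host Groups allowed to retrieve keytab: svchostgroup01
"""

# What the playbook in the report was supposed to ensure (constructed).
EXPECTED = {"allow_retrieve_keytab_user": ["suser01"],
            "allow_retrieve_keytab_host": ["mysvchost1.ipadomain.test"]}
```

Running `missing_keytab_acl(BEFORE_FIX, EXPECTED)` on the pre-fix output flags the host as missing even though the playbook reported `changed=0`; once the "Hosts allowed to retrieve keytab" line is present the result is empty.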

Comment 9 errata-xmlrpc 2020-11-04 02:46:57 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (ansible-freeipa bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4663