1828176 – [ansible-freeipa] Kerberos credentials(ipaadmin_password) is not recognizing in the vault module

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1828176 - [ansible-freeipa] Kerberos credentials(ipaadmin_password) is not recognizing in the vault module

Summary: [ansible-freeipa] Kerberos credentials(ipaadmin_password) is not recognizing ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ansible-freeipa
Sub Component:
Version:	8.3
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Rafael Jeffman
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-04-27 08:39 UTC by Varun Mylaraiah
Modified:	2020-11-04 02:47 UTC (History)
CC List:	2 users (show)
Fixed In Version:	ansible-freeipa-0.1.11-1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-04 02:46:35 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2020:4663	0	None	None	None	2020-11-04 02:46:46 UTC

Description Varun Mylaraiah 2020-04-27 08:39:09 UTC

Description of problem:
Ipaadmin_password variable is not recognized in the ansible-freeipa vault module.


Version-Release number of selected component (if applicable):
ansible-freeipa-0.1.9-1

Steps to Reproduce:
On server: run “kdestroy -A”
On controller: run playbook.

[root@ansible ~]# cat stdvault9.yaml
---
- name: Test vault
  hosts: ipaserver

  tasks:
  - name: Ensure vault is present
    ipavault:
      Ipaadmin_password: <xxxx>
      name: stdvault9
      vault_type: standard
      username: vault_user9

[root@ansible ~]# ansible-playbook -vv -i inventory/server.hosts stdvault9.yaml 
ansible-playbook 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.7/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.7.6 (default, Jan 30 2020, 09:44:41) [GCC 9.2.1 20190827 (Red Hat 9.2.1-1)]
Using /etc/ansible/ansible.cfg as config file

PLAYBOOK: stdvault9.yaml ********************************************************************************************************************************************************************************************
1 plays in stdvault9.yaml

PLAY [Test vault] ***************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************
task path: /root/stdvault9.yaml:2
[DEPRECATION WARNING]: Distribution fedora 31 on host master.ipadomain.test should use /usr/bin/python3, but is using /usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible 
release will default to using the discovered platform python for this host. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. This feature will be 
removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
ok: [master.ipadomain.test]
META: ran handlers

TASK [Ensure vault is present] **************************************************************************************************************************************************************************************
task path: /root/stdvault9.yaml:6
fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "did not receive Kerberos credentials"}

PLAY RECAP **********************************************************************************************************************************************************************************************************
master.ipadomain.test      : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0 

Actual results:
fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "did not receive Kerberos credentials"}

Expected results:
 Ipaadmin_password variable should work

Comment 1 Rafael Jeffman 2020-05-04 19:40:14 UTC

Proposed upstream PR: https://github.com/freeipa/ansible-freeipa/pull/256

Comment 2 Rafael Jeffman 2020-05-13 13:44:14 UTC

PR merged upstream.

Comment 6 Varun Mylaraiah 2020-08-04 06:55:31 UTC

Verified

ansible-freeipa-0.1.12-5.el8.noarch

Automation test result:

ansible-freeipa-tests/ansible_freeipa_tests/vault_module.py::TestMiscellaneousVaultTests::()::test_vault_verifying_kerberos_credentials
------------------------------ Captured log call -------------------------------
channel.py                1212 DEBUG    [chan 95] Max packet in: 32768 bytes
channel.py                1212 DEBUG    [chan 95] Max packet out: 32768 bytes
transport.py              1819 DEBUG    Secsh channel 95 opened.
transport.py               318 INFO     RUN ['kinit', 'admin']
transport.py               519 DEBUG    RUN ['kinit', 'admin']
channel.py                1212 DEBUG    [chan 95] Sesch channel 95 request ok
transport.py               563 DEBUG    -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py               563 DEBUG    -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py               563 DEBUG    Password for admin: 
channel.py                1212 DEBUG    [chan 95] EOF received (95)
channel.py                1212 DEBUG    [chan 95] EOF sent (95)
transport.py               217 DEBUG    Exit code: 0
channel.py                1212 DEBUG    [chan 96] Max packet in: 32768 bytes
channel.py                1212 DEBUG    [chan 96] Max packet out: 32768 bytes
transport.py              1819 DEBUG    Secsh channel 96 opened.
transport.py               318 INFO     RUN ['ipa', 'vault-find']
transport.py               519 DEBUG    RUN ['ipa', 'vault-find']
channel.py                1212 DEBUG    [chan 96] Sesch channel 96 request ok
transport.py               563 DEBUG    -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py               563 DEBUG    -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py               563 DEBUG    ----------------
transport.py               563 DEBUG    2 vaults matched
transport.py               563 DEBUG    ----------------
transport.py               563 DEBUG      Vault name: 17stdvault
transport.py               563 DEBUG      Type: standard
transport.py               563 DEBUG      Vault user: admin
transport.py               563 DEBUG    
transport.py               563 DEBUG      Vault name: 21stdvault
transport.py               563 DEBUG      Type: standard
transport.py               563 DEBUG      Vault user: admin
transport.py               563 DEBUG    ----------------------------
transport.py               563 DEBUG    Number of entries returned 2
transport.py               563 DEBUG    ----------------------------
channel.py                1212 DEBUG    [chan 96] EOF received (96)
channel.py                1212 DEBUG    [chan 96] EOF sent (96)
transport.py               217 DEBUG    Exit code: 0
channel.py                1212 DEBUG    [chan 97] Max packet in: 32768 bytes
channel.py                1212 DEBUG    [chan 97] Max packet out: 32768 bytes
transport.py              1819 DEBUG    Secsh channel 97 opened.
transport.py               318 INFO     RUN ['kdestroy', '-A']
transport.py               519 DEBUG    RUN ['kdestroy', '-A']
channel.py                1212 DEBUG    [chan 97] Sesch channel 97 request ok
transport.py               563 DEBUG    -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py               563 DEBUG    -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
channel.py                1212 DEBUG    [chan 97] EOF received (97)
channel.py                1212 DEBUG    [chan 97] EOF sent (97)
transport.py               217 DEBUG    Exit code: 0
transport.py               293 INFO     WRITE inventory/vault.hosts
sftp.py                    158 DEBUG    [chan 0] open(b'inventory/vault.hosts', 'wb')
sftp.py                    158 DEBUG    [chan 0] open(b'inventory/vault.hosts', 'wb') -> 00000000
sftp.py                    158 DEBUG    [chan 0] close(00000000)
transport.py               329 INFO     PUT vault_module.yml
sftp.py                    158 DEBUG    [chan 0] open(b'vault_module.yml', 'wb')
sftp.py                    158 DEBUG    [chan 0] open(b'vault_module.yml', 'wb') -> 00000000
sftp.py                    158 DEBUG    [chan 0] close(00000000)
sftp.py                    158 DEBUG    [chan 0] stat(b'vault_module.yml')
channel.py                1212 DEBUG    [chan 98] Max packet in: 32768 bytes
channel.py                1212 DEBUG    [chan 98] Max packet out: 32768 bytes
transport.py              1819 DEBUG    Secsh channel 98 opened.
transport.py               318 INFO     RUN ['kdestroy', '-A']
transport.py               519 DEBUG    RUN ['kdestroy', '-A']
channel.py                1212 DEBUG    [chan 98] Sesch channel 98 request ok
transport.py               563 DEBUG    -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py               563 DEBUG    -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
channel.py                1212 DEBUG    [chan 98] EOF received (98)
channel.py                1212 DEBUG    [chan 98] EOF sent (98)
transport.py               217 DEBUG    Exit code: 0
channel.py                1212 DEBUG    [chan 20] Max packet in: 32768 bytes
channel.py                1212 DEBUG    [chan 20] Max packet out: 32768 bytes
transport.py              1819 DEBUG    Secsh channel 20 opened.
transport.py               318 INFO     RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/vault.hosts', 'vault_module.yml']
transport.py               519 DEBUG    RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/vault.hosts', 'vault_module.yml']
channel.py                1212 DEBUG    [chan 20] Sesch channel 20 request ok
transport.py               563 DEBUG    -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py               563 DEBUG    -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py               563 DEBUG    ansible-playbook 2.9.11
transport.py               563 DEBUG      config file = /root/ansible.cfg
transport.py               563 DEBUG      configured module search path = ['/root/ansible-freeipa/plugins/modules', '/usr/share/ansible/plugins/modules']
transport.py               563 DEBUG      ansible python module location = /usr/lib/python3.6/site-packages/ansible
transport.py               563 DEBUG      executable location = /usr/bin/ansible-playbook
transport.py               563 DEBUG      python version = 3.6.8 (default, Jun 26 2020, 12:10:09) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
transport.py               563 DEBUG    Using /root/ansible.cfg as config file
transport.py               563 DEBUG    
transport.py               563 DEBUG    PLAYBOOK: vault_module.yml *****************************************************
transport.py               563 DEBUG    1 plays in vault_module.yml
transport.py               563 DEBUG    
transport.py               563 DEBUG    PLAY [Playbook  to Verify Kerberos credentials(ipaadmin_password) is recognizing correctly.] ***
transport.py               563 DEBUG    
transport.py               563 DEBUG    TASK [Gathering Facts] *********************************************************
transport.py               563 DEBUG    task path: /root/vault_module.yml:2
transport.py               563 DEBUG    ok: [master.ipadomain.test]
transport.py               563 DEBUG    META: ran handlers
transport.py               563 DEBUG    
transport.py               563 DEBUG    TASK [ipavault] ****************************************************************
transport.py               563 DEBUG    task path: /root/vault_module.yml:6
transport.py               563 DEBUG    changed: [master.ipadomain.test] => {"changed": true}
transport.py               563 DEBUG    META: ran handlers
transport.py               563 DEBUG    META: ran handlers
transport.py               563 DEBUG    
transport.py               563 DEBUG    PLAY RECAP *********************************************************************
transport.py               563 DEBUG    master.ipadomain.test      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
transport.py               563 DEBUG    
channel.py                1212 DEBUG    [chan 20] EOF received (20)
channel.py                1212 DEBUG    [chan 20] EOF sent (20)
transport.py               217 DEBUG    Exit code: 0
channel.py                1212 DEBUG    [chan 99] Max packet in: 32768 bytes
channel.py                1212 DEBUG    [chan 99] Max packet out: 32768 bytes
transport.py              1819 DEBUG    Secsh channel 99 opened.
transport.py               318 INFO     RUN ['kinit', 'admin']
transport.py               519 DEBUG    RUN ['kinit', 'admin']
channel.py                1212 DEBUG    [chan 99] Sesch channel 99 request ok
transport.py               563 DEBUG    -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py               563 DEBUG    -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py               563 DEBUG    Password for admin: 
channel.py                1212 DEBUG    [chan 99] EOF received (99)
channel.py                1212 DEBUG    [chan 99] EOF sent (99)
transport.py               217 DEBUG    Exit code: 0
channel.py                1212 DEBUG    [chan 100] Max packet in: 32768 bytes
channel.py                1212 DEBUG    [chan 100] Max packet out: 32768 bytes
transport.py              1819 DEBUG    Secsh channel 100 opened.
transport.py               318 INFO     RUN ['ipa', 'vault-find', '95vault']
transport.py               519 DEBUG    RUN ['ipa', 'vault-find', '95vault']
channel.py                1212 DEBUG    [chan 100] Sesch channel 100 request ok
transport.py               563 DEBUG    -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py               563 DEBUG    -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py               563 DEBUG    ---------------
transport.py               563 DEBUG    1 vault matched
transport.py               563 DEBUG    ---------------
transport.py               563 DEBUG      Vault name: 95vault
transport.py               563 DEBUG      Description: default_vault
transport.py               563 DEBUG      Type: symmetric
transport.py               563 DEBUG      Vault user: admin
transport.py               563 DEBUG    ----------------------------
transport.py               563 DEBUG    Number of entries returned 1
transport.py               563 DEBUG    ----------------------------
channel.py                1212 DEBUG    [chan 100] EOF received (100)
channel.py                1212 DEBUG    [chan 100] EOF sent (100)
transport.py               217 DEBUG    Exit code: 0
channel.py                1212 DEBUG    [chan 101] Max packet in: 32768 bytes
channel.py                1212 DEBUG    [chan 101] Max packet out: 32768 bytes
transport.py              1819 DEBUG    Secsh channel 101 opened.
transport.py               318 INFO     RUN ['kdestroy', '-A']
transport.py               519 DEBUG    RUN ['kdestroy', '-A']
channel.py                1212 DEBUG    [chan 101] Sesch channel 101 request ok
transport.py               563 DEBUG    -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py               563 DEBUG    -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
channel.py                1212 DEBUG    [chan 101] EOF received (101)
channel.py                1212 DEBUG    [chan 101] EOF sent (101)
transport.py               217 DEBUG    Exit code: 0

Comment 9 errata-xmlrpc 2020-11-04 02:46:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ansible-freeipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4663

Note You need to log in before you can comment on or make changes to this bug.