[Freeipa-users] Re: Ansible vs. ipa-server-install vs. RHEL8

Problem ------- A machine has just been installed with a minimal RHEL8.1 distro. Note that in /etc/login.defs there is the line UMASK 0077 Installing the server from a shell works fine: $ umask 0022 $ ipa-server-install <options> ... OK However, installing the server through Ansible (2.9.6) from another host does *not* work. Snippet from the Ansible script: ... - name: Install ipa-server shell: | /usr/bin/umask 022 && /usr/bin/ipa-server-install <options> ... => The installer complains about the umask being 0077 and that it should be 0022. Removing the UMASK line from login.defs fixes the immediate problem. There is really no Ansible configuration Questions --------- 1) Is there a good way to fix this without opening up system umask? 2) If I comment out the UMASK line from login.defs for the installation and reactivate it afterwards, will that cause problems later? (I think this is about access rights to the certificates of the builtin dogtag.)