Hello,
I have a few services that I want to configure for kerberos authentication.
I use ansible for this.

So, I register the host in IPA, get the OTP, install the ipa-client, create the service and then I need to go to the CLI to download the keytab.

I have this in my playbooks:

=====================
- name: Download the Keytab
  block:
    - name: Login to IPA Master
      command: echo '{{ ipa_password }}' | kinit admin
      no_log: true

    - name: Download the keytab
      command: >
        ipa-getkeytab -s {{ ipa_master }} -p HTTP/{{ inventory_hostname }} -k /etc/httpd/http_{{ inventory_hostname }}.keytab
=====================

This is failing with the error:


==============================

fatal: [server.example.com]: FAILED! => changed=true
  cmd:
  - ipa-getkeytab
  - -s
  - ipamaster.example.com
  - -p
  - HTTP/server.example.com
  - -k
  - /etc/httpd/http_server.example.com.keytab
  delta: '0:00:00.005696'
  end: '2020-05-11 12:43:59.935641'
  msg: non-zero return code
  rc: 6
  start: '2020-05-11 12:43:59.929945'
  stderr: Kerberos User Principal not found. Do you have a valid Credential Cache?
  stderr_lines: <omitted>
  stdout: ''
  stdout_lines: <omitted>

==============================

However, if I login to the server, issue a ticket (kinit admin), logout and then re-run the playbook succeeds!!!

Any idea how to fix this? Obviously I cannot login to each host and then run the playbooks, this is not automation.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org