Hi Peter,

Looks like the whole environment is cleaned up when using the `command` module, including Kerberos tickets.

For example, this does not work.
```
---
- name: Test KRB5
  hosts: ipaserver
  become: yes
  gather_facts: no

  tasks:
  - name: Login to IPA Master
    command: echo "SomeADMINpassword" | kinit admin

  - name: Run an IPA command
    command: ipa dnsrecord-find ipatest.local
    register: result

  - debug:
      msg: "{{ result.stdout_lines }}"
```

If instead you use the `shell` module for `kinit`, things work as if executed manually. Not the best solution, but I'm couldn't find anything else.

This does work.
```
---
- name: Test KRB5
  hosts: ipaserver
  become: yes
  gather_facts: no

  tasks:
  - name: Login to IPA Master
    shell: echo "SomeADMINpassword" | kinit admin

  - name: Run an IPA command
    command: ipa dnsrecord-find ipatest.local
    register: result

  - debug:
      msg: "{{ result.stdout_lines }}"
```

Remember that until you run `kdestroy`, credentials will remain valid (as configured to).

Regards,

Rafael

On Mon, May 11, 2020 at 8:01 AM Peter Tselios via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,
I have a few services that I want to configure for kerberos authentication.
I use ansible for this.

So, I register the host in IPA, get the OTP, install the ipa-client, create the service and then I need to go to the CLI to download the keytab.

I have this in my playbooks:

=====================
- name: Download the Keytab
  block:
    - name: Login to IPA Master
      command: echo '{{ ipa_password }}' | kinit admin
      no_log: true

    - name: Download the keytab
      command: >
        ipa-getkeytab -s {{ ipa_master }} -p HTTP/{{ inventory_hostname }} -k /etc/httpd/http_{{ inventory_hostname }}.keytab
=====================

This is failing with the error:


==============================

fatal: [server.example.com]: FAILED! => changed=true
  cmd:
  - ipa-getkeytab
  - -s
  - ipamaster.example.com
  - -p
  - HTTP/server.example.com
  - -k
  - /etc/httpd/http_server.example.com.keytab
  delta: '0:00:00.005696'
  end: '2020-05-11 12:43:59.935641'
  msg: non-zero return code
  rc: 6
  start: '2020-05-11 12:43:59.929945'
  stderr: Kerberos User Principal not found. Do you have a valid Credential Cache?
  stderr_lines: <omitted>
  stdout: ''
  stdout_lines: <omitted>

==============================

However, if I login to the server, issue a ticket (kinit admin), logout and then re-run the playbook succeeds!!!

Any idea how to fix this? Obviously I cannot login to each host and then run the playbooks, this is not automation.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


--
Rafael Guterres Jeffman
Senior Software Engineer 
FreeIPA - Red Hat