On 30.11.21 12:52, Alexander Bokovoy via FreeIPA-users wrote:
> On ti, 30 marras 2021, Ronald Wimmer via FreeIPA-users wrote:
>> On 30.11.21 11:27, Ronald Wimmer via FreeIPA-users wrote:
>>> What I dislike is that the output of a very simple curl command told
>>> me that there was a problem with insufficient access:
>>>
>>> curl --negotiate https://ipa07.linux.mydomain.at/ipa/session/json
>>> <html>
>>> <head>
>>> <title>401 Unauthorized</title>
>>> </head>
>>> <body>
>>> <h1>Invalid Authentication</h1>
>>> <p>
>>> <strong>Insufficient access: Invalid credentials</strong>
>>> </p>
>>> </body>
>>> </html>
>>>
>>> whereas the ipalib error was not that specific
>>>
>>> myuser@someserver:ansible_tower $ ./ipaInventory.py --list
>>> Traceback (most recent call last):
>>> File "./ipaInventory.py", line 121, in <module>
>>> api = initialize()
>>> File "./ipaInventory.py", line 44, in initialize
>>> api.finalize()
>>> File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line
>>> 740, in finalize
>>> self.__do_if_not_done('load_plugins')
>>> File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line
>>> 431, in __do_if_not_done
>>> getattr(self, name)()
>>> File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line
>>> 619, in load_plugins
>>> for package in self.packages:
>>> File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line
>>> 954, in packages
>>> ipaclient.remote_plugins.get_package(self),
>>> File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py",
>>> line 134, in get_package
>>> plugins = schema.get_package(server_info, client)
>>> File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
>>> line 553, in get_package
>>> schema = Schema(client)
>>> File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
>>> line 401, in __init__
>>> fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
>>> File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
>>> line 413, in _fetch
>>> client.connect(verbose=False)
>>> File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line
>>> 69, in connect
>>> conn = self.create_connection(*args, **kw)
>>> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1115,
>>> in create_connection
>>> error=', '.join(urls))
>>> ipalib.errors.NetworkError: cannot connect to 'any of the configured
>>> servers': https://ipa07.linux.mydomain.at/ipa/session/json, ...
>>
>> When using ipalib do I always have to use Kerberos or is it possible
>> to specify a username/password combination as well?
> Yes, you always have to present a valid Kerberos ticket right now.
>
> If you have a keytab, you can obtain a ticket automatically if you'd
> set KRB5_CLIENT_KTNAME:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html
>
You mean I need a keytab for the user running the script? So this should
work, right:
ipa-getkeytab -s ipa07.mydomain.oebb.at -p someipauser@LINUX.OEBB.AT -P -k ./someipauser.keytab
export KRB5_CLIENT_KTNAME=/some/path/to/someipauser.keytab
kdestroy
ipa host-find
Maybe you do also know how to specify the user Ansible Tower runs an
inventory script with. (I do have experience with Ansible but it is my
first day with Tower so I am lacking a little bit of in-depth knowledge ;-)
Cheers,
Ronald
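One way to run such an inventory script non-interactively from a keytab, as an added example that is not code from the thread or from FreeIPA (it uses the public ipalib API; the KEYTAB path and the private credential cache directory are assumed placeholders). It first refuses a keytab that is readable by anyone but its owner, since the keytab is a long-term credential equivalent to the user's password:

```python
#!/usr/bin/env python3
"""Added example (not from the thread): run an ipalib query with a keytab.
Assumes python3-ipaclient is installed; KEYTAB is a placeholder path."""
import os
import stat
import tempfile

KEYTAB = "/some/path/to/someipauser.keytab"  # placeholder, as in the thread


def check_keytab(path):
    """A keytab is a long-term credential equivalent to the password:
    refuse to use one that is group- or world-accessible."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("%s is not a regular file" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s must be mode 0600, found %04o"
                              % (path, stat.S_IMODE(st.st_mode)))
    return True


def kerberos_env(keytab, ccache_dir=None):
    """Environment under which GSSAPI obtains a TGT from the keytab on
    demand (KRB5_CLIENT_KTNAME replaces an interactive kinit). A private
    KRB5CCNAME keeps the ticket out of the calling user's default cache."""
    check_keytab(keytab)
    env = {"KRB5_CLIENT_KTNAME": keytab}
    if ccache_dir is not None:
        env["KRB5CCNAME"] = "FILE:" + os.path.join(ccache_dir, "krb5cc_inv")
    return env


def list_hosts(keytab=KEYTAB):
    """Return the FQDNs of all IPA hosts. If no ticket can be obtained,
    ipalib raises NetworkError, the same error seen in the traceback above."""
    os.environ.update(kerberos_env(keytab, tempfile.mkdtemp()))
    from ipalib import api  # imported late so the checks above run first
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    result = api.Command.host_find(sizelimit=0)["result"]
    return [entry["fqdn"][0] for entry in result]


if __name__ == "__main__":
    for fqdn in list_hosts():
        print(fqdn)
```

If the server answers 401 (as in the curl output above), ipalib still reports it as NetworkError; run `klist` under the same environment to confirm a ticket was actually acquired from the keytab.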