For our servers, I test in Puppet for the existence of files under /var/lib/ipa (for IPA servers) or /var/lib/ipa-client/ (for everything else).

Specifically, /var/lib/ipa{-client}/sysrestore/sysrestore.index should exist if IPA setup has been run, and should not exist if IPA uninstall has been run.

Try it on one of your hosts to confirm.

Dagan McGregor
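As an added example (not code from the thread or from FreeIPA itself), the check above turned into an idempotent shell guard. It assumes the marker file Dagan names, /var/lib/ipa{-client}/sysrestore/sysrestore.index, and takes an optional root prefix (a hypothetical convenience so the logic can be exercised against a throwaway directory) plus an IPA_CLIENT_INSTALL override so the real ipa-client-install is not invoked during a dry run; --unattended and --uninstall are real ipa-client-install options, IPA_INSTALL_OPTS is an assumed variable for the enrollment arguments a caller would supply.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# ipa_configured [root]
#   Returns 0 if IPA (server or client) has been set up on the host,
#   1 otherwise, by testing for the sysrestore index that
#   ipa-server-install / ipa-client-install create and --uninstall removes.
#   ROOT is a hypothetical prefix so the check can run against a scratch dir.
ipa_configured() {
    root="${1:-}"
    for dir in /var/lib/ipa-client /var/lib/ipa; do
        if [ -f "$root$dir/sysrestore/sysrestore.index" ]; then
            return 0
        fi
    done
    return 1
}

# ipa_ensure present|absent [root]
#   Only calls ipa-client-install when the host is not already in the
#   requested state, so neither the "already configured" nor the
#   "not configured" failure in the original message can occur, and no
#   ignore_errors is needed. IPA_CLIENT_INSTALL can point at a stub (e.g. true)
#   for testing; IPA_INSTALL_OPTS carries the caller's enrollment arguments.
ipa_ensure() {
    state="$1"
    root="${2:-}"
    cmd="${IPA_CLIENT_INSTALL:-ipa-client-install}"
    case "$state" in
        present)
            if ipa_configured "$root"; then
                echo "already configured"
                return 0
            fi
            $cmd --unattended ${IPA_INSTALL_OPTS:-}
            ;;
        absent)
            if ! ipa_configured "$root"; then
                echo "not configured"
                return 0
            fi
            $cmd --uninstall --unattended
            ;;
        *)
            echo "usage: ipa_ensure present|absent [root]" >&2
            return 2
            ;;
    esac
}

# Demo against a constructed scratch root, in a subshell so the stub for
# ipa-client-install does not leak into the caller's environment.
(
    IPA_CLIENT_INSTALL=true
    demo_root=$(mktemp -d)
    ipa_ensure absent "$demo_root"      # not configured
    mkdir -p "$demo_root/var/lib/ipa-client/sysrestore"
    : > "$demo_root/var/lib/ipa-client/sysrestore/sysrestore.index"
    ipa_ensure present "$demo_root"     # already configured
    rm -rf "$demo_root"
)
```

Used from Ansible, `ipa_configured` is the natural `stat`/`command` pre-check whose result gates the install and uninstall tasks, which keeps both tasks idempotent without suppressing real errors from ipa-client-install.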

On April 23, 2018 6:19:53 AM UTC, Lachlan Musicman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Not 100% sure where to send this. Am trying to write an Ansible playbook to install SSSD and enroll the host in a domain.

The problem starts when the host exists in the domain and ipa-client is already installed.

We can use Ansible's delegate module to remove the host from domain enrollment (it would be more ideal to test if it's enrolled, then unenroll if the test returns true). And we can use ipa-client-install --uninstall if ipa-client is already configured. But neither of these commands provides easy answers quickly.

ipa host-find {{ host }} | grep matched | cut -d " " -f 1

will turn ipa host-find into something usable. A switch that just returned the number matched would be ideal, but it's workable currently.

More interestingly, once a host is unenrolled from the domain (i.e., ipa host-del <host> runs successfully on the IPA server), it doesn't, and probably shouldn't, uninstall ipa-client on the host itself.

But there doesn't seem to be any way to check ipa-client --install/--uninstall for its opposite.

I.e., if ipa-client is installed, and is run again, one is urged to uninstall first:

IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

if ipa-client is not installed, and you run

ipa-client --uninstall

The message returned is:

IPA client is not configured on this system.
The ipa-client-install command failed. See /var/log/ipaclient-uninstall.log for more information

Have I missed a true/false return value cli arg for ipa-client-install?

ipa-client-install --exists
ipa-client-install --configured

or something like that?

Am I making hard work of something that is relatively straightforward and solved elsewhere but I've missed?

Ansible has "ignore_errors: True" available, but I feel that is a weak get-out-of-jail-free card. Given that this is authentication and authorization, errors shouldn't be ignored (opinion).


"The antidote to apocalypticism is apocalyptic civics. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. "

Greg Bloom @greggish https://twitter.com/greggish/status/873177525903609857