On 24 April 2018 at 15:43, Lachlan Musicman <datakid(a)gmail.com> wrote:
On 23 April 2018 at 17:00, Alexander Bokovoy
<abokovoy(a)redhat.com> wrote:
> On Mon, 23 Apr 2018, Lachlan Musicman via FreeIPA-users wrote:
>>>
>>>> Am I making hard work of something that is relatively straightforward
>>>> and solved elsewhere but I've missed?
>>>>
>>>> Ansible has "ignore_errors: True" available, but I feel that is a weak
>>>> get out of jail free card. Given that this is authentication and
>>>> authorization, errors shouldn't be ignored (opinion).
>>>>
>>> Not really answering your question but did you actually look at
>>> https://github.com/freeipa/ansible-freeipa instead of creating new
>>> ones?
>>
>>
>
> Initial impression: it's a very smooth process using the Ansible scripts.
> Unfortunately I can reproducibly not log in when using it. If I run
> ipa-client-install manually I can log in.
>
> I will have to work through the install-client playbook line by line -
> there's a lot in the playbook I don't recognise as part of the process.
> Also, I'm on CentOS which isn't officially supported.
>
> But it does install ipa-client very easily.
>
I should clarify. The client seems to install successfully. From the
client I can `id user@domain` and get the results I'm looking for. But
actual login fails. I tried debug_level = 7 and debug_level = 9 but there
were no errors thrown or obvious failures?

For those that come looking after me, I found the problem. For reasons that
I lack the skills to dive into properly, the ansible playbook for
install-client sets two vars in /etc/krb5.conf to false which are set to
true when I run ipa-client-install manually.

By over-riding these two vars to true in the playbook

    dns_lookup_realm: true
    dns_lookup_kdc: true

I could get it to work as expected.

Cheers
L.
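
Added example (not part of the original thread, and not ansible-freeipa or FreeIPA code): a check for the two /etc/krb5.conf settings named above, reporting when DNS discovery is switched off and no static [realms] kdc or [domain_realm] entry takes its place. The sample file, realm name and function names are constructed for illustration.

```python
import re

# Constructed sample (not the poster's file): DNS lookups off, no static KDC.
SAMPLE = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  EXAMPLE.TEST = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
[domain_realm]
  .example.test = EXAMPLE.TEST
"""

FALSE_VALUES = ("n", "no", "false", "nil", "0", "off")  # krb5 boolean "false" spellings

def parse_krb5_conf(text):
    """Parse into {section: {key: [values]}}; 'name = {' blocks nest one level."""
    conf, target, section = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # krb5.conf comments start the line
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = target = conf.setdefault(m.group(1), {})
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            target = section.setdefault(m.group(1), {})
        elif line == "}":
            target = section
        elif (m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line)) and target is not None:
            target.setdefault(m.group(1), []).append(m.group(2))
    return conf

def check_dns_lookup(text):
    """Flag settings where DNS discovery is off and no static entry replaces it."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [""])[-1]
    off = lambda key: lib.get(key, [""])[-1].lower() in FALSE_VALUES
    findings = []
    if off("dns_lookup_kdc") and not conf.get("realms", {}).get(realm, {}).get("kdc"):
        findings.append(f"dns_lookup_kdc is false and [realms] has no kdc for {realm}")
    mapped = any(realm in vals for vals in conf.get("domain_realm", {}).values())
    if off("dns_lookup_realm") and not mapped:
        findings.append(f"dns_lookup_realm is false and [domain_realm] never maps to {realm}")
    return findings
```

Running check_dns_lookup() on the contents of /etc/krb5.conf after a manual ipa-client-install and again after the playbook run shows whether the two installs differ in these settings.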