On 24 April 2018 at 15:43, Lachlan Musicman <datakid@gmail.com> wrote:
On 23 April 2018 at 17:00, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Mon, 23 Apr 2018, Lachlan Musicman via FreeIPA-users wrote:
Am I making hard work of something that is relatively straightforward and
solved elsewhere but I've missed?

Ansible has "ignore_errors: True" available, but I feel that is a weak get
out of jail free card. Given that this is authentication and authorization,
errors shouldn't be ignored (opinion).
Not really answering your question but did you actually look at
https://github.com/freeipa/ansible-freeipa instead of creating new ones?

Initial impression: it's a very smooth process using the Ansible scripts. Unfortunately I can reproducibly not log in when using it. If I run ipa-client-install manually I can log in.

I will have to work through the install-client playbook line by line - there's a lot in the playbook I don't recognise as part of the process. Also, I'm on CentOS which isn't officially supported.

But it does install ipa-client very easily.

I should clarify. The client seems to install successfully. From the client I can `id user@domain` and get the results I'm looking for. But actual login fails. I tried debug_level = 7 and debug_level = 9 but there were no errors thrown or obvious failures?

For those that come looking after me, I found the problem. For reasons that I lack the skills to dive into properly, the Ansible playbook for install-client sets two vars in /etc/krb5.conf to false which are set to true when I run ipa-client-install manually.

By overriding these two vars to true in the playbook

dns_lookup_realm: true
dns_lookup_kdc: true

I could get it to work as expected.
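
An added example, not part of the thread or of ansible-freeipa: one way to compare the two `[libdefaults]` settings named above between a manually enrolled client and a playbook-enrolled one, and to flag a krb5.conf that disables DNS KDC lookup without listing a static `kdc`. The sample files, the realm `EXAMPLE.TEST` and the host `ipa.example.test` are constructed placeholders, and the function names are hypothetical.

```python
import re
FALSE_WORDS = {"false", "no", "off", "0", "n", "nil"}  # krb5.conf spellings of "false"
# Constructed samples trimmed to the relevant keys; not the poster's real files.
MANUAL = """[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
"""
PLAYBOOK = """[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test:88
 }
"""

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: [values] or nested dict}}."""
    conf, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;" or line.split()[0] in ("include", "includedir"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def libdefault(text, key, default=None):  # last value of a [libdefaults] key
    return parse_krb5(text).get("libdefaults", {}).get(key, [default])[-1]

def libdefaults_diff(a, b, keys=("dns_lookup_realm", "dns_lookup_kdc")):
    """Return {key: (value_in_a, value_in_b)} for the keys whose values differ."""
    pairs = {k: (libdefault(a, k), libdefault(b, k)) for k in keys}
    return {k: v for k, v in pairs.items() if v[0] != v[1]}

def kdc_unresolvable(text):
    """True when DNS KDC lookup is off and the default realm lists no static kdc."""
    dns_off = libdefault(text, "dns_lookup_kdc", "true").lower() in FALSE_WORDS  # unset: assumed default true
    realm = libdefault(text, "default_realm", "")
    return dns_off and not parse_krb5(text).get("realms", {}).get(realm, {}).get("kdc")
```

Feeding it the contents of /etc/krb5.conf from each client (for example via `open(path).read()`) shows which of the two keys differ before any login attempt.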