Install and configure FREEIPA client via ansible role

I am using an ansible role ipaclient to configure Rocky Linux clients. I did something like this: Installing an Identity Management client using an Ansible playbook. The role works, but I cannot get the role to set krb5_store_password_if_offline = False and krb5_store_password_if_offline = False.

I add the variable ipasssd_no_krb5_offline_passwords=false in the host inventory file but no luck. It is still set to true every time, regardless of whether I set it to true or false. I could add a post task at the end to change that, but if it's possible to configure it as a variable, that is preferred.

Any idea why it's not setting it as expected?

Hi dsexton,
Can you post your inventory file? Be sure to redact any confidential info.

Here is a good help document: ansible-freeipa/roles/ipaclient/ at master · freeipa/ansible-freeipa · GitHub
Looks like these variables need to be set in the [ipaclients:vars] section. Like below:


Please provide any further info/details that may be helpful such as ansible playbook output…etc.

I removed some of the sensitive values.

- name: Playbook to configure IPA clients with username/password
  hosts: ipaclients
  become: true
  become_method: sudo
  #- playbook_sensitive_data.yml

  # The role entry has to sit under a roles: key for the play to parse.
  roles:
  - role: ipaclient
    state: present

[ipaclients] ansible_host=


As always, krb5_store_password_if_offline = True and cache_credentials = True; both are True. I would like them set to false. I could do a task at the end to set both to false, but it looks like the role should allow me to set them to either true or false.

cat /etc/sssd/sssd.conf 

id_provider = ipa
ipa_server = _srv_,
ipa_domain = foo.lan
ipa_hostname =
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = ens18
krb5_store_password_if_offline = True
services = nss, pam, ssh

domains = foo.lan
homedir_substring = /home








ipasssd_no_krb5_offline_passwords=false seems like a double negative, which actually equates to storing the krb5 password when offline. So maybe setting ipasssd_no_krb5_offline_passwords=true will result in the functionality you are looking for.


Thanks, that did the trick. krb5_store_password_if_offline no longer shows up in the sssd.conf file.

Now I just need to figure out what variable sets cache_credentials = true. I would like that to be false.


Could you close this post out as Solved, and feel free to open a new post for cache_creds?
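
A check for the outcome reported in this thread, as an added example that is not part of the original posts or of the ansible-freeipa project: it parses sssd.conf text and lists the domain sections that still enable offline credential storage. The sample text and its `[domain/foo.lan]` and `[sssd]` section headers are constructed; an absent option is treated as false, which is the SSSD default.

```python
import configparser

# Options discussed in the thread; both default to false when absent from sssd.conf.
OFFLINE_OPTIONS = ("cache_credentials", "krb5_store_password_if_offline")

# Constructed sample modelled on the sssd.conf posted above (section headers assumed).
BEFORE = """\
[domain/foo.lan]
id_provider = ipa
ipa_domain = foo.lan
cache_credentials = True
krb5_store_password_if_offline = True

[sssd]
services = nss, pam, ssh
domains = foo.lan
"""

# Constructed "after" state: the role re-run with ipasssd_no_krb5_offline_passwords=true,
# which the thread reports drops krb5_store_password_if_offline from the file.
AFTER = BEFORE.replace("krb5_store_password_if_offline = True\n", "")


def offline_credential_findings(conf_text):
    """Return sorted (section, option) pairs where a domain enables offline credential storage."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # only [domain/...] sections carry these options
        for option in OFFLINE_OPTIONS:
            # Absent option: fall back to the SSSD default (false).
            if parser.getboolean(section, option, fallback=False):
                findings.append((section, option))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Audit a real file when a path is given, otherwise the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"before": BEFORE, "after": AFTER}
    for name, text in samples.items():
        for section, option in offline_credential_findings(text):
            print(f"{name}: [{section}] {option} is enabled")
```

Run with a path such as /etc/sssd/sssd.conf (root is needed to read it) to audit a host after the playbook finishes; no output means neither option is enabled.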