Install and configure FREEIPA client via ansible role

I am using an ansible role ipaclient to configure Rockey linux clients. I did something like this nstalling an Identity Management client using an Ansible playbook The role works but I can not get the role to set krb5_store_password_if_offline = False and krb5_store_password_if_offline = False.

I add veritable ipasssd_no_krb5_offline_passwords=false in the host inventory file but no luck. Still set to true every time regardless if I set to true or false. I could add a post task at the end to change that but if it;s possible to configure as a variable that is preferred

Any idea why it’s not setting it as expected.

Hi dsexton,
Can you post your inventory file? Be sure to redact any confidential info.

Here is a good help document: ansible-freeipa/roles/ipaclient/README.md at master · freeipa/ansible-freeipa · GitHub
Looks like these variables need to be set in the [ipaclients:vars] section. Like below:

[ipaclients:vars]
ipaclient_domain=example.com
ipaadmin_principal=admin
ipaadmin_password=MySecretPassword123

Please provide any further info/details that may be helpful such as ansible playbook output…etc.

I removed some of the sensitiveness values.

install-client.yaml
- name: Playbook to configure IPA clients with username/password
  hosts: ipaclients
  become: true
  become_method: sudo
  #vars_files:
  #- playbook_sensitive_data.yml

  roles:
  - role: ipaclient
    state: present

inventory
[ipaclients]
client1.foo.lan ansible_host=

[ipaclients:vars]
ipaclient_domain=foo.lan
ipaclient_configure_dns_resolver=true
ipaadmin_principal=fooadmin
ipaadmin_password=foopassword
ipaclient_mkhomedir=true
ipasssd_enable_dns_updates=true
ipasssd_no_krb5_offline_passwords=false
#ipaclient_automount_location=
ipaclient_install_packages=true
ipaclient_dns_servers=iphere
ipaclient_force_join=yes
ipaclient_no_sudo=true

As always krb5_store_password_if_offline = True and cache_credentials = True both are True I wold like them set as false. I could do task at the end to set both to false but It looks like the role should allow me to set them to either true or false.

cat /etc/sssd/sssd.conf 
[domain/foo.lan]

id_provider = ipa
ipa_server = _srv_, idm2.foo.lan
ipa_domain = foo.lan
ipa_hostname = client1.foo.lna
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = ens18
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh

domains = foo.lan
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[session_recording]
type or paste code here

ipasssd_no_krb5_offline_passwords=false seems like a double negative which actually equates to storing the krb5 password when offline. So, maybe set ipasssd_no_krb5_offline_passwords=true will result in the functionality you are looking for.

Thanks that did the trick for krb5_store_password_if_offline no longer shows up in the sssd.conf file.

Now I just need to figure out what variable sets cache_credentials = true I would like that to be false.

Awesome!
Could you close this post out as Solved and feel free to open a new Post for cache_creds ?

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.