Install and configure FREEIPA client via ansible role

I am using an ansible role ipaclient to configure Rocky Linux clients. I did something like this: Installing an Identity Management client using an Ansible playbook. The role works but I cannot get the role to set krb5_store_password_if_offline = False and krb5_store_password_if_offline = False.

I added the variable ipasssd_no_krb5_offline_passwords=false in the host inventory file but no luck. It is still set to true every time, regardless of whether I set it to true or false. I could add a post task at the end to change that, but if it's possible to configure it as a variable, that is preferred.

Any idea why it's not setting it as expected?

Hi dsexton,
Can you post your inventory file? Be sure to redact any confidential info.

Here is a good help document: ansible-freeipa/roles/ipaclient/README.md at master · freeipa/ansible-freeipa · GitHub
Looks like these variables need to be set in the [ipaclients:vars] section. Like below:

[ipaclients:vars]
ipaclient_domain=example.com
ipaadmin_principal=admin
ipaadmin_password=MySecretPassword123

Please provide any further info/details that may be helpful such as ansible playbook output…etc.

I removed some of the sensitive values.

install-client.yaml
- name: Playbook to configure IPA clients with username/password
  hosts: ipaclients
  become: true
  become_method: sudo
  #vars_files:
  #- playbook_sensitive_data.yml

  roles:
  - role: ipaclient
    state: present

inventory
[ipaclients]
client1.foo.lan ansible_host=

[ipaclients:vars]
ipaclient_domain=foo.lan
ipaclient_configure_dns_resolver=true
ipaadmin_principal=fooadmin
ipaadmin_password=foopassword
ipaclient_mkhomedir=true
ipasssd_enable_dns_updates=true
ipasssd_no_krb5_offline_passwords=false
#ipaclient_automount_location=
ipaclient_install_packages=true
ipaclient_dns_servers=iphere
ipaclient_force_join=yes
ipaclient_no_sudo=true

As always, krb5_store_password_if_offline = True and cache_credentials = True are both True; I would like them set to false. I could add a task at the end to set both to false, but it looks like the role should allow me to set them to either true or false.

cat /etc/sssd/sssd.conf 
[domain/foo.lan]

id_provider = ipa
ipa_server = _srv_, idm2.foo.lan
ipa_domain = foo.lan
ipa_hostname = client1.foo.lna
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = ens18
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh

domains = foo.lan
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[session_recording]

ipasssd_no_krb5_offline_passwords=false seems like a double negative which actually equates to storing the krb5 password when offline. So maybe setting ipasssd_no_krb5_offline_passwords=true will result in the functionality you are looking for.


Thanks, that did the trick: krb5_store_password_if_offline no longer shows up in the sssd.conf file.

Now I just need to figure out what variable sets cache_credentials = true. I would like that to be false.


Awesome!
Could you close this post out as Solved and feel free to open a new post for cache_creds?
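A way to confirm what the role actually wrote, as an added example that is not part of the thread or of ansible-freeipa: this Python check parses an sssd.conf and reports, per domain, which of the two offline-credential options discussed above are enabled. The function name and the embedded sample file are constructed for illustration; a missing option is treated as false, which is the SSSD default for both.

```python
import configparser

# Constructed sample modelled on the sssd.conf posted in the thread.
SAMPLE_SSSD_CONF = """\
[domain/foo.lan]
id_provider = ipa
ipa_domain = foo.lan
cache_credentials = True
krb5_store_password_if_offline = True

[sssd]
services = nss, pam, ssh
domains = foo.lan

[pam]
"""

# Options that keep credential material on the client for offline logins.
# Both default to false in SSSD when the line is absent.
OFFLINE_CREDENTIAL_OPTIONS = ("cache_credentials", "krb5_store_password_if_offline")


def audit_sssd_conf(text):
    """Return {domain: [enabled options]} for every [domain/...] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [pam], [nss] etc. do not carry these options
        enabled = []
        for option in OFFLINE_CREDENTIAL_OPTIONS:
            try:
                # fallback=False mirrors the SSSD default for a missing option
                if parser.getboolean(section, option, fallback=False):
                    enabled.append(option)
            except ValueError:
                # Value is neither true nor false: surface it for review
                enabled.append(option + " (unparseable value)")
        findings[section.split("/", 1)[1]] = enabled
    return findings


if __name__ == "__main__":
    for domain, enabled in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(domain, "->", ", ".join(enabled) or "no offline credential storage")
```

To audit a real client, pass the contents of /etc/sssd/sssd.conf to `audit_sssd_conf`; the file is normally readable only by root.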