Ansible Role freeipa_client
This role installs and configures a host as a FreeIPA client.
Mandatory Requirements
Install the ansible-freeipa Ansible Collection on the Ansible control node. This can be done by calling
ansible-galaxy collection install freeipa.ansible_freeipa.
Optional Role Variables
freeipa_client__create_home_dir
Defines whether PAM is configured to create a user's home directory if it does not exist.
Type: Bool.
Default:
true
freeipa_client__ipa_admin_user
The IPA admin user / Kerberos admin principal.
Type: Dictionary.
Default:
freeipa_client__ipa_admin_user:
  username: 'admin'
  password: '{{ freeipa_server__ipa_admin_password }}'
Subkeys:
username: Optional. The admin username.
Type: String.
Default:
'admin'
password: Optional. The admin password.
Type: String.
Default:
'{{ freeipa_server__ipa_admin_password }}'
Example:
# optional
freeipa_client__create_home_dir: true
freeipa_client__ipa_admin_user:
  username: 'admin'
  password: 'linuxfabrik'
Troubleshooting
Q: msg: Unable to discover domain, not provided on command line
A: Check your DNS server configuration: the IN SOA and IN NS records, as well as a correct _ldap._tcp IN SRV 10 10 389 freeipa-server.example.com. record in your forward zone.
Q: Joining realm failed: JSON-RPC call failed: Couldn't connect to server
A: Check the firewall settings; a port such as LDAP or HTTPS may be blocked.
Q: msg: krb5.keytab missing! Retry with ipaclient_force_join=yes to generate a new one
A: Re-join an unprovisioned host: ansible-playbook ... --extra-vars='ipaclient_force_join=true'
Q: IPA client already installed with a conflicting domain
A: Follow "Manually Unconfiguring Client Machines".
Q: Kerberos authentication failed: kinit: Cannot read password while getting initial credentials
A: Check that your admin credentials have not expired by logging into the FreeIPA Web GUI.
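For the "Unable to discover domain" item above, a forward zone can be checked offline for the records the answer names. This is an added example, not part of the role or the original page; the sample zone, the function names and the trailing-dot check on the SRV target are assumptions made for illustration, and the parser only handles one record per line with an explicit owner name.

```python
import re

# Constructed sample forward zone for example.com (not from a real deployment).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 300 )
@ IN NS ns1.example.com.
ns1 IN A 192.0.2.53
freeipa-server IN A 192.0.2.10
_ldap._tcp IN SRV 10 10 389 freeipa-server.example.com.
"""

def parse_records(zone_text):
    """Return (owner, type, rdata_fields) for 'owner [ttl] IN type rdata' lines."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line or line.startswith("$"):  # skip $ORIGIN / $TTL directives
            continue
        m = re.match(r"(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.*)", line, re.I)
        if m:
            records.append((m.group(1).lower(), m.group(2).upper(), m.group(3).split()))
    return records

def check_zone(zone_text):
    """List the problems that would keep an IPA client from discovering the domain."""
    records = parse_records(zone_text)
    types = {rtype for _, rtype, _ in records}
    problems = [f"missing {t} record" for t in ("SOA", "NS") if t not in types]
    srv = [r for o, t, r in records if t == "SRV" and o.startswith("_ldap._tcp")]
    if not srv:
        problems.append("missing _ldap._tcp SRV record")
    for rdata in srv:  # expected fields: priority weight port target
        if len(rdata) != 4 or not all(f.isdigit() for f in rdata[:3]):
            problems.append("malformed SRV rdata: " + " ".join(rdata))
            continue
        if rdata[2] != "389":
            problems.append(f"SRV port is {rdata[2]}, expected 389")
        if not rdata[3].endswith("."):  # relative name gets the origin appended
            problems.append(f"SRV target {rdata[3]} lacks trailing dot")
    return problems

if __name__ == "__main__":
    for p in check_zone(SAMPLE_ZONE) or ["zone has SOA, NS and _ldap._tcp SRV"]:
        print(p)
```

An SRV target without the trailing dot is expanded relative to the zone origin, so clients are pointed at freeipa-server.example.com.example.com and discovery fails even though the record exists.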