  • ansible_freeipa_module: Add support for GSSAPI · 09ab29b4
    Thomas Woerner authored
    The GSSAPI can be enabled in the management modules with either the
    KRB5CCNAME or the KRB5_CLIENT_KTNAME environment variable.
    
    For KRB5CCNAME it is needed to create a ccache file
    
      kinit admin@TEST.LOCAL -c /root/admin.ccache
    
    that is transferred to the nodes (here into /root) and activated in the
    playbook with
    
      environment:
        KRB5CCNAME: /root/admin.ccache
    
    For KRB5_CLIENT_KTNAME an admin keytab has to be generated
    
      ipa-getkeytab -s ipaserver.test.local -p admin@TEST.LOCAL -k \
      /root/admin.keytab
    
    that is transferred to the nodes (here into /root) and activated in the
    playbook with
    
      environment:
        KRB5_CLIENT_KTNAME: /root/admin.keytab
    
    It will be needed to set ipaadmin_principal if the admin principal is not
    admin.
    
    The management modules can be used without a password in this case.
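
The ccache procedure from the commit message, put together as one playbook. This is an added example, not part of the commit or the project's own files: the `ipaserver` host group, the controller-side `admin.ccache` path, the sample user and the use of the ansible-freeipa `ipauser` module are assumptions. The credential file is copied with mode 0600 and removed again in an `always` section, since anyone who can read it on the node can act as the admin principal.

```yaml
---
# Added example: file locations, host group and sample user are constructed.
- name: Manage IPA users with GSSAPI instead of ipaadmin_password
  hosts: ipaserver
  become: true

  # Ccache variant from the commit message. For the keytab variant, transfer
  # /root/admin.keytab instead and set KRB5_CLIENT_KTNAME to that path.
  environment:
    KRB5CCNAME: /root/admin.ccache

  tasks:
    - name: Use the admin ccache and always clean it up afterwards
      block:
        - name: Transfer the ccache created with kinit on the controller
          ansible.builtin.copy:
            src: admin.ccache        # assumed to sit next to this playbook
            dest: /root/admin.ccache
            owner: root
            group: root
            mode: "0600"             # readable by root only

        - name: Ensure the user is present (no ipaadmin_password given)
          ipauser:
            # ipaadmin_principal has to be set here if the principal
            # behind the ccache is not admin.
            name: jdoe               # constructed sample user
            first: John
            last: Doe

      always:
        - name: Remove the admin ccache from the node
          ansible.builtin.file:
            path: /root/admin.ccache
            state: absent
```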