freeipa.ansible_freeipa.ipaclient_test_keytab (1.11.1) — module

Test if the krb5.keytab on the machine is valid and can be used.

Authors: Thomas Woerner (@t-woerner)

preview | supported by community

Install collection

Install with:

  ansible-galaxy collection install freeipa.ansible_freeipa:==1.11.1


Add to requirements.yml

  collections:
    - name: freeipa.ansible_freeipa
      version: 1.11.1

Description

Test if the krb5.keytab on the machine is valid and can be used. A temporary krb5.conf file is generated for the test, so the check does not fail because of an invalid krb5.conf on the host.

Usage examples

# Test IPA with local keytab
- name: Test IPA in force mode with maximum 5 kinit attempts
  freeipa.ansible_freeipa.ipaclient_test_keytab:
    servers: ["server1.example.com","server2.example.com"]
    domain: example.com
    realm: EXAMPLE.COM
    kdc: server1.example.com
    hostname: client1.example.com
    kinit_attempts: 5
# Test IPA with ipadiscovery return values
- name: Join IPA
  freeipa.ansible_freeipa.ipaclient_test_keytab:
    servers: "{{ ipadiscovery.servers }}"
    domain: "{{ ipadiscovery.domain }}"
    realm: "{{ ipadiscovery.realm }}"
    kdc: "{{ ipadiscovery.kdc }}"
    hostname: "{{ ipadiscovery.hostname }}"

Inputs

    
kdc:
    description: The name or address of the host running the KDC
    required: true
    type: str

realm:
    description: Kerberos realm name of the IPA deployment
    required: true
    type: str

domain:
    description: Primary DNS domain of the IPA deployment
    required: true
    type: str

servers:
    description: Fully qualified name of IPA servers to enroll to
    elements: str
    required: true
    type: list

hostname:
    description: Fully qualified name of this host
    required: true
    type: str

kinit_attempts:
    default: 5
    description: Repeat the request for host Kerberos ticket X times
    type: int

Outputs

ca_crt_exists:
  description: The flag describes if ca.crt exists.
  returned: always
  type: str
krb5_conf_ok:
  description: The flag describes if krb5.conf on the host is usable.
  returned: always
  type: bool
krb5_keytab_ok:
  description: The flag describes if krb5.keytab on the host is usable.
  returned: always
  type: bool
ping_test_ok:
  description: The flag describes if ipa ping test succeeded.
  returned: always
  type: bool
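
Added example (not part of the collection's documentation): a play that registers the module result and gates later tasks on the output flags documented above. The host group `ipaclients`, the `ipa_*` variables, the task names and the choice to stop the play on a bad keytab are assumptions, and it assumes the module reports problems through these flags rather than by failing the task.

```yaml
---
# Added example: gate follow-up tasks on the flags ipaclient_test_keytab returns.
# Host group, ipa_* variable names and task names are assumptions.
- name: Verify the host keytab before running Kerberos-dependent tasks
  hosts: ipaclients              # assumed inventory group
  become: true                   # the host keytab is normally readable by root only
  gather_facts: true             # provides ansible_facts.fqdn

  vars:                          # constructed sample values
    ipa_servers: ["server1.example.com", "server2.example.com"]
    ipa_domain: example.com
    ipa_realm: EXAMPLE.COM

  tasks:
    - name: Test the host keytab
      freeipa.ansible_freeipa.ipaclient_test_keytab:
        servers: "{{ ipa_servers }}"
        domain: "{{ ipa_domain }}"
        realm: "{{ ipa_realm }}"
        kdc: "{{ ipa_servers | first }}"
        hostname: "{{ ansible_facts.fqdn }}"
        kinit_attempts: 3
      register: keytab_test

    - name: Report a krb5.conf that is not usable
      ansible.builtin.debug:
        msg: "krb5.conf on {{ inventory_hostname }} is not usable"
      when: not keytab_test.krb5_conf_ok

    - name: Stop if the keytab cannot be used
      ansible.builtin.assert:
        that:
          - keytab_test.krb5_keytab_ok
        fail_msg: >-
          krb5.keytab on {{ inventory_hostname }} is not usable;
          investigate before running Kerberos-dependent tasks.
        success_msg: "krb5.keytab is usable"

    - name: Check IPA reachability and CA certificate presence
      ansible.builtin.assert:
        that:
          - keytab_test.ping_test_ok
          - keytab_test.ca_crt_exists | bool   # documented as str, so cast
        fail_msg: "Keytab is usable, but ipa ping failed or ca.crt is missing"
```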