There are some variables that need to be filled in ipa-rewrite.conf, but it was
not in the template directory, so that didn't happen.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
To deploy the ipa01 again we need to remove it from the server first. This will need
to be reverted after deployment.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
I forgot to use the '--' for the flags and used
`hostvars[item]['ansible_hostname']` instead of just item.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
The previous change split the argument in two, which caused an error in the number of
parameters for the command. Let's see if this fixes it.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
On RHEL9 ipa-replica-install fails if there is already a client installed with
"Your system is partly configured." To prevent this we need to uninstall the
existing installation before trying to do the replica.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
The deploy replica step wasn't executed because it's checking if
`/etc/ipa/default.conf` exists. Remove that and use only the return code from
ipactl to check if the replication is done.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
The ipactl status returns a non-zero code when the IPA server is not set up yet. We need
to ignore the error code when checking that.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
As /etc/ipa/default.conf is already created by the ipa/client role, we need to
find another way to check if replication is needed. Calling `ipactl status`
should be more reliable.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
This reverts commit df1445a64b.
Turns out we do have to enable sshd on client enroll because it passes
'ssh' to services in sssd.conf, which we need to get ssh keys for users.
:( Instead will try another approach.
In RHEL9, ipa-enroll-client by default adds a
/etc/ssh/sshd_config.d/04-ipa.conf file with some sshd configuration.
Almost all of these things are things we already set in our sshd_config,
but one of them causes sshd to enable password (and 2nd factor required)
auth. We don't want this, we only want to allow ssh keys.
So, pass --no-sshd to enrollment and that should prevent it from
messing with our sshd config.
I have also removed this file and reloaded sshd all around.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We have a postgres user in ipa to prevent people from making an account
with that name, but we need/want to use a local version of this on
database servers, not the ipa one. We need the local one because the ipa
one is locked and this prevents database backups from working.
(Locked accounts can't run cron jobs).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Right now, since minutes aren't specified, it runs it every minute of
03. ;(
Also provide the full path to the script.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The 'stat' can't work because "{{ service }}/{{ host }}" isn't a real
path name.
Revert "check if ipa service entry exists"
This reverts commit 98475f6ae4.