Hello,
Jacob M Cutright via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> writes:

> It would be nice if ansible.cfg had keytab support

I'm not sure what you mean/want here.  I'm using an LDAP inventory from
FreeIPA in ansible. Authentication on the clients uses authorized_keys
here (no kerberos). Until recently I did a manual "kinit -t
/etc/ansible/ansible.keytab -k ansible/echidna.example.org" before
running ansible. I've now seen two other possibilities to have a TGT when
running ansible.

Recently I looked into gssproxy. Once it is correctly set up, run
ansible with environment "GSS_USE_PROXY=yes". This is my gssproxy.conf
snippet:

root# cat /etc/gssproxy/50-ansible.conf
[service/ansible]
  mechs = krb5
  cred_store = client_keytab:/etc/ansible/ansible.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_usage = initiate
  # program = /usr/bin/python3.9
  euid = ansible

The other possibility was to set KRB5_CLIENT_KTNAME:
export KRB5_CLIENT_KTNAME=/etc/ansible/ansible.keytab
This doesn't require gssproxy, but has the keytab accessible to user
ansible.

Both options work for me - take your pick :-)

Jochen

-- 
This space is intentionally left blank.
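
Added example, not part of the original message: a permission audit for the keytab under the two setups described above (gssproxy holding the keytab versus KRB5_CLIENT_KTNAME read directly by user ansible). The function name keytab_check and its proxy/direct mode names are made up for this example, and it assumes GNU stat from coreutils.

```shell
#!/bin/sh
# Added example: audit keytab access for the two setups in the message above.
#   proxy  - gssproxy reads the keytab (cred_store = client_keytab:...);
#            the service user must have no access to the file at all.
#   direct - KRB5_CLIENT_KTNAME points at the keytab; the service user
#            must own it and nobody else may have access.
# Assumes GNU stat (coreutils). keytab_check is a hypothetical helper name.
# Returns 0 = ok, 1 = policy violation, 2 = missing file or bad usage.
keytab_check() {
    kc_mode=$1; kc_file=$2; kc_user=$3
    [ -f "$kc_file" ] || { echo "missing keytab: $kc_file" >&2; return 2; }
    kc_owner=$(stat -c '%U' "$kc_file") || return 2
    kc_perms=$(stat -c '%a' "$kc_file") || return 2
    kc_bits=$((0$kc_perms))            # leading 0: parse the mode as octal
    # Any group or other permission bit exposes the long-term key.
    if [ $((kc_bits & 077)) -ne 0 ]; then
        echo "$kc_file: mode $kc_perms grants group/other access" >&2
        return 1
    fi
    case $kc_mode in
        proxy)
            # If the service user owns the file, gssproxy separates nothing.
            if [ "$kc_owner" = "$kc_user" ]; then
                echo "$kc_file: owned by $kc_user, readable without gssproxy" >&2
                return 1
            fi ;;
        direct)
            # The library runs as the service user, so it must own the file.
            if [ "$kc_owner" != "$kc_user" ]; then
                echo "$kc_file: owned by $kc_owner, expected $kc_user" >&2
                return 1
            fi ;;
        *)
            echo "usage: keytab_check proxy|direct KEYTAB USER" >&2
            return 2 ;;
    esac
    return 0
}
```

Typical calls would be "keytab_check proxy /etc/ansible/ansible.keytab ansible" for the gssproxy setup and "keytab_check direct /etc/ansible/ansible.keytab ansible" for the KRB5_CLIENT_KTNAME setup.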