Not sure the best place for help with this but I am really hoping someone has some insight on how to use this formula.
I've inherited our FreeIPA setup and know very little of Kerberos and such. For the last couple of years we used a fork of the salt-formula-freeipa modules (that I inadvertently overwrote...don't ask). To install FreeIPA on a client, we previously used Salt version 2018.3.x (and earlier), running this command from the minion:
salt-call state.sls freeipa pillar='{ ... }'
Where the pillar data passed in was:
{
  "freeipa": {
    "client": {
      "enabled": true,
      "principal": "hadder",
      "otp": "mypwd",
      "dns": {
        "updates": false
      }
    }
  }
}
The version we had does not work with Python 3, and consequently not with the latest Salt version, 3001, so I'm trying to update to the latest salt-formula-freeipa with Salt v3001 on Ubuntu 20.04, but it seems to need more pillar data. I have gotten the following pillar data to successfully render with the states after generating a principal.keytab file for my personal admin user and installing it into the Salt state file system under 'salt://freeipa/files/principal.keytab':
{
  "freeipa": {
    "client": {
      "enabled": true,
      "principal": "hadder",
      "otp": "mypwd",
      "install_principal": {
        "source": "salt://freeipa/files/principal.keytab",
        "mode": 0600,
        "principal_user": "hadder",
        "file_user": "root",
        "file_group": "root"
      },
      "dns": {
        "updates": false
      }
    }
  },
  "openssh": {
    "server": {
      "enabled": true,
      "permit_root_login": true,
      "public_key_auth": true,
      "password_auth": true,
      "host_auth": true,
      "banner": "Welcome to FreeIPA!",
      "bind": {
        "address": "0.0.0.0",
        "port": 22
      }
    }
  }
}
but when salt attempts to start the SSSD service, I get an error and the logs show:
sssd[be[65882]: Failed to read keytab [FILE:/etc/krb5.keytab]: No suitable principal found in keytab
I don't know what I need to get past this. The keytab.sls state has a section to create keytab files and identities but I have no idea what it's trying to do or what is required:
{%- for keytab_file, keytab in client.get("keytab", {}).items() %}
freeipa_keytab_{{ keytab_file }}:
  file.managed:
    - name: {{ keytab_file }}
    - mode: {{ keytab.get("mode", 0600) }}
    - user: {{ keytab.get("user", "root") }}
    - group: {{ keytab.get("group", "root") }}
{%- for identity in keytab.get("identities", []) %}
freeipa_keytab_{{ keytab_file }}_{{ identity.service }}_{{ identity.get('host', ipa_host) }}:
  cmd.run:
    - name: "kinit -kt /etc/krb5.keytab host/{{ ipa_host }} && ipa-getkeytab -k {{ keytab_file }} -s {{ client.server }} -p {{ identity.service }}/{{ identity.get('host', ipa_host) }}; E=$?; kdestroy; exit $E"
    - unless: "kinit -kt {{ keytab_file }} {{ identity.service }}/{{ identity.get('host', ipa_host) }}; E=$?; /usr/bin/kdestroy; exit $E"
    - env:
      - KRB5CCNAME: /tmp/krb5cc_salt
    - require:
{%- if server.get('enabled', False) %}
      - cmd: freeipa_server_install
{%- else %}
      - cmd: freeipa_client_install
{%- endif %}
    - require_in:
      - file: freeipa_keytab_{{ keytab_file }}
{%- endfor %}
{%- endfor %}
Any help is much appreciated!!
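For reference, an added example (not from the formula's documentation or the poster) of the pillar shape the keytab.sls loop above consumes, followed by what the two loops render from it; the minion FQDN, the `server` value and the keytab path are assumed.

```yaml
# Pillar that drives the keytab.sls loop. Assumed values: client1.example.com is
# the minion FQDN the formula exposes as ipa_host, ipa.example.com is client.server.
freeipa:
  client:
    enabled: true
    server: ipa.example.com        # becomes the -s argument of ipa-getkeytab
    keytab:
      /etc/nfs.keytab:             # keytab_file: the file the loop manages
        mode: 600                  # the template emits this unquoted, so no leading zero
        user: root
        group: root
        identities:
          - service: nfs           # identity.service; host omitted, so
                                   # identity.get('host', ipa_host) gives the minion FQDN
          - service: HTTP
            host: alias.example.com    # an explicit host overrides ipa_host

# What the two loops render for the first identity:
#
# freeipa_keytab_/etc/nfs.keytab:
#   file.managed:
#     - name: /etc/nfs.keytab
#     - mode: 600
#     - user: root
#     - group: root
#
# freeipa_keytab_/etc/nfs.keytab_nfs_client1.example.com:
#   cmd.run:
#     - name: "kinit -kt /etc/krb5.keytab host/client1.example.com && ipa-getkeytab -k /etc/nfs.keytab -s ipa.example.com -p nfs/client1.example.com; E=$?; kdestroy; exit $E"
#     - unless: "kinit -kt /etc/nfs.keytab nfs/client1.example.com; E=$?; /usr/bin/kdestroy; exit $E"
#     - env:
#       - KRB5CCNAME: /tmp/krb5cc_salt
#     - require:
#       - cmd: freeipa_client_install
#     - require_in:
#       - file: freeipa_keytab_/etc/nfs.keytab
#
# Reading it: the cmd.run authenticates as the host principal already stored in
# /etc/krb5.keytab (the file ipa-client-install writes at enrolment), fetches a
# key for nfs/<fqdn> into the managed keytab, and is skipped once kinit with that
# keytab succeeds. Nothing in this loop creates /etc/krb5.keytab itself; it only
# consumes it. That same host principal is what SSSD's IPA backend looks up in
# /etc/krb5.keytab by default, so a quick check before touching the loop is:
#   klist -kt /etc/krb5.keytab       # should list host/client1.example.com@REALM
```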