Skip to content

Instantly share code, notes, and snippets.

Using Ansible SSH transport with GSSAPI in FreeIPA.
```
[root@master ~]# cat my-hosts
[mymachines]
master.ipa.test
[root@master ~]# id ansible
id: ‘ansible’: no such user
[root@master ~]# kinit admin
Password for [email protected]:
@abbra
abbra / set-dns-resolvers.yml
Created December 9, 2019 19:49
A task to configure DNS resolvers to look at IPA master before deploying replicas and clients
- name: "Set DNS to IPA master"
hosts:
- ipareplicas
- ipaclients
tasks:
- name: determine resolvers
set_fact:
resolvers: "{{ resolvers|default([]) + [hostvars[item].ansible_default_ipv4.address] }}"
with_items: "{{ groups.ipaserver }}"
- debug:
@abbra
abbra / sync-ranges.py
Created August 23, 2019 13:23
Verifying DNA and ID ranges in FreeIPA
from ipaserver.install import replication
def check_ids_in_modified_range(ldap, old_base, old_size, new_base, new_size):
from ipalib import errors
if new_base is None and new_size is None:
# nothing to check
return (0, [])
if new_base is None:
new_base = old_base
# Assuming that HOSTNAME is enrolled to IPA realm already,
# run the following on HOSTNAME where RADIUS server will be deployed
# In FreeIPA 4.6+ host principal has permissions to create own services
kinit -k
ipa service-add 'radius/HOSTNAME'
# create keytab for radius user
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab