community.general.ipa_getkeytab module – Manage keytab file in FreeIPA

Note

This module is part of the community.general collection (version 10.0.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.general.ipa_getkeytab.

New in community.general 9.5.0

Synopsis

Requirements

The below requirements are needed on the host that executes this module.

  • freeipa-client

  • Managed host is FreeIPA client

Parameters

Parameter

Comments

bind_dn

string

The LDAP DN to bind as when retrieving a keytab without Kerberos credentials.

Generally used with the bind_pw option.

bind_pw

string

The LDAP password to use when not binding with Kerberos.

ca_cert

path

The path to the IPA CA certificate used to validate LDAPS/STARTTLS connections.

encryption_types

string

The list of encryption types to use to generate keys.

It will use local client defaults if not provided.

Valid values depend on the Kerberos library version and configuration.

force

boolean

Force recreation if exists already.

Choices:

  • false

  • true

ipa_host

string

The IPA server to retrieve the keytab from (FQDN).

ldap_uri

string

LDAP URI. If ldap:// is specified, STARTTLS is initiated by default.

Can not be used with the ipa_host option.

password

string

Use this password for the key instead of one randomly generated.

path

aliases: keytab

path / required

The base path where to put generated keytab file.

principal

string / required

The non-realm part of the full principal name.

retrieve_mode

boolean

Retrieve an existing key from the server instead of generating a new one.

This is incompatible with the password, and will work only against a IPA server more recent than version 3.3.

The user requesting the keytab must have access to the keys for this operation to succeed.

Be aware that if set true, a new keytab will be generated.

This invalidates all previously retrieved keytabs for this service principal.

Choices:

  • false

  • true

sasl_mech

string

SASL mechanism to use if bind_dn and bind_pw are not specified.

Choices:

  • "GSSAPI"

  • "EXTERNAL"

state

string

The state of the keytab file.

present only check for existence of a file, if you want to recreate keytab with other parameters you should set force=true.

Choices:

  • "present" ← (default)

  • "absent"

Attributes

Attribute

Support

Description

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Examples

- name: Get Kerberos ticket using default principal
  community.general.krb_ticket:
    password: "{{ aldpro_admin_password }}"

- name: Create keytab
  community.general.ipa_getkeytab:
    path: /etc/ipa/test.keytab
    principal: HTTP/freeipa-dc02.ipa.test
    ipa_host: freeipa-dc01.ipa.test

- name: Retrieve already existing keytab
  community.general.ipa_getkeytab:
    path: /etc/ipa/test.keytab
    principal: HTTP/freeipa-dc02.ipa.test
    ipa_host: freeipa-dc01.ipa.test
    retrieve_mode: true

- name: Force keytab recreation
  community.general.ipa_getkeytab:
    path: /etc/ipa/test.keytab
    principal: HTTP/freeipa-dc02.ipa.test
    ipa_host: freeipa-dc01.ipa.test
    force: true

Authors

  • Alexander Bakanovskii (@abakanovskii)