I'm getting a strange message with Ansible.
On a RHEL 9 server, I can join our domain via the shell command line

```
realm join example.xyz --user=svc-ansible --computer-ou="OU=Linux Servers, OU=Servers, OU=ACME, OU=Units, DC=example, DC=xyz"
```

Once that is done, I can successfully change user via `su - johndoe@example.xyz`, where "johndoe" is a user defined in the AD and belonging to an AD group defined in `simple_allow_groups` in the file `/etc/sssd/sssd.conf`. So the config seems to be working.
After that, I run `realm leave example.xyz --remove -U 'svc-ansible'` and `realm list` beforehand to check that the server is not in the domain anymore.
However, when I run via AWX an Ansible playbook defined as this

```yaml
(...)
- name: Set staging_ou
  ansible.builtin.set_fact:
    staging_ou: "OU=Linux Servers, OU=Servers, OU=ACME, OU=Units, DC=example, DC=xyz"

- name: Realm join into domain
  ansible.builtin.expect:
    command: /bin/bash -c 'realm join {{ domain }} --user={{ ad_join_user }} --computer-ou="{{ staging_ou }}"'
    responses:
      Password.*: "{{ ad_join_password }}"
    timeout: 120
(...)
```

I get the following error:

```
TASK [playbook_ad_join : Realm join into domain] **********************************
fatal: [myrhel9server]: FAILED! => {"changed": true, "cmd": "/bin/bash -c 'realm join example.xyz --user=svc-ansible --computer-ou=\"OU=Linux Servers, OU=Servers, OU=ACME, OU=Units, DC=example, DC=xyz\"'", "delta": "0:00:00.152467", "end": "2024-11-13 11:45:09.577079", "msg": "non-zero return code", "rc": 1, "start": "2024-11-13 11:45:09.424612", "stdout": "realm: Already joined to this domain\r\nPlease check\r\n https://red.ht/support_rhel_ad \r\nto get help for common issues.", "stdout_lines": ["realm: Already joined to this domain", "Please check", " https://red.ht/support_rhel_ad ", "to get help for common issues."]}
```
A `realm list` confirms that the server is indeed in the example.xyz domain and returns the same output as when I ran the `realm join ...` command via shell. However, I cannot `su` to AD users anymore: trying to do so returns an error

```
su: user johndoe@example.xyz does not exist or the user entry does not contain all the required fields
```
The link cited in the error message doesn't help.
What could be wrong?
EDIT 1: Running via shell the same command run via Ansible, i.e.

```
/bin/bash -c 'realm join example.xyz (...) '
```

doesn't change anything with respect to running `realm join example.xyz (...)` (see top of post).
The other tasks in the playbook only modify a few config files:

- `/etc/krb5.conf`
- `/etc/sssd/sssd.conf`
- `/usr/local/bin/sss_ssh_authorizedkeys_ad`
- `/etc/ssh/sshd_config`

and install some packages. These do not matter as the configuration already converged. I have removed a line which restarted the realmd daemon, since it could be the one causing the issue, but nothing changed.
Comment fragments:

- … `/bin/bash -c .....` and (b) what happens when you run a playbook that has only the two tasks you posted in this question, and nothing else? (i.e., a simulation of what you type manually)
- … `realm list` command to a task right before the `Realm join into domain` task.
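An added example, not part of the question or the comments: the two posted tasks with a `realm list` probe in front of the join (as the comment suggests) and a `getent` lookup after it, so the play skips the join instead of failing with "Already joined" and fails early if SSSD cannot resolve an AD account. The variables `domain`, `ad_join_user` and `ad_join_password` are taken from the question; `ad_test_user` is an assumed variable naming an AD account to look up.

```yaml
# Added example (not the question's playbook): guard the join with `realm list`,
# then verify that SSSD can actually resolve an AD user afterwards.
# Assumed variables: domain, ad_join_user, ad_join_password (from the question)
# and ad_test_user (hypothetical AD account used for the post-join check).
- name: Set staging_ou
  ansible.builtin.set_fact:
    staging_ou: "OU=Linux Servers, OU=Servers, OU=ACME, OU=Units, DC=example, DC=xyz"

- name: Record current realm membership
  ansible.builtin.command: realm list
  register: realm_state
  changed_when: false        # read-only probe, never reports a change

- name: Realm join into domain
  ansible.builtin.expect:
    command: /bin/bash -c 'realm join {{ domain }} --user={{ ad_join_user }} --computer-ou="{{ staging_ou }}"'
    responses:
      Password.*: "{{ ad_join_password }}"
    timeout: 120
  when: domain not in realm_state.stdout   # skip instead of failing with "Already joined"
  no_log: true               # keep the join password out of the AWX job output

- name: Verify that SSSD resolves an AD user
  ansible.builtin.command: getent passwd "{{ ad_test_user }}@{{ domain }}"
  register: ad_lookup
  changed_when: false
  failed_when: ad_lookup.rc != 0   # a failing lookup is the "does not exist" half of the su error
```

Running the play twice should leave the join task skipped on the second run while the lookup still succeeds; a failing lookup right after a "skipped" join points at the resolver configuration rather than at the join itself.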