community.general.krb_ticket module – Kerberos utils for managing tickets
Note
This module is part of the community.general collection (version 10.0.1).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: community.general.krb_ticket.
New in community.general 10.0.0
Synopsis
Manage Kerberos tickets with kinit, klist and kdestroy base utilities.
See https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/index.html for reference.
Requirements
The below requirements are needed on the host that executes this module.
krb5-user and krb5-config packages
Parameters
Parameter |
Comments |
---|---|
Request tickets restricted to the host’s local address or non-restricted. Choices:
|
|
Requests anonymous processing. Choices:
|
|
Use If this option is not used, the default cache name and location are used. The default credentials cache may vary between systems. If not set the value of |
|
Requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested. Choices:
|
|
Treats the principal name as an enterprise name (implies the Choices:
|
|
Request forwardable or non-forwardable tickets. Choices:
|
|
When Equivalent of running Choices:
|
|
Requests a ticket, obtained from a key in the local host’s keytab. If Choices:
|
|
Use when It is required to specify |
|
Requests a ticket with the lifetime, if the Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime. The value for You cannot mix units; a value of See https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html for reference. |
|
Principal password. It is required to specify |
|
The principal name. If not set, the user running this module will be used. |
|
Request proxiable or non-proxiable tickets. Choices:
|
|
Requests renewable tickets, with a total lifetime equal to The value for You cannot mix units; a value of See https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html for reference. |
|
Requests renewal of the ticket-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life. Choices:
|
|
Requests a postdated ticket. Postdated tickets are issued with the invalid flag set, and need to be resubmitted to the KDC for validation before use.
You can use absolute time formats, for example You can also use time duration format similar to See https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html for reference. |
|
The state of the Kerberos ticket.
Choices:
|
|
Requests that the ticket-granting ticket in the cache (with the invalid flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket. Choices:
|
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full |
Can run in |
|
Support: none |
Will return details on what has changed (or possibly needs changing in |
Examples
```yaml
- name: Get Kerberos ticket using default principal
  community.general.krb_ticket:
    password: some_password

- name: Get Kerberos ticket using keytab
  community.general.krb_ticket:
    keytab: true
    keytab_path: /etc/ipa/file.keytab

- name: Get Kerberos ticket with a lifetime of 7 days
  community.general.krb_ticket:
    password: some_password
    lifetime: 7d

- name: Get Kerberos ticket with a starting time of July 2, 2024, 1:35:30 p.m.
  community.general.krb_ticket:
    password: some_password
    start_time: "240702133530"

- name: Get Kerberos ticket using principal name
  community.general.krb_ticket:
    password: some_password
    principal: admin

- name: Get Kerberos ticket using principal with realm
  community.general.krb_ticket:
    password: some_password
    principal: admin@IPA.TEST

- name: Check for existence by ticket cache
  community.general.krb_ticket:
    cache_name: KEYRING:persistent:0:0

- name: Make sure default ticket is destroyed
  community.general.krb_ticket:
    state: absent

- name: Make sure specific ticket destroyed by principal
  community.general.krb_ticket:
    state: absent
    principal: admin@IPA.TEST

- name: Make sure specific ticket destroyed by cache_name
  community.general.krb_ticket:
    state: absent
    cache_name: KEYRING:persistent:0:0

- name: Make sure all tickets are destroyed
  community.general.krb_ticket:
    state: absent
    kdestroy_all: true
```
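The tasks above can be combined into a ticket that lives only as long as the work that needs it. The following playbook is an added example, not part of the module's documentation: it takes a short-lived, non-forwardable ticket from a keytab into a dedicated cache and destroys it in an `always` section so a failed task does not leave a usable credential behind. The host group, principal, keytab path and cache location are assumed placeholder values.

```yaml
# Added example. app_servers, svc-deploy, the keytab path and the cache path
# are assumed placeholders; the cache directory is assumed to exist and to be
# writable only by the user that executes the module.
- name: Run a Kerberos-authenticated step with a task-scoped ticket
  hosts: app_servers
  vars:
    svc_principal: svc-deploy@IPA.TEST
    svc_keytab: /etc/security/keytabs/svc-deploy.keytab
    svc_ccache: FILE:/run/svc-deploy/krb5cc_deploy
  tasks:
    - name: Use the ticket and always clean it up
      block:
        - name: Obtain a ticket from the keytab into a dedicated cache
          community.general.krb_ticket:
            principal: "{{ svc_principal }}"
            keytab: true
            keytab_path: "{{ svc_keytab }}"
            cache_name: "{{ svc_ccache }}"
            lifetime: 15m        # single unit only, as the lifetime parameter requires
            forwardable: false   # ticket cannot be forwarded to another host
            proxiable: false

        - name: Confirm the cache holds a readable, unexpired ticket
          ansible.builtin.command: klist -s
          environment:
            KRB5CCNAME: "{{ svc_ccache }}"
          changed_when: false

        # Kerberos-authenticated tasks go here, using the same KRB5CCNAME.

      always:
        - name: Destroy the ticket even if an earlier task failed
          community.general.krb_ticket:
            state: absent
            cache_name: "{{ svc_ccache }}"
```

Using a keytab keeps the principal's password out of the playbook and its logs, but the keytab is itself a long-term credential and should be readable only by the account that executes the module.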