From 4b2b6751b29709917bb024dd3733024b6f4b3120 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Fri, 15 Sep 2017 15:08:22 +0200
Subject: [PATCH] roles/ipaclient/tasks/install.yml: Purge realm from keytab
 after otp generation

If an OTP has been generated, the realm needs to be purged from an existing
host keytab. If there is no host keytab, or if the keytab does not contain
information about the realm, ipa-rmkeytab will fail; these two errors are
ignored.
---
 roles/ipaclient/tasks/install.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index ceedea0c..ddb82f9d 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -47,6 +47,14 @@
     set_fact:
       ipaclient_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"
 
+  - name: Install - Purge {{ ipadiscovery.realm }} from existing host keytab
+    command: /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r "{{ ipadiscovery.realm }}"
+    register: iparmkeytab
+    # Do not fail on error codes 3 and 5:
+    #   3 - Unable to open keytab
+    #   5 - Principal name or realm not found in keytab
+    failed_when: iparmkeytab.rc != 0 and iparmkeytab.rc != 3 and iparmkeytab.rc != 5
+
   when: ipaclient_use_otp | bool
 
 - name: Install - Check if principal and keytab are set
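Review bot: The purge task reports `changed` on every run, including when ipa-rmkeytab exits 5 (nothing for the realm in the keytab) or 3 (no keytab at all), because the `command` module has no `changed_when`; add `changed_when: iparmkeytab.rc == 0` next to the `failed_when` so a no-op run shows as unchanged. Since the `command` free-form line is shlex-split rather than handed to a shell, the quotes around `{{ ipadiscovery.realm }}` only guard against whitespace; the list form `argv: ['/usr/sbin/ipa-rmkeytab', '-k', '/etc/krb5.keytab', '-r', '{{ ipadiscovery.realm }}']` makes that explicit and avoids surprises if the discovered realm ever contains quote characters. Exit code 3 is documented in the comment as "unable to open keytab", which presumably also covers a keytab that exists but is unreadable (e.g. wrong ownership/mode); in that case the stale entries stay in place and enrollment proceeds anyway, so if that distinction matters, `stat` the file first and only tolerate rc 3 when it is absent. The enclosing `block:` to which the `when: ipaclient_use_otp | bool` on the last context line applies starts outside this hunk.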
-- 
GitLab