roles/ipaclient/tasks/install.yml: Purge realm from keytab after otp generation

If a otp has bene generated it is needed to purge the realm from an exising host keytab. If there is no host keytab or if the keytab is not containing information about the realm, ipa-rmkeytab will fail and these two errors are ignored.

roles/ipaclient/tasks/install.yml: Purge realm from keytab after otp generation
4b2b6751 · Thomas Woerner · 7eb98eaa · 4b2b6751
Commit 4b2b6751 authored 7 years ago by Thomas Woerner
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -47,6 +47,14 @@
    set_fact:
      ipaclient_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"
+  - name: Install - Purge {{ ipadiscovery.realm }} from existing host keytab
+    command: /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r "{{ ipadiscovery.realm }}"
+    register: iparmkeytab
+    # Do not fail on error codes 3 and 5:
+    #   3 - Unable to open keytab
+    #   5 - Principal name or realm not found in keytab
+    failed_when: iparmkeytab.rc != 0 and iparmkeytab.rc != 3 and iparmkeytab.rc != 5
  when: ipaclient_use_otp | bool
 - name: Install - Check if principal and keytab are set