Commit 7ab7494e authored by Thomas Woerner's avatar Thomas Woerner

roles/ipaclient/tasks/install.yml: Add ipatest, disable otp and join if ipatest.krb5_keytab_ok

If a working krb5.keytab has been detected on the host then use_otp will be
disabled and join will not be called. This is done to preserve the keytab
entry in the host entry on the server.

Enforcing the creation of a one-time-password will result in a host-disable
call for the host entry. This will remove an existing keytab and password from
the entry.
parent 1f2d3975
......@@ -21,6 +21,23 @@
ipaclient_principal: admin
when: ipaclient_principal is undefined and ipaclient_keytab is undefined
- block:
- name: Install - Test if IPA client has working krb5.keytab
ipatest:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
hostname: "{{ ipadiscovery.hostname }}"
kdc: "{{ ipadiscovery.kdc }}"
principal: "{{ ipaclient_principal if not ipaclient_use_otp | bool else '' }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
register: ipatest
- name: Install - Disable One-Time Password for client with working krb5.keytab
set_fact:
ipaclient_use_otp: "no"
when: ipaclient_use_otp | bool and ipatest.krb5_keytab_ok
# The following block is executed when using OTP to enroll IPA client
# ie when ipaclient_use_otp is set.
# It connects to ipaserver and add the host with --random option in order
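Review bot: the new `ipatest` task and the `set_fact` that flips `ipaclient_use_otp` to "no" carry no comment explaining why OTP is being disabled, although the task right after it gets a three-line comment block in the same file. The reason is only in the commit message (a forced one-time password triggers a host-disable that removes the existing keytab and password from the host entry); please put that rationale next to the `set_fact`, in the style already used here, e.g. `# Preserve the existing keytab: OTP enrolment would disable the host entry` `# and strip its keytab, so skip OTP when ipatest reports a working krb5.keytab`. Also note that `set_fact: ipaclient_use_otp: "no"` stores a string, so every later consumer must keep the `| bool` filter that this hunk uses on line `when: ipaclient_use_otp | bool and ipatest.krb5_keytab_ok`.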
......@@ -80,6 +97,8 @@
keytab: "{{ ipaclient_keytab | default(omit) }}"
#ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
register: ipajoin
when: not ipatest.krb5_keytab_ok
- name: Install - Configure IPA default.conf
include_role:
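Review bot: `when: not ipatest.krb5_keytab_ok` assumes `ipatest` is always registered with that key; if the block that runs `ipatest` is skipped or the module fails before returning `krb5_keytab_ok`, this condition raises an undefined-variable error instead of falling back to the join. Consider `when: not (ipatest.krb5_keytab_ok | default(false))`. Separately, because the task is now skipped on hosts with a working keytab, `register: ipajoin` yields a skipped result there, so any later task that reads fields of `ipajoin` needs an `ipajoin is not skipped` guard.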