From 860794232e18bda757c00667b57d15b08d0e01af Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 21 Sep 2017 12:16:02 +0200
Subject: [PATCH] library/ipajoin.py: Fail for already joined hosts if
 krb5.keytab is missing

It is not possible to restore a missing krb5.keytab using the admin
credential. Therefore the only way is to fail in this case.
---
 library/ipajoin.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/library/ipajoin.py b/library/ipajoin.py
index 014ff0aa..dc550736 100644
--- a/library/ipajoin.py
+++ b/library/ipajoin.py
@@ -332,6 +332,10 @@ def main():
             changed = True
             module.log("Enrolled in IPA realm %s" % realm)
 
+        # Fix missing krb5.keytab file for already joined host
+        if already_joined and not os.path.exists(paths.KRB5_KEYTAB):
+            module.fail_json(msg="krb5.keytab missing! Retry with ipaclient_force_join=yes to generate a new one.")
+
         start = stderr.find('Certificate subject base is: ')
         if start >= 0:
             start = start + 29
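Review bot: The comment on the added block reads "Fix missing krb5.keytab file", but the code under it repairs nothing; it aborts the module through `module.fail_json`. A comment that matches the behaviour would be `# An already joined host without krb5.keytab cannot be repaired here: fail and point to ipaclient_force_join`. Separately, `os.path.exists(paths.KRB5_KEYTAB)` only tests presence, so an empty, truncated or unreadable keytab would still pass this guard. Whether that matters depends on how the rest of `main()` uses the keytab, and that code lies outside the hunk.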
-- 
GitLab