From 92d73ae2b8de0ab48cce7f5db2858eda34cf2d47 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 11 Oct 2017 16:48:26 +0200
Subject: [PATCH] Fix otp + force-join usecase

When the client already has a working keytab, use_otp is disabled. This creates
an issue when ipaclient_force_join is set, because the join module is called
with ipaadmin_principal and ipaadmin_password, but these variables may be
undefined if ipaadmin_keytab is used instead.
We should not disable OTP when force-join is specified.
---
 roles/ipaclient/tasks/install.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 297102d1..adf32398 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -45,7 +45,7 @@
   - name: Install - Disable One-Time Password for client with working krb5.keytab
     set_fact:
       ipaclient_use_otp: "no"
-    when: ipaclient_use_otp | bool and ipatest.krb5_keytab_ok
+    when: ipaclient_use_otp | bool and ipatest.krb5_keytab_ok and not ipaclient_force_join | bool
 
 
   # The following block is executed when using OTP to enroll IPA client
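Review bot: The new `when` on the set_fact task reads `ipaclient_force_join` with no default, so a play that never sets it would fail on this condition with an undefined-variable error, unless the role's defaults define it (they are not visible in this hunk). Writing the last term as `not ipaclient_force_join | default(false) | bool` keeps the pre-patch behaviour in that case. The task name still says OTP is disabled whenever the keytab works, so a comment above the condition would record why force-join is an exception, for example `# keep OTP when force-join is set: the join step needs a credential even if the existing keytab is valid`. The enclosing task list starts and continues outside the hunk.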
-- 
GitLab