From c824cf6745fb9a702b11d472d40b6096e51fa629 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 15 Sep 2017 13:49:09 +0200
Subject: [PATCH] Fix logic trying to obtain a keytab

When ipahost is run to generate an OTP and the host already exists,
the OTP is properly generated but ipa-join will fail if the host is
already enrolled (i.e. when it already has a keytab).
Add a step calling ipa host-disable to erase OTP and keytab before
requesting an OTP.
---
 library/ipahost.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/library/ipahost.py b/library/ipahost.py
index 08305fc1..932a1341 100644
--- a/library/ipahost.py
+++ b/library/ipahost.py
@@ -197,6 +197,12 @@ def ensure_host_present(module, api, ipahost):
         if module.check_mode:
             module.exit_json(changed=True)
 
+        # If we want to create a random password, and the host
+        # already has Keytab: true, then we need first to run
+        # ipa host-disable in order to remove OTP and keytab
+        if module.params.get('random') and ipahost['has_keytab'] == True:
+            api.Command.host_disable(fqdn)
+
         result = api.Command.host_mod(fqdn, **diffs)
         # Save random password as it is not displayed by host-show
         if module.params.get('random'):
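Review bot: The new guard on the `if` line calls `host_disable` for an already-enrolled host whenever `random` is requested, and the comment above it understates what that does: in FreeIPA `host-disable` does not just clear the OTP and keytab, it also revokes the host's certificate and disables the host's service principals (worth confirming against the IPA version targeted), so a host that is currently working gets its credentials invalidated as a side effect of asking for a new OTP. I would spell that out and surface it at runtime, e.g. `# NOTE: host-disable also revokes the host cert and disables its services; the host must be re-enrolled afterwards` plus a `module.warn(...)` before the call, or gate the destructive path on an explicit parameter rather than on `random` alone. The `== True` comparison is also non-idiomatic and raises `KeyError` if `host-show` does not report the field; `if module.params.get('random') and ipahost.get('has_keytab'):` is safer. `ensure_host_present` starts and ends outside this hunk.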
-- 
GitLab