roles/ipaclient/tasks/install.yml: Purge realm from keytab also needed for force_join

For force_join it is also needed to purge the realm information from the keytab, otherwise new entries will be added with every join.

roles/ipaclient/tasks/install.yml: Purge realm from keytab also needed for force_join
f366fb52 · Thomas Woerner · 4b2b6751 · f366fb52
Commit f366fb52 authored 7 years ago by Thomas Woerner
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -47,14 +47,6 @@
    set_fact:
      ipaclient_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"

-  - name: Install - Purge {{ ipadiscovery.realm }} from existing host keytab
-    command: /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r "{{ ipadiscovery.realm }}"
-    register: iparmkeytab
-    # Do not fail on error codes 3 and 5:
-    #   3 - Unable to open keytab
-    #   5 - Principal name or realm not found in keytab
-    failed_when: iparmkeytab.rc != 0 and iparmkeytab.rc != 3 and iparmkeytab.rc != 5
-
  when: ipaclient_use_otp | bool

 - name: Install - Check if principal and keytab are set
@@ -65,6 +57,15 @@
  fail: msg="At least one of password or keytab must be specified"
  when: (ipaclient_password is undefined or ipaclient_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")

+- name: Install - Purge {{ ipadiscovery.realm }} from host keytab
+  command: /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r "{{ ipadiscovery.realm }}"
+  register: iparmkeytab
+  # Do not fail on error codes 3 and 5:
+  #   3 - Unable to open keytab
+  #   5 - Principal name or realm not found in keytab
+  failed_when: iparmkeytab.rc != 0 and iparmkeytab.rc != 3 and iparmkeytab.rc != 5
+  when: ipaclient_use_otp | bool or ipaclient_force_join | bool
+
 - name: Install - Join IPA
  ipajoin:
    servers: "{{ ipadiscovery.servers }}"