
fix in case of expired kerberos ticket

If we attempt the registration with an expired ticket, the attempt to
find existing systems fails.  With the current code, this can result in
an attempt to re-create an existing host, resulting in problems on
stack updates.

To ensure we always have a valid ticket, we now do a kdestroy and kinit
before the first ipa invocation.  We will also output the result of the
host show command to allow errors to be diagnosed more easily.

Change-Id: Id5f38d89a3c358288ff8dd21d718c161e03d9e36
changes/69/778769/3 0.2.1
Ade Lee 2 months ago
1 changed files with 9 additions and 0 deletions
tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml

@ -30,17 +30,26 @@
base_server_short_name: "{{ tripleo_ipa_base_server_fqdn.split('.')[0] }}"
base_server_domain: "{{ tripleo_ipa_base_server_fqdn.split('.', 1)[1] }}"
enroll_base_server: "{{ tripleo_ipa_enroll_base_server }}"
principal: "nova/{{ ansible_fqdn }}"
- name: add main host to IPA with OTP
when: enroll_base_server|bool
become: true
- name: destroy the old keytab
command: "kdestroy -A"
- name: get a new keytab
command: "kinit -kt /etc/novajoin/krb5.keytab {{ principal }}"
- name: get host raw data and keytab info
command: "ipa host-show --raw --all {{ base_server_fqdn }}"
register: host_raw_data
changed_when: false
failed_when: false
- debug: var=host_raw_data
- name: confirm that host is not already registered with current keytab
when: '"has_keytab: TRUE" not in host_raw_data.stdout'
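Review bot: the `failed_when: false` on the `ipa host-show` task still lets the registration guard misfire: if `host-show` fails for any reason other than "host not found" (for example the `kinit` in the preceding task did not actually yield usable credentials, or the IPA server is unreachable), `host_raw_data.stdout` is empty, `"has_keytab: TRUE" not in host_raw_data.stdout` evaluates true, and the role proceeds to re-create a host that may already exist, which is the failure mode this change is meant to close. Consider inspecting `host_raw_data.rc` and `host_raw_data.stderr` and only treating a genuine not-found result as "not registered", failing the play on any other error. Two smaller points in the same hunk: the `kdestroy -A` and `kinit -kt ...` tasks are plain `command` tasks with no `changed_when: false`, so every run reports them as changed, and the new `- debug: var=host_raw_data` dumps the full `--raw --all` host entry plus stderr into the play output; if that is only wanted while diagnosing, gating it with a verbosity level (`verbosity: 1`) keeps normal runs quiet.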