From b592a6479f851bbf3983388b1145bdc12fe5c5c4 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Thu, 4 Mar 2021 14:28:35 -0500
Subject: [PATCH] fix in case of expired kerberos ticket

If we attempt the registration with an expired ticket, the attempt to find existing systems fails. With the current code, this can result in an attempt to re-create an existing host, resulting in problems on stack updates. To ensure we always have a valid ticket, we now do a kdestroy and kinit before the first ipa invocation. We will also output the result of the host show command to alllow errors to be diagnosed more easily.

Change-Id: Id5f38d89a3c358288ff8dd21d718c161e03d9e36
---
 .../roles/tripleo_ipa_registration/tasks/main.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
index 4a05924..46d68b9 100644
--- a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
@@ -30,17 +30,26 @@
 base_server_short_name: "{{ tripleo_ipa_base_server_fqdn.split('.')[0] }}"
 base_server_domain: "{{ tripleo_ipa_base_server_fqdn.split('.', 1)[1] }}"
 enroll_base_server: "{{ tripleo_ipa_enroll_base_server }}"
+ principal: "nova/{{ ansible_fqdn }}"

 - name: add main host to IPA with OTP
 when: enroll_base_server|bool
 become: true
 block:
+ - name: destroy the old keytab
+ command: "kdestroy -A"
+
+ - name: get a new keytab
+ command: "kinit -kt /etc/novajoin/krb5.keytab {{ principal }}"
+
 - name: get host raw data and keytab info
 command: "ipa host-show --raw --all {{ base_server_fqdn }}"
 register: host_raw_data
 changed_when: false
 failed_when: false

+ - debug: var=host_raw_data
+
 - name: confirm that host is not already registered with current keytab
 when: '"has_keytab: TRUE" not in host_raw_data.stdout'
 block:
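Review bot: The two new `command` tasks (`kdestroy -A` and `kinit -kt /etc/novajoin/krb5.keytab {{ principal }}`) carry no `changed_when`, so every run of the role reports a change even though they only refresh a ticket; the neighbouring `ipa host-show` task already sets `changed_when: false`, and adding `changed_when: false` under each of the two new tasks keeps the block consistent and the play output meaningful. Because the block runs with `become: true`, `kdestroy -A` clears every credential cache in root's collection rather than only the novajoin principal's, and whether it returns non-zero on a fresh host with no cache at all depends on the krb5 build, so a short comment stating that intent, e.g. `# drop any stale/expired ticket so the following kinit and ipa calls use fresh credentials`, and a confirmed decision on `failed_when` for the first-run case would help. The `debug: var=host_raw_data` task writes the full `--raw --all` host entry into the play log; if any attribute of that entry is considered sensitive in this deployment, consider `no_log: true` or debugging only `host_raw_data.rc` and `host_raw_data.stderr`, which is what error diagnosis needs. The enclosing `add main host to IPA with OTP` block continues past the end of the hunk.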