fix in case of expired kerberos ticket
If we attempt the registration with an expired ticket, the attempt to find existing systems fails. With the current code, this can result in an attempt to re-create an existing host, resulting in problems on stack updates. To ensure we always have a valid ticket, we now do a kdestroy and kinit before the first ipa invocation. We will also output the result of the host show command to allow errors to be diagnosed more easily. Change-Id: Id5f38d89a3c358288ff8dd21d718c161e03d9e36
parent
03f636c129
commit
b592a6479f
|
@ -30,17 +30,26 @@
|
||||||
base_server_short_name: "{{ tripleo_ipa_base_server_fqdn.split('.')[0] }}"
|
base_server_short_name: "{{ tripleo_ipa_base_server_fqdn.split('.')[0] }}"
|
||||||
base_server_domain: "{{ tripleo_ipa_base_server_fqdn.split('.', 1)[1] }}"
|
base_server_domain: "{{ tripleo_ipa_base_server_fqdn.split('.', 1)[1] }}"
|
||||||
enroll_base_server: "{{ tripleo_ipa_enroll_base_server }}"
|
enroll_base_server: "{{ tripleo_ipa_enroll_base_server }}"
|
||||||
|
principal: "nova/{{ ansible_fqdn }}"
|
||||||
|
|
||||||
- name: add main host to IPA with OTP
|
- name: add main host to IPA with OTP
|
||||||
when: enroll_base_server|bool
|
when: enroll_base_server|bool
|
||||||
become: true
|
become: true
|
||||||
block:
|
block:
|
||||||
|
- name: destroy the old keytab
|
||||||
|
command: "kdestroy -A"
|
||||||
|
|
||||||
|
- name: get a new keytab
|
||||||
|
command: "kinit -kt /etc/novajoin/krb5.keytab {{ principal }}"
|
||||||
|
|
||||||
- name: get host raw data and keytab info
|
- name: get host raw data and keytab info
|
||||||
command: "ipa host-show --raw --all {{ base_server_fqdn }}"
|
command: "ipa host-show --raw --all {{ base_server_fqdn }}"
|
||||||
register: host_raw_data
|
register: host_raw_data
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
|
||||||
|
- debug: var=host_raw_data
|
||||||
|
|
||||||
- name: confirm that host is not already registered with current keytab
|
- name: confirm that host is not already registered with current keytab
|
||||||
when: '"has_keytab: TRUE" not in host_raw_data.stdout'
|
when: '"has_keytab: TRUE" not in host_raw_data.stdout'
|
||||||
block:
|
block:
|
||||||
|
|
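Review bot: The `failed_when: false` on the `ipa host-show` task still lets any failure other than an expired ticket — an unreachable IPA server, a permission error, a kinit that did not take effect — fall through with an empty stdout, so the following guard `when: '"has_keytab: TRUE" not in host_raw_data.stdout'` would again treat an existing host as unregistered and proceed to re-create it, which is the failure mode this commit sets out to fix. Distinguish "not found" from other errors rather than swallowing everything, e.g. `failed_when: host_raw_data.rc != 0 and 'not found' not in host_raw_data.stderr` (the exact message ipa emits should be confirmed against the installed version). The new `kdestroy -A` and `kinit` tasks carry no `changed_when`, so every run reports a change; `changed_when: false` on both keeps the play's change reporting honest, and the unnamed `- debug: var=host_raw_data` would match the rest of the file as `- name: show host raw data for diagnosis` followed by `debug: var=host_raw_data`. The enclosing `block:` continues past the end of the hunk.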