ipaclient_join: Support to use ipaadmin_keytab without ipaclient_use_otp

ipaadmin_keytab has been supported only with ipaclient_use_otp. But
it can also be used without it for ipa-join.

It is important that ipaadmin_keytab is placed on the client node
and that ipaadmin_keytab is a full path. Otherwise the file will not
be found.
Thomas Woerner
2019-06-14 17:30:53 +02:00
parent da14fa29bb
commit ac24f9c067
2 changed files with 33 additions and 6 deletions


@@ -156,6 +156,7 @@
fail: msg="At least one of password or keytabs must be specified"
when: not result_ipaclient_test_keytab.krb5_keytab_ok
and ipaadmin_password is undefined
and ipaadmin_keytab is undefined
and ipaclient_keytab is undefined
when: not ipaclient_on_master | bool
@@ -190,6 +191,7 @@
ipaclient_keytab is not defined else omit }}"
password: "{{ ipaadmin_password | default(omit) }}"
keytab: "{{ ipaclient_keytab | default(omit) }}"
admin_keytab: "{{ ipaadmin_keytab if not ipaclient_use_otp | bool and ipaadmin_keytab else omit }}"
# ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
register: result_ipaclient_join
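Review bot: The new `admin_keytab` expression in the second hunk tests `ipaadmin_keytab` for truth without an `is defined` guard, so when the variable is unset and `ipaclient_use_otp` is false, templating will probably fail on an undefined variable instead of reaching `omit`. The first hunk's `ipaadmin_keytab is undefined` check suggests this case is expected, unless a role default not visible here defines the variable. I would write it as `admin_keytab: "{{ ipaadmin_keytab if ipaadmin_keytab is defined and not ipaclient_use_otp | bool else omit }}"`. Since the commit message says the admin keytab must be present on the client node, the role documentation should also state that this file carries admin credentials, should be readable by root only, and should be removed from the client once the join has finished. The task that these parameters belong to starts before the hunk.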