roles/ipaclient/tasks/install.yml: Purge realm from keytab also needed for force_join

For force_join it is also needed to purge the realm information from the
keytab, otherwise new entries will be added with every join.

roles/ipaclient/tasks/install.yml

@@ -47,14 +47,6 @@
     set_fact:
       ipaclient_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"
 
-  - name: Install - Purge {{ ipadiscovery.realm }} from existing host keytab
-    command: /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r "{{ ipadiscovery.realm }}"
-    register: iparmkeytab
-    # Do not fail on error codes 3 and 5:
-    #   3 - Unable to open keytab
-    #   5 - Principal name or realm not found in keytab
-    failed_when: iparmkeytab.rc != 0 and iparmkeytab.rc != 3 and iparmkeytab.rc != 5
-
   when: ipaclient_use_otp | bool
 
 - name: Install - Check if principal and keytab are set
@@ -65,6 +57,15 @@
   fail: msg="At least one of password or keytab must be specified"
   when: (ipaclient_password is undefined or ipaclient_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")
 
+- name: Install - Purge {{ ipadiscovery.realm }} from host keytab
+  command: /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r "{{ ipadiscovery.realm }}"
+  register: iparmkeytab
+  # Do not fail on error codes 3 and 5:
+  #   3 - Unable to open keytab
+  #   5 - Principal name or realm not found in keytab
+  failed_when: iparmkeytab.rc != 0 and iparmkeytab.rc != 3 and iparmkeytab.rc != 5
+  when: ipaclient_use_otp | bool or ipaclient_force_join | bool
+
 - name: Install - Join IPA
   ipajoin:
     servers: "{{ ipadiscovery.servers }}"