I use this in a play

Rob

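---
# Fetch (or re-fetch) a Kerberos keytab for a service principal from IPA and
# make sure the resulting file carries a restrictive owner and mode.
#
# NOTE(review): `keytab` is used both as a mapping (keytab.type,
# keytab.value.keytab) and as a plain path ({{ keytab }}); confirm which shape
# the caller passes in, the same variable cannot be both.
- name: get keytzb
  hosts: keytab_host
  become: true
  gather_facts: true

  tasks:

    - name: add service {{ keytab }} principal to ipa
      ipaservice:
        ipaadmin_password: '{{ ipaadmin_password }}'
        name: '{{ principal }}'
        state: present
        force: true
      when: keytab.type == 'service'
      # The ipaservice module is executed on the IPA server, not on the
      # keytab host.
      delegate_to: "{{ groups['ipaserver'][0] }}"

    - name: check if {{ keytab.value.keytab }} exists
      stat:
        path: '{{ keytab.value.keytab }}'
      register: keytab_stat

    # Obtain a ticket from the existing keytab.  kinit exits 1 when the key
    # version no longer matches the KDC; that is the signal to re-fetch, so
    # only rc > 1 is treated as a failure of this task.
    - name: check kvno of keytab
      command: kinit -k -t {{ keytab }} {{ principal }}
      register: validate_keytab
      changed_when: false
      failed_when:
        - validate_keytab.rc > 1
      when: keytab_stat.stat.exists

    # Jinja `or` short-circuits, so validate_keytab (skipped when the file is
    # missing) is only dereferenced when the keytab exists.
    - name: install {{ keytab }}
      shell: |
        set -e
        # Private credential cache: the admin TGT never lands in root's
        # default cache and is discarded on exit, whether or not
        # ipa-getkeytab succeeds.
        ccache="$(mktemp)"
        export KRB5CCNAME="FILE:${ccache}"
        trap 'kdestroy >/dev/null 2>&1; rm -f "${ccache}"' EXIT
        kinit {{ ipa_admin }}
        ipa-getkeytab -s {{ groups['ipaserver'][0] }} -p {{ principal }} -k {{ keytab }}
      args:
        # The password is delivered on stdin rather than via `echo ... |`,
        # so it is not part of the shell command line and does not show up
        # in process listings while the task runs.
        stdin: "{{ ipaadmin_password }}"
      register: get_keytab
      when: ( not keytab_stat.stat.exists ) or ( validate_keytab.rc )
      changed_when: "'Keytab successfully retrieved and stored in' in get_keytab.stdout"
      no_log: true

    - name: ensure {{ keytab.value.keytab }} owner and mode
      file:
        path: '{{ keytab }}'
        group: '{{ group }}'
        state: file
        # Quoted so the octal mode is not re-typed by the YAML parser.
        mode: '0600'
        owner: '{{ user }}'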




Op di 12 mei 2020 om 15:37 schreef Peter Tselios via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
Thank you, shell did the trick for me.