Hi,
I have consulted the ansible-freeipa SMEs about the inventory file in ch03s07, and they spotted an incorrect option used there: ipaclient_use_otp is used instead of ipaclient_otp.
The definition of ipaclient_otp is: The string value sets an already generated one-time password for the host. The role will use it and not try to generate a new one. Do not enable ipaclient_use_otp additionally.
This is the option you need, not the ipaclient_use_otp option, which is defined as:
The bool value defines if a one-time password will be generated to join a new or existing host. ipaclient_use_otp defaults to no. The enforcement on an existing host is not done if there is a working krb5.keytab on the host. If the generation of an otp is enforced for an existing host entry, then the host gets disabled and the containing keytab gets removed.
So the inventory should be:
[user@host ~]$ cat hosts
...output omitted...
[ipaclients:vars]
ipaclient_domain=lab.example.com
ansible_become_password=RedHat123
ipaclient_otp=2Dc89iRcMBwq1hNHQOpdcKf
...output omitted...
The current, incorrect version of the inventory is:
...output omitted...
[ipaclients]
client1.lab.example.com
[ipaclients:vars]
ipaclient_domain=lab.example.com
ansible_become_password=RedHat123
ipaclient_use_otp=yes
ipaadmin_password=2Dc89iRcMBwq1hNHQOpdcKf
...output omitted...
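
A check for the option mix-up described in the post above, as an added example that is not part of the original post or of ansible-freeipa: it reads the [group:vars] sections of an INI inventory and flags groups that enable ipaclient_use_otp, alone or together with ipaclient_otp. The function names, the finding codes, the accepted spellings of "enabled" and the sample inventories are assumptions constructed for illustration.

```python
# Added example: lint the [group:vars] sections of an INI inventory for the
# ipaclient_otp / ipaclient_use_otp mix-up. All sample values are constructed.
TRUTHY = {"yes", "true", "on", "1"}  # assumption: spellings treated as "enabled"

def parse_group_vars(text):
    """Return {group: {var: value}} for every [group:vars] section."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = name[:-len(":vars")] if name.endswith(":vars") else None
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            groups.setdefault(current, {})[key.strip()] = value.strip().strip("'\"")
    return groups

def check_otp_options(text):
    """Return (group, code, message) findings for the two OTP options."""
    findings = []
    for group, v in parse_group_vars(text).items():
        use_otp = v.get("ipaclient_use_otp", "no").lower() in TRUTHY
        if use_otp and v.get("ipaclient_otp"):
            findings.append((group, "conflict",
                "ipaclient_otp is set: do not enable ipaclient_use_otp additionally"))
        elif use_otp:
            findings.append((group, "generates-otp",
                "the role generates a new OTP; if enforced for an existing host "
                "entry, the host gets disabled and its keytab removed"))
    return findings

# Constructed inventories modelled on the two listings in the post.
FIXED = """[ipaclients]
client1.lab.example.com
[ipaclients:vars]
ipaclient_domain=lab.example.com
ipaclient_otp=CONSTRUCTED-OTP-VALUE
"""
INCORRECT = FIXED.replace("ipaclient_otp=CONSTRUCTED-OTP-VALUE",
                          "ipaclient_use_otp=yes\nipaadmin_password=CONSTRUCTED-VALUE")
BOTH = FIXED + "ipaclient_use_otp=yes\n"

if __name__ == "__main__":
    for label, inv in (("fixed", FIXED), ("incorrect", INCORRECT), ("both", BOTH)):
        print(label, check_otp_options(inv))
```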