From cf1301fb064fc230c780c4bc5eeccb723899f7b6 Mon Sep 17 00:00:00 2001 From: Armando Neto Date: Sep 05 2018 13:14:32 +0000 Subject: Delete empty keytab during client installation Client installation fails if '/etc/krb5.keytab' exists as a zero-length file. Deleting empty keytab before proceeding with the installation fixes the problem. https://pagure.io/freeipa/issue/7625 Signed-off-by: Armando Neto Reviewed-By: Christian Heimes
---
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 3fc1fe7..b5ee923 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2126,6 +2126,16 @@ def install_check(options):
 logger.warning("Option 'force-join' has no additional effect "
 "when used with together with option 'keytab'.")

+ # Remove invalid keytab file
+ try:
+ gssapi.Credentials(
+ store={'keytab': paths.KRB5_KEYTAB},
+ usage='accept',
+ )
+ except gssapi.exceptions.GSSError:
+ logger.debug("Deleting invalid keytab: '%s'.", paths.KRB5_KEYTAB)
+ remove_file(paths.KRB5_KEYTAB)
+
 # Check if old certificate exist and show warning
 if (
 not options.ca_cert_file and
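Review bot: The `except gssapi.exceptions.GSSError:` branch removes `paths.KRB5_KEYTAB` on any failure to acquire acceptor credentials, which is wider than the zero-length file the commit message describes. A failure that comes from somewhere other than the keytab contents (a broken Kerberos configuration is one plausible cause, though the hunk does not show which errors can occur here) would delete the host's key material with no backup, and the only trace is a `logger.debug` line. Consider guarding the deletion with the condition the commit actually targets, for example `if os.path.isfile(paths.KRB5_KEYTAB) and os.path.getsize(paths.KRB5_KEYTAB) == 0:` (the `os` import is not visible in this hunk), and logging the removal with `logger.warning` so it shows up in the install output. The deletion also happens inside `install_check`, whose body starts and ends outside the hunk; if that function is meant to be a check-only phase, the removal belongs in the install step instead.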