Additionally, on un-enrollment the wrong hostname was unenrolled; it used the value of gethostname() rather than the one that was passed into the installer.
We have to modify the CA configuration of certmonger to make it use the right principal when requesting certificates. The filename is unpredictable but it will be in /var/lib/certmonger/cas. We need to hunt for ipa_submit and add -k <principal> to it, then undo that on uninstall. These files are created the first time the certmonger service starts, so start and stop it before messing with them.
ticket 1029

To test do something like:

# ipa-client-install --hostname some_other_host.example.com
# ipa-getcert list
# id admin

If id admin works it means sssd is set up properly, you can confirm by looking at ipa_hostname in /etc/sssd/sssd.conf.

The certificate in ipa-getcert should be MONITORING.

Now on the IPA server look at the host entry for some_other_host.example.com and it should have Keytab: True

Now run:

ipa-client-install --uninstall

The host entry on the server should have Keytab: False

ipa-getcert list should return nothing (you'll need to start the certmonger service to see it)
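The CA-file edit described in the message, sketched as an added example that is not part of the original message or the FreeIPA patch: it appends -k <principal> to the helper line once and removes exactly that suffix on uninstall. The key name ca_external_helper, the helper path, the file names and the EXAMPLE.COM realm are assumptions constructed for the demo, which runs against a temporary directory rather than /var/lib/certmonger/cas.

```python
import os
import tempfile

HELPER_KEY = "ca_external_helper="  # assumed key name in a certmonger CA file
HELPER_NAME = "ipa-submit"          # assumed helper name (the page writes ipa_submit)

def _rewrite(cadir, edit):
    """Apply edit() to each IPA helper line under cadir; return changed file names."""
    changed = []
    for name in sorted(os.listdir(cadir)):
        path = os.path.join(cadir, name)
        with open(path) as fh:
            lines = fh.read().splitlines()
        new = [edit(l) if l.startswith(HELPER_KEY) and HELPER_NAME in l else l
               for l in lines]
        if new != lines:
            with open(path, "w") as fh:
                fh.write("\n".join(new) + "\n")
            changed.append(name)
    return changed

def add_principal(cadir, principal):
    """Install: append '-k <principal>' unless the helper already has a -k."""
    return _rewrite(cadir, lambda l: l if "-k" in l.split() else f"{l} -k {principal}")

def remove_principal(cadir, principal):
    """Uninstall: strip only the exact suffix that add_principal appended."""
    suffix = f" -k {principal}"
    return _rewrite(cadir, lambda l: l[:-len(suffix)] if l.endswith(suffix) else l)

def helper_lines(cadir):
    """Return every helper line found, for checking the result."""
    found = []
    for name in sorted(os.listdir(cadir)):
        with open(os.path.join(cadir, name)) as fh:
            found += [l for l in fh.read().splitlines() if l.startswith(HELPER_KEY)]
    return found

def make_sample_cadir():
    """Constructed stand-in for /var/lib/certmonger/cas with arbitrary file names."""
    cadir = tempfile.mkdtemp()
    samples = {"20110301120000": "id=IPA\nca_type=EXTERNAL\n"
                                 "ca_external_helper=/usr/libexec/certmonger/ipa-submit\n",
               "20110301120001": "id=SelfSign\nca_type=INTERNAL:SELF\n"}
    for name, body in samples.items():
        with open(os.path.join(cadir, name), "w") as fh:
            fh.write(body)
    return cadir

if __name__ == "__main__":
    d = make_sample_cadir()
    add_principal(d, "host/some_other_host.example.com@EXAMPLE.COM")
    print(helper_lines(d))
```

Running add_principal twice leaves a single -k on the helper line, and remove_principal leaves any -k it did not add untouched.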