Steven Jones wrote:

I have gone into the webgui and manually removed the no1 client/host, it
has now joined successfully...

So Yes, the next issue....


I'm going to try to consolidate a few things here from some other responses.

* You do not need to pre-create the host in order to enroll it using kerberos credentials. It is ok if the host already exists but not absolutely required.

* When a host is unenrolled it uses its own credentials (the host/ service principal in /etc/krb5.keytab) to authenticate to IPA and say "I'm done with these credentials." If you lack this principal it cannot authenticate to IPA to say "I'm done with these credentials." If a keytab was actually created for this host and the contents are lost then you will need to manually free it up for enrollment again either with:

# ipa host-disable

or

# ipa host-del

You can see if a keytab was issued with:

# ipa host-show

Look for Keytab: True

* Tickets 1028 and 1029 probably don't apply here. 1028 relates only to tracking SSL certificates and 1029 only applies if you used the --hostname option with ipa-client-install.

* ipa-rmkeytab is client side only. It just removes the principals for a specific host or realm from a keytab file. It has no effect on the server at all.
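The decision tree above (is a keytab recorded on the server, does the client still hold its host/ principal) as an added shell example; this is not code from the thread or from FreeIPA, and the hostname client1.example.test and the sample tool outputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a host's enrollment state
# from the two facts the reply relies on, the server-side "Keytab: True" line
# of `ipa host-show` and the presence of the host/ principal in the client's
# /etc/krb5.keytab (as listed by `klist -k`). Sample outputs are constructed.

# $1 = text of `ipa host-show FQDN`; returns 0 if a keytab was issued.
host_keytab_issued() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*Keytab:[[:space:]]*True[[:space:]]*$'
}

# $1 = FQDN, $2 = text of `klist -k /etc/krb5.keytab`; 0 if host/FQDN@ is present.
keytab_has_host_principal() {
    printf '%s\n' "$2" | grep -qF "host/$1@"
}

# Prints one of:
#   self-unenroll  client still holds its credentials and can unenroll itself
#   host-disable   server records a keytab but the client lost it, so an admin
#                  must free the entry (ipa host-disable or ipa host-del)
#   enroll         no keytab issued yet, enrollment can simply proceed
enrollment_state() {
    fqdn=$1 show_out=$2 klist_out=$3
    if host_keytab_issued "$show_out"; then
        if keytab_has_host_principal "$fqdn" "$klist_out"; then
            echo self-unenroll
        else
            echo host-disable
        fi
    else
        echo enroll
    fi
}

# Constructed samples resembling the real tools' output.
SHOW_STALE='  Host name: client1.example.test
  Principal name: host/client1.example.test@EXAMPLE.TEST
  Keytab: True
  Managed by: client1.example.test'
KLIST_EMPTY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------'
```

On a live system the inputs come from `ipa host-show "$fqdn"` (run with an admin ticket) and `klist -k /etc/krb5.keytab` on the client.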
