Steven Jones wrote:
Hi,

I have gone into the webgui and manually removed the no1 client/host, it
has now joined successfully...

So Yes, the next issue....

regards


I'm going to try to consolidate a few things here from some other responses.

* You do not need to pre-create the host in order to enroll it using Kerberos credentials. It is ok if the host already exists but not absolutely required.

* When a host is unenrolled it uses its own credentials (the service principal in /etc/krb5.keytab host/client.example....@example.com) to authenticate to IPA and say "I'm done with these credentials." If you lack this principal it cannot authenticate to IPA to say "I'm done with these credentials." If a keytab was actually created for this host and the contents are lost then you will need to manually free it up for enrollment again either with:

# ipa host-disable client.example.com

or

# ipa host-del client.example.com

You can see if a keytab was issued with:

# ipa host-show client.example.com

Look for Keytab: True

* Tickets 1028 and 1029 probably don't apply here. 1028 relates only to tracking SSL certificates and 1029 only applies if you used the --hostname option with ipa-client-install.

* ipa-rmkeytab is client side only. It just removes the principals for a specific host or realm from a keytab file. It has no effect on the server at all.

regards

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
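
The decision described in the reply above, written out as an added example; it is not part of the original message and is not FreeIPA's own tooling. The function names, the EXAMPLE.COM realm and both sample outputs are constructed, and the script works on captured `ipa host-show` and `klist -k` text, so it runs without a server.

```shell
#!/bin/sh
# Added example: choose how to free a host for re-enrollment from captured
# command output. Function names and sample text are constructed.

# Constructed sample of `ipa host-show client.example.com` output.
SAMPLE_HOST_SHOW='  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Keytab: True'

# Constructed sample of `klist -k /etc/krb5.keytab` output on the client.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   1 host/client.example.com@EXAMPLE.COM'

# True if the server says a keytab was issued ("Keytab: True").
server_keytab_issued() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Keytab:[[:space:]]*True[[:space:]]*$'
}

# True if the client keytab listing still contains host/<fqdn>@REALM.
client_has_host_principal() {
    printf '%s\n' "$1" | grep -Fq " host/$2@"
}

# $1 = host-show output, $2 = klist -k output ("" if lost), $3 = client FQDN
enrollment_action() {
    if ! server_keytab_issued "$1"; then
        echo "enroll"            # no keytab issued: host can be enrolled as is
    elif client_has_host_principal "$2" "$3"; then
        echo "client-unenroll"   # client can authenticate and release itself
    else
        echo "server-free"       # keytab lost: ipa host-disable or ipa host-del
    fi
}

echo "keytab intact: $(enrollment_action "$SAMPLE_HOST_SHOW" "$SAMPLE_KLIST" client.example.com)"
echo "keytab lost:   $(enrollment_action "$SAMPLE_HOST_SHOW" "" client.example.com)"
```

A result of `server-free` is the case from the reply where the host principal is gone from /etc/krb5.keytab and the entry has to be released on the server side.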
