Steven Jones wrote:
I have gone into the webgui and manually removed the no1 client/host, it
has now joined successfully...
So Yes, the next issue....
I'm going to try to consolidate a few things here from some other responses.
* You do not need to pre-create the host in order to enroll it using
kerberos credentials. It is ok if the host already exists but not
* When a host is unenrolled it uses its own credentials (the service
principal in /etc/krb5.keytab host/client.example....@example.com) to
authenticate to IPA and say "I'm done with these credentials." If you
lack this principal it cannot authenticate to IPA to say "I'm done with
these credentials." If a keytab was actually created for this host and
the contents are lost then you will need to manually free it up for
enrollment again either with:
# ipa host-disable client.example.com
# ipa host-del client.example.com
You can see if a keytab was issued with:
# ipa host-show client.example.com
Look for Keytab: True
* Tickets 1028 and 1029 probably don't apply here. 1028 relates only to
tracking SSL certificates and 1029 only applies if you used the
--hostname option with ipa-client-install.
* ipa-rmkeytab is client side only. It just removes the principals for a
specific host or realm from a keytab file. It has no effect on the
server at all.
Freeipa-users mailing list