On Tue, Nov 15, 2011 at 2:38 PM, Simo Sorce <[email protected]> wrote:
> On Tue, 2011-11-15 at 08:33 -0500, Dan Scott wrote:
>> Hi,
>>
>> On Tue, Nov 15, 2011 at 07:07, Natxo Asenjo <[email protected]> wrote:
>> > On Tue, Nov 15, 2011 at 12:40 AM, Dan Scott <[email protected]>
>> > wrote:
>> >> Hi,
>> >>
>> >> Is there a 'nice' way to reinstall a host? i.e. The host has already
>> >> been installed in FreeIPA and for whatever reason I need to reinstall
>> >> the OS, so I have a clean system and the host is already enrolled on
>> >> the server.
>> >>
>> >> ipa-client-install fails with "Host already enrolled" and I have to
>> >> connect to an enrolled client, remove the host, and then return to
>> >> install the client.
>> >>
>> >> Would it be possible to have a '--reinstall' option to
>> >> ipa-client-install? It wouldn't have to add the host into IPA, just
>> >> configure the files and get the keytab.
>> >
>> > If I understand it correctly, this could overwrite hosts passwords
>> > which is probably not what you want with a kerberos realm.
>>
>> So *getting* a new keytab would overwrite host passwords? Why wouldn't
>> I want that, if I'm reinstalling a host?
>>
>> > You should manually remove the host first from the realm and then rejoin
>> > it.
>
> No, actually if the host offers services you probably prefer rejoining
> in a way that keeps the original keys in the keytab and the new keys get
> a new kvno. This way clients that obtained a ticket before the
> re-install can still use them.

I understand your point but ..., is there not a risk that any newly installed host could so supplant another one? I mean, if I bootstrap a new host with the name of an existing host, it would then in fact become that host and that may not be what I want to do. This would also replace the dns A record to the host, obviously.

Or am I missing something (probably :-) )?

At least in my experience with AD one has to delete the computer account when re-installing a host or you get warnings about duplicate computer names and failures to join the domain.

--
natxo
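
The kvno behaviour Simo Sorce describes above, as an added example that is not part of the thread or of FreeIPA's code: a parser for the MIT keytab file format (version 0x0502) that lists which key versions a keytab still holds, run over two constructed keytabs. The host name, realm and key bytes are made-up sample values, and `build_entry` and `usable_kvnos` are helper names chosen for this example.

```python
import struct

def _counted(buf, p):
    """Read a 16-bit length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # negative size = deleted slot, skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            parts.append(comp.decode())
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)  # 11 = name type + timestamp + kvno8 + enctype
        if end - p >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(parts) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return out

def build_entry(name, realm, kvno, enctype, key):
    """Encode one entry; used only to construct the sample keytabs below."""
    f = lambda b: struct.pack(">H", len(b)) + b
    parts = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts)) + f(realm.encode()) + b"".join(map(f, parts))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + f(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def usable_kvnos(data, principal):
    """Key versions for which the service still holds a key to decrypt tickets."""
    return sorted({k for name, k, _ in parse_keytab(data) if name == principal})

HOST = "host/web1.example.test@EXAMPLE.TEST"  # constructed: hypothetical host and realm
OLD = build_entry("host/web1.example.test", "EXAMPLE.TEST", 1, 18, b"\x11" * 32)
NEW = build_entry("host/web1.example.test", "EXAMPLE.TEST", 2, 18, b"\x22" * 32)
FRESH_KEYTAB = b"\x05\x02" + NEW            # clean reinstall: old keys gone
REJOINED_KEYTAB = b"\x05\x02" + OLD + NEW   # rejoin that kept the kvno 1 keys
```

A ticket issued before the reinstall is encrypted under kvno 1, so only the service holding `REJOINED_KEYTAB` can still accept it; with `FRESH_KEYTAB` the client has to obtain a new ticket.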
