On Tue, Nov 15, 2011 at 2:38 PM, Simo Sorce <s...@redhat.com> wrote:
> On Tue, 2011-11-15 at 08:33 -0500, Dan Scott wrote:
>> Hi,
>> On Tue, Nov 15, 2011 at 07:07, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
>> > On Tue, Nov 15, 2011 at 12:40 AM, Dan Scott <danieljamessc...@gmail.com> 
>> > wrote:
>> >> Hi,
>> >>
>> >> Is there a 'nice' way to reinstall a host? i.e. The host has already
>> >> been installed in FreeIPA and for whatever reason I need to reinstall
>> >> the OS, so I have a clean system and the host is already enrolled on
>> >> the server.
>> >>
>> >> ipa-client-install fails with "Host already enrolled" and I have to
>> >> connect to an enrolled client, remove the host, and then return to
>> >> install the client.
>> >>
>> >> Would it be possible to have a '--reinstall' option to
>> >> ipa-client-install? It wouldn't have to add the host into IPA, just
>> >> configure the files and get the keytab.
>> >
>> > If I understand it correctly, this could overwrite hosts passwords
>> > which is probably not what you want with a kerberos realm.
>> So *getting* a new keytab would overwrite host passwords? Why wouldn't
>> I want that, if I'm reinstalling a host?
>> > You should manually remove the host first from the realm and then rejoin 
>> > it.
> No, actually if the host offers services you probably prefer rejoining
> in a way that keeps the original keys in the keytab and the new keys get
> a new kvno. This way clients that obtained a ticket before the
> re-install can still use them.

I understand your point but ..., is there not a risk that any new
installed host could so supplant another one? I mean, if I boostrap a
new host with the name of an existing host, it would then in fact
become that host and that may not be what I want to do. This would
also replace the dns A record to the host, obviously.

Or am I missing something (probably :-) )?

At least in my experience with AD one has to delete the computer
account when re-installing a host or you get warnings about duplicate
computer names and failures to joing the domain.


Freeipa-users mailing list

Reply via email to