On Fri, 11 Dec 2015, Andrey Ptashnik wrote:
> We have many servers in our environment that are at different stages
> of their lifecycle. All of them are added to the IPA domain. There are
> cases when servers get moved, sometimes crash, sometimes are being
> rebuilt or decommissioned. In those cases we need to completely remove
> the server identity from IPA including DNS, Host, Certificate and other
> What is the most proper way to completely remove client records in case
> the server needs to be rebuilt with the same host name down the road?
> (hardware failure happened, server crashed and needs to be rebuilt – is
> a perfect example).
'ipa-client-install --uninstall' results in calling 'ipa-join --unenroll -h
which in turn calls 'ipa host-disable hostname'. The latter on the
IPA server side does the following:
- disables the host entry
- disables any service associated with the host
- revokes certificates associated with the host
- removes keytab associated with the host
Disabling services involves revoking certificates and removing keytabs
associated with these services.
Of course, 'keytab removal' means only that the keys are removed from
LDAP entries, not that keytab files are removed.
Note that none of the DNS entries are removed.
If you don't have the hosts anymore, you can issue 'ipa host-disable hostname'
from any other host under the credentials of a user that has enough
privileges to remove the host and associated services. 'admins' group
membership should be strong enough to achieve this goal.
/ Alexander Bokovoy
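The procedure described in the reply, written up as an added example (it is not a script from the thread or from the FreeIPA project): run 'ipa host-disable' for the retired host from any enrolled machine, then, because host-disable leaves DNS untouched, show and delete the host's forward DNS records as a separate step. The script assumes the ipa CLI is installed, that the caller already holds a Kerberos ticket for an account with sufficient privileges (for example a member of 'admins'), and that the DNS zone name is passed as the second argument; the hostname and zone used in the dry run are constructed sample values.

```shell
#!/bin/sh
# Added example: retire a FreeIPA host identity from another enrolled machine.
# Assumptions (not stated in the thread): the 'ipa' CLI is available and a
# Kerberos ticket with enough privileges (e.g. an 'admins' member) is held.
# Set DRY_RUN=1 to print the commands that would be executed instead of
# running them, which is handy for reviewing a decommission before doing it.
set -eu

run() {
  # Execute the command, or in dry-run mode print it one per line.
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

decommission_host() {
  host="$1"    # FQDN of the server being retired, e.g. web01.example.test
  zone="$2"    # IPA DNS zone holding its forward records, e.g. example.test
  short="${host%%.*}"   # record name inside the zone (first label)

  # 1. Same server-side effect as 'ipa-client-install --uninstall':
  #    disables the host entry and its services, revokes their
  #    certificates and removes their Kerberos keys from LDAP.
  run ipa host-disable "$host"

  # 2. host-disable does not touch DNS, so show what is still there.
  run ipa dnsrecord-show "$zone" "$short"

  # 3. Remove all forward records for the name so a rebuilt server with the
  #    same hostname starts from clean DNS (reverse PTR zones are separate).
  run ipa dnsrecord-del "$zone" "$short" --del-all
}

# Run directly as: ./decommission.sh web01.example.test example.test
if [ $# -ge 2 ]; then
  decommission_host "$1" "$2"
fi
```

Keeping host-disable rather than deleting the entry matches the reply's description and leaves the host object in place for re-enrolment of a rebuilt machine; when the entry itself should go, 'ipa host-del' with '--updatedns' removes the host and its IPA-managed A, AAAA and PTR records in one step.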
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project