Thank you for your feedback, this is what I expected to do - 
'ipa-client-install —uninstall' and expected and easy quick fix for my request. 
It seem to work in environment where server portion is on CentOS/RHEL 7.1 and 
clients as well on 7.1 with IPA 4.1

However when clients are little older like CentOS/RHEL 6.5-6.6 behavior in our 
case was different, we had to manually delete records with "ipa host-del” 
command like Martin Kosek mentioned.

So I wanted to reiterate with Red Hat team if 'ipa-client-install —uninstall' 
is still the proper way to clean up records completely. Additionally if I can 
expect the same behavior on client versions lower than CentOS/RHEL 7.1 + IPA 4.1


Andrey Ptashnik 

On 12/14/15, 4:21 AM, "Alexander Bokovoy" <> wrote:

>On Fri, 11 Dec 2015, Andrey Ptashnik wrote:
>>Hello Team,
>>We have many servers in our environment that are on a different stage
>>of their lifecycle. All of them are added to IPA domain. There are
>>cases when servers gets moved, sometimes crash, sometimes are being
>>rebuild or decommissioned. In those cases we need to completely remove
>>server identity from IPA including DNS, Host, Certificate and other
>>associated records.
>>What is the most proper way to completely remove client records in case
>>if server needs to be rebuilt with the same host name down the road?
>>(hardware failure happened, server crashed and needs to be rebuild – is
>>a perfect example).
>'ipa-client-install --uninstall' results in calling 'ipa-join --unenroll -h 
>which in turn calls 'ipa host-disable hostname'. The latter on the
>IPA server side does following:
> - disables the host entry
> - disables any service associated with the host
> - revokes certificates associated with the host
> - removes keytab associated with the host
>Disabling services involves revoking of certificates and removal of
>keytabs associated with these services.
>Of course, 'keytab removal' means only that the keys are removed from
>LDAP entries, not that keytab files are removed.
>Note that none of DNS entries are removed.
>If you don't have hosts anymore, you can issue 'ipa host-disable hostname'
>from any other host under credentials of a user that has enough
>privileges to remove the host and associated services. 'admins' group
>membership should be strong enough to achieve this goal.
>/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to