Re: [Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM
Alexander,

Thank you for your feedback; this is what I expected to do, 'ipa-client-install --uninstall', and I expected an easy, quick fix for my request. It seems to work in an environment where the server portion is on CentOS/RHEL 7.1 and the clients are also on 7.1 with IPA 4.1. However, when the clients are a little older, like CentOS/RHEL 6.5-6.6, the behavior in our case was different: we had to manually delete records with the "ipa host-del" command, like Martin Kosek mentioned.

So I wanted to reiterate with the Red Hat team whether 'ipa-client-install --uninstall' is still the proper way to clean up records completely. Additionally, can I expect the same behavior on client versions lower than CentOS/RHEL 7.1 + IPA 4.1?

Regards,
Andrey Ptashnik

On 12/14/15, 4:21 AM, "Alexander Bokovoy" wrote:

>On Fri, 11 Dec 2015, Andrey Ptashnik wrote:
>>Hello Team,
>>
>>We have many servers in our environment that are at different stages
>>of their lifecycle. All of them are added to the IPA domain. There are
>>cases when servers get moved, sometimes crash, sometimes are being
>>rebuilt or decommissioned. In those cases we need to completely remove
>>the server identity from IPA including DNS, Host, Certificate and other
>>associated records.
>>What is the most proper way to completely remove client records in case
>>the server needs to be rebuilt with the same host name down the road?
>>(A hardware failure happened, the server crashed and needs to be rebuilt;
>>that is a perfect example.)
>
>'ipa-client-install --uninstall' results in calling 'ipa-join --unenroll -h hostname',
>which in turn calls 'ipa host-disable hostname'. The latter on the
>IPA server side does the following:
> - disables the host entry
> - disables any service associated with the host
> - revokes certificates associated with the host
> - removes the keytab associated with the host
>
>Disabling services involves revoking the certificates and removing the
>keytabs associated with these services.
>
>Of course, 'keytab removal' means only that the keys are removed from the
>LDAP entries, not that keytab files are removed.
>
>Note that none of the DNS entries are removed.
>
>If you don't have the hosts anymore, you can issue 'ipa host-disable hostname'
>from any other host under the credentials of a user that has enough
>privileges to remove the host and associated services. 'admins' group
>membership should be strong enough to achieve this goal.
>
>--
>/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM
On Fri, 11 Dec 2015, Andrey Ptashnik wrote:
>Hello Team,
>
>We have many servers in our environment that are at different stages
>of their lifecycle. All of them are added to the IPA domain. There are
>cases when servers get moved, sometimes crash, sometimes are being
>rebuilt or decommissioned. In those cases we need to completely remove
>the server identity from IPA including DNS, Host, Certificate and other
>associated records.
>What is the most proper way to completely remove client records in case
>the server needs to be rebuilt with the same host name down the road?
>(A hardware failure happened, the server crashed and needs to be rebuilt;
>that is a perfect example.)

'ipa-client-install --uninstall' results in calling 'ipa-join --unenroll -h hostname', which in turn calls 'ipa host-disable hostname'. The latter on the IPA server side does the following:

 - disables the host entry
 - disables any service associated with the host
 - revokes certificates associated with the host
 - removes the keytab associated with the host

Disabling services involves revoking the certificates and removing the keytabs associated with these services.

Of course, 'keytab removal' means only that the keys are removed from the LDAP entries, not that keytab files are removed.

Note that none of the DNS entries are removed.

If you don't have the hosts anymore, you can issue 'ipa host-disable hostname' from any other host under the credentials of a user that has enough privileges to remove the host and associated services. 'admins' group membership should be strong enough to achieve this goal.

--
/ Alexander Bokovoy
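A decommissioning script that follows the sequence Alexander describes, added here as an example and not taken from the thread or the FreeIPA project: since 'ipa host-disable' leaves the host entry and its DNS records in place, the script follows it with 'ipa host-del --updatedns' (an option the thread itself does not mention) and then checks that nothing is left. It assumes the 'ipa' CLI is installed and that a ticket for a member of 'admins' has already been obtained with kinit; the hostname used in the dry run is constructed.

```shell
#!/bin/sh
# Remove a FreeIPA host entry completely so the name can be re-enrolled later.
# Assumes: 'ipa' CLI on PATH, a valid ticket for an 'admins' member (kinit admin).
# Set DRY_RUN=1 to print the commands instead of executing them.
set -eu

# Run a command, or only print it when DRY_RUN=1 (review the plan before a real run).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Lower-case the name, strip a trailing dot and refuse anything that is not a
# fully qualified hostname, so a typo cannot disable some other host's entry.
normalize_fqdn() {
  fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  printf '%s' "$fqdn" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' || return 1
  printf '%s\n' "$fqdn"
}

# Issue, in order, the commands needed to remove the host completely.
cleanup_host() {
  fqdn=$(normalize_fqdn "$1") || { echo "refusing bad hostname: $1" >&2; return 1; }
  # 1. Same server-side effect as ipa-client-install --uninstall: disable the host
  #    and its services, revoke their certificates, drop keytab keys from LDAP.
  run ipa host-disable "$fqdn"
  # 2. Delete the host entry itself. --updatedns also removes its A/AAAA/PTR
  #    records (only in zones IPA manages), which host-disable never touches.
  run ipa host-del "$fqdn" --updatedns
}

# Return 0 only when neither the host entry nor its forward DNS record remains.
verify_gone() {
  fqdn=$(normalize_fqdn "$1") || return 1
  short=${fqdn%%.*}
  zone=${fqdn#*.}
  if ipa host-show "$fqdn" >/dev/null 2>&1; then
    echo "host entry still present: $fqdn" >&2; return 1
  fi
  if ipa dnsrecord-show "$zone" "$short" >/dev/null 2>&1; then
    echo "DNS record still present: $short in zone $zone" >&2; return 1
  fi
  return 0
}
```

Run `DRY_RUN=1 cleanup_host web01.example.com` first to see the two commands it will issue, then without DRY_RUN and follow up with `verify_gone web01.example.com` before re-enrolling the rebuilt machine.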
[Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM
Hello Team,

We have many servers in our environment that are at different stages of their lifecycle. All of them are added to the IPA domain. There are cases when servers get moved, sometimes crash, sometimes are being rebuilt or decommissioned. In those cases we need to completely remove the server identity from IPA including DNS, Host, Certificate and other associated records.

What is the most proper way to completely remove client records in case the server needs to be rebuilt with the same host name down the road? (A hardware failure happened, the server crashed and needs to be rebuilt; that is a perfect example.)

Regards,
Andrey Ptashnik