Re: [Freeipa-users] Clean up DNS Host Cert and other records from IPA

2015-12-14 Thread Martin Kosek
On 12/11/2015 11:55 PM, Andrey Ptashnik wrote:
> Hello Team,
> 
> We have many servers in our environment that are at different stages of
> their lifecycle. All of them are added to the IPA domain. There are cases when
> servers get moved, sometimes crash, sometimes are being rebuilt or
> decommissioned. In those cases we need to completely remove the server identity
> from IPA, including DNS, Host, Certificate and other associated records.
> What is the most proper way to completely remove client records in case the
> server needs to be rebuilt with the same host name down the road? (Hardware
> failure happened, server crashed and needs to be rebuilt – that is a perfect
> example.)

The ipa host-del command (optionally with the --updatedns flag) should remove all
services and revoke the certificates active for the host or service records. Is
that insufficient, or maybe not working for you?

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM

2015-12-14 Thread Alexander Bokovoy

On Fri, 11 Dec 2015, Andrey Ptashnik wrote:

Hello Team,

We have many servers in our environment that are at different stages
of their lifecycle. All of them are added to the IPA domain. There are
cases when servers get moved, sometimes crash, sometimes are being
rebuilt or decommissioned. In those cases we need to completely remove
the server identity from IPA, including DNS, Host, Certificate and other
associated records.
What is the most proper way to completely remove client records in case
the server needs to be rebuilt with the same host name down the road?
(Hardware failure happened, server crashed and needs to be rebuilt – that is
a perfect example.)

'ipa-client-install --uninstall' results in calling 'ipa-join --unenroll -h
hostname', which in turn calls 'ipa host-disable hostname'. The latter, on the
IPA server side, does the following:
- disables the host entry
- disables any service associated with the host
- revokes certificates associated with the host
- removes the keytab associated with the host

Disabling services involves revoking the certificates and removing the
keytabs associated with these services.

Of course, 'keytab removal' means only that the keys are removed from the
LDAP entries, not that keytab files are removed.

Note that none of the DNS entries are removed.

If you don't have the hosts anymore, you can issue 'ipa host-disable hostname'
from any other host under the credentials of a user that has enough
privileges to remove the host and associated services. 'admins' group
membership should be strong enough to achieve this goal.

--
/ Alexander Bokovoy

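
As an added example (not code from this thread or from the FreeIPA project), the POSIX shell script below turns Martin's 'ipa host-del --updatedns' and Alexander's point that 'ipa host-disable' leaves DNS records in place into one decommissioning routine: inventory what the IPA server still holds for the host, delete the host entry together with its DNS records, and verify nothing is left before the host name is reused. It assumes an admin Kerberos ticket is already held (kinit admin), that the host's forward zone is IPA-managed and is the host name minus its first label, and that the 'ipa' subcommands used (host-show, service-find with a search string, cert-find --subject, host-del --updatedns, dnsrecord-show, dnsrecord-del --del-all) are available; the IPA_CMD variable and the function names are my own additions so the script can be pointed at a wrapper or stub.

```shell
#!/bin/sh
# Added example for decommissioning an IPA-enrolled host; not FreeIPA's own tooling.
# Assumes: a valid admin ticket (kinit admin), the host's zone is IPA-managed
# and equals the host name with its first label stripped.
IPA_CMD="${IPA_CMD:-ipa}"        # assumption: lets a wrapper/stub replace the real CLI
ipa_() { "$IPA_CMD" "$@"; }

# web01.example.com -> zone "example.com", record name "web01"
host_zone()  { printf '%s\n' "${1#*.}"; }
host_label() { printf '%s\n' "${1%%.*}"; }

# Show what the server still knows: host entry, services, certificates, DNS.
# Fails only if the host entry itself is missing.
inventory_host() {
  host="$1"
  ipa_ host-show "$host" || return 1
  ipa_ service-find "$host" || true          # search string: principals containing the host name
  ipa_ cert-find --subject="$host" || true   # certificates issued with the host in the subject
  ipa_ dnsrecord-show "$(host_zone "$host")" "$(host_label "$host")" || true
}

# Full removal. host-del deletes the services and revokes the host's and
# services' certificates; --updatedns removes the host's own DNS records
# (unlike host-disable, which leaves DNS untouched). Any other record still
# filed under the same name is deleted explicitly; "not found" is tolerated.
decommission_host() {
  host="$1"
  ipa_ host-del "$host" --updatedns || return 1
  ipa_ dnsrecord-del "$(host_zone "$host")" "$(host_label "$host")" --del-all || true
}

# Confirm that neither the host entry nor DNS records remain before the
# name is reused for a rebuilt machine.
verify_removed() {
  host="$1"
  if ipa_ host-show "$host" >/dev/null 2>&1; then
    echo "host entry still present: $host" >&2
    return 1
  fi
  if ipa_ dnsrecord-show "$(host_zone "$host")" "$(host_label "$host")" >/dev/null 2>&1; then
    echo "DNS records still present: $host" >&2
    return 1
  fi
  return 0
}

# Usage: sh decommission.sh inventory|decommission|verify HOSTNAME
if [ "$#" -eq 2 ]; then
  case "$1" in
    inventory)    inventory_host "$2" ;;
    decommission) decommission_host "$2" ;;
    verify)       verify_removed "$2" ;;
    *) echo "usage: $0 inventory|decommission|verify HOSTNAME" >&2; exit 2 ;;
  esac
fi
```

If the machine is still alive, run 'ipa-client-install --uninstall' on it first: that removes the local keytab and client configuration, which nothing on the server side can do. If it is already dead, go straight to 'decommission' and then 'verify'; a rebuilt box with the same name can then be enrolled with a fresh 'ipa-client-install'.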

Re: [Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM

2015-12-14 Thread Andrey Ptashnik
Alexander,

Thank you for your feedback, this is what I expected to do:
'ipa-client-install --uninstall', and I expected an easy, quick fix for my request.
It seems to work in an environment where the server portion is on CentOS/RHEL 7.1 and
the clients are also on 7.1 with IPA 4.1.

However, when the clients are a little older, like CentOS/RHEL 6.5-6.6, the behavior in our
case was different; we had to manually delete records with the "ipa host-del"
command like Martin Kosek mentioned.

So I wanted to reiterate with the Red Hat team whether 'ipa-client-install --uninstall'
is still the proper way to clean up records completely, and additionally whether I can
expect the same behavior on client versions lower than CentOS/RHEL 7.1 + IPA 4.1.

Regards,

Andrey Ptashnik 

On 12/14/15, 4:21 AM, "Alexander Bokovoy"  wrote:

>On Fri, 11 Dec 2015, Andrey Ptashnik wrote:
>>Hello Team,
>>
>>We have many servers in our environment that are at different stages
>>of their lifecycle. All of them are added to the IPA domain. There are
>>cases when servers get moved, sometimes crash, sometimes are being
>>rebuilt or decommissioned. In those cases we need to completely remove
>>the server identity from IPA, including DNS, Host, Certificate and other
>>associated records.
>>What is the most proper way to completely remove client records in case
>>the server needs to be rebuilt with the same host name down the road?
>>(Hardware failure happened, server crashed and needs to be rebuilt – that is
>>a perfect example.)
>'ipa-client-install --uninstall' results in calling 'ipa-join --unenroll -h
>hostname', which in turn calls 'ipa host-disable hostname'. The latter, on the
>IPA server side, does the following:
> - disables the host entry
> - disables any service associated with the host
> - revokes certificates associated with the host
> - removes the keytab associated with the host
>
>Disabling services involves revoking the certificates and removing the
>keytabs associated with these services.
>
>Of course, 'keytab removal' means only that the keys are removed from the
>LDAP entries, not that keytab files are removed.
>
>Note that none of the DNS entries are removed.
>
>If you don't have the hosts anymore, you can issue 'ipa host-disable hostname'
>from any other host under the credentials of a user that has enough
>privileges to remove the host and associated services. 'admins' group
>membership should be strong enough to achieve this goal.
>
>-- 
>/ Alexander Bokovoy


[Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM

2015-12-13 Thread Andrey Ptashnik
Hello Team,

We have many servers in our environment that are at different stages of their
lifecycle. All of them are added to the IPA domain. There are cases when servers
get moved, sometimes crash, sometimes are being rebuilt or decommissioned. In
those cases we need to completely remove the server identity from IPA, including
DNS, Host, Certificate and other associated records.
What is the most proper way to completely remove client records in case the
server needs to be rebuilt with the same host name down the road? (Hardware
failure happened, server crashed and needs to be rebuilt – that is a perfect
example.)

Regards,

Andrey Ptashnik


[Freeipa-users] Clean up DNS Host Cert and other records from IPA

2015-12-11 Thread Andrey Ptashnik
Hello Team,

We have many servers in our environment that are at different stages of their
lifecycle. All of them are added to the IPA domain. There are cases when servers
get moved, sometimes crash, sometimes are being rebuilt or decommissioned. In
those cases we need to completely remove the server identity from IPA, including
DNS, Host, Certificate and other associated records.
What is the most proper way to completely remove client records in case the
server needs to be rebuilt with the same host name down the road? (Hardware
failure happened, server crashed and needs to be rebuilt – that is a perfect
example.)

Regards,

Andrey Ptashnik
